How to clear the security event log with the SYSTEM account.

After you clear the security log, one log entry is created (Event ID 1120) recording who did it (account name, domain name) and when.
If you, for some reason, want to hide that information, you can clear the security log (or other event logs) with the SYSTEM account. This account exists on every Windows operating system, so it is hard to tell who really cleared the log.
Let's do it.
First of all, you need two applications, psexec.exe and psloglist.exe; you can get them from sysinternals.com. Next, open your command prompt and change directory to where you downloaded these files. Type the following command:

psexec -accepteula -s -c psloglist.exe -accepteula -c system -n 1

psexec switches:
-s Run remote process in the System account.
-c Copy the specified program to the remote system for execution. (psloglist.exe in our case)

psloglist switches:
-c Clear the event log after displaying it.
-n 1 Show only the most recent entry (you can omit this if you want to see all events).

-accepteula Automatically accept the license agreement (when you run a Sysinternals tool for the first time you have to accept the license; this switch stops the tool from waiting for a user response).
The really cool thing about this trick is to use it on a remote machine:

psexec \\[host] -u [user] -p [password] -accepteula -s -c psloglist.exe -accepteula -c security -n 1

Of course you must have suitable privileges to clear the security log (in most cases you have to be an administrator).
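From the defender's side, the clear itself is still logged; the trick only changes whose name is on the entry. The post cites Event ID 1120; on Vista and later the Security log records a clear as Event ID 1102 ("The audit log was cleared"), with the subject stored under UserData/LogFileCleared. The following script is an added example, not part of the original post or of the Sysinternals tools. It lists recent 1102 events, flags any attributed to LocalSystem (well-known SID S-1-5-18, the account the post's command runs under), and looks for a service-installation event (System log Event ID 7045) in the surrounding minutes, which is what a PsExec remote run leaves behind (its default service name is PSEXESVC). The parameter names, the 30-day window and the five-minute correlation window are assumptions chosen for this example.

```powershell
# Added example (not from the original post): find Security-log clears attributed to
# LocalSystem and correlate them with service installs around the same time.
# Assumes an elevated PowerShell session on the host being reviewed (or one with
# remote event-log access to $ComputerName).
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # assumption: local host by default
    [int]$Days = 30                             # assumption: look back 30 days
)

$localSystemSid = 'S-1-5-18'   # well-known SID of NT AUTHORITY\SYSTEM

$filter = @{
    LogName   = 'Security'
    Id        = 1102            # "The audit log was cleared"
    StartTime = (Get-Date).AddDays(-$Days)
}

try {
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
} catch {
    # Get-WinEvent throws when nothing matches; treat that as "no clears in the window".
    if ($_.Exception.Message -like '*No events were found*') { $events = @() } else { throw }
}

$report = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    # Assumption: subject fields live under UserData/LogFileCleared, as in the 1102 schema.
    $subject = $x.Event.UserData.LogFileCleared
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Subject    = "$($subject.SubjectDomainName)\$($subject.SubjectUserName)"
        SubjectSid = $subject.SubjectUserSid
        LogonId    = $subject.SubjectLogonId
        Suspicious = ($subject.SubjectUserSid -eq $localSystemSid)
    }
}

$report | Sort-Object Time -Descending | Format-Table -AutoSize

$flagged = @($report | Where-Object Suspicious)
if ($flagged.Count -eq 0) {
    Write-Host "No Security-log clears attributed to LocalSystem in the last $Days day(s)."
    return
}

Write-Warning "$($flagged.Count) Security-log clear(s) attributed to LocalSystem ($localSystemSid)."

foreach ($f in $flagged) {
    # A PsExec run against a remote host installs a temporary service first, which the
    # Service Control Manager records as System log Event ID 7045. Look +/- 5 minutes.
    $window = @{
        LogName   = 'System'
        Id        = 7045
        StartTime = $f.Time.AddMinutes(-5)
        EndTime   = $f.Time.AddMinutes(5)
    }
    $services = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $window -ErrorAction SilentlyContinue)
    if ($services.Count -eq 0) {
        Write-Host ("{0:u}  cleared as {1}; no service installs within 5 minutes" -f $f.Time, $f.Subject)
        continue
    }
    foreach ($s in $services) {
        $tag = if ($s.Message -match 'PSEXESVC') { 'PsExec service (default name)' } else { 'service install' }
        Write-Host ("{0:u}  cleared as {1}; {2} at {3:u}" -f $f.Time, $f.Subject, $tag, $s.TimeCreated)
    }
}
```

A clear under a named administrator account is what routine maintenance looks like; one attributed to S-1-5-18 with a service install seconds earlier is the pattern this post describes and is worth investigating. Because the clear wipes the Security log on the host, forwarding Security events to a collector before they can be cleared is the durable mitigation; this script only helps on hosts where that was not in place.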
