Windows Logging Service (WLS) 3.7.25 Now Available!

What’s New!

  • ARP
    • Added IsRouter and IsUnreachable fields to IPv6 logs
  • FileMetadata
    • Added AccessControlFields, GetFileAttributes, GetMSIPLabels, GetOverlay, LogFileCerts, PDFProperties
  • FileTail
    • Added Depth and PathFilter parameters
    • Added Position and SID fields
    • Added performance monitoring
    • Now supports multiple %USERPROFILE% definitions
  • File Integrity Monitor (FIM)
    • Monitors defined paths for changes based on user defined metadata
  • FileMonitor
    • Added LogUser parameter
    • Added EventTriggers
  • FileTail
    • Added HistoryDays and HistoryRemoveEmptyDirectories parameters
  • Heartbeat
    • Added LogsError reporting
  • Logging
    • Added SIDFields parameter
  • LogRouting
    • Added ADHarvest as a way to define network location IP ranges
    • Added RELP protocol support
  • Logs
    • Added support for XPath event log query definitions
  • RegistryMonitor
    • Added SID resolution for HKEY_USER definitions
    • Added Enable parameter for hive subitems
  • SessionMonitor
    • Added GroupSIDs parameter – replaces PKINIT field
    • Added UserNameHint field
  • ServiceMonitor
    • Added Security field based on registry data

What’s Changed?

  • FileMetadata
    • ImpHash calculations now ignore empty function names
  • FileTail
    • Deprecated IncludeSubdirectories. See Depth.
    • Filter supports multiple values and regular expressions
  • LogRouting
    • Where possible, BufferedStream is now used
  • Logs
    • Event logs that are null when received are counted as errors
  • TaskMonitor
    • Added Task Trigger XML to log
  • WLS Records
    • All control characters are now sanitized from field names and values

Fixes!

  • ARP/DNS
    • Fixed updating interval when changed while running
  • Audio
    • Fixed being enabled when disabled if FullReportInterval was set
  • CommandMonitor
    • Added extra checks when scanning memory for history structures to prevent errors
  • FileMetadata
    • Fixed quoted path loop bug
  • FileTail
    • BufferSize set as expected
    • Ensure file position is set to 0 on creation
    • Improved file position tracking
    • Reading multiple %USERPROFILE% settings
    • Setting CharSize
  • LNK
    • Fixed string decoding
    • Updated Enums and reporting of unknown values
  • LogFormat
    • Fixed appending HMAC
  • RemoteConfiguration
    • Fixed requiring rules.xml when not needed
  • ServiceMonitor
    • Fixed reporting at Interval

If you’d like licensing or other information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.

Article Link: https://digirati82.com/2025/04/14/windows-logging-service-wls-3-7-25-now-available/