What’s New!
- ARP
  - Added IsRouter and IsUnreachable fields to IPv6 logs
- FileMetadata
  - Added AccessControlFields, GetFileAttributes, GetMSIPLabels, GetOverlay, LogFileCerts, PDFProperties
- FileTail
  - Added Depth and PathFilter parameters
  - Added Position and SID fields
  - Added performance monitoring
  - Now supports multiple %USERPROFILE% definitions
- File Integrity Monitor (FIM)
  - Monitors defined paths for changes based on user defined metadata
- FileMonitor
  - Added LogUser parameter
  - Added EventTriggers
- FileTail
  - Added HistoryDays and HistoryRemoveEmptyDirectories parameters
- Heartbeat
  - Added LogsError reporting
- Logging
  - Add SIDFields parameter
- LogRouting
  - Added ADHarvest as a way to define network location IP ranges
  - Added RELP protocol support
- Logs
  - Added support for XPath event log query definitions
- RegistryMonitor
  - Added SID resolution for HKEY_USER definitions
  - Added Enable parameter for hive subitems
- SessionMonitor
  - Added GroupSIDs parameter – replaces PKINIT field
  - Added UserNameHint field
- ServiceMonitor
  - Added Security field based on registry data
What’s Changed?
- FileMetadata
  - ImpHash calculations now ignore empty function names
- FileTail
  - Deprecated IncludeSubdirectories. See Depth.
  - Filter supports multiple values and regular expressions
- LogRouting
  - Where possible, BufferedStream is now used
- Logs
  - Event logs that are null when received are counted as errors
- TaskMonitor
  - Added Task Trigger XML to log
- WLS Records
  - All control characters are now sanitized from field names and values
Fixes!
- ARP/DNS
  - Fixed updating interval when changed while running
- Audio
  - Fixed being enabled when disabled if FullReportInterval was set
- CommandMonitor
  - Added extra checks when scanning memory for history structures to prevent errors
- FileMetadata
  - Fixed quoted path loop bug
- FileTail
  - BufferSize set as expected
  - Ensure file position is set to 0 on creation
  - Improved file position tracking
  - Reading multiple %USERPROFILE% settings
  - Setting CharSize
- LNK
  - Fixed string decoding
  - Updated Enums and reporting of unknown values
- LogFormat
  - Fixed appending HMAC
- RemoteConfiguration
  - Fixed requiring rules.xml when not needed
- ServiceMonitor
  - Fixed reporting at Interval
If you’d like licensing or other information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.
Article Link: https://digirati82.com/2025/04/14/windows-logging-service-wls-3-7-25-now-available/