# Disable Windows Event Logging

Adversaries may disable Windows event logging to limit the data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more. This data is used by security tools and analysts to generate detections.

Adversaries may target system-wide logging or just that of a particular application. By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.

**Example:**

We can also disable the eventlog service from the workstation. This can be done with PowerShell, but we will need to apply the **-Force** flag since other services depend on this service.

![](https://315180959-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MRhopYn_fCpSkqplzRE%2F-MRhovTyFjjG_kdUldYd%2Fimage.png?alt=media\&token=d4703c85-279e-4da9-816b-de43318eea0c)

We can confirm it with CMD as well: the service cannot be started because, besides being stopped, it has also been disabled.

![](https://315180959-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MRhopYn_fCpSkqplzRE%2F-MRhowOtDJVUKL6Lah0Q%2Fimage.png?alt=media\&token=5488e4ca-6cb1-475d-a043-79076a4fb0ee)

Setting it back to how it was is simple.

![](https://315180959-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MRhopYn_fCpSkqplzRE%2F-MRhoxOSCVBWjJ9WOabO%2Fimage.png?alt=media\&token=ec7aa860-805e-4e39-814b-c985854d19b0)

And after a restart, all is back to normal. As we can see, this is a great method to hide our tracks, and as an intrusion progresses in an environment, APTs have a use for these techniques to evade defenses.
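The flip side of the technique above is what a defender can still see: stopping or disabling the Event Log service leaves a few records behind before logging goes dark (Service Control Manager Event ID 7040 for the start-type change, 7036 for the stopped state, and Event ID 1100 in the Security log when the logging service shuts down), and afterwards it leaves a conspicuous silence. The following Python detection sketch is an added example, not code from the original page; it runs over constructed sample records modelled on those standard message texts, flags the three indicators, and treats a long gap with no events at all as its own low-confidence signal.

```python
"""
Added detection sketch for the EventLog stop/disable technique described above.
The records below are constructed samples, not real telemetry; the message
texts are modelled on the standard Service Control Manager and Eventlog texts.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass(frozen=True)
class EventRecord:
    time: datetime
    channel: str      # e.g. "System" or "Security"
    provider: str     # event source
    event_id: int
    message: str


def _t(hhmmss: str) -> datetime:
    return datetime.strptime(f"2024-01-15 {hhmmss}", "%Y-%m-%d %H:%M:%S")


# Constructed sample timeline: a benign service event, the EventLog service
# being disabled and stopped, the resulting shutdown record, a long silence,
# then the service coming back and normal logging resuming.
SAMPLE_RECORDS = [
    EventRecord(_t("10:00:00"), "System", "Service Control Manager", 7036,
                "The Windows Update service entered the running state."),
    EventRecord(_t("10:05:00"), "System", "Service Control Manager", 7040,
                "The start type of the Windows Event Log service was changed "
                "from auto start to disabled."),
    EventRecord(_t("10:05:10"), "System", "Service Control Manager", 7036,
                "The Windows Event Log service entered the stopped state."),
    EventRecord(_t("10:05:11"), "Security", "Microsoft-Windows-Eventlog", 1100,
                "The event logging service has shut down."),
    EventRecord(_t("11:30:00"), "System", "Service Control Manager", 7036,
                "The Windows Event Log service entered the running state."),
    EventRecord(_t("11:30:05"), "Security", "Microsoft-Windows-Security-Auditing", 4624,
                "An account was successfully logged on."),
]

EVENTLOG_SERVICE_RE = re.compile(r"\bWindows Event Log service\b")


def indicators_for(rec: EventRecord) -> list[tuple[str, str]]:
    """Return (severity, reason) hits for a single record."""
    hits = []
    is_scm = rec.provider == "Service Control Manager"
    about_eventlog = bool(EVENTLOG_SERVICE_RE.search(rec.message))
    if is_scm and rec.event_id == 7040 and about_eventlog and "disabled" in rec.message.lower():
        hits.append(("high", "EventLog service start type changed to disabled"))
    if is_scm and rec.event_id == 7036 and about_eventlog and "stopped state" in rec.message:
        hits.append(("high", "EventLog service entered the stopped state"))
    if rec.channel == "Security" and rec.event_id == 1100:
        # Also written during a normal shutdown; correlate with a system
        # shutdown/restart record before treating it as tampering.
        hits.append(("medium", "event logging service shut down"))
    return hits


def find_silent_gaps(records, max_gap: timedelta) -> list[tuple[datetime, datetime]]:
    """Return (start, end) pairs where nothing at all was written for longer than max_gap."""
    ordered = sorted(records, key=lambda r: r.time)
    return [(prev.time, cur.time)
            for prev, cur in zip(ordered, ordered[1:])
            if cur.time - prev.time > max_gap]


def analyze(records, max_gap: timedelta = timedelta(minutes=30)):
    """Combine per-record indicators with gap detection into a sorted alert list."""
    alerts = []
    for rec in sorted(records, key=lambda r: r.time):
        for severity, reason in indicators_for(rec):
            alerts.append((rec.time, severity, f"{reason} (EventID {rec.event_id})"))
    for start, end in find_silent_gaps(records, max_gap):
        alerts.append((start, "low", f"no events written for {end - start} (possible logging outage)"))
    return sorted(alerts)


if __name__ == "__main__":
    for when, severity, text in analyze(SAMPLE_RECORDS):
        print(f"{when:%H:%M:%S} [{severity:>6}] {text}")
```

The gap check matters because any record the service would have written after it stopped is simply never produced; on a real host the threshold should be tuned to how chatty the channel normally is, and the 1100 hit should be correlated with shutdown/restart records so that a routine reboot is not raised as tampering.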
