Disabling Event Logging
Microsoft defines event logging as a standard centralised way for applications (and the operating system) to record important software and hardware events. The event logging service records events from various sources and stores them in a single collection called an event log.
Event logs can contain a wealth of information including, but not limited to, user logons, external device connections, process creation, remote desktop connections, file activity and even remote thread creation (the last of these usually via Sysmon rather than the built-in channels). The event logging service itself, the EventLog service implemented in wevtsvc.dll, runs like many other Windows services as threads inside a shared svchost.exe process rather than as its own executable.

From a forensic standpoint the event log is a primary source: activity can be detected live through monitoring, or recovered afterwards from a machine of interest. Denying event logging therefore serves an attacker twice over: it avoids initial detection by administrators and, where needed, it destroys crucial evidence and frustrates proper analysis of the compromised system. The technique is effective, but it is not silent. Long gaps between log entries are suspicious, empty logs even more so, and Windows itself records the interruption (Security event 1100 when the logging service shuts down, Security event 1102 when the audit log is cleared, System event 104 when another log is cleared), so anyone reviewing the logs, or forwarding them to a collector, has something to alert on.
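The caveat above, that gaps and empty logs are themselves a signal, is the detection side of this technique. The following Python is an added example and is not part of the original page. It runs three checks over a constructed set of event records: a per-channel silence check with an adjustable threshold, a lookup for the events Windows writes when the logging service stops or a log is cleared (1100, 1102 and 104), and a check for expected channels that produced nothing at all. The record shape (channel name, event ID, ISO-8601 timestamp) is an assumption standing in for whatever export of Get-WinEvent or a SIEM you actually have; the 30-minute threshold and the sample records are constructed for illustration.

```python
from datetime import datetime, timedelta

# Event IDs that Windows itself writes when logging is interrupted or a log is
# wiped. The IDs and channels are real; the descriptions are paraphrased.
LOG_TAMPER_EVENTS = {
    1100: "event logging service was shut down (Security)",
    1102: "audit log was cleared (Security)",
    104: "a log file was cleared (System)",
}

# Constructed sample records (not real telemetry). The shape is an assumption:
# a minimal export with channel, event ID and ISO-8601 time per record.
RAW_EVENTS = [
    {"channel": "Security", "id": 4624, "time": "2024-03-01T08:00:00"},
    {"channel": "Security", "id": 4688, "time": "2024-03-01T08:05:00"},
    {"channel": "Security", "id": 4688, "time": "2024-03-01T08:12:00"},
    {"channel": "Security", "id": 1100, "time": "2024-03-01T08:15:00"},  # service stopped
    {"channel": "Security", "id": 4624, "time": "2024-03-01T12:30:00"},  # logging resumes
    {"channel": "System",   "id": 7036, "time": "2024-03-01T08:00:00"},
    {"channel": "System",   "id": 7036, "time": "2024-03-01T08:25:00"},
    {"channel": "System",   "id": 104,  "time": "2024-03-01T08:40:00"},  # log cleared
]

# Channels any running Windows host should be writing to; a channel with no
# events at all over the collection period is as suspicious as a gap.
EXPECTED_CHANNELS = ["Application", "Security", "System"]


def load_events(raw):
    """Parse timestamps so records can be compared and sorted."""
    return [dict(e, time=datetime.fromisoformat(e["time"])) for e in raw]


def find_silent_windows(events, max_gap=timedelta(minutes=30)):
    """Per channel, return (channel, start, end, gap) for each pair of
    consecutive events further apart than max_gap. The threshold is a tuning
    choice: a busy domain controller writes Security events every few
    seconds, so even minutes of silence there deserve a look."""
    by_channel = {}
    for e in events:
        by_channel.setdefault(e["channel"], []).append(e)
    findings = []
    for channel, evts in by_channel.items():
        evts.sort(key=lambda e: e["time"])
        for prev, cur in zip(evts, evts[1:]):
            gap = cur["time"] - prev["time"]
            if gap > max_gap:
                findings.append((channel, prev["time"], cur["time"], gap))
    return findings


def find_tamper_events(events):
    """Return the records whose event ID marks a logging stop or a wipe."""
    return [e for e in events if e["id"] in LOG_TAMPER_EVENTS]


def find_empty_channels(events, expected=EXPECTED_CHANNELS):
    """Return the expected channels that produced no events at all."""
    present = {e["channel"] for e in events}
    return sorted(set(expected) - present)


def analyse(raw=RAW_EVENTS, expected=EXPECTED_CHANNELS,
            max_gap=timedelta(minutes=30)):
    """Run all three checks over raw records and return a report dict."""
    events = load_events(raw)
    return {
        "silent_windows": find_silent_windows(events, max_gap),
        "tamper_events": find_tamper_events(events),
        "empty_channels": find_empty_channels(events, expected),
    }


if __name__ == "__main__":
    report = analyse()
    for channel, start, end, gap in report["silent_windows"]:
        print(f"[gap] {channel}: no events between {start} and {end} ({gap})")
    for e in report["tamper_events"]:
        print(f"[tamper] {e['channel']} {e['id']} at {e['time']}: "
              f"{LOG_TAMPER_EVENTS[e['id']]}")
    for channel in report["empty_channels"]:
        print(f"[empty] {channel}: no events in the collection at all")
```

Run as a script it prints the three kinds of finding for the sample data: a four-and-a-quarter-hour silence in Security that begins right after event 1100, the 1100 and 104 records themselves, and an Application channel that never wrote anything. The checks are separate functions so the same logic can be pointed at a real export. Pair this with log forwarding wherever possible: a host that stops reporting to a collector is the strongest version of the empty-log signal, since tampering with the local log does not remove what was already shipped.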