<P> It is theoretically possible to write false events to the log . Microsoft notes, "To be able to write to the Security log, SeAuditPrivilege is required . By default, only Local System and Network Service accounts have such privilege". Microsoft Windows Internals states, "Processes that call audit system services...must have the SeAuditPrivilege privilege to successfully generate an audit record". The Winzapper FAQ notes that it is "possible to add your own' made up' event records to the log" but this feature was not added because it was considered "too nasty," a reference to the fact that someone with Administrator access could use such functionality to shift the blame for unauthorized activity to an innocent party . Server 2003 added some API calls so that applications could register with the security event logs and write security audit entries . Specifically, the AuthzInstallSecurityEventSource function installs the specified source as a security event source . </P> <P> The EventTracker newsletter states that "The possibility of tampering is not enough to cause the logs to be inadmissible, there must be specific evidence of tampering in order for the logs to be considered inadmissible". </P>

Where is the security log in windows 7