├── README.md
└── Creating Custom Logs.md


/README.md:
--------------------------------------------------------------------------------
  1 | # Setting up a  Windows Event Collector
  2 | 
  3 | ## __ENVIRONMENT:__
  4 | 
  5 | #### MACHINES:
  6 | HOSTNAME | MACHINE IP | OS | Description 
  7 | --- | --- | --- | --- 
  8 | MSEDGEWIN10 | 192.168.150.128 | Windows 10 Enterprise Evaluation | Source Machine
  9 | WIN-BO2CT95INDP | 192.168.150.133 | Windows Server 2016 | Collector Machine
 10 | 
 11 | __NOTE(S)__:
 12 | - The FQDN for WIN-BO2CT95INDP is __win-bo2ct95indp.bossmanben.local__
 13 | 
 14 | ---
 15 | 
 16 | ## __ASSUMPTIONS:__
 17 | ### i.  The Source Machine (MSEDGEWIN10) is part of a Domain Controller (WIN-BO2CT95INDP).
 18 | ### ii. This guide uses __*Security Logs*__ as an example.
 19 | ---
 20 | 
 21 | ## __PROCEDURE:__
 22 | 
 23 | __NOTE(S)__:
 24 | - The steps below will create a subscription that collects __*Security logs*__ from the __Source Machine__ (MSEDGEWIN10)
 25 | 
 26 | ### __i. Start the WinRM service__
 27 | 
 28 | 1. Open __PowerShell__ on the Source Machine (MSEDGEWIN10):
 29 |    ```ps1
 30 |    winrm quickconfig
 31 |    ```
 32 |    __NOTE(S)__:
 33 |    - Add the Collector Machine to the Source Machine's trustedhosts:
 34 |      ```ps1
 35 |      Set-Item wsman:localhost/client/trustedhosts 192.168.150.133
 36 |      ```
 37 |    - Restart the service for changes to take effect:
 38 |      ```ps1
 39 |      Restart-Service WinRM
 40 |      ```
 41 | 
 42 | 2. Check if the service is running:
 43 |    ```ps1
 44 |    winrm get winrm/config
 45 |    ```
 46 |    ```
 47 |    ...omitted...
 48 |            AllowRemoteAccess = true
 49 |        Winrs
 50 |            AllowRemoteShellAccess = true
 51 |    ...omitted...
 52 |    ```
 53 |    __NOTE(S)__:
 54 |    - `AllowRemoteAccess = true` signifies that the service is running.
 55 | 
 56 | 3. Test if the Collector Machine (BOSSMANBEN) is reachable using WinRM:
 57 |    ```ps1
 58 |    Test-WSMan WIN-BO2CT95INDP
 59 |    ```
 60 |    ```
 61 |    wsmid           : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
 62 |    ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
 63 |    ProductVendor   : Microsoft Corporation
 64 |    ProductVersion  : OS: 0.0.0 SP: 0.0 Stack: 3.0
 65 |    ```
 66 |    __NOTE(S)__:
 67 |    - WinRM is __enabled by default__ on Windows Server 2012 and up.
 68 |    - This is just a measure to check if the Collector Machine is indeed reachable.
 69 | 
 70 | ### __ii. Add the Collector Machine to the Event Log Readers groups__
 71 | 
 72 | - __In the Source Machine (MSEDGEWIN10):__
 73 | 
 74 |   1. Open the __Local Users and Groups__:
 75 |     
 76 |      - Press `Win` + `R` then enter `lusrmgr.msc`
 77 | 
 78 |   2. Navigate to `Local Users and Groups (Local)` __>__ `Groups`:
 79 |       
 80 |      1. Right-click `Event Log Readers` and select `Properties`
 81 |      2. Select `Add...`
 82 | 
 83 |   3. Select `Object Types...` then check the box, `Computers`
 84 | 
 85 |   4. `Enter the object names to select` -- "__*WIN-BO2CT95INDP*__"
 86 | 
 87 |      __NOTE(S)__:
 88 |      - Select `Check Names` for good measure.
 89 | 
 90 |   5. Select `OK` when done.
 91 | 
 92 | ### __iii. Create Subscriptions using Event Viewer__
 93 | 
 94 | - __In the Collector Machine (WIN-BO2CT95INDP):__
 95 | 
 96 |   1. Open the __Event Viewer__:
 97 | 
 98 |      - Press `Win` + `R` then enter gpedit `eventvwr.msc`
 99 | 
100 |   2. On the left panel, right-click on `Subscriptions` then select `Create Subscription...`
101 | 
102 |      1. `Subscription Name` -- "__*Remote Security Logs*__"
103 | 
104 |      2. `Description` -- "__*Security Logs from the Domain Computer, MSEDGEWIN10*__"
105 |       
106 |      3. `Destination log` -- "__*Forwarded Events*__"
107 |         
108 |         __NOTE(S)__:
109 |         - Custom logs could be created but `Forwarded Events` is selected by default.
110 |         - Click [here](./Creating%20Custom%20Logs.md) to create custom logs.
111 | 
112 |      4. Select `Subscription type and source computers`:
113 | 
114 |         - If you choose `Collector initiated` then select `Select Computers...`:
115 | 
116 |           1. Select `Add Domain Computers...`
117 |           2. `Enter the object name to select` -- "__*MSEDGEWIN10*__"
118 |           3. Select `Check Names` for good measure.
119 |           4. Select `OK`
120 |           5. Select `Test` for good measure.
121 |           6. Select `OK`
122 | 
123 |         - If you choose `Source initiated` then select `Select Computer Groups...`:
124 | 
125 |           1. Select `Add Domain Computers...`
126 |           2. `Enter the object name to select` -- "__*MSEDGEWIN10*__"
127 |           3. Select `Check Names` for good measure.
128 |           4. Select `OK`
129 |           5. Select `Test` for good measure.
130 |           6. Select `OK`
131 | 
132 |           - On the Source Machine (MSEDGEWIN10):
133 |             
134 |             1. Press `Win` + `R` then enter `gpedit.msc`
135 |                
136 |                1. Navigate to `Computer Management` __>__ `Administrative Templates` __>__ `Windows Components` __>__ `Event Forwarding`
137 |                2. Right-click on `Configure target Subscription Manager` then select `Edit`
138 |                3. Choose `Enabled`
139 |                4. Under `Options`, beside `SubscriptionManagers`, press `Show...`
140 |                5. Enter `Server=http://win-bo2ct95indp.bossmanben.local:5985/wsman/SubscriptionManager/WEC,Refresh=30`
141 |                6. Press `OK`
142 |                7. Press `OK`
143 | 
144 |             2. Open __PowerShell__ or __cmd__ the run `gpupdate /force`
145 | 
146 |           - On the Collector Machine (WIN-BO2CT95INDP):
147 | 
148 |             1. Open __PowerShell__ or __cmd__ then run `wecutil quick-config`         
149 | 
150 |      5. Select `Select Events...`:
151 | 
152 |         1. `Logged` -- "__*Any time*__"
153 |         2. `Event level` -- __*Critical*__, __*Error*__, __*Information*__, __*Warning*__
154 |         3. Choose `By log` -- __*Windows*__ -> __*Security*__
155 |         4. Filter __Event IDs__ -- 4624,4657,4688,4698,4720,4722,4724,4732,4738,4769
156 |         5. Select `OK`
157 |    
158 |      6. Select `Advanced...`:
159 |          
160 |         1. `User Account` -- Choose `Machine Account`
161 |         2. `Event Delivery Optimization` -- Choose `Minimize Latency`
162 |         3. Select `OK`
163 | 
164 |         __NOTE(S)__:
165 |         - There are three `Event Delivery Optimization` options:
166 | 
167 |           OPTION | DESCRIPTION | INTERVAL
168 |           --- | --- | ---
169 |           Normal | Does not conserve bandwidth | 15 minutes via pull delivery
170 |           Minimize Bandwidth | Bandwidth for delivery is controlled | 6 hours via push delivery
171 |           Minimize Latency | Delivery with minimal delay | 30 seconds via push delivery 
172 | 
173 |      7. Select `OK`
174 | 
175 |   3. Right-click on the newly created subscription then select `Runtime Status`:
176 |      ```
177 |      [MSEDGEWIN10.bossmanben.local] - Error - Last retry time: 7/17/2019 8:27:52 PM. 
178 |      Code (0x138C): <f:ProviderFault provider="Event Forwarding Plugin" path="C:\Windows\system32\wevtfwd.dll" 
179 |      ```
180 | 
181 | - __In the Source Machine (WIN-BO2CT95INDP):__
182 | 
183 |   1. Run `wevtutil`:
184 |      ```ps1
185 |      wevtutil get-log Security
186 |      ```
187 |      ```
188 |      name: Security
189 |      enabled: true
190 |      type: Admin
191 |      owningPublisher:
192 |      isolation: Custom
193 |      channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
194 |      logging:
195 |        logFileName: %SystemRoot%\System32\Winevt\Logs\Security.evtx
196 |        retention: false
197 |        autoBackup: false
198 |        maxSize: 20971520
199 |      publishing:
200 |        fileMax: 1
201 |      ```
202 | 
203 |   2. Add the __Network Service Account__ (S-1-5-20) to the `channelAccess` field:
204 |      ```ps1
205 |      wevtutil set-log Security /ca:"O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)"
206 |      ```
207 |      __NOTE(S)__:
208 |      - WinRM runs under the __*Network Service Account*__ which had no access to the __Security Logs__
209 | 
210 | - __Going back to the Collector Machine (WIN-BO2CT95INDP):__
211 | 
212 |   1. Go to the __Event Viewer__:
213 | 
214 |      - Press `Win` + `R` then enter gpedit `eventvwr.msc`
215 | 
216 |   2. On the left panel, go to `Subscriptions` then select the recently created subscription
217 | 
218 |   3. On the right panel, under the __*subscription name*__, select `Retry`
219 | 
220 |   4. Right-click on the recently created subscription then select `Runtime Status`:
221 |      ```
222 |      [MSEDGEWIN10.bossmanben.local] - Active - : No additional status.
223 |      ```
224 |      __NOTE(S)__:
225 |      - An Event with __ID 100 (Name="SubscribeSuccess")__ will appear on __*Microsoft-Windows-Event-ForwardPlugin/Operational*__ in the Source Machine (MSEDGEWIN10)
226 | 
227 | ### __iv. Wait for logs to be sent to the Forwarded Events logs__
228 | 
229 | __NOTE(S)__:
230 | - TImestamps are preserved
231 | - Log contents are preserved
232 | 
233 | ---
234 | 
235 | ## __REFERENCES:__
236 | - https://www.vkernel.ro/blog/how-to-configure-windows-event-log-forwarding?fbclid=IwAR1bQ9VpgL--PWaqvEWcJBduR3xJ2UnBBhZmO7UGef-NXcKN9PCINZ3gmQ0
237 | - https://www.itprotoday.com/strategy/q-what-are-some-simple-tips-testing-and-troubleshooting-windows-event-forwarding-and?fbclid=IwAR3ceGoJU-jgkD2U_rVo2FmQee5M0spvE85lZRVw0FHv4YFTphLaX-5JJe8
238 | - https://rockyprogress.wordpress.com/2011/12/04/security-event-log-collection-from-a-domain-controller/?fbclid=IwAR01Puy9Wvr4eCQeV828raqfLesYJwVTw_8EAmDgvJIKYBVWoaT3giv24PA
239 | - https://blogs.technet.microsoft.com/supportingwindows/2016/07/18/setting-up-a-source-initiated-subscription-on-an-event-collector-computer/?fbclid=IwAR2JagIePrComWaIcZknK_92Igakb4_jvnrmJJnGpZlFGnms_2PM7z6trJc
240 | 


--------------------------------------------------------------------------------
/Creating Custom Logs.md:
--------------------------------------------------------------------------------
  1 | # CREATING __CUSTOM LOGS__ FOR __WINDOWS EVENT FORWARDER__
  2 | 
  3 | ## ENVIRONMENT
  4 | 
  5 | WINDOWS | OS | BUILD No. | REMARKS
  6 | --- | --- | --- | ---
  7 | WIN-BO2CT95INDP | Windows Server 2016 Standard | 10.0.14393 Build 14393 | Collector Machine
  8 | 
  9 | ---
 10 | 
 11 | ## APPLICATIONS/TOOLS USED
 12 | 
 13 | 1. Windows SDK (Development Kit):
 14 |    - ecmangen.exe
 15 |    - mc.exe (Message Compiler)
 16 |    - rc.exe (Resource Compiler)
 17 | 2. csc.exe (C# Compiler)
 18 | 3. wevtutil
 19 | 
 20 | __NOTE(S)__:
 21 | - __ecmangen.exe__ was removed from the Windows 10 SDK starting from 10.0.16299.15
 22 |   - Parallel installations of Windows SDK are allowed.
 23 |   - In this case, [Windows 10 SDK (10.0.14393.795)](https://go.microsoft.com/fwlink/p/?LinkId=838916) was installed alongside the latest SDK version.
 24 | - __csc.exe__ is included in the __*Microsoft .NET Framework*__.
 25 |   - __.NET Framework__ is native to Windows Operating Systems.
 26 |   - The Framework's version depends on the OS installed.
 27 | - __wevtutil__ is a command native to the __*Command Prompt*__
 28 | 
 29 | ---
 30 | 
 31 | ## PROCEDURE
 32 | 
 33 | 1. Create a manifest file:
 34 |    1. Open `ecmangen.exe`:
 35 | 
 36 |       ```
 37 |       C:\Program Files (x86)\Windows Kits\10\bin\x64\ecmangen.exe
 38 |       ```
 39 | 
 40 |    2. Create a new __*provider*__:
 41 |       
 42 |       1. On the left panel, right click on `Events Section` then select __New__ -> __Provider__.
 43 |       2. Fill up the following fields:
 44 | 
 45 |          FIELD | VALUE
 46 |          --- | ---
 47 |          Name | `WEF-Events`
 48 |          Symbol | `WEF_Events`
 49 |          GUID | Press `New` beside the input field
 50 |          Resources | `C:\Windows\System32\WEF-Events.dll`
 51 |          Messages | `C:\Windows\System32\WEF-Events.dll`
 52 | 
 53 |       3. On the right panel, click on `Save`.
 54 | 
 55 |    3. Create a new __*template*__:
 56 | 
 57 |       1. On the left panel, under `WEF-Events`, select `Templates`.
 58 |       2. On the right panel, select `New Template`. 
 59 |       3. Fill up the following fields:
 60 |  
 61 |          FIELD | VALUE
 62 |          --- | ---
 63 |          Name | `WEF-Template`
 64 |       
 65 |       4. Add `Field Attributes`:
 66 | 
 67 |          Name | InType | OutType | Count | Length
 68 |          --- | --- | --- | --- | ---
 69 |          Unicode | win:UnicodeString | xs:string | default | default
 70 |          UInt32 | win:UInt32 | xs:unsignedInt | default | -
 71 | 
 72 |       5. On the right panel, click `Save`.
 73 | 
 74 |    4. Create __*channels*__ (maximum of 8):
 75 |       
 76 |       1. On the left panel, under `WEF-Events`, select `Channels`.
 77 |       2. On the right panel, select `New Channel`.
 78 |       3. Fill up the following fields:
 79 | 
 80 |          NAME | SYMBOL | TYPE | ENABLE | DESCRIPTION | CHANNEL SECURITY
 81 |          --- | --- | --- | --- | --- | ---
 82 |          WEF-Security | WEF_Security | Operational | Yes | DC Security Logs | Default
 83 |          WEF-System | WEF_System | Operational | Yes | DC System Logs | Default
 84 |          WEF-PowerShell | WEF_PowerShell | Operational | Yes | DC PowerShell Logs | Default
 85 |          WEF-Sysmon | WEF_Sysmon | Operational | Yes | DC Sysmon Logs | Default
 86 | 
 87 |       4. On the right panel, click `Save`.
 88 | 
 89 |    5. Create a new __*event*__:
 90 |     
 91 |       1. On the left panel, under `WEF-Events`, select `Events`.
 92 |       2. On the right panel, select `New Event`.
 93 |       3. Fill up the following fields:
 94 |          
 95 |          FIELD | VALUE
 96 |          --- | ---
 97 |          Symbol | `WEF_Event`
 98 |          Event ID | `6969`
 99 |          Message | `$(string.WEF-Events.event.6969.message)`
100 |          Channel | `WEF-Security`
101 |          Template | `WEF-Template`
102 |          Keywoards | `win:AuditSuccess`, `win:AuditFailure`
103 |     
104 |       4. On the right panel, click on `Save`.
105 | 
106 |    6. Save the manifest file as "WEF_Events.man"
107 | 
108 |       __NOTE(S)__:
109 |       - Avoid using the character, '`-`', in the filename.
110 |         - The generated C# file during compiling will face an error.
111 | 
112 |       - Resulting manifest file (XML formatted):
113 | 
114 |         ```xml
115 |         <?xml version="1.0"?>
116 |         <instrumentationManifest xsi:schemaLocation="http://schemas.microsoft.com/win/2004/08/events eventman.xsd" xmlns="http://schemas.microsoft.com/win/2004/08/events" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:trace="http://schemas.microsoft.com/win/2004/08/events/trace">
117 |         	<instrumentation>
118 |         		<events>
119 |         			<provider name="WEF-Events" guid="{CB3EB4AA-FEDD-41C4-A7BB-E173045E4DC7}" symbol="WEF_Events" resourceFileName="C:\Windows\System32\WEF_Events.dll" messageFileName="C:\Windows\System32\WEF_Events.dll">
120 |         				<events>
121 |         					<event symbol="WEF_Event" value="6969" version="0" channel="WEF-Security" template="WEF-Template" keywords="win:AuditSuccess win:AuditFailure " message="$(string.WEF-Events.event.6969.message)"></event>
122 |         				</events>
123 |         				<channels>
124 |         					<channel name="WEF-Security" chid="WEF-Security" symbol="WEF_Security" type="Operational" enabled="true" message="$(string.WEF-Events.channel.WEF_Security.message)"></channel>
125 |         					<channel name="WEF-System" chid="WEF-System" symbol="WEF_System" type="Operational" enabled="true" message="$(string.WEF-Events.channel.WEF_System.message)"></channel>
126 |         					<channel name="WEF-PowerShell" chid="WEF-PowerShell" symbol="WEF_PowerShell" type="Operational" enabled="true" message="$(string.WEF-Events.channel.WEF_PowerShell.message)"></channel>
127 |         					<channel name="WEF-Sysmon" chid="WEF-Sysmon" symbol="WEF_Sysmon" type="Operational" enabled="true" message="$(string.WEF-Events.channel.WEF_Sysmon.message)"></channel>
128 |         				</channels>
129 |         				<keywords></keywords>
130 |         				<templates>
131 |         					<template tid="WEF-Template">
132 |         						<data name="Unicode" inType="win:UnicodeString" outType="xs:string"></data>
133 |         						<data name="UInt32" inType="win:UInt32" outType="xs:unsignedInt"></data>
134 |         					</template>
135 |         				</templates>
136 |         			</provider>
137 |         		</events>
138 |         	</instrumentation>
139 |         	<localization>
140 |         		<resources culture="en-US">
141 |         			<stringTable>
142 |         				<string id="keyword.AuditSuccess" value="Audit Success"></string>
143 |         				<string id="keyword.AuditFailure" value="Audit Failure"></string>
144 |         				<string id="WEF-Events.event.6969.message" value="$(string.WEF-Events.event.6969.message)"></string>
145 |         				<string id="WEF-Events.channel.WEF_System.message" value="DC System Logs"></string>
146 |         				<string id="WEF-Events.channel.WEF_Sysmon.message" value="DC Sysmon Logs"></string>
147 |         				<string id="WEF-Events.channel.WEF_Security.message" value="DC Security Logs"></string>
148 |         				<string id="WEF-Events.channel.WEF_PowerShell.message" value="DC PowerShell Logs"></string>
149 |         			</stringTable>
150 |         		</resources>
151 |         	</localization>
152 |         </instrumentationManifest>
153 |         ```
154 | 
155 | 2. Compile the manifest file and generate relevant files (e.g. WEF-Events.dll)
156 | 
157 |    1. Press `Win` + `R` then enter `cmd`.
158 |    2. Navigate to where `WEF_Events.man` was saved.
159 |    3. Enter the following commands:
160 | 
161 |       1. __mc.exe__ (Message Compiler)
162 |         
163 |          ```cmd
164 |          "C:\Program Files (x86)\Windows Kits\10\bin\x64\mc.exe" WEF_Events.man
165 |          "C:\Program Files (x86)\Windows Kits\10\bin\x64\mc.exe" -css WEF_Events.DummyEvent WEF_Events.man
166 |          ```
167 |          __NOTE(S)__:
168 |          - The compiler generates the message resource files to which your application links.
169 |          - Switches used:
170 |   
171 |            OPTION | DESCRIPTION
172 |            --- | ---
173 |            -css &lt;namespace> | <ul><li>Generates a __static__ C# class</li><li>It includes the methods that you would call to log the events defined in your manifest</li></ul>
174 | 
175 |          - File(s) generated after execution:
176 | 
177 |            - MSG00001.bin
178 |            - WEF_Events.cs
179 |            - WEF_Events.h
180 |            - WEF_Events.rc
181 |            - WEF_EventsTEMP.bin
182 | 
183 |       2. __rc.exe__ (Resource Compiler)
184 | 
185 |          ```cmd
186 |          "C:\Program Files (x86)\Windows Kits\10\bin\x64\rc.exe" WEF_Events.rc
187 |          
188 |          # Microsoft (R) Windows (R) Resource Compiler Version 10.0.10011.16384
189 |          # Copyright (C) Microsoft Corporation.  All rights reserved.
190 |          ```
191 |          __NOTE(S)__:
192 |          - `rc.exe` compiles an application's resources and could be used to build Windows-based applications.
193 |          - File(s) generated after execution:
194 | 
195 |            - WEF_Events.res
196 |         
197 |       3. __csc.exe__ (C# Compiler)
198 |          ```cmd
199 |          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /win32res:WEF_Events.res /unsafe /target:library /out:WEF_Events.dll WEF_Events.cs
200 |          ```
201 |          __NOTE(S)__:
202 |          - No output means the command was successfully executed 
203 |          - Switches used:
204 |              
205 |            OPTION | DESCRIPTION
206 |            --- | ---
207 |            /win32res:&lt;file> | Specify a Win32 resource file (.res) 
208 |            /unsafe | Allow 'unsafe' code
209 |            /target:library | Build a library (Short form: /t:library)
210 |            /out:&lt;file> | Specify output file name (default: base name of file with main class or first file)
211 | 
212 |          - File(s) generated after execution:
213 | 
214 |            - WEF_Events.dll
215 | 
216 | 3. Install the __manifest file__ with the matching __dll file__:
217 | 
218 |    1. Move both files to the `C:\Windows\System32` directory:
219 | 
220 |       ```cmd
221 |       copy .\WEF_Events.man C:\Windows\System32\WEF_Events.man
222 |       copy .\WEF_Events.dll C:\Windows\System32\WEF_Events.dll
223 |       ```
224 | 
225 |    2. Install the manifest file using `wevtutil`:
226 |      
227 |       ```cmd
228 |       wevtutil im C:\Windows\System32\WEF_Events.man
229 |       ```
230 | 4. The created logs should appear under `Applications and Services Logs` inside __Event Viewer__
231 | 
232 |    __NOTE(S)__:
233 |    - The logs generated could be used for created subscriptions.
234 |    - Additional columns could be added/removed from the logs (e.g. `Log`, `Computer`) 
235 | 
236 | ---
237 | 
238 | ## REFERENCES
239 | 
240 | - https://blogs.technet.microsoft.com/russellt/2016/05/18/creating-custom-windows-event-forwarding-logs/
241 | - https://stackoverflow.com/questions/53028775/cannot-locate-ecmangen
242 | - https://developer.microsoft.com/en-us/windows/downloads/sdk-archive
243 | - https://blogs.msdn.microsoft.com/astebner/2007/03/14/mailbag-what-version-of-the-net-framework-is-included-in-what-version-of-the-os/
244 | - https://docs.microsoft.com/en-us/windows/win32/wes/message-compiler--mc-exe-         
245 | - https://docs.microsoft.com/en-us/windows/win32/menurc/using-rc-the-rc-command-line-
246 | 


--------------------------------------------------------------------------------