Link to home
Start Free TrialLog in
Avatar of AlistairDyer
AlistairDyer

asked on

C# wmi security logs

Hi, I am using c# WMI to iterate through the application, security and system eventlogs.  This all works fine apart from I cannot enumerate the Security log (I am a local admin on the computer) I use the win32_nteventlog.  How do I get all the events inside the security log?  Thanks.
Avatar of graye
graye
Flag of United States of America image

Reading from the Event Logs requries a privilege that is not enabled by default (even for administrators).   You'll have to write a small routine to enable the SeSecurityPrivilege on the current thread.

Here is an example that does precisely that.  (Sorry, it's written in VB.Net, but I'd bet it'd be trivial to convert)

Imports System.Runtime.InteropServices
Public Class SetSeSecurityPrivilege

    <StructLayout(LayoutKind.Sequential, Pack:=4)> _
    Private Structure LUID_AND_ATTRIBUTES
        Dim Luid As Long
        Dim Attributes As Integer
    End Structure

    <StructLayout(LayoutKind.Sequential, Pack:=4)> _
    Private Structure TOKEN_PRIVILEGES
        Dim PrivilegeCount As Integer
        Dim Privilege1 As LUID_AND_ATTRIBUTES
    End Structure

    'BOOL OpenProcessToken(
    '  HANDLE ProcessHandle,
    '  DWORD DesiredAccess,
    '  PHANDLE TokenHandle
    ');
    Private Declare Function OpenProcessToken Lib "advapi32.dll" ( _
        ByVal ProcessHandle As IntPtr, _
        ByVal DesiredAccess As Integer, _
        ByRef TokenHandle As IntPtr _
    ) As Boolean

    'BOOL LookupPrivilegeValue(
    '  LPCTSTR lpSystemName,
    '  LPCTSTR lpName,
    '  PLUID lpLuid
    ');

    Private Declare Auto Function LookupPrivilegeValue Lib "advapi32.dll" ( _
        ByVal lpSystemName As String, _
        ByVal lpName As String, _
        ByRef lpLuid As Long _
    ) As Boolean

    'BOOL AdjustTokenPrivileges(
    '  HANDLE TokenHandle,
    '  BOOL DisableAllPrivileges,
    '  PTOKEN_PRIVILEGES NewState,
    '  DWORD BufferLength,
    '  PTOKEN_PRIVILEGES PreviousState,
    '  PDWORD ReturnLength
    ');
    Private Declare Function AdjustTokenPrivileges Lib "advapi32.dll" ( _
        ByVal TokenHandle As IntPtr, _
        ByVal DisableAllPrivileges As Boolean, _
        ByRef NewState As TOKEN_PRIVILEGES, _
        ByVal BufferLength As Integer, _
        ByVal PreviousState As IntPtr, _
        ByVal ReturnLength As IntPtr _
    ) As Boolean

    Private Const TOKEN_QUERY As Integer = &H8
    Private Const TOKEN_ADJUST_PRIVILEGES As Integer = &H20
    Private Const SE_SECURITY_NAME As String = "SeSecurityPrivilege"
    Private Const SE_PRIVILEGE_ENABLED As Integer = &H2
    '
    ' Set the privileges for reading the Security Logs
    '
    Public Function SetPrivileges() As Boolean
        Dim hProc, hToken As IntPtr
        Dim luid_Security As Long
        Dim tp As New TOKEN_PRIVILEGES

        ' Get the current process's token
        hProc = Process.GetCurrentProcess().Handle
        hToken = IntPtr.Zero
        If Not OpenProcessToken(hProc, TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, hToken) Then
            Return False
        End If

        ' Get the LUIDs for the Security privilege
        luid_Security = 0
        If Not LookupPrivilegeValue(Nothing, SE_SECURITY_NAME, luid_Security) Then
            Return False
        End If

        tp.PrivilegeCount = 1
        tp.Privilege1.Luid = luid_Security
        tp.Privilege1.Attributes = SE_PRIVILEGE_ENABLED

        ' Enable the privileges
        If Not AdjustTokenPrivileges(hToken, False, tp, 0, IntPtr.Zero, IntPtr.Zero) Then
            Return False
        End If

        Return True
    End Function
End Class
Avatar of AlistairDyer
AlistairDyer

ASKER

So there is no way to query the security log through WMI?  You have to use a token? I have managed to get the security log from WMI using VB6.0 without an issue...  there must be an easier way of getting the log than this?
Huh?  Sure, there's a way to read the security log through WMI with a managed application!

All you have to do is adjust a security token before you connect via WMI.  After you've performed that little feat of magic, your existing code to read the event logs will now work for the Security log file.  There's nothing else to do.

Did you need help translating the example to C#?
Yes please :)
ASKER CERTIFIED SOLUTION
Avatar of graye
graye
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial