AlistairDyer
asked on
C# wmi security logs
Hi, I am using c# WMI to iterate through the application, security and system eventlogs. This all works fine apart from I cannot enumerate the Security log (I am a local admin on the computer) I use the win32_nteventlog. How do I get all the events inside the security log? Thanks.
ASKER
So there is no way to query the security log through WMI? You have to use a token? I have managed to get the security log from WMI using VB6.0 without an issue... there must be an easier way of getting the log than this?
Huh? Sure, there's a way to read the security log through WMI with a managed application!
All you have to do is adjust a security token before you connect via WMI. After you've performed that little feat of magic, your existing code to read the event logs will now work for the Security log file. There's nothing else to do.
Did you need help translating the example to C#?
All you have to do is adjust a security token before you connect via WMI. After you've performed that little feat of magic, your existing code to read the event logs will now work for the Security log file. There's nothing else to do.
Did you need help translating the example to C#?
ASKER
Yes please :)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Here is an example that does precisely that. (Sorry, it's written in VB.Net, but I'd bet it'd be trivial to convert)
Imports System.Runtime.InteropServ
Public Class SetSeSecurityPrivilege
<StructLayout(LayoutKind.S
Private Structure LUID_AND_ATTRIBUTES
Dim Luid As Long
Dim Attributes As Integer
End Structure
<StructLayout(LayoutKind.S
Private Structure TOKEN_PRIVILEGES
Dim PrivilegeCount As Integer
Dim Privilege1 As LUID_AND_ATTRIBUTES
End Structure
'BOOL OpenProcessToken(
' HANDLE ProcessHandle,
' DWORD DesiredAccess,
' PHANDLE TokenHandle
');
Private Declare Function OpenProcessToken Lib "advapi32.dll" ( _
ByVal ProcessHandle As IntPtr, _
ByVal DesiredAccess As Integer, _
ByRef TokenHandle As IntPtr _
) As Boolean
'BOOL LookupPrivilegeValue(
' LPCTSTR lpSystemName,
' LPCTSTR lpName,
' PLUID lpLuid
');
Private Declare Auto Function LookupPrivilegeValue Lib "advapi32.dll" ( _
ByVal lpSystemName As String, _
ByVal lpName As String, _
ByRef lpLuid As Long _
) As Boolean
'BOOL AdjustTokenPrivileges(
' HANDLE TokenHandle,
' BOOL DisableAllPrivileges,
' PTOKEN_PRIVILEGES NewState,
' DWORD BufferLength,
' PTOKEN_PRIVILEGES PreviousState,
' PDWORD ReturnLength
');
Private Declare Function AdjustTokenPrivileges Lib "advapi32.dll" ( _
ByVal TokenHandle As IntPtr, _
ByVal DisableAllPrivileges As Boolean, _
ByRef NewState As TOKEN_PRIVILEGES, _
ByVal BufferLength As Integer, _
ByVal PreviousState As IntPtr, _
ByVal ReturnLength As IntPtr _
) As Boolean
Private Const TOKEN_QUERY As Integer = &H8
Private Const TOKEN_ADJUST_PRIVILEGES As Integer = &H20
Private Const SE_SECURITY_NAME As String = "SeSecurityPrivilege"
Private Const SE_PRIVILEGE_ENABLED As Integer = &H2
'
' Set the privileges for reading the Security Logs
'
Public Function SetPrivileges() As Boolean
Dim hProc, hToken As IntPtr
Dim luid_Security As Long
Dim tp As New TOKEN_PRIVILEGES
' Get the current process's token
hProc = Process.GetCurrentProcess(
hToken = IntPtr.Zero
If Not OpenProcessToken(hProc, TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, hToken) Then
Return False
End If
' Get the LUIDs for the Security privilege
luid_Security = 0
If Not LookupPrivilegeValue(Nothi
Return False
End If
tp.PrivilegeCount = 1
tp.Privilege1.Luid = luid_Security
tp.Privilege1.Attributes = SE_PRIVILEGE_ENABLED
' Enable the privileges
If Not AdjustTokenPrivileges(hTok
Return False
End If
Return True
End Function
End Class