Programming NT security log

Posted on 1997-06-23
Last Modified: 2013-12-28
HI,

Does anyone know how to retrieve events logged in the security log file in Windows NT?

I'm programming using Windows SDK.  Are there APIs that I can use to retrieve the information I want from the security log file?

Thanks!
kianbeng

Question by:YamSeng

Accepted Solution

by:
moosach earned 20 total points
Hi,

that shouldn't be a major problem.  There are a couple of APIs in the Win32 SDK like OpenEventLog, ReadEventLog and so on.

Check also the MS Knowledge Base article below. It is still valid for NT 4.0.

Regards

Toni

.......................................................................................................

 Accessing the Event Logs

PSS ID Number: Q108230
Article last modified on 11-02-1995
PSS database name: WIN32SDK
 
3.10 3.50
 
WINDOWS NT
 

-------------------------------------------------------------------------
The information in this article applies to:
 
 - Microsoft Win32 Application Programming Interface (API) included with:
 
    - Microsoft Windows NT versions 3.1 and 3.5
-------------------------------------------------------------------------
 
SUMMARY
=======
 
Event logs are used to store significant events, such as warnings, errors,
or information. There are five operations that can be performed on event
logs through the event logging application programming interface (API):
backup, clear, query, read, and write.
 
The default event logs are the Application event log, the Security event
log, and the System event log. Access to these event logs is determined by
which account the application is running under.
 
MORE INFORMATION
================
 
The following table shows which accounts are granted access to which logs
and what type of access is granted under Windows NT 3.1:
 
   Log           Account     Access Granted
   -------------------------------------------
   Application   LocalSys    read write clear
                 Admins      read write clear
                 ServerOp    read write clear
                 World       read write
 
   Security      LocalSys    read write clear
                 Admins      read       clear
 
   System        LocalSys    read write clear
                 Admins      read       clear
                 ServerOp    read       clear
                 World       read
   -------------------------------------------
   Table 1 - access granted in Windows NT 3.1
 
The Local System account (LocalSys) is a special account that may be used
by Windows NT services. The Administrator account (Admins) consists of the
administrators for the system. The Server Operator account (ServerOp)
consists of the administrators of the domain server. The World account
includes all users on all systems.
 
Changes made were for Windows NT 3.5:
 
   Log           Account     Access Granted
   -------------------------------------------
   Application   LocalSys    read write clear
                 Admins      read write clear
                 ServerOp    read write clear
                 World       read write
 
   Security      LocalSys    read write clear
                 Admins      read       clear
                 World       read       clear *
 
   System        LocalSys    read write clear
                 Admins      read write clear **
                 ServerOp    read       clear
                 World       read
   -------------------------------------------
   Table 2 - access granted under Windows NT 3.5
 
    * Users that have been granted manage auditing and security log rights
      can read and clear the Security log.
 
   ** Admins can write to the System log.
 
The following table shows which types of access are required for the
corresponding event logging API:
 
   Event Logging API         Access Required
   -------------------------------------------
   OpenEventLog()            read
   OpenBackupEventLog()      read
   RegisterEventSource()     write
   ClearEventLog()           clear
   -------------------------------------------
   Table 3 - access required for event logging APIs
 
As an example, OpenEventLog() requires read access (see Table 2). A member
of the ServerOp account can call OpenEventLog() for the Application event
log and the System event log, because ServerOp has read access for both of
these logs (see Table 1). However, a member of the ServerOp account cannot
call OpenEventLog() for the Security log, because it does not have read
access for this log (see Table 1).
 
Additional reference words: 3.10 3.50
KBCategory: kbprg
KBSubcategory: BseMisc
=============================================================================
Copyright Microsoft Corporation 1995.
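Toni's pointer to OpenEventLog and ReadEventLog is the whole answer on the Win32 side; what the SDK leaves to the caller is walking the variable-length EVENTLOGRECORD structures that ReadEventLog packs back to back into the buffer. The C below is an added example, not code from the original question, the answer or the KB article. On Windows it compiles against the real API (link with advapi32) and reads the live Security log; off Windows it uses local stand-ins for the SDK types so the same walker can be exercised on a constructed two-record buffer. The `event_summary` type, the `walk_records`, `read_security_log` and `build_sample_*` names, and the sample record numbers, event IDs 528 and 529 (the NT logon success and failure audit IDs) and "HOST" computer name are my assumptions, not values from the page.

```c
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else  /* stand-ins for the Win32 definitions so the parser builds off Windows */
typedef uint32_t DWORD;
typedef uint16_t WORD;
typedef struct _EVENTLOGRECORD {            /* same 56-byte header as winnt.h */
    DWORD Length, Reserved, RecordNumber, TimeGenerated, TimeWritten, EventID;
    WORD  EventType, NumStrings, EventCategory, ReservedFlags;
    DWORD ClosingRecordNumber, StringOffset, UserSidLength, UserSidOffset;
    DWORD DataLength, DataOffset;
    /* then WCHAR SourceName[], WCHAR Computername[], SID, WCHAR Strings[],
     * BYTE Data[], padding to a DWORD boundary, and Length repeated */
} EVENTLOGRECORD;
#define EVENTLOG_AUDIT_SUCCESS 0x0008
#define EVENTLOG_AUDIT_FAILURE 0x0010
#endif
#define LOG_RECORD_SIGNATURE 0x654c664cUL   /* "LfLe", kept in Reserved */

typedef struct {                /* summary type of my own, not an SDK one */
    DWORD record_number;
    DWORD event_id;             /* low 16 bits of EventID, as Event Viewer shows it */
    WORD  event_type;
    char  source[64];           /* SourceName narrowed from UTF-16LE */
} event_summary;

/* Walks the records ReadEventLog() packed into buf and returns how many were
 * parsed; stops at the first record that is truncated or fails its checks. */
int walk_records(const unsigned char *buf, DWORD bytes_read,
                 event_summary *out, int max_out)
{
    DWORD pos = 0, tail, i;
    int n = 0;
    EVENTLOGRECORD rec;
    const unsigned char *p, *end;
    while (n < max_out && pos + sizeof rec <= bytes_read) {
        memcpy(&rec, buf + pos, sizeof rec);    /* avoid unaligned reads */
        if (rec.Reserved != LOG_RECORD_SIGNATURE || rec.Length % 4 ||
            rec.Length < sizeof rec + sizeof(DWORD) || rec.Length > bytes_read - pos)
            break;
        memcpy(&tail, buf + pos + rec.Length - sizeof(DWORD), sizeof tail);
        if (tail != rec.Length)                 /* trailing Length must match */
            break;
        out[n].record_number = rec.RecordNumber;
        out[n].event_id = rec.EventID & 0xFFFF;
        out[n].event_type = rec.EventType;
        p = buf + pos + sizeof rec;             /* SourceName follows the header */
        end = buf + pos + rec.Length;
        for (i = 0; p + 1 < end && (p[0] || p[1]) && i < sizeof out[n].source - 1; p += 2)
            out[n].source[i++] = (p[1] == 0 && p[0] < 0x80) ? (char)p[0] : '?';
        out[n].source[i] = '\0';
        pos += rec.Length;
        n++;
    }
    return n;
}

#ifdef _WIN32
/* Live read of the Security log, newest record first. OpenEventLog fails with
 * ERROR_ACCESS_DENIED unless the caller has read access on it (Table 2). */
int read_security_log(event_summary *out, int max_out)
{
    static unsigned char buf[65536];
    DWORD got = 0, needed = 0;
    int n = 0;
    HANDLE h = OpenEventLog(NULL, TEXT("Security"));
    if (!h) return -1;
    while (n < max_out && ReadEventLog(h, EVENTLOG_SEQUENTIAL_READ |
           EVENTLOG_BACKWARDS_READ, 0, buf, sizeof buf, &got, &needed))
        n += walk_records(buf, got, out + n, max_out - n);
    CloseEventLog(h);
    return n;
}
#endif

/* Constructed test data: one well-formed record with a SourceName and a
 * Computername of "HOST" but no SID, strings or data. Returns its length. */
DWORD build_sample_record(unsigned char *dst, DWORD recnum, DWORD eventid,
                          WORD type, const char *source)
{
    const char *text[2] = { source, "HOST" };
    EVENTLOGRECORD hdr;
    size_t off = sizeof hdr;
    memset(&hdr, 0, sizeof hdr);
    for (int s = 0; s < 2; s++) {               /* ASCII -> UTF-16LE + terminator */
        for (const char *c = text[s]; *c; c++) { dst[off++] = (unsigned char)*c; dst[off++] = 0; }
        dst[off++] = 0; dst[off++] = 0;
    }
    while (off % 4) dst[off++] = 0;             /* pad to a DWORD boundary */
    hdr.Length = (DWORD)(off + sizeof(DWORD)); hdr.Reserved = LOG_RECORD_SIGNATURE;
    hdr.RecordNumber = recnum; hdr.EventID = eventid; hdr.EventType = type;
    hdr.StringOffset = hdr.UserSidOffset = hdr.DataOffset = (DWORD)off;
    memcpy(dst, &hdr, sizeof hdr);
    memcpy(dst + off, &hdr.Length, sizeof(DWORD));
    return hdr.Length;
}

/* Two constructed Security records (528 logon success, 529 logon failure). */
DWORD build_sample_buffer(unsigned char *buf)
{
    DWORD used = build_sample_record(buf, 1001, 528, EVENTLOG_AUDIT_SUCCESS, "Security");
    used += build_sample_record(buf + used, 1002, 529, EVENTLOG_AUDIT_FAILURE, "Security");
    return used;
}
```

Because of the rights in Table 2, `OpenEventLog(NULL, "Security")` succeeds only for Local System, Administrators or an account holding the "Manage auditing and security log" right; for anyone else it returns NULL with ERROR_ACCESS_DENIED. `ReadEventLog` returns FALSE with ERROR_HANDLE_EOF once the log is exhausted, or ERROR_INSUFFICIENT_BUFFER with the size required in `needed` if a single record does not fit; 64 KB covers normal records. The walker checks each record's signature, DWORD alignment and repeated trailing Length before trusting any of its offsets, which is what keeps a truncated or damaged buffer from turning into an out-of-bounds read.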
Author Comment

by:YamSeng
I've got the answer... thanks!