Solved

Programming NT security log

Posted on 1997-06-23
Last Modified: 2013-12-28
Hi,

Does anyone know how to retrieve events logged by the security log file in Windows NT?

I'm programming using Windows SDK.  Are there APIs that I can use to retrieve the information I want from the security log file?

Thanks!
kianbeng

Question by:YamSeng
2 Comments
 
Accepted Solution

by:
moosach earned 20 total points
ID: 1779125
Hi,

That shouldn't be a major problem. There are a couple of APIs in the Win32 SDK like OpenEventLog, ReadEventLog and so on.

Check also the MS Knowledge Base article below. It is still valid for NT 4.0.

Regards

Toni

.......................................................................................................

 Accessing the Event Logs

PSS ID Number: Q108230
Article last modified on 11-02-1995
PSS database name: WIN32SDK
 
3.10 3.50
 
WINDOWS NT
 

-------------------------------------------------------------------------
The information in this article applies to:
 
 - Microsoft Win32 Application Programming Interface (API) included with:
 
    - Microsoft Windows NT versions 3.1 and 3.5
-------------------------------------------------------------------------
 
SUMMARY
=======
 
Event logs are used to store significant events, such as warnings, errors,
or information. There are five operations that can be performed on event
logs through the event logging application programming interface (API):
backup, clear, query, read, and write.
 
The default event logs are the Application event log, the Security event
log, and the System event log. Access to these event logs is determined by
which account the application is running under.
 
MORE INFORMATION
================
 
The following table shows which accounts are granted access to which logs
and what type of access is granted under Windows NT 3.1:
 
   Log           Account     Access Granted
   -------------------------------------------
   Application   LocalSys    read write clear
                 Admins      read write clear
                 ServerOp    read write clear
                 World       read write
 
   Security      LocalSys    read write clear
                 Admins      read       clear
 
   System        LocalSys    read write clear
                 Admins      read       clear
                 ServerOp    read       clear
                 World       read
   -------------------------------------------
   Table 1 - access granted in Windows NT 3.1
 
The Local System account (LocalSys) is a special account that may be used
by Windows NT services. The Administrator account (Admins) consists of the
administrators for the system. The Server Operator account (ServerOp)
consists of the administrators of the domain server. The World account
includes all users on all systems.
 
Changes made were for Windows NT 3.5:
 
   Log           Account     Access Granted
   -------------------------------------------
   Application   LocalSys    read write clear
                 Admins      read write clear
                 ServerOp    read write clear
                 World       read write
 
   Security      LocalSys    read write clear
                 Admins      read       clear
                 World       read       clear *
 
   System        LocalSys    read write clear
                 Admins      read write clear **
                 ServerOp    read       clear
                 World       read
   -------------------------------------------
   Table 2 - access granted under Windows NT 3.5
 
    * Users that have been granted manage auditing and security log rights
      can read and clear the Security log.
 
   ** Admins can write to the System log.
 
The following table shows which types of access are required for the
corresponding event logging API:
 
   Event Logging API         Access Required
   -------------------------------------------
   OpenEventLog()            read
   OpenBackupEventLog()      read
   RegisterEventSource()     write
   ClearEventLog()           clear
   -------------------------------------------
   Table 3 - access required for event logging APIs
 
As an example, OpenEventLog() requires read access (see Table 3). A member
of the ServerOp account can call OpenEventLog() for the Application event
log and the System event log, because ServerOp has read access for both of
these logs (see Table 1). However, a member of the ServerOp account cannot
call OpenEventLog() for the Security log, because it does not have read
access for this log (see Table 1).
 
Additional reference words: 3.10 3.50
KBCategory: kbprg
KBSubcategory: BseMisc
=============================================================================
Copyright Microsoft Corporation 1995.


 

0
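The approach the accepted answer describes, as an added worked example (this is not code from the thread, the SDK samples or Microsoft): open the Security log with OpenEventLog, pull records with ReadEventLog, and walk the EVENTLOGRECORD buffer it fills, counting audit successes and failures and rejecting a truncated or mis-sized record. Assumptions: the EVENTLOGRECORD stand-in mirrors the winnt.h layout so the record walker also compiles off Windows; the three sample records are constructed here, not real log data; the event numbers 528 and 529 (NT 4.0 logon success and failure audits) are used only for illustration; and a 64 KB read buffer is assumed to hold any single record.

```c
/* Added example: read an NT event log with OpenEventLog/ReadEventLog and walk the
 * EVENTLOGRECORD buffer.  The walker is portable; the API calls build only under _WIN32. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Stand-ins with the same layout as winnt.h (assumption) so the walker builds elsewhere. */
typedef uint32_t DWORD;
typedef uint16_t WORD;
typedef struct {
    DWORD Length, Reserved, RecordNumber, TimeGenerated, TimeWritten, EventID;
    WORD  EventType, NumStrings, EventCategory, ReservedFlags;
    DWORD ClosingRecordNumber, StringOffset, UserSidLength, UserSidOffset, DataLength, DataOffset;
} EVENTLOGRECORD;   /* SourceName, Computername, SID, strings, data and a copy of Length follow */
#define EVENTLOG_AUDIT_SUCCESS 0x0008
#define EVENTLOG_AUDIT_FAILURE 0x0010
#endif

typedef struct { DWORD records, audit_successes, audit_failures, last_record_number; } LogSummary;

/* Walk one buffer returned by ReadEventLog.  Records sit back to back; each starts with the
 * header and ends with a second copy of Length.  Returns the number of records in this buffer,
 * or -1 if a record runs past the buffer or its trailing Length disagrees with the header. */
int summarize_buffer(const unsigned char *buf, DWORD bytes_read, LogSummary *s)
{
    DWORD off = 0, n = 0;
    while (off + sizeof(EVENTLOGRECORD) <= bytes_read) {
        EVENTLOGRECORD rec; DWORD tail;
        memcpy(&rec, buf + off, sizeof rec);                      /* copy out: no unaligned access */
        if (rec.Length < sizeof(EVENTLOGRECORD) + sizeof(DWORD) || rec.Length > bytes_read - off)
            return -1;                                            /* truncated or bogus record */
        memcpy(&tail, buf + off + rec.Length - sizeof(DWORD), sizeof tail);
        if (tail != rec.Length) return -1;                        /* header/trailer mismatch */
        if (rec.EventType == EVENTLOG_AUDIT_SUCCESS) s->audit_successes++;
        else if (rec.EventType == EVENTLOG_AUDIT_FAILURE) s->audit_failures++;
        s->last_record_number = rec.RecordNumber;                 /* (rec.EventID & 0xFFFF) is the
                                                                     number Event Viewer shows */
        s->records++; n++;
        off += rec.Length;
    }
    return (int)n;
}

#ifdef _WIN32
/* Open the local Security log and feed every ReadEventLog buffer to the walker.  Per the KB
 * tables the caller needs read access to that log (LocalSystem, Administrators, or a holder of
 * "Manage auditing and security log"); anyone else gets ERROR_ACCESS_DENIED from OpenEventLog. */
int summarize_security_log(LogSummary *s)
{
    static unsigned char buf[65536];                              /* assumed to fit any one record */
    DWORD got, need, err;
    HANDLE h = OpenEventLogA(NULL, "Security");                   /* NULL server = local machine */
    if (h == NULL) {
        err = GetLastError();
        fprintf(stderr, "OpenEventLog failed: %lu%s\n", err,
                err == ERROR_ACCESS_DENIED ? " (no read access to the Security log)" : "");
        return -1;
    }
    while (ReadEventLogA(h, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0,
                         buf, sizeof buf, &got, &need)) {
        if (summarize_buffer(buf, got, s) < 0) { CloseEventLog(h); return -1; }
    }
    err = GetLastError();                                         /* ERROR_HANDLE_EOF = clean end */
    CloseEventLog(h);
    return err == ERROR_HANDLE_EOF ? (int)s->records : -1;
}
#endif

/* Build one record the way the log stores it: header, SourceName and Computername as
 * NUL-terminated UTF-16 strings, DWORD padding, trailing Length.  Test data only. */
DWORD build_record(unsigned char *out, DWORD recno, DWORD event_id, WORD type,
                   const char *source, const char *computer)
{
    EVENTLOGRECORD rec; size_t i, n = sizeof rec;
    memset(&rec, 0, sizeof rec);
    for (i = 0; i <= strlen(source); i++)   { out[n++] = (unsigned char)source[i];   out[n++] = 0; }
    for (i = 0; i <= strlen(computer); i++) { out[n++] = (unsigned char)computer[i]; out[n++] = 0; }
    while (n % 4) out[n++] = 0;
    rec.StringOffset = rec.UserSidOffset = rec.DataOffset = (DWORD)n;   /* no SID/strings/data */
    rec.Length = (DWORD)(n + sizeof(DWORD));
    rec.RecordNumber = recno; rec.EventID = event_id; rec.EventType = type;
    memcpy(out, &rec, sizeof rec);
    memcpy(out + n, &rec.Length, sizeof(DWORD));
    return rec.Length;
}

/* Constructed sample (not real log data): two logon successes (528) around one failure (529). */
int demo_constructed_buffer(LogSummary *s)
{
    unsigned char buf[512]; DWORD len = 0;
    len += build_record(buf + len, 101, 528, EVENTLOG_AUDIT_SUCCESS, "Security", "NTSRV1");
    len += build_record(buf + len, 102, 529, EVENTLOG_AUDIT_FAILURE, "Security", "NTSRV1");
    len += build_record(buf + len, 103, 528, EVENTLOG_AUDIT_SUCCESS, "Security", "NTSRV1");
    memset(s, 0, sizeof *s);
    return summarize_buffer(buf, len, s);
}

int main(void)
{
    LogSummary s = {0, 0, 0, 0};
#ifdef _WIN32
    int rc = summarize_security_log(&s);   /* real log: run as Administrator */
#else
    int rc = demo_constructed_buffer(&s);  /* elsewhere: walk the constructed sample */
#endif
    printf("rc=%d records=%lu success=%lu failure=%lu last=%lu\n", rc, (unsigned long)s.records,
           (unsigned long)s.audit_successes, (unsigned long)s.audit_failures,
           (unsigned long)s.last_record_number);
    return rc < 0;
}
```

On NT, build against the Win32 SDK and run it as an Administrator; a Server Operator or an ordinary user will get ERROR_ACCESS_DENIED back from OpenEventLog, which is exactly what Tables 1 and 2 in the article predict for the Security log. The walker copies each header out of the buffer and checks both the claimed length and the trailing copy of Length before trusting a record, so a short read or a corrupted buffer fails loudly instead of being parsed as garbage.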

Author Comment

by:YamSeng
ID: 1779126
I've got the answer....thanks!
0