Programming NT security log

Posted on 1997-06-23
Last Modified: 2013-12-28
HI,

Does anyone know how to retrieve events logged by the security log file in Windows NT?

I'm programming using Windows SDK.  Are there APIs that I can use to retrieve the information I want from the security log file?

Thanks!
kianbeng

Question by:YamSeng
2 Comments
Accepted Solution

by:
moosach earned 80 total points
ID: 1779125
Hi,

that shouldn't be a major problem.  There are a couple of APIs in the Win32 SDK like OpenEventLog, ReadEventLog and so on.

Check also the MS knowledgebase article below. It is still valid for NT 4.0.

Regards

Toni

.......................................................................................................

 Accessing the Event Logs

PSS ID Number: Q108230
Article last modified on 11-02-1995
PSS database name: WIN32SDK
 
3.10 3.50
 
WINDOWS NT
 

-------------------------------------------------------------------------
The information in this article applies to:
 
 - Microsoft Win32 Application Programming Interface (API) included with:
 
    - Microsoft Windows NT versions 3.1 and 3.5
-------------------------------------------------------------------------
 
SUMMARY
=======
 
Event logs are used to store significant events, such as warnings, errors,
or information. There are five operations that can be performed on event
logs through the event logging application programming interface (API):
backup, clear, query, read, and write.
 
The default event logs are the Application event log, the Security event
log, and the System event log. Access to these event logs is determined by
which account the application is running under.
 
MORE INFORMATION
================
 
The following table shows which accounts are granted access to which logs
and what type of access is granted under Windows NT 3.1:
 
   Log           Account     Access Granted
   -------------------------------------------
   Application   LocalSys    read write clear
                 Admins      read write clear
                 ServerOp    read write clear
                 World       read write
 
   Security      LocalSys    read write clear
                 Admins      read       clear
 
   System        LocalSys    read write clear
                 Admins      read       clear
                 ServerOp    read       clear
                 World       read
   -------------------------------------------
   Table 1 - access granted in Windows NT 3.1
 
The Local System account (LocalSys) is a special account that may be used
by Windows NT services. The Administrator account (Admins) consists of the
administrators for the system. The Server Operator account (ServerOp)
consists of the administrators of the domain server. The World account
includes all users on all systems.
 
Changes made were for Windows NT 3.5:
 
   Log           Account     Access Granted
   -------------------------------------------
   Application   LocalSys    read write clear
                 Admins      read write clear
                 ServerOp    read write clear
                 World       read write
 
   Security      LocalSys    read write clear
                 Admins      read       clear
                 World       read       clear *
 
   System        LocalSys    read write clear
                 Admins      read write clear **
                 ServerOp    read       clear
                 World       read
   -------------------------------------------
   Table 2 - access granted under Windows NT 3.5
 
    * Users that have been granted manage auditing and security log rights
      can read and clear the Security log.
 
   ** Admins can write to the System log.
 
The following table shows which types of access are required for the
corresponding event logging API:
 
   Event Logging API         Access Required
   -------------------------------------------
   OpenEventLog()            read
   OpenBackupEventLog()      read
   RegisterEventSource()     write
   ClearEventLog()           clear
   -------------------------------------------
   Table 3 - access required for event logging APIs
 
As an example, OpenEventLog() requires read access (see Table 2). A member
of the ServerOp account can call OpenEventLog() for the Application event
log and the System event log, because ServerOp has read access for both of
these logs (see Table 1). However, a member of the ServerOp account cannot
call OpenEventLog() for the Security log, because it does not have read
access for this log (see Table 1).
 
Additional reference words: 3.10 3.50
KBCategory: kbprg
KBSubcategory: BseMisc
=============================================================================
Copyright Microsoft Corporation 1995.
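The answer names OpenEventLog and ReadEventLog, but what ReadEventLog hands back is a raw buffer of variable-length EVENTLOGRECORD structures that the caller must walk itself. The following is an added example, not code from the post or from Microsoft: a portable C walker over such a buffer (field offsets are those of the Win32 SDK's EVENTLOGRECORD) that validates each record's trailing Length before trusting it, so a truncated or corrupted buffer ends the walk instead of reading out of bounds. It assumes a constructed in-memory sample in place of a real ReadEventLog call; the record numbers and event IDs in it are made up.

```c
#include <stdint.h>
#include <string.h>

/* EVENTLOGRECORD as ReadEventLog() returns it: a 56-byte fixed header, then UTF-16LE SourceName
 * and Computername, SID, insertion strings, data, and the Length repeated as the final DWORD. */
#define HDR_LEN 56
#define EVENTLOG_AUDIT_SUCCESS 0x08   /* EventType values from winnt.h */
#define EVENTLOG_AUDIT_FAILURE 0x10
typedef struct { uint32_t recnum, eventid; uint16_t type; char source[32]; } ev_t;
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Parse the record at buf+off into *ev; returns its length, or 0 if it is malformed. */
uint32_t parse_record(const uint8_t *buf, size_t len, size_t off, ev_t *ev)
{
    if (off + HDR_LEN + 4 > len) return 0;
    uint32_t reclen = rd32(buf + off);
    /* Length must fit the buffer and match the trailing copy; never trust it blindly. */
    if (reclen < HDR_LEN + 4 || reclen > len - off || rd32(buf + off + reclen - 4) != reclen) return 0;
    ev->recnum = rd32(buf + off + 8); ev->eventid = rd32(buf + off + 20); ev->type = (uint16_t)(rd32(buf + off + 24) & 0xFFFF);
    const uint8_t *s = buf + off + HDR_LEN, *end = buf + off + reclen - 4; size_t i = 0;   /* SourceName, UTF-16LE */
    for (; i + 1 < sizeof ev->source && s + 2 * i + 1 < end && (s[2 * i] | s[2 * i + 1]); i++)
        ev->source[i] = (s[2 * i + 1] == 0 && s[2 * i] < 0x80) ? (char)s[2 * i] : '?';   /* ASCII only */
    ev->source[i] = 0; return reclen;
}

/* Walk a whole buffer; returns the number of records parsed and counts audit failures on the way. */
int count_audit_failures(const uint8_t *buf, size_t len, int *failures)
{
    ev_t ev; size_t off = 0; int n = 0; uint32_t r; *failures = 0;
    while ((r = parse_record(buf, len, off, &ev)) != 0) { n++; off += r; *failures += ev.type == EVENTLOG_AUDIT_FAILURE; }
    return n;
}

/* Emit one minimal record (constructed test data, not a real log dump); returns its length. */
size_t put_record(uint8_t *dst, uint32_t recnum, uint32_t eventid, uint16_t type, const char *src)
{
    size_t n = strlen(src) + 1, reclen = ((HDR_LEN + 2 * n + 3) & ~(size_t)3) + 4;   /* DWORD-aligned */
    memset(dst, 0, reclen); wr32(dst, (uint32_t)reclen); wr32(dst + 4, 0x654c664c);   /* "LfLe" marker */
    wr32(dst + 8, recnum); wr32(dst + 20, eventid); dst[24] = (uint8_t)type; dst[25] = (uint8_t)(type >> 8);
    for (size_t i = 0; i < n; i++) dst[HDR_LEN + 2 * i] = (uint8_t)src[i];   /* ASCII -> UTF-16LE */
    wr32(dst + reclen - 4, (uint32_t)reclen); return reclen;
}

/* Constructed sample: three Security-log style records with made-up IDs, as one ReadEventLog call might return. */
size_t build_sample(uint8_t *buf)
{
    size_t off = put_record(buf, 101, 4242, EVENTLOG_AUDIT_SUCCESS, "Security");
    off += put_record(buf + off, 102, 4243, EVENTLOG_AUDIT_FAILURE, "Security");
    return off + put_record(buf + off, 103, 4243, EVENTLOG_AUDIT_FAILURE, "Security");
}
```

On a real system the same walker runs over the buffer filled by ReadEventLog, which requires the read access listed in Table 3 for the log being opened.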
Author Comment

by:YamSeng
ID: 1779126
I've got the answer....thanks!