Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Win32_NtLogEvent Where LogFile is Security Question

156 views
Skip to first unread message

Matt

unread,
Mar 17, 2006, 4:13:27 PM3/17/06
to
Hello,
In C++ code, I need to know how I can be a consumer of Security Event Log
events. In all scenarios, please assume that I am running with Domain Admin
privileges. Here is my current CoInitializeSecurity call:


hr = CoInitializeSecurity(0, -1, 0, 0, RPC_C_AUTHN_LEVEL_NONE,
RPC_C_IMP_LEVEL_IMPERSONATE, 0, EOAC_NONE, 0);

Here is my IWbemLocator::ConnectServer call:

hr = ConnectServer(qualifiedNamespace, L"", L"", L"", 0, L"", 0,
ppNamespace);

Note: I do not call CosSetProxyBlanket() on the resulting connection under
any circumstance.

Now, all bad practices aside that may exist in the manner that these calls
are made, it works for now in Win2000 SP2 and above all the way through
Win2003 SP1 where the remote peers and local servers consist of just about
all combinations of those operating systems.

Now, here's the problem: Event registrations from the Application and
System logs using ExecNotificationQueryAsync work great. However, this event
registration WQL string:

"SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA
"Win32_NTLogEvent" AND TargetInstance.LogFile="Security" AND
TargetInstance.SourceName="Security" AND TargetInstance.Type="Success Audit"
AND TargetInstance.EventCode="560""

does not work, and by "does not work" does not mean I get an error. The
ExecNotificationQueryAsync call does not return an error. I've seen some
posts using VB script that talk about enabling the SeSecurityPrivilege
privilege. My questions related to this are as follows:

-How do I accomplish this using C++?
-What, if anything differs between a solution that works when accessing the
local security event log, as opposed to a remote security event log, keeping
all other factors the same?
-Are there any problems/differences that exist for the operating systems
that I outline above?

Also, strangely enough, when logged in as an administrator on my local
machine, using that WQL string results in an 'Access Denied' error
(0x80041003). This occurs even after I have checked the "Enable all
Privileges" checkbox.


Thanks,

Matt

Venus Millo

unread,
Mar 19, 2006, 3:15:50 AM3/19/06
to
Look up OpenThreadToken and AdjustTokenPrivileges in MSDN.
This is how it's done in C++.

hth


"Matt" <anon...@nospam.nospam> wrote in message
news:BC095ED7-2CB3-4311...@microsoft.com...

Gary Chang[MSFT]

unread,
Mar 20, 2006, 3:44:33 AM3/20/06
to
Hi Matt,

Hi Matt,

>-What, if anything differs between a solution that works
>when accessing the local security event log, as
>opposed to a remote security event log, keeping
>all other factors the same?

One point you need to be concerned with herewould be the target process(a
solution) running under a different security context. The process would be
running under the remote machine's logon session, and thus the token it
owns would be different from the one when it owns running on the local
machine.

By the way, the remote machine would have a different local security
policy(or environment) from the local machine.

Best regards,

Gary Chang
Microsoft Community Support
======================================================
PLEASE NOTE the newsgroup SECURE CODE and PASSWORD will be updated at 9:00
AM PST, February 14, 2006. Please complete a re-registration process by
entering the secure code mmpng06 when prompted. Once you have entered the
secure code mmpng06, you will be able to update your profile and access the
partner newsgroups.
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================

Matt

unread,
Mar 20, 2006, 11:49:30 AM3/20/06
to
Hi Gary,
Thanks for the response. So, what steps do I need to take in order to
gain access to the Security Event Log per the criteria outlined in my
original question?

Thanks,

Matt

Gary Chang[MSFT]

unread,
Mar 21, 2006, 5:07:20 AM3/21/06
to
Hi Matt,

>So, what steps do I need to take in order to gain access
>to the Security Event Log per the criteria outlined in my
>original question?

I just provided some general points that need to be concerned when a
process is run in a remote machine comparing in the local machine.

To your issue, I suggest you may need to make sure whether your account has
the enough privileges to access the remote machine's security event log. Do
you have any problem using the WMI utility wbemtest.exe with the same query
to access the remote machine's security event log?

Thanks!

0 new messages