Reading the security log in Vista
-
Hello all, I have some weirdness. Using the very simple code below:

EventLog el = new EventLog("Security");
foreach (EventLogEntry elr in el.Entries)
{
    Trace.WriteLine(elr.Message);
}

results in the following message: The description for Event ID '4647' in Source 'Microsoft-Windows-Security-Auditing' cannot be found. The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them. The following information is part of the event: 'S-1-5-21-51003140-4199384537-3980697693-500', 'Administrator', '26L2233A1-06', '0x86377'. As far as I can tell, it's like the .NET Framework can't find the source DLL to resolve the message. I pulled out some old C++ code that did some event log processing and ran it on the same machine and, sure enough, I couldn't find the message DLL. I know that Microsoft changed the event log API in Vista/2008 but I thought the new API was backwards compatible. Backwards compatible or not, I need to be able to read the security log on Vista/2008. Any ideas? Thanks, Gene
-
Can you read other logs? Application, System, DNS, FRS etc.? There isn't an API (in the Win32 SDK function sense) to read the text details from the event logs. Your C++ code is probably reading the MessageFile setting from the appropriate place in the registry, and doing a LoadLibrary / FormatMessage dance. That won't work on Vista / 2K8. The message DLLs are referenced in a different way (look at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers). If the .NET Framework only uses the "old" way, you'll have to roll your own.
-
Thank you Graham, I can read the Application log correctly, but that's probably because they are registering their message DLLs in the old NT way instead of the new Vista way. I found the key that you reference, but couldn't find the "GUID" in the event log entry, so I couldn't figure out the correct message DLL to do the load/format message. I couldn't find any documentation on all this mess; can you point me to some? Thank you again, Gene
-
Getting further. Maybe the problem is that there isn't a key for "Microsoft-Windows-Security-Auditing" in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels hive. I guess I could just enumerate all the publisher values and look for the value "Microsoft-Windows-Security-Auditing" to get the message DLL name. I'll try that next. ;)
-
Well... I'm getting closer, but I can't figure out how to get a "real" event ID for the security log. For example, here is a sample event in C#:

EntryType  SuccessAudit
EventID    0x00001210
Source     "Microsoft-Windows-Security-Auditing"

Now, I've figured out that the REAL event ID that the Vista Event API wants is -1342172656 or 0xB0001210, so the piece that I'm missing is the 0xB000???? part. According to this http://msdn.microsoft.com/en-us/library/aa385646(VS.85).aspx it says that I'm supposed to shift the EntryType left by 30, but EVENTLOG_AUDIT_SUCCESS is 8, so shifting it 30 bits slides it right off the DWORD. Does anyone know how to turn an EventLogEntry into a Message DLL ID? I THINK it's all related to the fact that I can't figure out the facility and severity correctly. Thank you for any help, Gene
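An added example, not code from anyone in the thread, showing the "roll your own" route Graham mentions without the message-ID arithmetic: the System.Diagnostics.Eventing.Reader namespace (.NET 3.5 and later) wraps the Vista/2008 winevt API and asks the publisher itself to render the description, so the EventMessageFile registry lookup and the 0xB000???? facility/severity math are not needed. It assumes the process runs with rights to read the Security channel (an elevated administrator or a member of Event Log Readers).

```csharp
using System;
using System.Diagnostics.Eventing.Reader;

// Example code: read logoff events (ID 4647) from the Security channel via the
// manifest-aware Windows Event Log API instead of the legacy EventLog class.
class SecurityLogReader
{
    static void Main()
    {
        // XPath filter understood by the winevt API: only event ID 4647, newest first.
        var query = new EventLogQuery("Security", PathType.LogName,
                                      "*[System[EventID=4647]]")
        {
            ReverseDirection = true
        };

        using (var reader = new EventLogReader(query))
        {
            for (EventRecord rec = reader.ReadEvent(); rec != null; rec = reader.ReadEvent())
            {
                using (rec)
                {
                    string description;
                    try
                    {
                        // The publisher (Microsoft-Windows-Security-Auditing) renders the
                        // text from its manifest; no LoadLibrary/FormatMessage by hand.
                        description = rec.FormatDescription();
                    }
                    catch (EventLogException ex)
                    {
                        // Publisher metadata missing or inaccessible on this machine.
                        description = "<unresolved: " + ex.Message + ">";
                    }

                    Console.WriteLine("{0} {1} {2}", rec.TimeCreated, rec.Id, rec.ProviderName);
                    Console.WriteLine(description ?? "<no description>");

                    // The raw substitution strings from the original post (SID, account,
                    // domain, logon ID) remain available even when formatting fails.
                    foreach (EventProperty p in rec.Properties)
                        Console.WriteLine("  {0}", p.Value);
                }
            }
        }
    }
}
```

Because the description comes from the publisher rather than a legacy message DLL, the same code also works for channels that still register the old EventMessageFile value.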