C# (CSharp) POLICY_AUDIT_EVENTS_INFO Beispiele

Beispiel #1

Datei: SecurityPolicyManager.cs Projekt: walex6925/CyberPatriot-Scoring-Report

        public static void GetAuditPolicy()
        {
            IntPtr handle;

            // Null name gets local machine
            string name = null;
            LSA_OBJECT_ATTRIBUTES objAttrib = default(LSA_OBJECT_ATTRIBUTES);

            // Get handle to local policies, returns zero on success
            if (WinAPI.LsaOpenPolicy(ref name, ref objAttrib, 2, out handle) != 0)
            {
                return;
            }

            IntPtr buffer;

            // Query for event audit policy details
            if (WinAPI.LsaQueryInformationPolicy(handle, POLICY_INFORMATION_CLASS.PolicyAuditEventsInformation, out buffer) != 0)
            {
                // Query failed, close policy handle
                WinAPI.LsaClose(handle);

                return;
            }

            // Get event info from pointer to structure
            POLICY_AUDIT_EVENTS_INFO auditPolicyInfo = Marshal.PtrToStructure <POLICY_AUDIT_EVENTS_INFO>(buffer);

            // Create array with length of returned length of audit events
            POLICY_AUDIT_EVENT[] auditEventInfo = new POLICY_AUDIT_EVENT[auditPolicyInfo.MaximumAuditEventCount];

            // Store modifiable pointer to array
            IntPtr elementPtr = auditPolicyInfo.EventAuditingOptions;

            // For every event in array
            for (int i = 0; i < auditEventInfo.Length; i++)
            {
                // Get integer from pointer, and convert to type enum
                auditEventInfo[i] = (POLICY_AUDIT_EVENT)Marshal.PtrToStructure <int>(elementPtr);

                // Add size of integer to pointer to get next integer in array
                elementPtr += sizeof(int);

                // Get header of current audit type
                string header = AuditHeaders[(POLICY_AUDIT_EVENT_TYPE)i];

                // Store audit info with header
                Settings.LocalPolicies.AuditPolicy.HeaderSettingPairs[header] = auditEventInfo[i];
            }

            // Close handle and free memory
            WinAPI.LsaClose(handle);
            WinAPI.LsaFreeMemory(buffer);
        }

Beispiel #2

        public static Dictionary <AuditEventPolicy, Dictionary <String, AuditEventStatus> > GetSubcategoryPolicies()
        {
            Dictionary <AuditEventPolicy, Dictionary <String, AuditEventStatus> > result = new Dictionary <AuditEventPolicy, Dictionary <String, AuditEventStatus> >();

            LSA_OBJECT_ATTRIBUTES objAttrs = new LSA_OBJECT_ATTRIBUTES();
            IntPtr hPolicy        = IntPtr.Zero;
            IntPtr pInfo          = IntPtr.Zero;
            IntPtr pGuid          = IntPtr.Zero;
            IntPtr pAuditPolicies = IntPtr.Zero;
            IntPtr pSubcategories = IntPtr.Zero;

            UInt32 lrc  = LsaOpenPolicy(null, ref objAttrs, POLICY_VIEW_AUDIT_INFORMATION, out hPolicy);
            uint   code = LsaNtStatusToWinError(lrc);

            if (code != 0)
            {
                throw new System.ComponentModel.Win32Exception((int)code);
            }
            try {
                //
                // Query the policy
                //
                lrc  = LsaQueryInformationPolicy(hPolicy, POLICY_INFORMATION_CLASS.PolicyAuditEventsInformation, out pInfo);
                code = LsaNtStatusToWinError(lrc);
                if (code != 0)
                {
                    throw new System.ComponentModel.Win32Exception((int)code);
                }
                POLICY_AUDIT_EVENTS_INFO info = new POLICY_AUDIT_EVENTS_INFO();
                info = (POLICY_AUDIT_EVENTS_INFO)Marshal.PtrToStructure(pInfo, info.GetType());

                //
                // Iterate through the event types
                //
                for (UInt32 eventType = 0; eventType < info.MaximumAuditEventCount; eventType++)
                {
                    pGuid = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(GUID)));
                    if (!AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)eventType, pGuid))
                    {
                        throw new System.ComponentModel.Win32Exception(GetLastError());
                    }
                    UInt32 subcategoryCount = 0;
                    if (!AuditEnumerateSubCategories(pGuid, false, ref pSubcategories, out subcategoryCount))
                    {
                        throw new System.ComponentModel.Win32Exception(GetLastError());
                    }
                    if (!AuditQuerySystemPolicy(pSubcategories, subcategoryCount, out pAuditPolicies))
                    {
                        throw new System.ComponentModel.Win32Exception(GetLastError());
                    }

                    Dictionary <String, AuditEventStatus> dict = new Dictionary <String, AuditEventStatus>();
                    AUDIT_POLICY_INFORMATION policyInfo        = new AUDIT_POLICY_INFORMATION();
                    for (UInt32 subcategoryIndex = 0; subcategoryIndex < subcategoryCount; subcategoryIndex++)
                    {
                        IntPtr itemPtr = new IntPtr(pAuditPolicies.ToInt64() +
                                                    (long)subcategoryIndex * (Int64)Marshal.SizeOf(policyInfo));
                        policyInfo = (AUDIT_POLICY_INFORMATION)Marshal.PtrToStructure(itemPtr, policyInfo.GetType());
                        dict.Add(AuditPolicySubcategories[policyInfo.AuditSubCategoryGuid.ToString()],
                                 (AuditEventStatus)policyInfo.AuditingInformation);
                    }
                    result.Add((AuditEventPolicy)eventType, dict);

                    AuditFree(pAuditPolicies);
                    pAuditPolicies = IntPtr.Zero;
                    AuditFree(pSubcategories);
                    pSubcategories = IntPtr.Zero;
                    Marshal.FreeHGlobal(pGuid);
                    pGuid = IntPtr.Zero;
                }
            } finally {
                //
                // Cleanup
                //
                if (pInfo != IntPtr.Zero)
                {
                    LsaFreeMemory(pInfo);
                }
                if (pGuid != IntPtr.Zero)
                {
                    Marshal.FreeHGlobal(pGuid);
                }
                if (pAuditPolicies != IntPtr.Zero)
                {
                    AuditFree(pAuditPolicies);
                }
                if (pSubcategories != IntPtr.Zero)
                {
                    AuditFree(pSubcategories);
                }
                LsaClose(hPolicy);
            }
            return(result);
        }

Beispiel #3

        public static Dictionary <AuditEventPolicy, AuditEventStatus> GetPolicies()
        {
            Dictionary <AuditEventPolicy, AuditEventStatus> result = new Dictionary <AuditEventPolicy, AuditEventStatus>();

            LSA_OBJECT_ATTRIBUTES objAttrs = new LSA_OBJECT_ATTRIBUTES();
            IntPtr hPolicy = IntPtr.Zero;
            IntPtr pInfo   = IntPtr.Zero;
            IntPtr pGuid   = IntPtr.Zero;

            UInt32 lrc  = LsaOpenPolicy(null, ref objAttrs, POLICY_VIEW_AUDIT_INFORMATION, out hPolicy);
            uint   code = LsaNtStatusToWinError(lrc);

            if (code != 0)
            {
                throw new System.ComponentModel.Win32Exception((int)code);
            }
            try {
                //
                // Query the policy
                //
                lrc  = LsaQueryInformationPolicy(hPolicy, POLICY_INFORMATION_CLASS.PolicyAuditEventsInformation, out pInfo);
                code = LsaNtStatusToWinError(lrc);
                if (code != 0)
                {
                    throw new System.ComponentModel.Win32Exception((int)code);
                }
                POLICY_AUDIT_EVENTS_INFO info = new POLICY_AUDIT_EVENTS_INFO();
                info = (POLICY_AUDIT_EVENTS_INFO)Marshal.PtrToStructure(pInfo, info.GetType());

                //
                // Iterate through the event types
                //
                for (UInt32 eventType = 0; eventType < info.MaximumAuditEventCount; eventType++)
                {
                    pGuid = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(GUID)));
                    if (AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)eventType, pGuid))
                    {
                        IntPtr itemPtr = new IntPtr(info.EventAuditingOptions.ToInt64() +
                                                    (Int64)eventType * (Int64)Marshal.SizeOf(typeof(UInt32)));
                        UInt32 status = 0;
                        status = (UInt32)Marshal.PtrToStructure(itemPtr, status.GetType());
                        result.Add((AuditEventPolicy)eventType, (AuditEventStatus)(status & 0x3));
                        Marshal.FreeHGlobal(pGuid);
                        pGuid = IntPtr.Zero;
                    }
                    else
                    {
                        throw new System.ComponentModel.Win32Exception(GetLastError());
                    }
                }
            } finally {
                //
                // Cleanup
                //
                if (pInfo != IntPtr.Zero)
                {
                    LsaFreeMemory(pInfo);
                }
                if (pGuid != IntPtr.Zero)
                {
                    Marshal.FreeHGlobal(pGuid);
                }
                LsaClose(hPolicy);
            }
            return(result);
        }

Beispiel #4

Datei: AuditEventPolicyHelper.cs Projekt: JorgeHudson/modSIC

        public virtual Dictionary<AuditEventPolicies, AuditEventStatus> GetAuditEventPolicies(TargetInfo targetInfo)
        {
            Dictionary<AuditEventPolicies, AuditEventStatus> retList = new Dictionary<AuditEventPolicies, AuditEventStatus>();

            LSA_UNICODE_STRING systemName = string2LSAUS(targetInfo.GetAddress());
            LSA_OBJECT_ATTRIBUTES objAttrs = new LSA_OBJECT_ATTRIBUTES();

            IntPtr policyHandle = IntPtr.Zero;
            IntPtr pAuditEventsInfo = IntPtr.Zero;
            IntPtr pAuditCategoryGuid = IntPtr.Zero;
            IntPtr pAuditSubCategoryGuids = IntPtr.Zero;
            IntPtr pAuditPolicies = IntPtr.Zero;

            UInt32 lretVal = LsaOpenPolicy(ref systemName, ref objAttrs, POLICY_VIEW_AUDIT_INFORMATION, out policyHandle);
            uint retVal = LsaNtStatusToWinError(lretVal);
            if (retVal != 0)
            {
                throw new System.ComponentModel.Win32Exception((int)retVal);
            }

            try
            {
                lretVal = LsaQueryInformationPolicy(policyHandle, POLICY_INFORMATION_CLASS.PolicyAuditEventsInformation, out pAuditEventsInfo);
                retVal = LsaNtStatusToWinError(lretVal);
                if (retVal != 0)
                {
                    throw new System.ComponentModel.Win32Exception((int)retVal);
                }

                //  EventAuditingOptions: The index of each array element corresponds to an audit event type value in the POLICY_AUDIT_EVENT_TYPE enumeration type.
                //  Each POLICY_AUDIT_EVENT_OPTIONS variable in the array can specify the following auditing options.
                //  POLICY_AUDIT_EVENT_UNCHANGED, POLICY_AUDIT_EVENT_SUCCESS, POLICY_AUDIT_EVENT_FAILURE, POLICY_AUDIT_EVENT_NONE
                POLICY_AUDIT_EVENTS_INFO myAuditEventsInfo = new POLICY_AUDIT_EVENTS_INFO();
                myAuditEventsInfo = (POLICY_AUDIT_EVENTS_INFO)Marshal.PtrToStructure(pAuditEventsInfo, myAuditEventsInfo.GetType());

                for (UInt32 policyAuditEventType = 0; policyAuditEventType < myAuditEventsInfo.MaximumAuditEventCount; policyAuditEventType++)
                {

                    pAuditCategoryGuid = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(GUID)));
                    if (!AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)policyAuditEventType, pAuditCategoryGuid))
                    {
                        int causingError = GetLastError();
                        throw new System.ComponentModel.Win32Exception(causingError);
                    }

                    String categoryName = String.Empty;
                    AuditLookupCategoryName(pAuditCategoryGuid, ref categoryName);

                    UInt32 status = 0;
                    IntPtr itemPtr = new IntPtr(myAuditEventsInfo.EventAuditingOptions.ToInt64() + (Int64)policyAuditEventType * (Int64)Marshal.SizeOf(typeof(UInt32)));
                    status = (UInt32)Marshal.PtrToStructure(itemPtr, status.GetType());
                    retList.Add((AuditEventPolicies)policyAuditEventType, (AuditEventStatus)(status & 0x3));

                    Marshal.FreeHGlobal(pAuditCategoryGuid);
                    pAuditCategoryGuid = IntPtr.Zero;
                }
            }
            finally
            {
                if (pAuditEventsInfo != IntPtr.Zero)
                {
                    LsaFreeMemory(pAuditEventsInfo);
                }

                if (pAuditCategoryGuid != IntPtr.Zero)
                {
                    Marshal.FreeHGlobal(pAuditCategoryGuid);
                }

                LsaClose(policyHandle);
            }

            return retList;
        }

Beispiel #5

        public virtual Dictionary <AuditEventPolicies, AuditEventStatus> GetAuditEventPolicies(TargetInfo targetInfo)
        {
            Dictionary <AuditEventPolicies, AuditEventStatus> retList = new Dictionary <AuditEventPolicies, AuditEventStatus>();

            LSA_UNICODE_STRING    systemName = string2LSAUS(targetInfo.GetAddress());
            LSA_OBJECT_ATTRIBUTES objAttrs   = new LSA_OBJECT_ATTRIBUTES();

            IntPtr policyHandle           = IntPtr.Zero;
            IntPtr pAuditEventsInfo       = IntPtr.Zero;
            IntPtr pAuditCategoryGuid     = IntPtr.Zero;
            IntPtr pAuditSubCategoryGuids = IntPtr.Zero;
            IntPtr pAuditPolicies         = IntPtr.Zero;

            UInt32 lretVal = LsaOpenPolicy(ref systemName, ref objAttrs, POLICY_VIEW_AUDIT_INFORMATION, out policyHandle);
            uint   retVal  = LsaNtStatusToWinError(lretVal);

            if (retVal != 0)
            {
                throw new System.ComponentModel.Win32Exception((int)retVal);
            }

            try
            {
                lretVal = LsaQueryInformationPolicy(policyHandle, POLICY_INFORMATION_CLASS.PolicyAuditEventsInformation, out pAuditEventsInfo);
                retVal  = LsaNtStatusToWinError(lretVal);
                if (retVal != 0)
                {
                    throw new System.ComponentModel.Win32Exception((int)retVal);
                }

                //  EventAuditingOptions: The index of each array element corresponds to an audit event type value in the POLICY_AUDIT_EVENT_TYPE enumeration type.
                //  Each POLICY_AUDIT_EVENT_OPTIONS variable in the array can specify the following auditing options.
                //  POLICY_AUDIT_EVENT_UNCHANGED, POLICY_AUDIT_EVENT_SUCCESS, POLICY_AUDIT_EVENT_FAILURE, POLICY_AUDIT_EVENT_NONE
                POLICY_AUDIT_EVENTS_INFO myAuditEventsInfo = new POLICY_AUDIT_EVENTS_INFO();
                myAuditEventsInfo = (POLICY_AUDIT_EVENTS_INFO)Marshal.PtrToStructure(pAuditEventsInfo, myAuditEventsInfo.GetType());

                for (UInt32 policyAuditEventType = 0; policyAuditEventType < myAuditEventsInfo.MaximumAuditEventCount; policyAuditEventType++)
                {
                    pAuditCategoryGuid = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(GUID)));
                    if (!AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)policyAuditEventType, pAuditCategoryGuid))
                    {
                        int causingError = GetLastError();
                        throw new System.ComponentModel.Win32Exception(causingError);
                    }

                    String categoryName = String.Empty;
                    AuditLookupCategoryName(pAuditCategoryGuid, ref categoryName);

                    UInt32 status  = 0;
                    IntPtr itemPtr = new IntPtr(myAuditEventsInfo.EventAuditingOptions.ToInt64() + (Int64)policyAuditEventType * (Int64)Marshal.SizeOf(typeof(UInt32)));
                    status = (UInt32)Marshal.PtrToStructure(itemPtr, status.GetType());
                    retList.Add((AuditEventPolicies)policyAuditEventType, (AuditEventStatus)(status & 0x3));

                    Marshal.FreeHGlobal(pAuditCategoryGuid);
                    pAuditCategoryGuid = IntPtr.Zero;
                }
            }
            finally
            {
                if (pAuditEventsInfo != IntPtr.Zero)
                {
                    LsaFreeMemory(pAuditEventsInfo);
                }

                if (pAuditCategoryGuid != IntPtr.Zero)
                {
                    Marshal.FreeHGlobal(pAuditCategoryGuid);
                }

                LsaClose(policyHandle);
            }

            return(retList);
        }

Beispiel #6

Datei: AuditEventPolicyHelper.cs Projekt: ywcsz/modSIC

        public virtual Dictionary<AuditEventSubcategories, AuditEventStatus> GetAuditEventSubcategoriesPolicy(TargetInfo targetInfo)
        {
            Dictionary<AuditEventSubcategories, AuditEventStatus> retList = new Dictionary<AuditEventSubcategories, AuditEventStatus>();

            string target = @"\\" + targetInfo.GetAddress();
            LSA_UNICODE_STRING systemName = string2LSAUS(target);
            LSA_OBJECT_ATTRIBUTES objAttrs = new LSA_OBJECT_ATTRIBUTES();

            IntPtr policyHandle = IntPtr.Zero;
            IntPtr pAuditEventsInfo = IntPtr.Zero;
            IntPtr pAuditCategoryId = IntPtr.Zero;
            IntPtr pAuditSubCategoryGuids = IntPtr.Zero;
            IntPtr pAuditPolicies = IntPtr.Zero;

            UInt32 lretVal = LsaOpenPolicy(ref systemName, ref objAttrs, POLICY_VIEW_AUDIT_INFORMATION, out policyHandle);
            UInt32 retVal = LsaNtStatusToWinError(lretVal);

            if (retVal == (UInt32)0)
            {
                try
                {
                    lretVal = LsaQueryInformationPolicy(policyHandle, POLICY_INFORMATION_CLASS.PolicyAuditEventsInformation, out pAuditEventsInfo);
                    retVal = LsaNtStatusToWinError(lretVal);

                    if (retVal == 0)
                    {
                        POLICY_AUDIT_EVENTS_INFO myAuditEventsInfo = new POLICY_AUDIT_EVENTS_INFO();
                        myAuditEventsInfo = (POLICY_AUDIT_EVENTS_INFO)Marshal.PtrToStructure(pAuditEventsInfo, myAuditEventsInfo.GetType());

                        for (var policyAuditEventType = 0; policyAuditEventType < myAuditEventsInfo.MaximumAuditEventCount; policyAuditEventType++)
                        {
                            pAuditCategoryId = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(GUID)));
                            if (!AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)policyAuditEventType, pAuditCategoryId))
                            {
                                int causingError = GetLastError();
                                throw new System.ComponentModel.Win32Exception(causingError);
                            }

                            UInt32 nSubCats = 0;
                            pAuditSubCategoryGuids = IntPtr.Zero;
                            if (!AuditEnumerateSubCategories(pAuditCategoryId, false, ref pAuditSubCategoryGuids, out nSubCats))
                            {
                                int causingError = GetLastError();
                                throw new System.ComponentModel.Win32Exception(causingError);
                            }

                            Marshal.FreeHGlobal(pAuditCategoryId);
                            pAuditCategoryId = IntPtr.Zero;

                            pAuditPolicies = IntPtr.Zero;
                            if (nSubCats > 0)
                            {

                                if (!AuditQuerySystemPolicy(pAuditSubCategoryGuids, nSubCats, out pAuditPolicies))
                                {
                                    int causingError = GetLastError();
                                    throw new System.ComponentModel.Win32Exception(causingError);
                                }

                                for (var subcategoryIndex = 0; subcategoryIndex < nSubCats; subcategoryIndex++)
                                {
                                    AUDIT_POLICY_INFORMATION currentPolicy = new AUDIT_POLICY_INFORMATION();

                                    IntPtr itemPtr = new IntPtr(pAuditPolicies.ToInt64() + (Int64)subcategoryIndex * (Int64)Marshal.SizeOf(currentPolicy));
                                    currentPolicy = (AUDIT_POLICY_INFORMATION)Marshal.PtrToStructure(itemPtr, currentPolicy.GetType());

                                    String subCategoryName = String.Empty;
                                    Marshal.StructureToPtr(currentPolicy, itemPtr, true);
                                    AuditLookupSubCategoryName(itemPtr, ref subCategoryName);

                                    AuditEventSubcategories value;
                                    if (subcategoriesDictionary.TryGetValue(subCategoryName, out value))
                                    {
                                        retList.Add(value, (AuditEventStatus)(currentPolicy.AuditingInformation & 0x3));
                                    }
                                }

                                if (pAuditPolicies != IntPtr.Zero)
                                {
                                    AuditFree(pAuditPolicies);
                                    pAuditPolicies = IntPtr.Zero;
                                }
                            }

                            if (pAuditSubCategoryGuids != IntPtr.Zero)
                            {
                                AuditFree(pAuditSubCategoryGuids);
                                pAuditSubCategoryGuids = IntPtr.Zero;
                            }

                            nSubCats = 0;
                        }
                    }
                    else
                    {
                        throw new System.ComponentModel.Win32Exception((int)retVal);
                    }
                }
                finally
                {
                    if (pAuditPolicies != IntPtr.Zero)
                    {
                        AuditFree(pAuditPolicies);
                        pAuditPolicies = IntPtr.Zero;
                    }

                    if (pAuditSubCategoryGuids != IntPtr.Zero)
                    {
                        AuditFree(pAuditSubCategoryGuids);
                        pAuditSubCategoryGuids = IntPtr.Zero;
                    }

                    if (pAuditEventsInfo != IntPtr.Zero)
                    {
                        LsaFreeMemory(pAuditEventsInfo);
                    }

                    if (pAuditCategoryId != IntPtr.Zero)
                    {
                        Marshal.FreeHGlobal(pAuditCategoryId);
                    }

                    LsaClose(policyHandle);
                }
            }
            else
            {
                throw new System.ComponentModel.Win32Exception((int)retVal);
            }

            return retList;
        }

Beispiel #7

Datei: Auditeventpolicy.cs Projekt: praveeds/jOVAL

        public static Dictionary<AuditEventPolicy, Dictionary<String, AuditEventStatus>> GetSubcategoryPolicies()
        {
            Dictionary<AuditEventPolicy, Dictionary<String, AuditEventStatus>> result = new Dictionary<AuditEventPolicy, Dictionary<String, AuditEventStatus>>();

            LSA_OBJECT_ATTRIBUTES objAttrs = new LSA_OBJECT_ATTRIBUTES();
            IntPtr hPolicy = IntPtr.Zero;
            IntPtr pInfo = IntPtr.Zero;
            IntPtr pGuid = IntPtr.Zero;
            IntPtr pAuditPolicies = IntPtr.Zero;
            IntPtr pSubcategories = IntPtr.Zero;

            UInt32 lrc = LsaOpenPolicy(null, ref objAttrs, POLICY_VIEW_AUDIT_INFORMATION, out hPolicy);
            uint code = LsaNtStatusToWinError(lrc);
            if (code != 0) {
            throw new System.ComponentModel.Win32Exception((int)code);
            }
            try {
            //
            // Query the policy
            //
            lrc = LsaQueryInformationPolicy(hPolicy, POLICY_INFORMATION_CLASS.PolicyAuditEventsInformation, out pInfo);
            code = LsaNtStatusToWinError(lrc);
            if (code != 0) {
            throw new System.ComponentModel.Win32Exception((int)code);
            }
            POLICY_AUDIT_EVENTS_INFO info = new POLICY_AUDIT_EVENTS_INFO();
            info = (POLICY_AUDIT_EVENTS_INFO)Marshal.PtrToStructure(pInfo, info.GetType());

            //
            // Iterate through the event types
            //
            for (UInt32 eventType = 0; eventType < info.MaximumAuditEventCount; eventType++) {
            pGuid = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(GUID)));
            if (!AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)eventType, pGuid)) {
            throw new System.ComponentModel.Win32Exception(GetLastError());
            }
            UInt32 subcategoryCount = 0;
            if (!AuditEnumerateSubCategories(pGuid, false, ref pSubcategories, out subcategoryCount)) {
            throw new System.ComponentModel.Win32Exception(GetLastError());
            }
            if (!AuditQuerySystemPolicy(pSubcategories, subcategoryCount, out pAuditPolicies)) {
            throw new System.ComponentModel.Win32Exception(GetLastError());
            }

            Dictionary<String, AuditEventStatus> dict = new Dictionary<String, AuditEventStatus>();
            AUDIT_POLICY_INFORMATION policyInfo = new AUDIT_POLICY_INFORMATION();
            for (UInt32 subcategoryIndex = 0; subcategoryIndex < subcategoryCount; subcategoryIndex++) {
            IntPtr itemPtr = new IntPtr(pAuditPolicies.ToInt64() +
                (long)subcategoryIndex * (Int64)Marshal.SizeOf(policyInfo));
            policyInfo = (AUDIT_POLICY_INFORMATION)Marshal.PtrToStructure(itemPtr, policyInfo.GetType());
            dict.Add(AuditPolicySubcategories[policyInfo.AuditSubCategoryGuid.ToString()],
                (AuditEventStatus)policyInfo.AuditingInformation);
            }
            result.Add((AuditEventPolicy)eventType, dict);

            AuditFree(pAuditPolicies);
            pAuditPolicies = IntPtr.Zero;
            AuditFree(pSubcategories);
            pSubcategories = IntPtr.Zero;
            Marshal.FreeHGlobal(pGuid);
            pGuid = IntPtr.Zero;
            }
            } finally {
            //
            // Cleanup
            //
            if (pInfo != IntPtr.Zero) {
            LsaFreeMemory(pInfo);
            }
            if (pGuid != IntPtr.Zero) {
            Marshal.FreeHGlobal(pGuid);
            }
            if (pAuditPolicies != IntPtr.Zero) {
            AuditFree(pAuditPolicies);
            }
            if (pSubcategories != IntPtr.Zero) {
            AuditFree(pSubcategories);
            }
            LsaClose(hPolicy);
            }
            return result;
        }

Beispiel #8

Datei: Auditeventpolicy.cs Projekt: praveeds/jOVAL

        public static Dictionary<AuditEventPolicy, AuditEventStatus> GetPolicies()
        {
            Dictionary<AuditEventPolicy, AuditEventStatus> result = new Dictionary<AuditEventPolicy, AuditEventStatus>();

            LSA_OBJECT_ATTRIBUTES objAttrs = new LSA_OBJECT_ATTRIBUTES();
            IntPtr hPolicy = IntPtr.Zero;
            IntPtr pInfo = IntPtr.Zero;
            IntPtr pGuid = IntPtr.Zero;

            UInt32 lrc = LsaOpenPolicy(null, ref objAttrs, POLICY_VIEW_AUDIT_INFORMATION, out hPolicy);
            uint code = LsaNtStatusToWinError(lrc);
            if (code != 0) {
            throw new System.ComponentModel.Win32Exception((int)code);
            }
            try {
            //
            // Query the policy
            //
            lrc = LsaQueryInformationPolicy(hPolicy, POLICY_INFORMATION_CLASS.PolicyAuditEventsInformation, out pInfo);
            code = LsaNtStatusToWinError(lrc);
            if (code != 0) {
            throw new System.ComponentModel.Win32Exception((int)code);
            }
            POLICY_AUDIT_EVENTS_INFO info = new POLICY_AUDIT_EVENTS_INFO();
            info = (POLICY_AUDIT_EVENTS_INFO)Marshal.PtrToStructure(pInfo, info.GetType());

            //
            // Iterate through the event types
            //
            for (UInt32 eventType = 0; eventType < info.MaximumAuditEventCount; eventType++) {
            pGuid = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(GUID)));
            if (AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)eventType, pGuid)) {
            IntPtr itemPtr = new IntPtr(info.EventAuditingOptions.ToInt64() +
                (Int64)eventType * (Int64)Marshal.SizeOf(typeof(UInt32)));
            UInt32 status = 0;
            status = (UInt32)Marshal.PtrToStructure(itemPtr, status.GetType());
            result.Add((AuditEventPolicy)eventType, (AuditEventStatus)(status & 0x3));
            Marshal.FreeHGlobal(pGuid);
            pGuid = IntPtr.Zero;
            } else {
            throw new System.ComponentModel.Win32Exception(GetLastError());
            }
            }
            } finally {
            //
            // Cleanup
            //
            if (pInfo != IntPtr.Zero) {
            LsaFreeMemory(pInfo);
            }
            if (pGuid != IntPtr.Zero) {
            Marshal.FreeHGlobal(pGuid);
            }
            LsaClose(hPolicy);
            }
            return result;
        }