public static void UninstallApplicationEventSource(string sourceName)
        {
            if (sourceName == null)
            {
                throw new ArgumentNullException(nameof(sourceName));
            }

            if (!SourceNameValidator.IsSourceNameValid(sourceName))
            {
                throw new ArgumentException("Invalid event source name", nameof(sourceName));
            }

            RegistryKey rkApplication = null;

            try
            {
                rkApplication = Registry.LocalMachine.OpenSubKey(ApplicationKey, true);
                rkApplication.DeleteSubKey(sourceName, false);
            }
            finally
            {
                if (rkApplication != null)
                {
                    rkApplication.Close();
                }
            }
        }
        public static void InstallApplicationEventSource(string sourceName, string eventMessageFile, string parameterMessageFile)
        {
            if (sourceName == null)
            {
                throw new ArgumentNullException(nameof(sourceName));
            }

            if (!SourceNameValidator.IsSourceNameValid(sourceName))
            {
                throw new ArgumentException("Invalid event source name", nameof(sourceName));
            }

            RegistryKey rkApplication = null;
            RegistryKey rkSource      = null;

            try
            {
                rkApplication = Registry.LocalMachine.OpenSubKey(ApplicationKey, true);

                //
                // Cheap and dirty check for duplicates
                // Do it to be consistent with the security log installation logic
                // even if it means using a non-thread-safe method of doing so
                //

                rkSource = rkApplication.OpenSubKey(sourceName, true);

                if (rkSource != null)
                {
                    throw new InvalidOperationException("Event source already exists");
                }

                rkSource = rkApplication.CreateSubKey(sourceName);

                if (eventMessageFile != null)
                {
                    rkSource.SetValue("EventMessageFile", eventMessageFile /* , RegistryValueKind.ExpandString */);
                }

                if (parameterMessageFile != null)
                {
                    rkSource.SetValue("ParameterMessageFile", parameterMessageFile /* , RegistryValueKind.ExpandString */);
                }

                rkSource.SetValue("TypesSupported", 0x18);
            }
            finally
            {
                if (rkSource != null)
                {
                    rkSource.Close();
                }

                if (rkApplication != null)
                {
                    rkApplication.Close();
                }
            }
        }
        /// <summary>
        /// Register event log source
        /// </summary>
        /// <param name="sourceName">Name of the security event source</param>
        /// <param name="eventMessageFile">Full path to a resource DLL to interpret events in event viewer (optional)</param>
        /// <param name="eventSourceXmlSchemaFile"></param>
        /// <param name="eventAccessStringsFile"></param>
        /// <param name="executableImagePath">Full path to the executable file that is authorized to generate messages under this source name  (optional)</param>
        /// <param name="allowMultipleInstances">Flag indicating whether multiple instances of the process can log under this source name simultaneously</param>
        public static void InstallSecurityEventSource(
            string sourceName,
            string eventMessageFile,
            string eventSourceXmlSchemaFile,
            string eventAccessStringsFile,
            string executableImagePath,
            bool allowMultipleInstances)
        {
            if (sourceName == null)
            {
                throw new ArgumentNullException(nameof(sourceName));
            }

            if (!SourceNameValidator.IsSourceNameValid(sourceName))
            {
                throw new ArgumentException("Invalid event source name", nameof(sourceName));
            }

            try
            {
                Win32Native.AUTHZ_SOURCE_SCHEMA_REGISTRATION schema = new Win32Native.AUTHZ_SOURCE_SCHEMA_REGISTRATION();
                schema.dwFlags                          = allowMultipleInstances ? (uint)1 : (uint)0;
                schema.eventSourceName                  = sourceName;
                schema.eventMessageFile                 = eventMessageFile;
                schema.eventSourceXmlSchemaFile         = eventSourceXmlSchemaFile;
                schema.eventAccessStringsFile           = eventAccessStringsFile;
                schema.executableImagePath              = executableImagePath;
                schema.pReserved                        = IntPtr.Zero;
                schema.dwObjectTypeNameCount            = 0;
                schema.objectTypeNames.dwOffset         = 0;
                schema.objectTypeNames.szObjectTypeName = null;

                if (false == Win32Native.AuthzInstallSecurityEventSource(0, schema))
                {
                    int error = Marshal.GetLastWin32Error();

                    if (error == Win32Native.ERROR_NOT_ENOUGH_MEMORY)
                    {
                        throw new OutOfMemoryException();
                    }
                    else if (error == Win32Native.ERROR_ACCESS_DENIED)
                    {
                        throw new UnauthorizedAccessException();
                    }
                    else if (error == Win32Native.ERROR_OBJECT_ALREADY_EXISTS)
                    {
                        throw new InvalidOperationException("Event source already exists");
                    }
                    else
                    {
                        throw new Win32Exception(error);
                    }
                }
            }
            catch (EntryPointNotFoundException)
            {
                throw new NotSupportedException("Platform not supported");
            }
        }
        public static void UninstallSecurityEventSource(string sourceName)
        {
            if (sourceName == null)
            {
                throw new ArgumentNullException(nameof(sourceName));
            }

            if (!SourceNameValidator.IsSourceNameValid(sourceName))
            {
                throw new ArgumentException("Invalid event source name", nameof(sourceName));
            }

            try
            {
                if (false == Win32Native.AuthzUninstallSecurityEventSource(0, sourceName))
                {
                    int error = Marshal.GetLastWin32Error();

                    if (error == Win32Native.ERROR_NOT_ENOUGH_MEMORY)
                    {
                        throw new OutOfMemoryException();
                    }
                    else if (error == Win32Native.ERROR_ACCESS_DENIED)
                    {
                        throw new UnauthorizedAccessException();
                    }
                    else if (error == Win32Native.ERROR_FILE_NOT_FOUND)
                    {
                        // swallow this exception
                        error = 0;
                    }
                    else
                    {
                        throw new Win32Exception(error);
                    }
                }
            }
            catch (EntryPointNotFoundException)
            {
                throw new NotSupportedException("Platform not supported");
            }
        }
Ejemplo n.º 5
0
        protected AuditProvider(AuditPolicy auditPolicy, string sourceName, LogLocation location)
        {
            if (auditPolicy == null)
            {
                throw new ArgumentNullException(nameof(auditPolicy));
            }

            if (sourceName == null)
            {
                throw new ArgumentNullException(nameof(sourceName));
            }

            if (!SourceNameValidator.IsSourceNameValid(sourceName))
            {
                throw new ArgumentException("Invalid event source name", nameof(sourceName));
            }

            if (location != LogLocation.ApplicationLog &&
                location != LogLocation.SecurityLog)
            {
                throw new ArgumentOutOfRangeException(nameof(location), "Invalid enum");
            }

            this.auditPolicy = auditPolicy;

            if (location == LogLocation.SecurityLog)
            {
                Privilege privilege = new Privilege(Privilege.Audit);

                try
                {
                    privilege.Enable();

                    if (false == Win32Native.AuthzRegisterSecurityEventSource(0, sourceName, ref this.securityLogHandle))
                    {
                        int error = Marshal.GetLastWin32Error();

                        if (error == Win32Native.ERROR_NOT_ENOUGH_MEMORY)
                        {
                            throw new OutOfMemoryException();
                        }
                        else if (error == Win32Native.ERROR_INVALID_PARAMETER)
                        {
                            // Marshaling failed!
                            throw new Win32Exception(error);
                        }
                        else if (error == Win32Native.ERROR_ACCESS_DENIED)
                        {
                            throw new UnauthorizedAccessException();
                        }
                        else if (error == Win32Native.ERROR_PRIVILEGE_NOT_HELD)
                        {
                            // Privilege should be enabled by now!
                            throw new PrivilegeNotHeldException(Privilege.Audit);
                        }
                        else
                        {
                            throw new Win32Exception(error);
                        }
                    }
                }
                catch (EntryPointNotFoundException)
                {
                    throw new NotSupportedException("Platform not supported");
                }
                finally
                {
                    privilege.Revert();
                }
            }
            else // application log
            {
                this.applicationLogHandle = Win32Native.RegisterEventSource(null, sourceName);

                if (this.applicationLogHandle.Equals(IntPtr.Zero))
                {
                    int error = Marshal.GetLastWin32Error();

                    if (error == Win32Native.ERROR_NOT_ENOUGH_MEMORY)
                    {
                        throw new OutOfMemoryException();
                    }
                    else if (error == Win32Native.ERROR_INVALID_PARAMETER)
                    {
                        // Marshaling failed!
                        throw new Win32Exception(error);
                    }
                    else if (error == Win32Native.ERROR_ACCESS_DENIED)
                    {
                        throw new UnauthorizedAccessException();
                    }
                    else
                    {
                        throw new Win32Exception(error);
                    }
                }
            }
        }