private void StartButton_Click(object sender, RoutedEventArgs e) { workerConfigs configs = new workerConfigs(); configs.LogPermittedApps = PermittedsCheckBox.IsChecked.GetValueOrDefault(); configs.LogBlockedApp = BlockedsCheckBox.IsChecked.GetValueOrDefault(); configs.LiveLog = LiveLogsCheckBox.IsChecked.GetValueOrDefault(); configs.Max = FarayanUtility.TryParseInt(MaxRecordsCountTextBox.Text).GetValueOrDefault().EnsureBetween(100, 100_000); StartButton.IsEnabled = false; PermittedsCheckBox.IsEnabled = false; BlockedsCheckBox.IsEnabled = false; LiveLogsCheckBox.IsEnabled = false; TheBackgroundWorker = new BackgroundWorker(); TheBackgroundWorker.WorkerReportsProgress = true; TheBackgroundWorker.DoWork += TheBackgroundWorker_DoWork; TheBackgroundWorker.ProgressChanged += TheBackgroundWorker_ProgressChanged; TheBackgroundWorker.RunWorkerCompleted += TheBackgroundWorker_RunWorkerCompleted; TheBackgroundWorker.RunWorkerAsync(configs); }
private void TheBackgroundWorker_DoWork(object sender, DoWorkEventArgs e) { List <string> messages = new List <string>(); workerConfigs configs = (workerConfigs)e.Argument; List <string> apps = new List <string>(); Dictionary <string, List <string> > taskApps = new Dictionary <string, List <string> >(); int parsed = 0; if (!configs.LogBlockedApp && !configs.LogPermittedApps) { return; } using (var reader = new EventLogReader(@"C:\WINDOWS\System32\winevt\Logs\Security.evtx", PathType.FilePath)) { EventRecord record; while ((record = reader.ReadEvent()) != null && parsed < configs.Max) { parsed++; using (record) { string description = record.FormatDescription(); Logger.Value.Debug($"Index: {parsed}."); string message = description.SplitToNonEmptyParts('\n').FirstOrDefault(); if (message.IsUsable() && !messages.Contains(message)) { messages.Add(message); } if (configs.LiveLog) { TheBackgroundWorker.ReportProgress(parsed * 100 / configs.Max, description); } var firstLine = description.SplitToNonEmptyParts("\n\n").First(); bool firewallBlocked = description.StartsWith("The Windows Filtering Platform has blocked a connection."); bool firewallPermitted = description.StartsWith("The Windows Filtering Platform has permitted a connection."); //if (!configs.LogBlockedApp) { // if (firewallBlocked) { // Logger.Value.Debug($"Parsed: {parsed}. Skip because App bloked but config does not allow us to process blocked apps"); // continue; // } //} //if (!configs.LogPermittedApps) { // if (firewallPermitted) { // Logger.Value.Debug($"Parsed: {parsed}. Skip because App permitted but config does not allow us to process permitted apps"); // continue; // } //} var app = Regex.Match(description, "Application Name\\: (?<app>[^\n\r]*)").Groups["app"].Value; if (app.IsUsable()) { for (int counter = 0; counter < 10; counter++) { if (app.StartsWith($@"\device\harddiskvolume{counter}\")) { app = app.Substring($@"\device\harddiskvolume{counter}\".Length); char[] drives = "abcdefghijklmnopqrstuvxyz".ToArray(); foreach (var drive in drives) { if (File.Exists(drive + ":\\" + app)) { app = drive + ":\\" + app; app = new FileInfo(app).FullName; break; } } } } //if (firewallPermitted) // app = "(Permitted)\t" + app; //if (firewallBlocked) // app = "(Blocked)\t" + app; //if (!apps.Contains(app)) // apps.Add(app); if (!taskApps.ContainsKey(firstLine)) { taskApps.Add(firstLine, new List <string>()); } if (!taskApps[firstLine].Contains(app)) { taskApps[firstLine].Add(app); } Logger.Value.Info($"Parsed: {parsed}. Adding {app}"); } else { Logger.Value.Debug($"Parsed: {parsed}. App is null"); } TheBackgroundWorker.ReportProgress(parsed * 100 / configs.Max, taskApps); } } } TheBackgroundWorker.ReportProgress(100, taskApps); }