/// <summary>
/// Drains the queue of elevated-process start events and logs each one that can be
/// matched against an entry of <c>processList</c> with the same process id and session id.
/// Entries of <c>processList</c> older than two minutes are pruned first; queued elevated
/// entries older than 60 seconds are dropped without being logged (no "could not be
/// matched" log call exists yet, see the TODO below).
/// </summary>
/// <remarks>
/// Matching uses process id plus session id only, so a process id recycled inside the
/// two-minute window could be attributed to the wrong entry. Ages are measured against
/// <see cref="DateTime.Now"/>, so a local clock or DST change shifts both cut-offs.
/// </remarks>
private void LogProcesses()
{
    // Prune stale process records before attempting any match.
    processList.RemoveAll(info => DateTime.Now.Subtract(info.CreateTime).TotalMinutes > 2);

    // Every iteration removes the head of the queue, so the loop terminates when it is empty.
    while (elevatedProcessList.Count > 0)
    {
        ElevatedProcessInformation elevated = elevatedProcessList.Dequeue();
        double ageInSeconds = DateTime.Now.Subtract(elevated.CreateTime).TotalSeconds;

        if (ageInSeconds >= 60)
        {
            // TODO: the entry waited longer than 60 seconds without a match and is dropped
            // here silently; a "could not be matched" log call belongs at this point.
            continue;
        }

        var matches = processList.FindAll(
            candidate => candidate.ProcessID == elevated.ProcessID
                         && candidate.SessionID == elevated.SessionID);

        foreach (var match in matches)
        {
            LoggingProvider.Log.ElevatedProcessDetected(elevated.ElevationType, match);
        }
    }
}
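/// <summary>
/// Callback for every event delivered by the dynamic ETW parser. Only <c>ProcessStart</c>
/// events with opcode <see cref="Microsoft.Diagnostics.Tracing.TraceEventOpcode.Start"/>
/// whose <c>ProcessTokenIsElevated</c> payload equals 1 are considered; those are queued on
/// <c>elevatedProcessList</c> when <c>Settings.LogElevatedProcesses</c> allows it.
/// </summary>
/// <param name="obj">The trace event to inspect.</param>
/// <remarks>
/// A payload field that is absent from the event leaves the corresponding property of the
/// queued entry at its default (<c>ProcessID</c> falls back to <see cref="int.MinValue"/>).
/// With the <c>OnlyWhenAdmin</c> setting the decision is delegated over a named pipe to
/// <c>IAdminGroup.UserSessionIsInList</c>; if that call fails the exception propagates to
/// the ETW dispatcher, but the channel factory is aborted first so no WCF resources leak.
/// </remarks>
private void Dynamic_All(Microsoft.Diagnostics.Tracing.TraceEvent obj)
{
    if (obj.Opcode != Microsoft.Diagnostics.Tracing.TraceEventOpcode.Start)
    {
        return;
    }

    // The task name is a protocol identifier, not user text: compare ordinally instead of
    // with the culture-sensitive string.Compare(..., ignoreCase: true) used previously.
    if (!string.Equals(obj.TaskName, "ProcessStart", StringComparison.OrdinalIgnoreCase))
    {
        return;
    }

    int processIsElevated;
    if (!TryGetPayload(obj, "ProcessTokenIsElevated", out processIsElevated) || processIsElevated != 1)
    {
        return;
    }

    // A missing ProcessID payload keeps the int.MinValue sentinel, as before.
    int processId;
    if (!TryGetPayload(obj, "ProcessID", out processId))
    {
        processId = int.MinValue;
    }

    ElevatedProcessInformation elevatedProcess = new ElevatedProcessInformation { ProcessID = processId };

    int elevationType;
    if (TryGetPayload(obj, "ProcessTokenElevationType", out elevationType))
    {
        elevatedProcess.ElevationType = (TokenElevationType)elevationType;
    }

    int sessionId;
    if (TryGetPayload(obj, "SessionID", out sessionId))
    {
        elevatedProcess.SessionID = sessionId;
    }

    DateTime createTime;
    if (TryGetPayload(obj, "CreateTime", out createTime))
    {
        elevatedProcess.CreateTime = createTime;
    }

    if (ShouldLogElevatedProcess(elevatedProcess.SessionID))
    {
        elevatedProcessList.Enqueue(elevatedProcess);
    }
}

/// <summary>
/// Reads the payload field <paramref name="name"/> of <paramref name="obj"/> and unboxes it
/// as <typeparamref name="T"/>.
/// </summary>
/// <returns><c>true</c> when the field exists; <c>false</c> (with <paramref name="value"/>
/// left at its default) when <c>PayloadIndex</c> reports it absent.</returns>
private static bool TryGetPayload<T>(Microsoft.Diagnostics.Tracing.TraceEvent obj, string name, out T value)
{
    value = default(T);
    int index = obj.PayloadIndex(name);
    if (index < 0)
    {
        return false;
    }

    // Same unboxing cast the original code performed; a mismatched payload type throws here.
    value = (T)obj.PayloadValue(index);
    return true;
}

/// <summary>
/// Decides whether an elevated process should be queued for logging:
/// <c>Always</c> logs unconditionally, <c>OnlyWhenAdmin</c> asks the named-pipe service
/// whether the user of <paramref name="sessionId"/> is in the admins list, any other
/// setting logs nothing.
/// </summary>
/// <param name="sessionId">Session id of the newly started process.</param>
/// <exception cref="CommunicationException">Propagated from the named-pipe call; the
/// factory is aborted before rethrowing.</exception>
private bool ShouldLogElevatedProcess(int sessionId)
{
    if (Settings.LogElevatedProcesses == ElevatedProcessLogging.Always)
    {
        return true;
    }

    if (Settings.LogElevatedProcesses != ElevatedProcessLogging.OnlyWhenAdmin)
    {
        return false;
    }

    NetNamedPipeBinding binding = new NetNamedPipeBinding(NetNamedPipeSecurityMode.Transport);
    ChannelFactory<IAdminGroup> namedPipeFactory =
        new ChannelFactory<IAdminGroup>(binding, Settings.NamedPipeServiceBaseAddress);

    try
    {
        IAdminGroup channel = namedPipeFactory.CreateChannel();
        bool userSessionIsAdmin = channel.UserSessionIsInList(sessionId);
        namedPipeFactory.Close();
        return userSessionIsAdmin;
    }
    catch
    {
        // Close() throws on a faulted factory; Abort() releases the channel unconditionally,
        // so the factory is never leaked when the pipe call fails.
        namedPipeFactory.Abort();
        throw;
    }
}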