private void LogProcesses()
{
processList.RemoveAll(pi => DateTime.Now.Subtract(pi.CreateTime).TotalMinutes > 2);
bool itemDequeued = false;
do
{
itemDequeued = false;
if (elevatedProcessList.Count > 0)
{
ElevatedProcessInformation nextProcess = elevatedProcessList.Peek();
if (DateTime.Now.Subtract(nextProcess.CreateTime).TotalSeconds >= 60)
{
// TODO: Process has been in the queue longer than 60 seconds. Log that it could not be matched, and move on.
elevatedProcessList.Dequeue();
itemDequeued = true;
}
else
{
nextProcess = elevatedProcessList.Dequeue();
itemDequeued = true;
processList.FindAll(p => (p.ProcessID == nextProcess.ProcessID) && (p.SessionID == nextProcess.SessionID)).ForEach(action =>
{
LoggingProvider.Log.ElevatedProcessDetected(nextProcess.ElevationType, action);
});
}
}
} while ((itemDequeued) && (elevatedProcessList.Count > 0));
}
private void Dynamic_All(Microsoft.Diagnostics.Tracing.TraceEvent obj)
{
if ((obj.Opcode == Microsoft.Diagnostics.Tracing.TraceEventOpcode.Start) && (string.Compare(obj.TaskName, "ProcessStart", true) == 0))
{
int processIsElevated = 0;
int processElevationType = 0;
int processId = int.MinValue;
int sessionId = int.MinValue;
DateTime createTime = DateTime.MinValue;
int index = int.MinValue;
index = obj.PayloadIndex("ProcessTokenIsElevated");
if (index >= 0)
{
processIsElevated = (int)obj.PayloadValue(index);
}
if (processIsElevated == 1)
{
index = obj.PayloadIndex("ProcessID");
if (index >= 0)
{
processId = (int)obj.PayloadValue(index);
}
ElevatedProcessInformation elevatedProcess = new ElevatedProcessInformation
{
ProcessID = processId
};
index = obj.PayloadIndex("ProcessTokenElevationType");
if (index >= 0)
{
processElevationType = (int)obj.PayloadValue(index);
elevatedProcess.ElevationType = (TokenElevationType)processElevationType;
}
index = obj.PayloadIndex("SessionID");
if (index >= 0)
{
sessionId = (int)obj.PayloadValue(index);
elevatedProcess.SessionID = sessionId;
}
index = obj.PayloadIndex("CreateTime");
if (index >= 0)
{
createTime = (DateTime)obj.PayloadValue(index);
elevatedProcess.CreateTime = createTime;
}
// Determine whether the process should be logged. It should be logged if
// 1. The process logging setting is set to always, or
// 2. The process logging is set to "Only When Admin" and the user is in the admins group.
bool processShouldBeLogged = (Settings.LogElevatedProcesses == ElevatedProcessLogging.Always);
if (Settings.LogElevatedProcesses == ElevatedProcessLogging.OnlyWhenAdmin)
{
NetNamedPipeBinding binding = new NetNamedPipeBinding(NetNamedPipeSecurityMode.Transport);
ChannelFactory <IAdminGroup> namedPipeFactory = new ChannelFactory <IAdminGroup>(binding, Settings.NamedPipeServiceBaseAddress);
IAdminGroup channel = namedPipeFactory.CreateChannel();
processShouldBeLogged = channel.UserSessionIsInList(elevatedProcess.SessionID);
namedPipeFactory.Close();
}
if (processShouldBeLogged)
{
elevatedProcessList.Enqueue(elevatedProcess);
}
}
}
}
