public static Address Probe(IPAddress address) { log.DebugFormat("Probing address {0}", address.ToString()); // this is the list of users found on that ip address Address result = new Address(); { result.IP = address; } // issue WMI request to the remote IP ManagementScope scope = new ManagementScope(@"\\" + address.ToString() + @"\root\cimv2"); ObjectQuery query = new ObjectQuery("select * from win32_process"); log.DebugFormat("Creating management searcher with scope {0}, query {1}", scope.Path, query.QueryString); using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(scope, query)) { foreach (ManagementObject mo in searcher.Get()) { string processName = mo["name"].ToString(); if (!processName.EndsWith("explorer.exe")) { continue; } User user = Prober.ConstructUser(mo); { // for debug user.DebugProbedIpAddress = address.ToString(); // log it log.DebugFormat("Found user {0}\\{1} in process {2}", user.Domain, user.Name, user.DebugProbedProcessPath); } result.Users.Add(user); } } // log it again log.DebugFormat("Address {0} probed successfully, found {1} users.", address.ToString(), result.Users.Count); // and return nicely return(result); }
private void HandleLogonEvent(EventLogEntry entry) { // get the activity LoggedOn activity = new LoggedOn(); { var parser = new ActivityParser(); { if (!parser.ParseLogon(entry, activity)) { return; } } } // local activities are not interesting if (activity.Local) { return; } // when there is a logon, we *always* do probing Address address = Prober.Probe(activity.Network_Address); if (address != null) { // we probed successfully, update the storage _storage.Insert(address); } // and trace it Trace.TraceInformation( "Updater - processed logon activity of {0}\\{1} on {2}", activity.Account_Domain, activity.Account_Name, activity.Network_Address ); }
public static List <Address> Probe(Workstation workstation) { // this is the result List <Address> result = new List <Address>(); try { log.DebugFormat("Resolving workstation {0}", workstation.DnsHostName); // get host entry (this clears DNS cache in .net too) var hostenry = Dns.GetHostEntry(workstation.DnsHostName); // get addresses var addresses = hostenry.AddressList; { log.DebugFormat("Workstation {0} was resolved into {1} IP addresses", workstation.DnsHostName, addresses.Length); foreach (IPAddress ip in addresses) { log.DebugFormat("Workstation {0} has address {1}", workstation.DnsHostName, ip.ToString()); } } // resolve the workstation name, get all addresses from it foreach (IPAddress ip in addresses) { Address address = Prober.Probe(ip); if (address.Users.Count == 0) { // log it log.DebugFormat("Probing of address {0} for workstation {1} indicated the number of logged in users are 0, skipping it.", ip.ToString(), workstation.DnsHostName); // there are no one logged on on that IP, skip it then continue;; } // debug check we have filled in the address itself Debug.Assert(address.IP == ip); Debug.Assert(address.Users.Count > 0); // assign some other fields for reference address.DistinguishedName = workstation.DistinguishedName; address.CommonName = workstation.CommonName; address.DnsHostName = workstation.DnsHostName; address.LastLogon = workstation.LastLogon; address.Name = workstation.Name; // log it log.DebugFormat("Address {0} was probed successfully, {1} users found. Adding it to the storage.", ip.ToString(), address.Users.Count); // and add this address result.Add(address); } } catch (Exception e) { log.WarnFormat("Probe failed for workstation {0}. Error: {1}", workstation.DnsHostName, e.Message); } // and return (possibly empty) list return(result); }