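        /// <summary>
        /// Reads the Windows Defender operational log with the given XPath filter and returns
        /// the detail parsed from the last record the reader yields.
        /// </summary>
        /// <param name="queryString">XPath event filter handed verbatim to <see cref="EventLogQuery"/>.
        /// Nothing is escaped here, so the caller must not assemble it from untrusted text.</param>
        /// <returns>The result of <c>ParseData</c> (defined elsewhere) for the last record, or for
        /// <c>null</c> when the query yields no record at all — that is the original contract.</returns>
        WindowsDefenderDetail GetDetail(string queryString)
        {
            var query = new EventLogQuery("Microsoft-Windows-Windows Defender/Operational", PathType.LogName, queryString);

            using (var reader = new EventLogReader(query))
            {
                EventRecord last = null;
                try
                {
                    // Walk to the end of the result set. Each superseded record is released as
                    // soon as it is replaced; the original overwrote the reference and left the
                    // native handle of every intermediate record to the finalizer.
                    EventRecord next;
                    while ((next = reader.ReadEvent()) != null)
                    {
                        if (last != null)
                        {
                            last.Dispose();
                        }
                        last = next;
                    }

                    return ParseData(last);
                }
                finally
                {
                    if (last != null)
                    {
                        last.Dispose();
                    }
                }
            }
        }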
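        /// <summary>
        /// Lazily fills the event grid the first time the second tab is selected: loads the
        /// Raccine events written to the Application log during the last 24 hours, newest first.
        /// </summary>
        /// <param name="sender">Tab control raising the event (unused).</param>
        /// <param name="e">Selection details (unused; the selected index is read from <c>tabControl1</c>).</param>
        private void tabControl1_Selected(object sender, TabControlEventArgs e)
        {
            if (tabControl1.SelectedIndex != 1 || dataGridView1.Rows.Count != 0)
            {
                return;
            }

            Cursor.Current = Cursors.WaitCursor;
            try
            {
                // Fixed XPath literal filtering on the provider name; nothing user-supplied is spliced in.
                EventLogQuery elQuery = new EventLogQuery("Application", PathType.LogName, "*[System/Provider/@Name=\"Raccine\"]");
                elQuery.ReverseDirection = true; // newest first, so the first record outside the window ends the scan

                List<EventRecord> eventList = new List<EventRecord>();
                try
                {
                    using (var elReader = new System.Diagnostics.Eventing.Reader.EventLogReader(elQuery))
                    {
                        EventRecord eventInstance;
                        // Every record is inspected, including the first one: the original read it
                        // and immediately overwrote it with the next read, dropping the newest event.
                        while ((eventInstance = elReader.ReadEvent()) != null)
                        {
                            if (eventInstance.TimeCreated == null)
                            {
                                eventInstance.Dispose();
                                continue;
                            }

                            // Age of the record. The original computed TimeCreated - Now, which is
                            // negative for every past event, so "< 1 day" held for the whole log
                            // and the scan never stopped.
                            TimeSpan age = DateTime.Now - (DateTime)eventInstance.TimeCreated;
                            if (age.TotalDays >= 1)
                            {
                                eventInstance.Dispose();
                                break;
                            }

                            eventList.Add(eventInstance);
                        }
                    }

                    dataGridView1.Columns.Add("TimeCreated", "TimeCreated");
                    dataGridView1.Columns.Add("EventData", "EventData");
                    foreach (EventRecord evt in eventList)
                    {
                        int rowId = dataGridView1.Rows.Add();

                        // Grab the new row!
                        DataGridViewRow row = dataGridView1.Rows[rowId];

                        // Add the data
                        row.Cells["TimeCreated"].Value = evt.TimeCreated;
                        row.Cells["EventData"].Value   = evt.FormatDescription();
                    }
                }
                finally
                {
                    // The cells hold the timestamp and the formatted string, not the record,
                    // so the native handles can be released here (the original never did).
                    foreach (EventRecord evt in eventList)
                    {
                        evt.Dispose();
                    }
                }
            }
            finally
            {
                // Restore the cursor even when the read or the grid update throws.
                Cursor.Current = Cursors.Default;
            }
        }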
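        /// <summary>
        /// Smoke test for the reader loop: prints up to <c>maxEvents</c> records of the
        /// Application log to the console, newest first. All inputs are hard-coded locals.
        /// </summary>
        private static void TestEventRead()
        {
            string logName = "Application", searchString = null, xPathQuery = null;
            int    maxEvents       = 100;
            bool   searchUseRegExp = false;

            using (EventLogSession eventLogSession = new EventLogSession())
            {
                // Only the optional XPath filter differs between the two constructor forms;
                // session and flags are the same either way.
                EventLogQuery eventLogQuery = string.IsNullOrWhiteSpace(xPathQuery)
                    ? new EventLogQuery(logName, PathType.LogName)
                    : new EventLogQuery(logName, PathType.LogName, xPathQuery);
                eventLogQuery.Session             = eventLogSession;
                eventLogQuery.TolerateQueryErrors = true;
                eventLogQuery.ReverseDirection    = true;

                // Built once instead of on every record: a plain search term is escaped so it
                // is matched literally, a regular expression is used as given.
                string pattern = string.IsNullOrWhiteSpace(searchString)
                    ? null
                    : (searchUseRegExp ? searchString : Regex.Escape(searchString));

                int eventReadCounter = maxEvents;
                using (EventLogReader eventLogReader = new EventLogReader(eventLogQuery))
                {
                    // With ReverseDirection set, Begin is the newest record.
                    eventLogReader.Seek(System.IO.SeekOrigin.Begin, 0);
                    while (eventReadCounter > 0)
                    {
                        EventRecord eventData = eventLogReader.ReadEvent();
                        if (eventData == null)
                        {
                            break;
                        }

                        // Released even when FormatDescription throws; the original disposed
                        // only on the happy path.
                        using (eventData)
                        {
                            // FormatDescription can return null (no message resource), and
                            // Regex.IsMatch throws on a null input.
                            string description = eventData.FormatDescription() ?? "";
                            if (pattern == null)
                            {
                                // NOTE(review): KeywordsDisplayNames is a collection, so this
                                // interpolation prints its type name rather than the keywords, as
                                // the original did.
                                Console.WriteLine($"{eventData.TimeCreated}: {description}, {eventData.KeywordsDisplayNames}");
                                eventReadCounter--;
                            }
                            else if (Regex.IsMatch(description, pattern, RegexOptions.IgnoreCase))
                            {
                                Console.WriteLine($"{eventData.TimeCreated}: {description}");
                                eventReadCounter--;
                            }
                        }
                    }
                }
            }
        }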
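        /// <summary>
        /// Searches the Security log of every domain controller in the current domain for
        /// logon events (4624) matching one field and prints each match.
        /// </summary>
        /// <param name="args">
        /// <c>args[0]</c>: the field to match — a member name of the <c>Options</c> enum whose
        /// numeric value indexes the query table (username, domain, ip);
        /// <c>args[1]</c>: the value to look for.
        /// </param>
        static void Main(string[] args)
        {
            string[] queryString = new string[]
            {
                "*[System[(EventID=4624)] and EventData[Data[@Name=\"TargetUserName\"]=\"{0}\"]]",
                "*[System[(EventID=4624)] and EventData[Data[@Name=\"TargetDomainName\"]=\"{0}\"]]",
                "*[EventData[Data[@Name=\"IpAddress\"] and(Data=\"{0}\")]]"
            };

            // The original read args[1] before checking anything, so a missing argument
            // crashed with IndexOutOfRangeException instead of printing usage.
            if (args.Length < 2)
            {
                Console.WriteLine("Usage: <username|domain|ip> <value>");
                return;
            }

            if (!Enum.IsDefined(typeof(Options), args[0]))
            {
                Console.WriteLine("Invalid Option: username, domain, ip");
                return;
            }
            string search = args[1];

            // The value is spliced into a double-quoted XPath string literal, and XPath 1.0
            // has no escape for the quote character: a quote would end the literal and turn
            // the rest of the value into query syntax. Refuse it rather than guess.
            if (search.IndexOf('"') >= 0)
            {
                Console.WriteLine("Invalid search value: double quotes are not allowed");
                return;
            }
            Console.WriteLine("Searching for '{0}'", search);

            int index = (int)Enum.Parse(typeof(Options), args[0]);

            string query = String.Format(queryString[index], search);

            Console.WriteLine("Querying: {0}", query);
            foreach (DomainController target in Domain.GetCurrentDomain().DomainControllers)
            {
                try
                {
                    Console.WriteLine("Parsing {0} ({1}) logs", target.IPAddress, target.Name);
                    // The session is a remote connection to the DC; the original never released
                    // it or the reader, so each one lived until process exit.
                    using (EventLogSession els = new EventLogSession(target.Name))
                    {
                        EventLogQuery logQuery = new EventLogQuery("Security", PathType.LogName, query);
                        logQuery.Session = els;

                        using (EventLogReader elr = new EventLogReader(logQuery))
                        {
                            EventRecord er;
                            while ((er = elr.ReadEvent()) != null)
                            {
                                using (er)
                                {
                                    Console.WriteLine(er.FormatDescription() + "\r\n-----------------------------------\r\n");
                                }
                            }
                        }
                    }
                }
                catch (Exception e)
                {
                    // Best effort per controller: an unreachable or access-denied DC is
                    // reported and the remaining controllers are still queried.
                    Console.WriteLine("Error: {0}", e.Message);
                }
            }
        }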
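        /// <summary>
        /// Polls the Application log for the newest Raccine event and, when it is recent and
        /// not the one already shown, opens the alert dialog for it.
        /// </summary>
        public static void DoWork()
        {
            // Fixed XPath literal filtering on the provider name; nothing user-supplied is spliced in.
            EventLogQuery elQuery = new EventLogQuery("Application", PathType.LogName, "*[System/Provider/@Name=\"Raccine\"]");

            elQuery.ReverseDirection = true; // newest first, so a single read yields the latest event
            using (var elReader = new System.Diagnostics.Eventing.Reader.EventLogReader(elQuery))
            {
                EventRecord eventInstance = null;
                try
                {
                    eventInstance = elReader.ReadEvent();
                    if (eventInstance == null || eventInstance.TimeCreated == null)
                    {
                        return;
                    }

                    // Age of the record. The original computed TimeCreated - Now, which is
                    // negative for every past event, so the "recent" check never rejected anything.
                    TimeSpan age = DateTime.Now - (DateTime)eventInstance.TimeCreated;
                    if (age.TotalDays < 2)  // it should be recent
                    {
                        // if we already saw an event, don't show it again. wait for a new one.
                        // NOTE(review): kept exactly as written. lastEventTimeGenerated belongs to
                        // WatcherThread and is not assigned here (the assignment is commented out),
                        // so whether this comparison dedupes as intended depends on code not visible here.
                        if ((WatcherThread.lastEventTimeGenerated == null) ||
                            WatcherThread.lastEventTimeGenerated != null &&
                            (((TimeSpan)(WatcherThread.lastEventTimeGenerated - (DateTime)eventInstance.TimeCreated)).TotalMinutes > 0))
                        {
                            frmAlert frmAlertInstance = new frmAlert(eventInstance);
                            //WatcherThread.lastEventTimeGenerated = eventInstance.TimeCreated;
                            frmAlertInstance.ShowDialog();
                        }
                    }
                }
                finally
                {
                    // The dialog receives the record, so it is released only after ShowDialog returns.
                    if (eventInstance != null)
                    {
                        eventInstance.Dispose();
                    }
                }
            }
        }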
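        /// <summary>
        /// Exports every event log file found in <c>virtualPath</c> to <c>Events.xml</c> in the
        /// working directory: one <c>&lt;EventLog&gt;</c> element per file, each record as the
        /// XML the event log API renders for it.
        /// </summary>
        /// <param name="args">Unused.</param>
        static void Main(string[] args)
        {
            var dirInfo  = new DirectoryInfo(virtualPath);
            var fileList = dirInfo.GetFiles();

            // Disposing the writer flushes it and closes the stream; the original closed the
            // stream by hand and skipped the writer's own buffer on the error path.
            using (var outputStream = new FileStream("Events.xml", FileMode.Create, FileAccess.ReadWrite))
            using (var outputWriter = new StreamWriter(outputStream))
            {
                outputWriter.WriteLine("<?xml version=\"1.0\" encoding=\"UTF-8\"?>");
                outputWriter.WriteLine("<Logs>");

                foreach (var logFile in fileList)
                {
                    // Created before the query so it is never null when the records are written
                    // out below. The original created it after the reader and hit a
                    // NullReferenceException in its finally block whenever the reader's
                    // constructor threw, hiding the real error.
                    var  xmlRecords   = new List<string>();
                    bool accessDenied = false;

                    try
                    {
                        // actualPath and queryString are defined elsewhere in the program.
                        var logQuery = new EventLogQuery(string.Format("{0}{1}", actualPath, logFile.Name), PathType.FilePath, queryString);
                        using (var logReader = new EventLogReader(logQuery))
                        {
                            EventRecord logRecord;
                            while ((logRecord = logReader.ReadEvent()) != null)
                            {
                                // Release each record once rendered; the original only disposed
                                // the last reference, which is null by the time the loop ends.
                                using (logRecord)
                                {
                                    xmlRecords.Add(logRecord.ToXml());
                                }
                            }
                        }
                    }
                    catch (UnauthorizedAccessException ex)
                    {
                        Console.ForegroundColor = ConsoleColor.DarkRed;
                        Console.Write(ex.GetType());
                        Console.ForegroundColor = ConsoleColor.Red;
                        Console.WriteLine(": {0}", ex.Message);

                        Console.WriteLine();
                        Console.ForegroundColor = ConsoleColor.White;
                        Console.WriteLine("This program requires administrative rights in order to function.");
                        Console.WriteLine("Please right click on the executable and select Run as Administrator.");
                        Console.ForegroundColor = ConsoleColor.Gray;

                        accessDenied = true;
                    }
                    catch (EventLogException ex)
                    {
                        Console.ForegroundColor = ConsoleColor.DarkRed;
                        Console.Write(ex.GetType());
                        Console.ForegroundColor = ConsoleColor.Red;
                        Console.WriteLine(": {0}", ex.Message);
                        Console.ForegroundColor = ConsoleColor.Gray;
                    }

                    // Whatever was read before an error is still written out, as before.
                    if (xmlRecords.Count > 0)
                    {
                        // The log name becomes an attribute value, so it is XML-escaped (file
                        // names may contain '&'). The on-disk names spell the channel's '/' as
                        // "%4". GetFileNameWithoutExtension replaces the original
                        // Name.Replace(Extension, ""), which threw on a file without extension.
                        string logName = Path.GetFileNameWithoutExtension(logFile.Name).Replace("%4", "/");
                        outputWriter.WriteLine("\t<EventLog LogName=\"{0}\">", System.Security.SecurityElement.Escape(logName));
                        foreach (string record in xmlRecords)
                        {
                            outputWriter.WriteLine("\t\t{0}", record);
                        }

                        outputWriter.WriteLine("\t</EventLog>");
                        outputWriter.Flush();
                    }

                    if (accessDenied)
                    {
                        // Same as the original: stop after the first access-denied file but
                        // still close the document below.
                        break;
                    }
                }

                outputWriter.WriteLine("</Logs>");
                outputWriter.Flush();
            }

            Console.ForegroundColor = ConsoleColor.Yellow;
            Console.WriteLine("This program has created a file called Events.xml, located within the same folder you ran this program from.");
            Console.WriteLine("You'll need to send me the xml file.");
            Console.WriteLine();
            Console.ForegroundColor = ConsoleColor.Gray;
            Console.Write("Press any key to exit.");
            Console.Read();
        }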
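        /// <summary>
        /// Reads the local <c>LogName</c> event log, newest first, and returns up to
        /// <c>MaxEvents</c> records (scanning at most <c>MaxSearchEvents</c>) whose formatted
        /// description matches the optional <c>SearchString</c>.
        /// </summary>
        /// <param name="inputDataItems">Unused; the query is driven by the module's properties.</param>
        /// <returns>
        /// A one-element array. On failure the element carries an empty list, the exception's
        /// <c>HResult</c> as <c>ErrorCode</c> and the error text; the same error is also passed
        /// to <c>ModuleErrorSignalReceiver</c>.
        /// </returns>
        protected override EventListDataItem[] GetOutputData(DataItemBase[] inputDataItems)
        {
            try
            {
                using (EventLogSession eventLogSession = new EventLogSession())
                {
                    // Only the optional XPath filter differs between the two constructor forms;
                    // session and flags are the same. XPathQuery is passed verbatim, so it has to
                    // come from trusted configuration, not from a request.
                    EventLogQuery eventLogQuery = string.IsNullOrWhiteSpace(XPathQuery)
                        ? new EventLogQuery(LogName, PathType.LogName)
                        : new EventLogQuery(LogName, PathType.LogName, XPathQuery);
                    eventLogQuery.Session             = eventLogSession;
                    eventLogQuery.TolerateQueryErrors = true;
                    eventLogQuery.ReverseDirection    = true;

                    // Built once per call instead of once per record: a plain search term is
                    // escaped and matched literally, a regular expression is used as given.
                    string pattern = string.IsNullOrWhiteSpace(SearchString)
                        ? null
                        : (SearchUseRegExp ? SearchString : Regex.Escape(SearchString));

                    int returnedEventsCounter = MaxEvents;
                    int searchedEventsCounter = MaxSearchEvents;
                    List<EventInfo> eventList = new List<EventInfo>(MaxEvents);
                    using (EventLogReader eventLogReader = new EventLogReader(eventLogQuery))
                    {
                        eventLogReader.Seek(System.IO.SeekOrigin.Begin, 0); // from latest event to the past. ReverseDirection swaps End and Begin for seek method
                        while (returnedEventsCounter > 0 && searchedEventsCounter > 0)
                        {
                            EventRecord eventData = eventLogReader.ReadEvent();
                            searchedEventsCounter--;
                            if (eventData == null)
                            {
                                break;
                            }

                            // Released even if FormatDescription or CreateEventInfo throws; the
                            // original disposed only on the happy path.
                            using (eventData)
                            {
                                // FormatDescription can be null (no message resource); treat that
                                // as an empty description instead of letting Regex.IsMatch throw.
                                bool matches = pattern == null
                                    || Regex.IsMatch(eventData.FormatDescription() ?? "", pattern, RegexOptions.IgnoreCase);
                                if (matches)
                                {
                                    eventList.Add(CreateEventInfo(eventData));
                                    returnedEventsCounter--;
                                }
                            }
                        }
                    }

                    return new EventListDataItem[]
                    {
                        new EventListDataItem(new EventList
                        {
                            Events = eventList,
                            ErrorCode = 0,
                            ErrorMessage = ""
                        })
                    };
                }
            }
            catch (Exception e)
            {
                // One text for both the signal and the returned item; the original left a
                // blank log name in the returned message when LogName was null.
                string message = $"Failed to query local {LogName ?? "NULL"} event log using {XPathQuery ?? "NULL"} XPath query: {e.Message}";
                ModuleErrorSignalReceiver(ModuleErrorSeverity.DataLoss, ModuleErrorCriticality.Continue, e, message);
                return new EventListDataItem[]
                {
                    new EventListDataItem(new EventList
                    {
                        Events = new List<EventInfo>(),
                        ErrorCode = e.HResult,
                        ErrorMessage = message
                    })
                };
            }
        }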