public static Dictionary <AuditEventPolicy, AuditEventStatus> GetPolicies() { Dictionary <AuditEventPolicy, AuditEventStatus> result = new Dictionary <AuditEventPolicy, AuditEventStatus>(); LSA_OBJECT_ATTRIBUTES objAttrs = new LSA_OBJECT_ATTRIBUTES(); IntPtr hPolicy = IntPtr.Zero; IntPtr pInfo = IntPtr.Zero; IntPtr pGuid = IntPtr.Zero; UInt32 lrc = LsaOpenPolicy(null, ref objAttrs, POLICY_VIEW_AUDIT_INFORMATION, out hPolicy); uint code = LsaNtStatusToWinError(lrc); if (code != 0) { throw new System.ComponentModel.Win32Exception((int)code); } try { // // Query the policy // lrc = LsaQueryInformationPolicy(hPolicy, POLICY_INFORMATION_CLASS.PolicyAuditEventsInformation, out pInfo); code = LsaNtStatusToWinError(lrc); if (code != 0) { throw new System.ComponentModel.Win32Exception((int)code); } POLICY_AUDIT_EVENTS_INFO info = new POLICY_AUDIT_EVENTS_INFO(); info = (POLICY_AUDIT_EVENTS_INFO)Marshal.PtrToStructure(pInfo, info.GetType()); // // Iterate through the event types // for (UInt32 eventType = 0; eventType < info.MaximumAuditEventCount; eventType++) { pGuid = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(GUID))); if (AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)eventType, pGuid)) { IntPtr itemPtr = new IntPtr(info.EventAuditingOptions.ToInt64() + (Int64)eventType * (Int64)Marshal.SizeOf(typeof(UInt32))); UInt32 status = 0; status = (UInt32)Marshal.PtrToStructure(itemPtr, status.GetType()); result.Add((AuditEventPolicy)eventType, (AuditEventStatus)(status & 0x3)); Marshal.FreeHGlobal(pGuid); pGuid = IntPtr.Zero; } else { throw new System.ComponentModel.Win32Exception(GetLastError()); } } } finally { // // Cleanup // if (pInfo != IntPtr.Zero) { LsaFreeMemory(pInfo); } if (pGuid != IntPtr.Zero) { Marshal.FreeHGlobal(pGuid); } LsaClose(hPolicy); } return(result); }
public static Dictionary <AuditEventPolicy, Dictionary <String, AuditEventStatus> > GetSubcategoryPolicies() { Dictionary <AuditEventPolicy, Dictionary <String, AuditEventStatus> > result = new Dictionary <AuditEventPolicy, Dictionary <String, AuditEventStatus> >(); LSA_OBJECT_ATTRIBUTES objAttrs = new LSA_OBJECT_ATTRIBUTES(); IntPtr hPolicy = IntPtr.Zero; IntPtr pInfo = IntPtr.Zero; IntPtr pGuid = IntPtr.Zero; IntPtr pAuditPolicies = IntPtr.Zero; IntPtr pSubcategories = IntPtr.Zero; UInt32 lrc = LsaOpenPolicy(null, ref objAttrs, POLICY_VIEW_AUDIT_INFORMATION, out hPolicy); uint code = LsaNtStatusToWinError(lrc); if (code != 0) { throw new System.ComponentModel.Win32Exception((int)code); } try { // // Query the policy // lrc = LsaQueryInformationPolicy(hPolicy, POLICY_INFORMATION_CLASS.PolicyAuditEventsInformation, out pInfo); code = LsaNtStatusToWinError(lrc); if (code != 0) { throw new System.ComponentModel.Win32Exception((int)code); } POLICY_AUDIT_EVENTS_INFO info = new POLICY_AUDIT_EVENTS_INFO(); info = (POLICY_AUDIT_EVENTS_INFO)Marshal.PtrToStructure(pInfo, info.GetType()); // // Iterate through the event types // for (UInt32 eventType = 0; eventType < info.MaximumAuditEventCount; eventType++) { pGuid = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(GUID))); if (!AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)eventType, pGuid)) { throw new System.ComponentModel.Win32Exception(GetLastError()); } UInt32 subcategoryCount = 0; if (!AuditEnumerateSubCategories(pGuid, false, ref pSubcategories, out subcategoryCount)) { throw new System.ComponentModel.Win32Exception(GetLastError()); } if (!AuditQuerySystemPolicy(pSubcategories, subcategoryCount, out pAuditPolicies)) { throw new System.ComponentModel.Win32Exception(GetLastError()); } Dictionary <String, AuditEventStatus> dict = new Dictionary <String, AuditEventStatus>(); AUDIT_POLICY_INFORMATION policyInfo = new AUDIT_POLICY_INFORMATION(); for (UInt32 subcategoryIndex = 0; subcategoryIndex < subcategoryCount; subcategoryIndex++) { IntPtr itemPtr = new IntPtr(pAuditPolicies.ToInt64() + (long)subcategoryIndex * (Int64)Marshal.SizeOf(policyInfo)); policyInfo = (AUDIT_POLICY_INFORMATION)Marshal.PtrToStructure(itemPtr, policyInfo.GetType()); dict.Add(AuditPolicySubcategories[policyInfo.AuditSubCategoryGuid.ToString()], (AuditEventStatus)policyInfo.AuditingInformation); } result.Add((AuditEventPolicy)eventType, dict); AuditFree(pAuditPolicies); pAuditPolicies = IntPtr.Zero; AuditFree(pSubcategories); pSubcategories = IntPtr.Zero; Marshal.FreeHGlobal(pGuid); pGuid = IntPtr.Zero; } } finally { // // Cleanup // if (pInfo != IntPtr.Zero) { LsaFreeMemory(pInfo); } if (pGuid != IntPtr.Zero) { Marshal.FreeHGlobal(pGuid); } if (pAuditPolicies != IntPtr.Zero) { AuditFree(pAuditPolicies); } if (pSubcategories != IntPtr.Zero) { AuditFree(pSubcategories); } LsaClose(hPolicy); } return(result); }
public virtual Dictionary<AuditEventPolicies, AuditEventStatus> GetAuditEventPolicies(TargetInfo targetInfo) { Dictionary<AuditEventPolicies, AuditEventStatus> retList = new Dictionary<AuditEventPolicies, AuditEventStatus>(); LSA_UNICODE_STRING systemName = string2LSAUS(targetInfo.GetAddress()); LSA_OBJECT_ATTRIBUTES objAttrs = new LSA_OBJECT_ATTRIBUTES(); IntPtr policyHandle = IntPtr.Zero; IntPtr pAuditEventsInfo = IntPtr.Zero; IntPtr pAuditCategoryGuid = IntPtr.Zero; IntPtr pAuditSubCategoryGuids = IntPtr.Zero; IntPtr pAuditPolicies = IntPtr.Zero; UInt32 lretVal = LsaOpenPolicy(ref systemName, ref objAttrs, POLICY_VIEW_AUDIT_INFORMATION, out policyHandle); uint retVal = LsaNtStatusToWinError(lretVal); if (retVal != 0) { throw new System.ComponentModel.Win32Exception((int)retVal); } try { lretVal = LsaQueryInformationPolicy(policyHandle, POLICY_INFORMATION_CLASS.PolicyAuditEventsInformation, out pAuditEventsInfo); retVal = LsaNtStatusToWinError(lretVal); if (retVal != 0) { throw new System.ComponentModel.Win32Exception((int)retVal); } // EventAuditingOptions: The index of each array element corresponds to an audit event type value in the POLICY_AUDIT_EVENT_TYPE enumeration type. // Each POLICY_AUDIT_EVENT_OPTIONS variable in the array can specify the following auditing options. // POLICY_AUDIT_EVENT_UNCHANGED, POLICY_AUDIT_EVENT_SUCCESS, POLICY_AUDIT_EVENT_FAILURE, POLICY_AUDIT_EVENT_NONE POLICY_AUDIT_EVENTS_INFO myAuditEventsInfo = new POLICY_AUDIT_EVENTS_INFO(); myAuditEventsInfo = (POLICY_AUDIT_EVENTS_INFO)Marshal.PtrToStructure(pAuditEventsInfo, myAuditEventsInfo.GetType()); for (UInt32 policyAuditEventType = 0; policyAuditEventType < myAuditEventsInfo.MaximumAuditEventCount; policyAuditEventType++) { pAuditCategoryGuid = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(GUID))); if (!AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)policyAuditEventType, pAuditCategoryGuid)) { int causingError = GetLastError(); throw new System.ComponentModel.Win32Exception(causingError); } String categoryName = String.Empty; AuditLookupCategoryName(pAuditCategoryGuid, ref categoryName); UInt32 status = 0; IntPtr itemPtr = new IntPtr(myAuditEventsInfo.EventAuditingOptions.ToInt64() + (Int64)policyAuditEventType * (Int64)Marshal.SizeOf(typeof(UInt32))); status = (UInt32)Marshal.PtrToStructure(itemPtr, status.GetType()); retList.Add((AuditEventPolicies)policyAuditEventType, (AuditEventStatus)(status & 0x3)); Marshal.FreeHGlobal(pAuditCategoryGuid); pAuditCategoryGuid = IntPtr.Zero; } } finally { if (pAuditEventsInfo != IntPtr.Zero) { LsaFreeMemory(pAuditEventsInfo); } if (pAuditCategoryGuid != IntPtr.Zero) { Marshal.FreeHGlobal(pAuditCategoryGuid); } LsaClose(policyHandle); } return retList; }
public virtual Dictionary <AuditEventPolicies, AuditEventStatus> GetAuditEventPolicies(TargetInfo targetInfo) { Dictionary <AuditEventPolicies, AuditEventStatus> retList = new Dictionary <AuditEventPolicies, AuditEventStatus>(); LSA_UNICODE_STRING systemName = string2LSAUS(targetInfo.GetAddress()); LSA_OBJECT_ATTRIBUTES objAttrs = new LSA_OBJECT_ATTRIBUTES(); IntPtr policyHandle = IntPtr.Zero; IntPtr pAuditEventsInfo = IntPtr.Zero; IntPtr pAuditCategoryGuid = IntPtr.Zero; IntPtr pAuditSubCategoryGuids = IntPtr.Zero; IntPtr pAuditPolicies = IntPtr.Zero; UInt32 lretVal = LsaOpenPolicy(ref systemName, ref objAttrs, POLICY_VIEW_AUDIT_INFORMATION, out policyHandle); uint retVal = LsaNtStatusToWinError(lretVal); if (retVal != 0) { throw new System.ComponentModel.Win32Exception((int)retVal); } try { lretVal = LsaQueryInformationPolicy(policyHandle, POLICY_INFORMATION_CLASS.PolicyAuditEventsInformation, out pAuditEventsInfo); retVal = LsaNtStatusToWinError(lretVal); if (retVal != 0) { throw new System.ComponentModel.Win32Exception((int)retVal); } // EventAuditingOptions: The index of each array element corresponds to an audit event type value in the POLICY_AUDIT_EVENT_TYPE enumeration type. // Each POLICY_AUDIT_EVENT_OPTIONS variable in the array can specify the following auditing options. // POLICY_AUDIT_EVENT_UNCHANGED, POLICY_AUDIT_EVENT_SUCCESS, POLICY_AUDIT_EVENT_FAILURE, POLICY_AUDIT_EVENT_NONE POLICY_AUDIT_EVENTS_INFO myAuditEventsInfo = new POLICY_AUDIT_EVENTS_INFO(); myAuditEventsInfo = (POLICY_AUDIT_EVENTS_INFO)Marshal.PtrToStructure(pAuditEventsInfo, myAuditEventsInfo.GetType()); for (UInt32 policyAuditEventType = 0; policyAuditEventType < myAuditEventsInfo.MaximumAuditEventCount; policyAuditEventType++) { pAuditCategoryGuid = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(GUID))); if (!AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)policyAuditEventType, pAuditCategoryGuid)) { int causingError = GetLastError(); throw new System.ComponentModel.Win32Exception(causingError); } String categoryName = String.Empty; AuditLookupCategoryName(pAuditCategoryGuid, ref categoryName); UInt32 status = 0; IntPtr itemPtr = new IntPtr(myAuditEventsInfo.EventAuditingOptions.ToInt64() + (Int64)policyAuditEventType * (Int64)Marshal.SizeOf(typeof(UInt32))); status = (UInt32)Marshal.PtrToStructure(itemPtr, status.GetType()); retList.Add((AuditEventPolicies)policyAuditEventType, (AuditEventStatus)(status & 0x3)); Marshal.FreeHGlobal(pAuditCategoryGuid); pAuditCategoryGuid = IntPtr.Zero; } } finally { if (pAuditEventsInfo != IntPtr.Zero) { LsaFreeMemory(pAuditEventsInfo); } if (pAuditCategoryGuid != IntPtr.Zero) { Marshal.FreeHGlobal(pAuditCategoryGuid); } LsaClose(policyHandle); } return(retList); }
public virtual Dictionary<AuditEventSubcategories, AuditEventStatus> GetAuditEventSubcategoriesPolicy(TargetInfo targetInfo) { Dictionary<AuditEventSubcategories, AuditEventStatus> retList = new Dictionary<AuditEventSubcategories, AuditEventStatus>(); string target = @"\\" + targetInfo.GetAddress(); LSA_UNICODE_STRING systemName = string2LSAUS(target); LSA_OBJECT_ATTRIBUTES objAttrs = new LSA_OBJECT_ATTRIBUTES(); IntPtr policyHandle = IntPtr.Zero; IntPtr pAuditEventsInfo = IntPtr.Zero; IntPtr pAuditCategoryId = IntPtr.Zero; IntPtr pAuditSubCategoryGuids = IntPtr.Zero; IntPtr pAuditPolicies = IntPtr.Zero; UInt32 lretVal = LsaOpenPolicy(ref systemName, ref objAttrs, POLICY_VIEW_AUDIT_INFORMATION, out policyHandle); UInt32 retVal = LsaNtStatusToWinError(lretVal); if (retVal == (UInt32)0) { try { lretVal = LsaQueryInformationPolicy(policyHandle, POLICY_INFORMATION_CLASS.PolicyAuditEventsInformation, out pAuditEventsInfo); retVal = LsaNtStatusToWinError(lretVal); if (retVal == 0) { POLICY_AUDIT_EVENTS_INFO myAuditEventsInfo = new POLICY_AUDIT_EVENTS_INFO(); myAuditEventsInfo = (POLICY_AUDIT_EVENTS_INFO)Marshal.PtrToStructure(pAuditEventsInfo, myAuditEventsInfo.GetType()); for (var policyAuditEventType = 0; policyAuditEventType < myAuditEventsInfo.MaximumAuditEventCount; policyAuditEventType++) { pAuditCategoryId = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(GUID))); if (!AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)policyAuditEventType, pAuditCategoryId)) { int causingError = GetLastError(); throw new System.ComponentModel.Win32Exception(causingError); } UInt32 nSubCats = 0; pAuditSubCategoryGuids = IntPtr.Zero; if (!AuditEnumerateSubCategories(pAuditCategoryId, false, ref pAuditSubCategoryGuids, out nSubCats)) { int causingError = GetLastError(); throw new System.ComponentModel.Win32Exception(causingError); } Marshal.FreeHGlobal(pAuditCategoryId); pAuditCategoryId = IntPtr.Zero; pAuditPolicies = IntPtr.Zero; if (nSubCats > 0) { if (!AuditQuerySystemPolicy(pAuditSubCategoryGuids, nSubCats, out pAuditPolicies)) { int causingError = GetLastError(); throw new System.ComponentModel.Win32Exception(causingError); } for (var subcategoryIndex = 0; subcategoryIndex < nSubCats; subcategoryIndex++) { AUDIT_POLICY_INFORMATION currentPolicy = new AUDIT_POLICY_INFORMATION(); IntPtr itemPtr = new IntPtr(pAuditPolicies.ToInt64() + (Int64)subcategoryIndex * (Int64)Marshal.SizeOf(currentPolicy)); currentPolicy = (AUDIT_POLICY_INFORMATION)Marshal.PtrToStructure(itemPtr, currentPolicy.GetType()); String subCategoryName = String.Empty; Marshal.StructureToPtr(currentPolicy, itemPtr, true); AuditLookupSubCategoryName(itemPtr, ref subCategoryName); AuditEventSubcategories value; if (subcategoriesDictionary.TryGetValue(subCategoryName, out value)) { retList.Add(value, (AuditEventStatus)(currentPolicy.AuditingInformation & 0x3)); } } if (pAuditPolicies != IntPtr.Zero) { AuditFree(pAuditPolicies); pAuditPolicies = IntPtr.Zero; } } if (pAuditSubCategoryGuids != IntPtr.Zero) { AuditFree(pAuditSubCategoryGuids); pAuditSubCategoryGuids = IntPtr.Zero; } nSubCats = 0; } } else { throw new System.ComponentModel.Win32Exception((int)retVal); } } finally { if (pAuditPolicies != IntPtr.Zero) { AuditFree(pAuditPolicies); pAuditPolicies = IntPtr.Zero; } if (pAuditSubCategoryGuids != IntPtr.Zero) { AuditFree(pAuditSubCategoryGuids); pAuditSubCategoryGuids = IntPtr.Zero; } if (pAuditEventsInfo != IntPtr.Zero) { LsaFreeMemory(pAuditEventsInfo); } if (pAuditCategoryId != IntPtr.Zero) { Marshal.FreeHGlobal(pAuditCategoryId); } LsaClose(policyHandle); } } else { throw new System.ComponentModel.Win32Exception((int)retVal); } return retList; }
public static Dictionary<AuditEventPolicy, Dictionary<String, AuditEventStatus>> GetSubcategoryPolicies() { Dictionary<AuditEventPolicy, Dictionary<String, AuditEventStatus>> result = new Dictionary<AuditEventPolicy, Dictionary<String, AuditEventStatus>>(); LSA_OBJECT_ATTRIBUTES objAttrs = new LSA_OBJECT_ATTRIBUTES(); IntPtr hPolicy = IntPtr.Zero; IntPtr pInfo = IntPtr.Zero; IntPtr pGuid = IntPtr.Zero; IntPtr pAuditPolicies = IntPtr.Zero; IntPtr pSubcategories = IntPtr.Zero; UInt32 lrc = LsaOpenPolicy(null, ref objAttrs, POLICY_VIEW_AUDIT_INFORMATION, out hPolicy); uint code = LsaNtStatusToWinError(lrc); if (code != 0) { throw new System.ComponentModel.Win32Exception((int)code); } try { // // Query the policy // lrc = LsaQueryInformationPolicy(hPolicy, POLICY_INFORMATION_CLASS.PolicyAuditEventsInformation, out pInfo); code = LsaNtStatusToWinError(lrc); if (code != 0) { throw new System.ComponentModel.Win32Exception((int)code); } POLICY_AUDIT_EVENTS_INFO info = new POLICY_AUDIT_EVENTS_INFO(); info = (POLICY_AUDIT_EVENTS_INFO)Marshal.PtrToStructure(pInfo, info.GetType()); // // Iterate through the event types // for (UInt32 eventType = 0; eventType < info.MaximumAuditEventCount; eventType++) { pGuid = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(GUID))); if (!AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)eventType, pGuid)) { throw new System.ComponentModel.Win32Exception(GetLastError()); } UInt32 subcategoryCount = 0; if (!AuditEnumerateSubCategories(pGuid, false, ref pSubcategories, out subcategoryCount)) { throw new System.ComponentModel.Win32Exception(GetLastError()); } if (!AuditQuerySystemPolicy(pSubcategories, subcategoryCount, out pAuditPolicies)) { throw new System.ComponentModel.Win32Exception(GetLastError()); } Dictionary<String, AuditEventStatus> dict = new Dictionary<String, AuditEventStatus>(); AUDIT_POLICY_INFORMATION policyInfo = new AUDIT_POLICY_INFORMATION(); for (UInt32 subcategoryIndex = 0; subcategoryIndex < subcategoryCount; subcategoryIndex++) { IntPtr itemPtr = new IntPtr(pAuditPolicies.ToInt64() + (long)subcategoryIndex * (Int64)Marshal.SizeOf(policyInfo)); policyInfo = (AUDIT_POLICY_INFORMATION)Marshal.PtrToStructure(itemPtr, policyInfo.GetType()); dict.Add(AuditPolicySubcategories[policyInfo.AuditSubCategoryGuid.ToString()], (AuditEventStatus)policyInfo.AuditingInformation); } result.Add((AuditEventPolicy)eventType, dict); AuditFree(pAuditPolicies); pAuditPolicies = IntPtr.Zero; AuditFree(pSubcategories); pSubcategories = IntPtr.Zero; Marshal.FreeHGlobal(pGuid); pGuid = IntPtr.Zero; } } finally { // // Cleanup // if (pInfo != IntPtr.Zero) { LsaFreeMemory(pInfo); } if (pGuid != IntPtr.Zero) { Marshal.FreeHGlobal(pGuid); } if (pAuditPolicies != IntPtr.Zero) { AuditFree(pAuditPolicies); } if (pSubcategories != IntPtr.Zero) { AuditFree(pSubcategories); } LsaClose(hPolicy); } return result; }
public static Dictionary<AuditEventPolicy, AuditEventStatus> GetPolicies() { Dictionary<AuditEventPolicy, AuditEventStatus> result = new Dictionary<AuditEventPolicy, AuditEventStatus>(); LSA_OBJECT_ATTRIBUTES objAttrs = new LSA_OBJECT_ATTRIBUTES(); IntPtr hPolicy = IntPtr.Zero; IntPtr pInfo = IntPtr.Zero; IntPtr pGuid = IntPtr.Zero; UInt32 lrc = LsaOpenPolicy(null, ref objAttrs, POLICY_VIEW_AUDIT_INFORMATION, out hPolicy); uint code = LsaNtStatusToWinError(lrc); if (code != 0) { throw new System.ComponentModel.Win32Exception((int)code); } try { // // Query the policy // lrc = LsaQueryInformationPolicy(hPolicy, POLICY_INFORMATION_CLASS.PolicyAuditEventsInformation, out pInfo); code = LsaNtStatusToWinError(lrc); if (code != 0) { throw new System.ComponentModel.Win32Exception((int)code); } POLICY_AUDIT_EVENTS_INFO info = new POLICY_AUDIT_EVENTS_INFO(); info = (POLICY_AUDIT_EVENTS_INFO)Marshal.PtrToStructure(pInfo, info.GetType()); // // Iterate through the event types // for (UInt32 eventType = 0; eventType < info.MaximumAuditEventCount; eventType++) { pGuid = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(GUID))); if (AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)eventType, pGuid)) { IntPtr itemPtr = new IntPtr(info.EventAuditingOptions.ToInt64() + (Int64)eventType * (Int64)Marshal.SizeOf(typeof(UInt32))); UInt32 status = 0; status = (UInt32)Marshal.PtrToStructure(itemPtr, status.GetType()); result.Add((AuditEventPolicy)eventType, (AuditEventStatus)(status & 0x3)); Marshal.FreeHGlobal(pGuid); pGuid = IntPtr.Zero; } else { throw new System.ComponentModel.Win32Exception(GetLastError()); } } } finally { // // Cleanup // if (pInfo != IntPtr.Zero) { LsaFreeMemory(pInfo); } if (pGuid != IntPtr.Zero) { Marshal.FreeHGlobal(pGuid); } LsaClose(hPolicy); } return result; }