none
API, ETW: Query Names of Object IDs generated by FileIO Events RRS feed

 > 

  • Frage

  • Question
    Anmelden
    0
    Anmelden

    Hi,

    In our project we need to track write-access to certain files on the whole system. I figgured out that ETW (Event Trace 4 Windows) could help us doing that.

    I got the TraceEvent lib from http://bcl.codeplex.com/ to track those system events.

    It turned out out that the file events only contain an integer representation of the file itself. The kernel parser returns it as "FileKey". There is also an "FileObject" property.

    The documentation says that one of both must be mapped to names retrieved by other events containing a file name. I tried this, but it seems that i only get very few of those file names. The TraceEvent library itself uses a similar mapping and also doesn't retrieve all of those names.

    Is there any way to retrieve the name of a certain FileObject manually?



    • Bearbeitet Vittel Montag, 26. September 2011 09:25
    Montag, 26. September 2011 09:06
    |

Antworten

  • Question
    Anmelden
    0
    Anmelden

    Hi,

    I'm not at all familiar with the tool you mentioned (I'll take a look tomorrow though), but if you want to track object access, such as logging when users write to a certain file, you'll have to enable object access auditing on you Windows system (first enable object access auditing in the security policy, then define your auditing rules as needed). After doing so, you'll find events with the id 560 in the security event log (). The event log entry comprises the name of the modified file (s. object name) and the performed access (s. accesses). If you want some more control use event id 567. "For this event to be useful - that is to identify the object accessed - you must find the preceding event 560 with the corresponding Handle ID."

    Event-ID 560: Object Open
    http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=560

    Event-ID 567: Object Access Attempt
    http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=567

    How to set up and manage operation-based auditing for Windows Server 2003, Enterprise Edition
    http://support.microsoft.com/kb/325898/en-us

     

    EDIT: I had a quick look at the tool and also found Vance Morrison's http://bcl.codeplex.com/discussions/274260 response to your question:

    "Current these events are only generated at 'rundown' when an ETL file closes and there is no way of triggering this in a realtime provider. This has been fixed in Windows 8, but until then you must use a file to track File I/O."

    It looks like you currently need to pass a tracing file as an argument to the constructor of the TraceEventSession class.

    Marcel

    Dienstag, 4. Oktober 2011 14:53
    |
    Moderator

Alle Antworten