Save the event log of a server, related to a certain folder, to a file

  • Question

  • I need help, I'm stuck

    I have to keep track of all access to certain folders on a server, know who is trying to delete files or open them with or without permission to do so, etc.

    I have made a program in VB.NET that uses EventLogEntry to go through the registry entries and keep them.

    the problem is that:

    - Many duplicate entries come out. I run a process that erases the ones that are the same, but in any case quite a few keep coming out.

    - I only go through the recent entries in the registry, since sometimes when I start going through them from the most recent, I get an error because I have already deleted the entries.

    - The data I am interested in searching for (account name, object name, access, etc.) are in the field Eventlog.Entries(n).Message, which is a String from which I can only extract the data through IndexOf and Substring.

    my questions are:

    - Is there any way to access the stored records?

    - Could I create a custom view in the event viewer and access my personalized view from my program?

    - Can I access the event log, which I think is in XML, and get all the information from there?

    - Can I extract the data of the message (account name, object name, accesses, etc.) directly, without having to search for strings in a string?

    - Is there any way to review the entries with a Select, instead of sequentially, as I do?

    Thank you very much in advance for the help.
    Thursday, April 19, 2018 8:57 AM

All replies

  • AFAIK the files are all in use and cannot be copied or opened. On Win7 (you can search Google to find where they are on your system(s)) they are in Root\Windows\System32\Config.

    I could not open with Notepad running as admin or copy with admin privileges.

    I have no idea if you could access Event Viewer from your app, but there are numerous APIs that would probably let you access Event Viewer's windows to do stuff. Very difficult IMO though.

    It's possible your event log paths are located in this key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog. Update: The file for the security log in this key is at %SystemRoot%\System32\winevt\Logs\Security.evtx and is some strange type of file. It can be copied, but it is not an XML file. I don't know if the other locked Security Log files are XML files or not.


    La vida loca

    Thursday, April 19, 2018 10:34 PM
  • Well, I copied the unlocked security log .EVTX file to my desktop. Then I found C# code here (Read Event log file from path) while researching, and found they used the EventLogReader class. I couldn't find any samples though. The file Security.evtx on my desktop is about 97.something MB.

    The code below, I guess, reads the first entry from it. I don't know how to traverse through the file, but there are plenty of methods at the EventLogReader class link to use. Don't know if this will help you or not.

    Don't believe it matters, but I had previously compiled my app to x64 and run it with admin privileges. If you attempt to read directly from the path that the .evtx files are in without being compiled to x64, you may get a redirect, as I did when trying to access the actual .Log files in the other directory that are locked, as I mentioned in my other post.

    Option Strict On
    
    Imports System.Diagnostics.Eventing.Reader
    
    Public Class Form1
    
        Private Sub Form1_Load(sender As Object, e As EventArgs) Handles MyBase.Load
            ' Centre the form on the primary screen.
            Me.Location = New Point(CInt((Screen.PrimaryScreen.WorkingArea.Width / 2) - (Me.Width / 2)), CInt((Screen.PrimaryScreen.WorkingArea.Height / 2) - (Me.Height / 2)))
        End Sub
    
        Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
            TextBox1.Clear()
            Using OFD As New OpenFileDialog
                With OFD
                    .InitialDirectory = Environment.GetFolderPath(Environment.SpecialFolder.DesktopDirectory)
                    .Multiselect = False
                End With
                If OFD.ShowDialog = Windows.Forms.DialogResult.OK Then
                    ' PathType.FilePath opens a saved .evtx file rather than a live channel name.
                    Using rdr As New EventLogReader(OFD.FileName, PathType.FilePath)
                        ' ReadEvent returns the next record, or Nothing once the file is exhausted.
                        Dim record = rdr.ReadEvent
                        TextBox1.Text = record.LogName & " | " & record.LevelDisplayName & " | " & record.FormatDescription
                    End Using
                End If
            End Using
        End Sub
    
    End Class


    La vida loca

    Thursday, April 19, 2018 11:50 PM
  • There is also a record.ToXml method, used in the code below, and the retrieved XML is shown below that.

    Option Strict On
    
    Imports System.Diagnostics.Eventing.Reader
    
    Public Class Form1
    
        Private Sub Form1_Load(sender As Object, e As EventArgs) Handles MyBase.Load
            ' Centre the form on the primary screen.
            Me.Location = New Point(CInt((Screen.PrimaryScreen.WorkingArea.Width / 2) - (Me.Width / 2)), CInt((Screen.PrimaryScreen.WorkingArea.Height / 2) - (Me.Height / 2)))
        End Sub
    
        Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
            TextBox1.Clear()
            Using OFD As New OpenFileDialog
                With OFD
                    .InitialDirectory = Environment.GetFolderPath(Environment.SpecialFolder.DesktopDirectory)
                    .Multiselect = False
                End With
                If OFD.ShowDialog = Windows.Forms.DialogResult.OK Then
                    Using rdr As New EventLogReader(OFD.FileName, PathType.FilePath)
                        Dim record = rdr.ReadEvent
                        ' ToXml returns the full event, including the named <Data> fields in <EventData>.
                        TextBox1.Text = record.ToXml
                    End Using
                End If
            End Using
        End Sub
    
    End Class

    <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4656</EventID><Version>1</Version><Level>0</Level><Task>12804</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2018-04-13T15:49:54.694617400Z'/><EventRecordID>38803949</EventRecordID><Correlation/><Execution ProcessID='600' ThreadID='620'/><Channel>Security</Channel><Computer>Acer</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>ACER$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='ObjectServer'>PlugPlayManager</Data><Data Name='ObjectType'>Security</Data><Data Name='ObjectName'>PlugPlaySecurityObject</Data><Data Name='HandleId'>0x0</Data><Data Name='TransactionId'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='AccessList'>%%1553
    				</Data><Data Name='AccessReason'>-</Data><Data Name='AccessMask'>0x2</Data><Data Name='PrivilegeList'>-</Data><Data Name='RestrictedSidCount'>0</Data><Data Name='ProcessId'>0x2f0</Data><Data Name='ProcessName'>C:\Windows\System32\svchost.exe</Data></EventData></Event>


    La vida loca

    Thursday, April 19, 2018 11:55 PM
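The following is an added VB.NET example, not code from anyone in this thread, that ties together the asker's questions (querying with a filter instead of walking every entry, extracting the account and object fields without IndexOf/Substring, and dropping duplicates) with the EventLogReader and ToXml approach shown in the replies above. It assumes a folder path (WatchedFolder), that the process runs elevated, and that the folder has an audit SACL so that 4656/4663 events are generated; the sample XML at the bottom is a constructed, shortened version of the record posted above, used so that the parsing can be checked without a live log.

```vb
Option Strict On

Imports System
Imports System.Collections.Generic
Imports System.Diagnostics.Eventing.Reader
Imports System.Xml.Linq

' Added example (not from the thread): query object-access audit events with an
' XPath filter and read the named EventData fields from the event XML.
Module AuditQueryExample

    ' Assumed: the audited folder. Replace with the folder that carries the SACL on your server.
    ' Note: depending on the Windows version, ObjectName may use a \Device\HarddiskVolumeN\ prefix.
    Private Const WatchedFolder As String = "C:\Shares\Finance"

    ' Event schema namespace used by every record returned by EventRecord.ToXml.
    Private ReadOnly Ns As XNamespace = "http://schemas.microsoft.com/win/2004/08/events/event"

    ' Subset of the file access rights that appear in the AccessMask field.
    Private ReadOnly AccessNames As New Dictionary(Of UInteger, String) From {
        {&H1UI, "ReadData/ListDirectory"}, {&H2UI, "WriteData/AddFile"},
        {&H4UI, "AppendData/AddSubdirectory"}, {&H40UI, "DeleteChild"},
        {&H10000UI, "DELETE"}, {&H40000UI, "WriteDAC"}, {&H80000UI, "WriteOwner"}}

    ' XPath filter: 4656 = handle to an object requested, 4663 = access attempted.
    ' Event Log XPath only supports equality on Data fields, so the folder-prefix
    ' test is done in code after the query has narrowed the event IDs.
    Public Const AuditQuery As String = "*[System[(EventID=4656 or EventID=4663)]]"

    ' Returns a Name -> value map of the <Data> elements inside <EventData>.
    Public Function ParseEventData(eventXml As String) As Dictionary(Of String, String)
        Dim fields As New Dictionary(Of String, String)(StringComparer.OrdinalIgnoreCase)
        Dim eventData = XDocument.Parse(eventXml).Root.Element(Ns + "EventData")
        If eventData Is Nothing Then Return fields
        For Each d In eventData.Elements(Ns + "Data")
            Dim name = CStr(d.Attribute("Name"))
            If name IsNot Nothing Then fields(name) = d.Value.Trim()
        Next
        Return fields
    End Function

    ' Looks up a field, returning "-" when the event does not carry it.
    Private Function Field(data As Dictionary(Of String, String), name As String) As String
        Dim value As String = Nothing
        Return If(data.TryGetValue(name, value), value, "-")
    End Function

    ' Turns an AccessMask such as "0x10080" into readable right names.
    Public Function DecodeAccessMask(mask As String) As String
        Dim value = Convert.ToUInt32(mask.Replace("0x", ""), 16)
        Dim names As New List(Of String)
        For Each kv In AccessNames
            If (value And kv.Key) <> 0 Then names.Add(kv.Value)
        Next
        Return If(names.Count = 0, mask, String.Join(",", names))
    End Function

    ' Reads matching events newest-first from a live channel ("Security" with
    ' PathType.LogName) or a saved .evtx (PathType.FilePath). EventRecordID is
    ' unique within one log, so it is used to drop repeated records.
    Public Iterator Function ReadFolderAccess(logPathOrName As String, pathType As PathType) As IEnumerable(Of String)
        Dim query As New EventLogQuery(logPathOrName, pathType, AuditQuery) With {.ReverseDirection = True}
        Dim seen As New HashSet(Of Long)
        Using reader As New EventLogReader(query)
            Dim record As EventRecord = reader.ReadEvent()
            While record IsNot Nothing
                If record.RecordId.HasValue AndAlso seen.Add(record.RecordId.Value) Then
                    Dim data = ParseEventData(record.ToXml())
                    Dim objectName = Field(data, "ObjectName")
                    If objectName.StartsWith(WatchedFolder, StringComparison.OrdinalIgnoreCase) Then
                        Yield String.Format("{0:u} {1} {2}\{3} {4} {5} via {6}",
                            record.TimeCreated, record.Id, Field(data, "SubjectDomainName"), Field(data, "SubjectUserName"),
                            objectName, DecodeAccessMask(Field(data, "AccessMask")), Field(data, "ProcessName"))
                    End If
                End If
                record.Dispose()
                record = reader.ReadEvent()
            End While
        End Using
    End Function

    ' Constructed sample, shortened from the XML posted in the thread, for an offline check of the parser.
    Private Const SampleXml As String =
        "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>" &
        "<System><EventID>4663</EventID><EventRecordID>1</EventRecordID></System>" &
        "<EventData><Data Name='SubjectUserName'>alice</Data><Data Name='SubjectDomainName'>CORP</Data>" &
        "<Data Name='ObjectName'>C:\Shares\Finance\budget.xlsx</Data><Data Name='AccessMask'>0x10000</Data>" &
        "<Data Name='ProcessName'>C:\Windows\explorer.exe</Data></EventData></Event>"

    Sub Main()
        Dim fields = ParseEventData(SampleXml)
        Console.WriteLine("{0}\{1} {2} {3}", Field(fields, "SubjectDomainName"), Field(fields, "SubjectUserName"),
                          DecodeAccessMask(Field(fields, "AccessMask")), Field(fields, "ObjectName"))
        ' Live query: needs an elevated process and an audit SACL on the folder.
        For Each line In ReadFolderAccess("Security", PathType.LogName)
            Console.WriteLine(line)
        Next
    End Sub
End Module
```

To read a copied file instead of the live channel, call ReadFolderAccess with the .evtx path and PathType.FilePath, as the reply above does with EventLogReader. Keying the duplicate check on EventRecordID rather than on the message text is what avoids both the repeated entries and the "already deleted" error from the original approach: nothing is removed from the log, the query simply skips records it has already seen.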