Re: Win32_NtLogEvent Where LogFile is Security Question



Look up OpenThreadToken and AdjustTokenPrivileges in MSDN.
This is how it's done in C++.

hth


"Matt" <anonmous@xxxxxxxxxxxxx> wrote in message
news:BC095ED7-2CB3-4311-AD73-4BC5F2A67139@xxxxxxxxxxxxxxxx
Hello,
In C++ code, I need to know how I can be a consumer of Security Event Log
events. In all scenarios, please assume that I am running with Domain Admin
privileges. Here is my current CoInitializeSecurity call:


hr = CoInitializeSecurity(0, -1, 0, 0, RPC_C_AUTHN_LEVEL_NONE,
RPC_C_IMP_LEVEL_IMPERSONATE, 0, EOAC_NONE, 0);

Here is my IWbemLocator::ConnectServer call:

hr = ConnectServer(qualifiedNamespace, L"", L"", L"", 0, L"", 0,
ppNamespace);

Note: I do not call CoSetProxyBlanket() on the resulting connection under
any circumstance.

Now, all bad practices aside that may exist in the manner that these calls
are made, it works for now in Win2000 SP2 and above all the way through
Win2003 SP1 where the remote peers and local servers consist of just about
all combinations of those operating systems.

Now, here's the problem: Event registrations from the Application and
System logs using ExecNotificationQueryAsync work great. However, this
event registration WQL string:

"SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA
'Win32_NTLogEvent' AND TargetInstance.LogFile='Security' AND
TargetInstance.SourceName='Security' AND TargetInstance.Type='Success Audit'
AND TargetInstance.EventCode='560'"

does not work, and by "does not work" I do not mean that I get an error. The
ExecNotificationQueryAsync call does not return an error. I've seen some
posts using VB script that talk about enabling the SeSecurityPrivilege
privilege. My questions related to this are as follows:

-How do I accomplish this using C++?
-What, if anything, differs between a solution that works when accessing the
local security event log, as opposed to a remote security event log, keeping
all other factors the same?
-Are there any problems/differences that exist for the operating systems
that I outline above?

Also, strangely enough, when logged in as an administrator on my local
machine, using that WQL string results in an 'Access Denied' error
(0x80041003). This occurs even after I have checked the "Enable all
Privileges" checkbox.


Thanks,

Matt
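The following is an added example (not code from either poster) of the approach the reply points at: enabling SeSecurityPrivilege in the caller's token with OpenThreadToken/OpenProcessToken and AdjustTokenPrivileges before the local WMI subscription is made, and writing the Security-log event filter as a single C++ string literal with WQL single-quoted values. It assumes the local-log case, the ROOT\CIMV2 namespace, and uses the synchronous ExecNotificationQuery rather than the async variant in the question so that no IWbemObjectSink implementation is needed; the function names are the example's own. The Win32/WMI parts build only on Windows; the query builder is portable.

```cpp
#include <string>
#include <cstdio>

#ifdef _WIN32
#define _WIN32_DCOM
#include <windows.h>
#include <wbemidl.h>
#pragma comment(lib, "wbemuuid.lib")
#endif

// The event filter from the question, with WQL single-quoted literals so the
// whole query fits inside one C++ string literal (nested double quotes do not
// compile). Win32_NTLogEvent.EventCode is a uint16, so it is compared as a number.
std::wstring BuildSecurityEventQuery(unsigned eventCode)
{
    return L"SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA "
           L"'Win32_NTLogEvent' AND TargetInstance.LogFile='Security' AND "
           L"TargetInstance.SourceName='Security' AND "
           L"TargetInstance.Type='Success Audit' AND "
           L"TargetInstance.EventCode=" + std::to_wstring(eventCode);
}

#ifdef _WIN32
// Enable SeSecurityPrivilege in the token WMI will impersonate: the thread token
// if this thread is impersonating, otherwise the process token. Returns true only
// when the privilege is really enabled: AdjustTokenPrivileges returns TRUE even if
// the account does not hold the privilege, and reports that case only through
// GetLastError() == ERROR_NOT_ALL_ASSIGNED, so the error code is checked too.
bool EnableSecurityPrivilege()
{
    HANDLE token = NULL;
    const DWORD access = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY;
    if (!OpenThreadToken(GetCurrentThread(), access, TRUE, &token)) {
        if (GetLastError() != ERROR_NO_TOKEN ||
            !OpenProcessToken(GetCurrentProcess(), access, &token))
            return false;
    }
    TOKEN_PRIVILEGES tp = {};
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    bool enabled = LookupPrivilegeValueW(NULL, L"SeSecurityPrivilege", &tp.Privileges[0].Luid) &&
                   AdjustTokenPrivileges(token, FALSE, &tp, sizeof(tp), NULL, NULL) &&
                   GetLastError() == ERROR_SUCCESS;
    CloseHandle(token);
    return enabled;
}

// Connect to the local ROOT\CIMV2 namespace, register the filter and block for
// one matching Security-log event. Returns the first failing HRESULT.
HRESULT WatchSecurityLog(unsigned eventCode)
{
    HRESULT hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
    if (FAILED(hr)) return hr;
    // RPC_C_IMP_LEVEL_IMPERSONATE lets WMI run the query under the caller's identity,
    // which is the only way the privilege enabled above reaches the provider.
    hr = CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT,
                              RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);
    if (SUCCEEDED(hr) && !EnableSecurityPrivilege())
        hr = HRESULT_FROM_WIN32(ERROR_PRIVILEGE_NOT_HELD);

    IWbemLocator* locator = NULL;
    IWbemServices* services = NULL;
    IEnumWbemClassObject* events = NULL;
    BSTR ns = SysAllocString(L"ROOT\\CIMV2");
    BSTR lang = SysAllocString(L"WQL");
    BSTR query = SysAllocString(BuildSecurityEventQuery(eventCode).c_str());
    if (SUCCEEDED(hr))
        hr = CoCreateInstance(CLSID_WbemLocator, NULL, CLSCTX_INPROC_SERVER,
                              IID_IWbemLocator, (void**)&locator);
    if (SUCCEEDED(hr))
        hr = locator->ConnectServer(ns, NULL, NULL, NULL, 0, NULL, NULL, &services);
    // WBEM_E_ACCESS_DENIED (0x80041003) here is the symptom the question describes
    // when SeSecurityPrivilege is not enabled in the impersonated token.
    if (SUCCEEDED(hr))
        hr = services->ExecNotificationQuery(lang, query,
                 WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY, NULL, &events);
    if (SUCCEEDED(hr)) {
        IWbemClassObject* evt = NULL;
        ULONG got = 0;
        hr = events->Next(WBEM_INFINITE, 1, &evt, &got);   // blocks until an event arrives
        if (got == 1) {
            VARIANT v;
            VariantInit(&v);
            // __InstanceCreationEvent.TargetInstance is the embedded Win32_NTLogEvent.
            if (SUCCEEDED(evt->Get(L"TargetInstance", 0, &v, NULL, NULL)) && v.vt == VT_UNKNOWN) {
                IWbemClassObject* inst = NULL;
                if (SUCCEEDED(v.punkVal->QueryInterface(IID_IWbemClassObject, (void**)&inst))) {
                    VARIANT msg;
                    VariantInit(&msg);
                    if (SUCCEEDED(inst->Get(L"Message", 0, &msg, NULL, NULL)) && msg.vt == VT_BSTR)
                        wprintf(L"Security event %u: %s\n", eventCode, msg.bstrVal);
                    VariantClear(&msg);
                    inst->Release();
                }
            }
            VariantClear(&v);
            evt->Release();
        }
    }
    SysFreeString(query); SysFreeString(lang); SysFreeString(ns);
    if (events) events->Release();
    if (services) services->Release();
    if (locator) locator->Release();
    CoUninitialize();
    return hr;
}

int main()
{
    HRESULT hr = WatchSecurityLog(560);
    wprintf(L"result: 0x%08lx\n", (unsigned long)hr);
    return FAILED(hr) ? 1 : 0;
}
#endif
```

The privilege must be enabled before ConnectServer: WMI impersonates the client's token as it is at call time, so a privilege enabled afterwards does not reach the event provider. Checking GetLastError() after AdjustTokenPrivileges is what distinguishes "enabled" from "the call returned TRUE but the account never held SeSecurityPrivilege", which is the case that otherwise surfaces later as the access-denied HRESULT.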

