Is there an API to remotely read a Windows machine's audit configuration?_问答_开发者

Is there an API to remotely read a Windows machine's audit configuration?

开发者 https://www.devze.com 2022-12-31 05:43 出处：网络

I need to know, for each subcategory, whether it\'ll be audited on success, on failure, both, or none. This information is available locally via AuditEnumerateSubCategories, however there does not app

I need to know, for each subcategory, whether it'll be audited on success, on failure, both, or none. This information is available locally via AuditEnumerateSubCategories, however there does not appear to be a means to access this same information remotely. Below is an example of the information I need to collect.

Can I get this through WMI? Or if not, by other means, assuming I have proper (admin) credentials to the target machine?

Again, to clarify, it's not the event log I need to read, it's the logging configuration.

  <security_state_change>AUDIT_SUCCESS</security_state_change>
  <security_system_extension>AUDIT_NONE</security_system_extension>
  <system_integrity>AUDIT_SUCCESS_FAILURE</system_integrity>
  <ipsec_driver>AUDIT_NONE</ipsec_driver>
  <other_system_events>AUDIT_SUCCESS_FAILURE</other_system_events>
  <logon>AUDIT_SUCCESS</logon>
  <logoff>AUDIT_SUCCESS</logoff>
  <account_lockout>AUDIT_SUCCESS</account_lockout>
  <ipsec_main_mode>AUDIT_NONE</ipsec_main_mode>
  <ipsec_quick_mode>AUDIT_NONE</ipsec_quick_mode>
  <ipsec_extended_mode>AUDIT_NONE</ipsec_extended_mode>
  <special_logon>AUDIT_SUCCESS</special_logon>
  <other_logon_logoff_events>AUDIT_NONE</other_logon_logoff_events>
  <file_system>AUDIT_NONE</file_system>
  <registry>AUDIT_NONE</registry>
  <kernel_object>AUDIT_NONE</kernel_object>
  <sam>AUDIT_NONE</sam>
  <certification_services>AUDIT_NONE</certification_services>
  <application_generated>AUDIT_NONE</application_generated>
  <handle_manipulation>AUDIT_NONE</handle_manipulation>
  <file_share>AUDIT_NONE</file_share>
  <filtering_platform_packet_drop>AUDIT_NONE</filtering_platform_packet_drop>
  <filtering_platform_connection>AUDIT_NONE</filtering_platform_connection>
  <other_object_access_events>AUDIT_NONE</other_object_access_events>
  <sensitive_privilege_use>AUDIT_NONE</sensitive_privilege_use>
  <non_sensitive_privlege_use>AUDIT_NONE</non_sensitive_privlege_use>
  <other_privlege_use_events>AUDIT_NONE</other_privlege_use_events>
  <process_creation>AUDIT_NONE</process_creation>
  <process_termination>AUDIT_NONE</process_termination>
  <dpapi_activity>AUDIT_NONE</dpapi_activity>
  <rpc_events>AUDIT_NONE</rpc_events>
  <audit_policy_change>AUDIT_SUCCESS</audit_policy_change>
  <authentication_policy_change>AUDIT_SUCCESS</authentication_policy_change>
  <authorization_policy_change>AUDIT_NONE</authorization_policy_change>
  <mpssvc_rule_level_policy_change>AUDIT_NONE</mpssvc_rule_level_policy_change>
  <filtering_platform_policy_change>AUDIT_NONE</filtering_platform_policy_change>
  <other_policy_change_events>AUDIT_NONE</other_policy_change_events>
  <user_account_management>AUDIT_SUCCESS</user_account_management>
  <computer_account_management>AUDIT_NONE</computer_account_management>
  <security_group_management>AUDIT_SUCCESS</security_group_management>
  <distribution_group_management>AUDIT_NONE</distribution_group_management>
  <application_group_management>AUDIT_NONE</application_group_management>
  <other_account_management_events>AUDIT_NONE</other_account_management_events>
  <directory_service_access>AUDIT_NONE</directory_service_access>
  <directory_service_changes>AUDIT_NONE</directory_service_changes>
  <directory_service_r开发者_如何学Goeplication>AUDIT_NONE</directory_service_replication>
  <detailed_directory_service_replication>AUDIT_NONE</detailed_directory_service_replication>
  <credential_validation>AUDIT_NONE</credential_validation>
  <kerberos_ticket_events>AUDIT_NONE</kerberos_ticket_events>
  <other_account_logon_events>AUDIT_NONE</other_account_logon_events>

A few suggestions for you to look into are:

The RSOP_AuditPolicy WMI class - It provides access to the settings related to auditing various types of events. One caveat, which may not be an issue for you, is that it is only supported on Windows XP and higher.

LSA Policy Functions - A set of Windows API functions that allow you to query policy information, including auditing, on a local or remote machine. The LsaQueryInformationPolicy function will be of interest.

Audit Policy Functions - They are only available in Windows Vista and higher. See this Code Project article for more information.