I'm writing a simple desktop application in C# that displays a line of text in a Textbox whenever someone logs on or off the Active Directory. It is destined to run on the same machine as AD, under Windows Server 2008 and Windows Server 2003. So far so good, for S200开发者_如何学编程8 I've managed to get triggered by a ManagementEventWatcher
whenever an event with the (EventCode = 4624 OR EventCode = 4634)
is triggered.
Here is the WMI query I am currently using:
SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance isa "Win32_NTLogEvent" AND (TargetInstance.EventCode = '4624' OR TargetInstance.EventCode = '4634')
and then I am parsing eventArgs.Properties["TargetInstance"].Properties["Message"]
looking for the User and IP address of the client.
The odd thing is that even when a user logs off, I still only get one event with EventCode 4624. What is happening to the 4634 event? How do I catch logoffs?
(I'm also looking for a work-around on SU: How to get event info in application launched by Task Scheduler?)
The Windows Server 2008 machine started behaving like that after only a few hours of uptime. A reboot fixed the problem. It is only a hunch, but it may have been caused by trying to launch my application on the S2008 machine too many times and with too many errors, messing up the operating system's configuration.
You can use system log off and log on events. Every activity in system is monitored by windows operating system and available in event logs.
You can use .Net classes to get those saved events. like to get system events
EventLog log = new EventLog("System");
精彩评论