Using the Microsoft Windows Security Auditing provider in real time with ETW (Event Tracing for Windows)

My task is to consume, in real time, the ETW events provided by Microsoft Windows Security Auditing.

I made a simple controller and consumer application based on this example http://msdn.microsoft.com/en-us/library/windows/desktop/ee441325%28v=vs.85%29.aspx, changing the flags to work in real-time mode.

The main function is as follows:

#include <windows.h>
#include <evntrace.h>
#include <evntcons.h>
#include <stdio.h>
#include <stdlib.h>

// SetPrivilege() is the routine from the MSDN "Enabling and Disabling Privileges" example linked below;
// ProcessEvent() is the EVENT_RECORD callback (not shown here) that writes each event's metadata to stdout.
BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege);
VOID WINAPI ProcessEvent(PEVENT_RECORD pEvent);

int main(void)
{
    WCHAR SessionName[] = L"hahahaaa";
    ULONG status = ERROR_SUCCESS;
    PEVENT_TRACE_PROPERTIES pSessionProperties = NULL;
    EVENT_TRACE_LOGFILEW trace;
    TRACEHANDLE hTrace = INVALID_PROCESSTRACE_HANDLE;
    TRACEHANDLE hSession = 0;
    // Microsoft-Windows-Security-Auditing (per EDIT 2 below, events only arrive when the process runs as LocalSystem)
    const GUID providerId = { 0x54849625, 0x5478, 0x4994, { 0xA5, 0xBA, 0x3E, 0x3B, 0x03, 0x28, 0xC3, 0x0D } };
    // Microsoft-Windows-Kernel-General (works as described further down)
    //const GUID providerId = { 0xA68CA8B7, 0x004F, 0xD7B6, { 0xA6, 0x98, 0x07, 0xE2, 0xDE, 0x0F, 0x1F, 0x5D } };
    HANDLE hToken = NULL;
    HANDLE hProcess = NULL;

    // Enable SeSecurityPrivilege on our own token.
    hProcess = GetCurrentProcess();
    if (OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken) == FALSE)
    {
        printf("Error: Couldn't open the process token\n");
        goto cleanup;
    }
    if (!SetPrivilege(hToken, SE_SECURITY_NAME, TRUE))
        goto cleanup;

    // EVENT_TRACE_PROPERTIES must be followed in the same buffer by the session name.
    {
        const size_t buffSize = sizeof(EVENT_TRACE_PROPERTIES) + (wcslen(SessionName) + 1) * sizeof(WCHAR);
        pSessionProperties = reinterpret_cast<EVENT_TRACE_PROPERTIES *>(malloc(buffSize));
        if (!pSessionProperties)
            goto cleanup;
        ZeroMemory(pSessionProperties, buffSize);
        pSessionProperties->Wnode.BufferSize = (ULONG)buffSize;
        pSessionProperties->Wnode.ClientContext = 1;                  // QPC timestamps
        pSessionProperties->Wnode.Flags = WNODE_FLAG_TRACED_GUID;
        pSessionProperties->LogFileMode = EVENT_TRACE_REAL_TIME_MODE;  // no log file; deliver to real-time consumers
        pSessionProperties->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
    }

    // Create the trace session.
    status = StartTraceW(&hSession, SessionName, pSessionProperties);
    if (ERROR_SUCCESS != status)
    {
        wprintf(L"StartTrace() failed with %lu\n", status);
        goto cleanup;
    }

    // Enable the provider in the session at the most verbose level, all keywords.
    status = EnableTraceEx2(hSession, &providerId, EVENT_CONTROL_CODE_ENABLE_PROVIDER,
                            TRACE_LEVEL_VERBOSE, 0, 0, 0, NULL);
    if (ERROR_SUCCESS != status)
    {
        wprintf(L"EnableTraceEx2() failed with %lu\n", status);
        goto cleanup;
    }

    // Open the session as a real-time consumer; EVENT_RECORDs are delivered to ProcessEvent().
    ZeroMemory(&trace, sizeof(EVENT_TRACE_LOGFILEW));
    trace.LogFileName = NULL;
    trace.LoggerName = SessionName;
    trace.ProcessTraceMode = PROCESS_TRACE_MODE_REAL_TIME | PROCESS_TRACE_MODE_EVENT_RECORD;
    trace.EventRecordCallback = ProcessEvent;

    hTrace = OpenTraceW(&trace);
    if (INVALID_PROCESSTRACE_HANDLE == hTrace)
    {
        wprintf(L"OpenTrace failed with %lu\n", GetLastError());
        goto cleanup;
    }

    // Blocks here, calling ProcessEvent() for every event, until the session is stopped.
    status = ProcessTrace(&hTrace, 1, NULL, NULL);
    if (status != ERROR_SUCCESS && status != ERROR_CANCELLED)
    {
        wprintf(L"ProcessTrace failed with %lu\n", status);
        goto cleanup;
    }

cleanup:
    if (hTrace != INVALID_PROCESSTRACE_HANDLE)
        CloseTrace(hTrace);
    if (hSession != 0)
        ControlTraceW(hSession, SessionName, pSessionProperties, EVENT_TRACE_CONTROL_STOP);
    if (pSessionProperties)
        free(pSessionProperties);
    if (hToken)
        CloseHandle(hToken);
    return (int)status;
}

At the point of the ProcessTrace() call the application should wait for incoming events and write their metadata to stdout. But this simply does not happen. All the events I generated (i.e., I enabled detailed tracking of process creation and launched an application) are displayed in Event Viewer, but my program shows nothing.

I thought this might be a problem with some privileges, and using this example http://msdn.microsoft.com/en-us/library/windows/desktop/aa446619%28v=vs.85%29.aspx I set the privilege SE_SECURITY_NAME and, of course, launched the application in Administrator Mode. But nothing has changed.

Another attempt concerned the name of the session. Perhaps this is the same situation as with Windows Kernel Trace, which can only be logged to the NT Kernel Logger system session. The only thing I found is that Microsoft Windows Security Auditing is associated with the Eventlog-Security session, but when I set that session name I got an "Access Denied" error. I do not know what additional privilege I should set for this.

The last attempt was to use "logman" and collect the events into a file, but the result was the same. When I set the session name to "Eventlog-Security", I got "Access Denied". On the other hand, when I set it to anything else, I received only one event, provided by "MSNT_SystemTrace", which is an abstract class for other events.

If I change the provider to, e.g., "Microsoft Windows Kernel General" (the commented-out GUID) and generate an event (updating the system clock), everything works (both in my application and with "logman").

I work on Windows 7 Professional x64 and Visual Studio Ultimate 2013.

My question is: what can I do to receive events from a Microsoft Windows Security Auditing service provider?

Thanks for any help!

EDIT: As I wrote in a comment, if we set SessionName to Eventlog-Security, the application can be shortened to just OpenTrace() and ProcessTrace().

EDIT 2: As Luke suggested in a comment, I started the application with LocalSystem privileges, and it all started working.

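The post resolves the problem in EDIT 2 by running the consumer as LocalSystem. The following PowerShell script is an added example, not code from the original post or from the Microsoft samples it links; it checks, before the C consumer is started, the conditions the post identifies: whether the process is LocalSystem, whether SeSecurityPrivilege is present in the token at all (SetPrivilege() can only enable a privilege the token already holds), whether the provider is registered, whether the Eventlog-Security session is already running, and whether the provider is actually writing events to the Security log. The provider name/GUID and the session name come from the post; everything else is standard Windows tooling (whoami, logman, Get-WinEvent).

```powershell
# Added diagnostic, not part of the original post. Provider GUID and session name are taken from the post.
$providerName = 'Microsoft-Windows-Security-Auditing'   # GUID {54849625-5478-4994-A5BA-3E3B0328C30D}
$sessionName  = 'Eventlog-Security'                     # session owned by the Event Log service

# 1. Identity: the post reports that Security-Auditing events only reach the consumer under LocalSystem (S-1-5-18).
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Host ("Running as {0}; LocalSystem = {1}" -f $id.Name, $id.IsSystem)

# 2. SeSecurityPrivilege: AdjustTokenPrivileges cannot add a privilege the token was not created with.
$priv = whoami /priv | Select-String 'SeSecurityPrivilege'
if ($priv) { Write-Host $priv.Line.Trim() } else { Write-Host 'SeSecurityPrivilege is not in this token' }

# 3. Provider registration: the keywords and levels logman knows for the provider.
logman query providers $providerName

# 4. Session state: is Eventlog-Security already running? (The OpenTrace/ProcessTrace-only variant from EDIT attaches to it.)
logman query $sessionName -ets

# 5. Is the provider producing events at all? Show the newest Security log entries it wrote.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ProviderName = $providerName } -MaxEvents 5 |
    Select-Object TimeCreated, Id, TaskDisplayName
```

Run it from an elevated prompt; steps 4 and 5 need administrative rights to read the Security log and query the Event Log service's session. If step 1 reports LocalSystem = False while step 5 shows fresh events, the situation matches the post exactly: the provider is emitting, and what is missing is the identity the consumer runs under rather than a privilege on the session buffer.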

Source: https://habr.com/ru/post/1210227/

