Logon Type 2 – Interactive

This is what comes to mind first when you think of logons, that is, a logon at the console of a computer. You'll see type 2 logons when a user attempts to log on at the local keyboard and screen, whether with a domain account or a local account from the computer's local SAM. To tell the difference between an attempt to log on with a local or a domain account, look for the domain or computer name preceding the user name in the event's description. Don't forget that logons through a KVM-over-IP component or a server's proprietary "lights-out" remote KVM feature are still interactive logons from the standpoint of Windows and will be logged as such.

Logon Type 3 – Network

Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers. But other over-the-network logons are classed as logon type 3 as well, such as most logons to IIS. (The exception is basic authentication, which is explained under Logon Type 8 below.)

Logon Type 4 – Batch

When Windows executes a scheduled task, the Scheduled Task service first creates a new logon session for the task so that it can run under the authority of the user account specified when the task was created. When this logon attempt occurs, Windows logs it as logon type 4. Other job scheduling systems, depending on their design, may also generate logon events with logon type 4 when starting jobs. Logon type 4 events are usually just innocent scheduled task startups, but a malicious user could try to subvert security by guessing the password of an account through scheduled tasks. Such attempts would generate a logon failure event where the logon type is 4. But logon failures associated with scheduled tasks can also result from an administrator entering the wrong password for the account at the time of task creation, or from the password of an account being changed without modifying the scheduled task to use the new password.

Logon Type 5 – Service

Similar to scheduled tasks, each service is configured to run as a specified user account. When a service starts, Windows first creates a logon session for the specified user account, which results in a Logon/Logoff event with logon type 5. Failed logon events with logon type 5 usually indicate that the password of an account has been changed without updating the service, but there's always the possibility of malicious users at work too. However, this is less likely because creating a new service or editing an existing service by default requires membership in Administrators or Server Operators, and such a user, if malicious, will likely already have enough authority to perpetrate his desired goal.

Logon Type 7 – Unlock

Hopefully the workstations on your network automatically start a password-protected screen saver when a user leaves their computer, so that unattended workstations are protected from malicious use. When a user returns to their workstation and unlocks the console, Windows treats this as a logon and logs the appropriate Logon/Logoff event, but in this case the logon type will be 7, identifying the event as a workstation unlock attempt. Failed logons with logon type 7 indicate either a user entering the wrong password or a malicious user trying to unlock the computer by guessing the password.

Logon Type 8 – NetworkCleartext

This logon type indicates a network logon like logon type 3, but where the password was sent over the network in clear text. Windows Server doesn't allow connections to shared files or printers with clear-text authentication. The only situations I'm aware of are logons from within an ASP script using the ADVAPI, or when a user logs on to IIS using IIS's basic authentication mode. In both cases the logon process in the event's description will list advapi. Basic authentication is only dangerous if it isn't wrapped inside an SSL session (i.e. https). As far as logons generated by an ASP script, remember that embedding passwords in source code is a bad practice for maintenance purposes as well as for the risk that someone malicious will view the source code and thereby gain the password.

Logon Type 9 – NewCredentials

If you use the RunAs command to start a program under a different user account and specify the /netonly switch, Windows records a logon/logoff event with logon type 9. When you start a program with RunAs using /netonly, the program executes on your local computer as the user you are currently logged on as but for any connections to other computers on the network, Windows connects you to those computers using the account specified on the RunAs command. Without /netonly Windows runs the program on the local computer and on the network as the specified user and records the logon event with logon type 2.

Logon Type 10 – RemoteInteractive

When you access a computer through Terminal Services, Remote Desktop or Remote Assistance, Windows logs the logon attempt with logon type 10, which makes it easy to distinguish true console logons from a remote desktop session. Note, however, that Windows 2000 (prior to XP) doesn't use logon type 10, and Terminal Services logons are reported as logon type 2.

Logon Type 11 – CachedInteractive

Windows supports a feature called Cached Logons which facilitates mobile users. When you are not connected to your organization's network and attempt to log on to your laptop with a domain account, there's no domain controller available to the laptop with which to verify your identity. To solve this problem, Windows caches a hash of the credentials of the last 10 interactive domain logons. Later, when no domain controller is available, Windows uses these hashes to verify your identity when you attempt to log on with a domain account.

 

After cleanup, the XML looks like this:
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<Events>
  <Event>
    <System>
      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
      <EventID>4624</EventID>
      <Version>0</Version>
      <Level>0</Level>
      <Task>12544</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8020000000000000</Keywords>
      <TimeCreated SystemTime="2010-09-23T02:09:22.030125300Z" />
      <EventRecordID>14583</EventRecordID>
      <Correlation />
      <Execution ProcessID="616" ThreadID="708" />
      <Channel>Security</Channel>
      <Computer>dc10101-PC</Computer>
      <Security />
    </System>
    <EventData>
      <Data Name="SubjectUserSid">S-1-5-18</Data>
      <Data Name="SubjectUserName">DC10101-PC$</Data>
      <Data Name="SubjectDomainName">WORKGROUP</Data>
      <Data Name="SubjectLogonId">0x3e7</Data>
      <Data Name="TargetUserSid">S-1-5-18</Data>
      <Data Name="TargetUserName">SYSTEM</Data>
      <Data Name="TargetDomainName">NT AUTHORITY</Data>
      <Data Name="TargetLogonId">0x3e7</Data>
      <Data Name="LogonType">5</Data>
      <Data Name="LogonProcessName">Advapi</Data>
      <Data Name="AuthenticationPackageName">Negotiate</Data>
      <Data Name="WorkstationName" />
      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
      <Data Name="TransmittedServices">-</Data>
      <Data Name="LmPackageName">-</Data>
      <Data Name="KeyLength">0</Data>
      <Data Name="ProcessId">0x240</Data>
      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
      <Data Name="IpAddress">-</Data>
      <Data Name="IpPort">-</Data>
    </EventData>
    <RenderingInfo Culture="zh-CN">
      <Level>Information</Level>
      <Task>Logon</Task>
      <Opcode>Info</Opcode>
      <Channel>Security</Channel>
      <Provider>Microsoft Windows security auditing.</Provider>
      <Keywords>
        <Keyword>Audit Success</Keyword>
      </Keywords>
    </RenderingInfo>
  </Event>
  <Event>
    <System>
      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
      <EventID>4624</EventID>
      <Version>0</Version>
      <Level>0</Level>
      <Task>12544</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8020000000000000</Keywords>
      <TimeCreated SystemTime="2010-09-23T13:09:22.802965700Z" />
      <EventRecordID>14589</EventRecordID>
      <Correlation />
      <Execution ProcessID="616" ThreadID="8644" />
      <Channel>Security</Channel>
      <Computer>dc10101-PC</Computer>
      <Security />
    </System>
    <EventData>
      <Data Name="SubjectUserSid">S-1-5-18</Data>
      <Data Name="SubjectUserName">DC10101-PC$</Data>
      <Data Name="SubjectDomainName">WORKGROUP</Data>
      <Data Name="SubjectLogonId">0x3e7</Data>
      <Data Name="TargetUserSid">S-1-5-21-1970735100-597249049-2926331685-1000</Data>
      <Data Name="TargetUserName">dc10101</Data>
      <Data Name="TargetDomainName">dc10101-PC</Data>
      <Data Name="TargetLogonId">0x26358257</Data>
      <Data Name="LogonType">7</Data>
      <Data Name="LogonProcessName">User32</Data>
      <Data Name="AuthenticationPackageName">Negotiate</Data>
      <Data Name="WorkstationName">DC10101-PC</Data>
      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
      <Data Name="TransmittedServices">-</Data>
      <Data Name="LmPackageName">-</Data>
      <Data Name="KeyLength">0</Data>
      <Data Name="ProcessId">0x280</Data>
      <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
      <Data Name="IpAddress">127.0.0.1</Data>
      <Data Name="IpPort">0</Data>
    </EventData>
    <RenderingInfo Culture="zh-CN">
      <Level>Information</Level>
      <Task>Logon</Task>
      <Opcode>Info</Opcode>
      <Channel>Security</Channel>
      <Provider>Microsoft Windows security auditing.</Provider>
      <Keywords>
        <Keyword>Audit Success</Keyword>
      </Keywords>
    </RenderingInfo>
  </Event>
</Events>

 

using System;
using System.Collections.Generic;
using System.Windows.Forms;
using System.Text.RegularExpressions;
using System.Xml;

namespace WindowsServerLogonAnalyse
{
    public class LogonEventRecord
    {
        public int EventRecordID { get; set; }
        public DateTime TimeStamp { get; set; }
        public int LogonType { get; set; }
        public string UserName { get; set; }
        public string ComputerName { get; set; }
    }

    public partial class Form1 : Form
    {
        List<LogonEventRecord> logList = new List<LogonEventRecord>();
        int[] logonTypeArray = new int[] {2,3,4,5,7,8,9,10,11};
        string xmlLogFilePath = string.Empty;

        public Form1(string xmlLogFilePath)
        {
            InitializeComponent();

            this.xmlLogFilePath = xmlLogFilePath;
        }

        private string ConvertToValidXml(string rawXml)
        {
            string ret = rawXml;
            
            // When the file is opened in IE there is leading whitespace, which violates the XML declaration rules and must be removed
            ret = ret.TrimStart(' ');

            // IE renders collapsible "- <" markers in front of elements; strip them
            ret = Regex.Replace(ret, Environment.NewLine + "- <", Environment.NewLine + "<");

            // <Message> contains characters that break the XML; drop the whole element.
            // Singleline lets "." match line breaks, since a message usually spans several lines.
            ret = Regex.Replace(ret, @"<Message>.*?</Message>", string.Empty, RegexOptions.Singleline);

            // Without removing the default namespace, XPath queries become awkward
            ret = ret.Replace(@"xmlns=""http://schemas.microsoft.com/win/2004/08/events/event""", string.Empty);
            return ret;
        }

        private void Form1_Load(object sender, EventArgs e)
        {
            webBrowser1.Navigate(this.xmlLogFilePath);
        }

        private void webBrowser1_DocumentCompleted(object sender, WebBrowserDocumentCompletedEventArgs e)
        {
            WebBrowser browser = (WebBrowser)sender;
            if (browser.ReadyState == WebBrowserReadyState.Complete)
            {
                try
                {
                    string xmlContent = browser.Document.Body.OuterText;
                    xmlContent = ConvertToValidXml(xmlContent);

                    XmlDocument doc = new XmlDocument();
                    doc.LoadXml(xmlContent);

                    // collect the records for every logon type of interest
                    foreach (int LogonType in this.logonTypeArray)
                    {
                        logList.AddRange(GetRecordsByLogonType(doc, LogonType));
                    }
                }
                catch (Exception ex)
                {
                    // An exception thrown inside a WebBrowser event handler does not stop the program, so set a breakpoint here to inspect the error
                    MessageBox.Show(ex.Message);
                    throw;
                }
            }
        }

        private List<LogonEventRecord> GetRecordsByLogonType(XmlDocument doc, int LogonType)
        {
            List<LogonEventRecord> ret = new List<LogonEventRecord>();
            // Select every Event whose EventData contains a Data element named LogonType equal to the type we are looking for.
            // The comparison must be applied to that specific Data element; a bare EventData/Data={0} would match any Data value.
            XmlNodeList logonEventList = doc.SelectNodes(string.Format("/Events/Event[EventData/Data[@Name='LogonType']={0}]", LogonType));
            foreach (XmlNode node in logonEventList)
            {
                LogonEventRecord record = new LogonEventRecord();
                record.LogonType = LogonType;
                record.UserName = node.SelectSingleNode("EventData/Data[@Name='TargetUserName']").InnerText;
                record.TimeStamp = DateTime.Parse(node.SelectSingleNode("System/TimeCreated").Attributes["SystemTime"].Value);
                record.ComputerName = node.SelectSingleNode("System/Computer").InnerText;
                record.EventRecordID = int.Parse(node.SelectSingleNode(@"System/EventRecordID").InnerText);
                ret.Add(record);
            }
            return ret;
        }
    }
}
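As an added example (not the post's code), the same parsing in Python: it handles the export's default namespace instead of stripping it, keys every EventData field by its Name, and flags the events the logon-type sections above single out. The sample events are constructed, and the use of event ID 4625 for failed logons is my assumption, not something the page states.

```python
import xml.etree.ElementTree as ET
# Logon types as described in the sections above.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}

def _local(tag):
    # Drop the default namespace an export puts on <Event> (the C# above strips it by string replace).
    return tag.rsplit("}", 1)[-1]

def parse_events(xml_text):
    """One dict per <Event>: System fields plus every EventData/Data keyed by its Name."""
    records = []
    for event in ET.fromstring(xml_text).iter():
        if _local(event.tag) != "Event":
            continue
        rec = {}
        for elem in event.iter():
            name = _local(elem.tag)
            if name in ("EventID", "EventRecordID"):
                rec[name] = int(elem.text)
            elif name == "Computer":
                rec[name] = elem.text
            elif name == "Data" and elem.get("Name"):
                rec[elem.get("Name")] = elem.text or ""
        rec["LogonType"] = int(rec.get("LogonType") or 0)  # 0 = no LogonType field
        records.append(rec)
    return records

def review_items(records):
    """Events worth a second look: cleartext network logons (type 8) and failed logons (event
    4625, assumed) of types 4, 5 and 7, which the text above links to password guessing."""
    out = []
    for r in records:
        if r["LogonType"] == 8:
            out.append((r["EventRecordID"], "cleartext network logon"))
        elif r["EventID"] == 4625 and r["LogonType"] in (4, 5, 7):
            out.append((r["EventRecordID"], "failed %s logon" % LOGON_TYPES[r["LogonType"]]))
    return out

def make_event(record_id, event_id, logon_type, user):
    # Constructed minimal event in the shape of the page's export (not a real log record).
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
            '<EventID>%d</EventID><EventRecordID>%d</EventRecordID><Computer>dc10101-PC'
            '</Computer></System><EventData><Data Name="TargetUserName">%s</Data>'
            '<Data Name="LogonType">%d</Data></EventData></Event>') % (event_id, record_id, user, logon_type)

# Constructed sample: the two logons from the page's XML plus a failed unlock and a cleartext logon.
SAMPLE_XML = "<Events>" + make_event(14583, 4624, 5, "SYSTEM") + make_event(14589, 4624, 7, "dc10101") \
    + make_event(14601, 4625, 7, "dc10101") + make_event(14610, 4624, 8, "IUSR_TEST") + "</Events>"
```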
posted on 2010-09-24 16:19 MainTao