ReadEventLog 日志读取

前言:拿到域控之后,经常需要查询用户登录日志(安全日志中的 4624 登录事件)。这里做个简单笔记,学习通过 ReadEventLog 及相关 API 读取 Windows 事件日志。

C代码实现

在 C 代码实现的过程中,下面这段代码无法通过 ReadEventLog 完整地读完日志。原因很可能是:它使用固定的 4096 字节缓冲区,且没有处理 ERROR_INSUFFICIENT_BUFFER——一旦遇到比缓冲区大的记录,ReadEventLog 返回失败,外层循环就提前结束了。另外,读取 Security 日志需要管理员权限(或 Event Log Readers 组成员),否则 OpenEventLog 成功但 ReadEventLog 会失败。

#define _CRT_SECURE_NO_WARNINGS
#include <Windows.h>
#include <sddl.h>
#include <TCHAR.h>
#include <cstdio>
#include <cstdlib>
#include <time.h>
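/*
 * Print one EVENTLOGRECORD that the caller has already identified as a
 * logon event (ID 4624): event id/type, source, computer name, the account
 * resolved from the record-header SID, the generation time and the
 * insertion strings.
 *
 * Every offset/length read from the record is treated as untrusted and is
 * checked against pevlr->Length before it is dereferenced, so a truncated or
 * malformed record cannot make us read past the buffer ReadEventLog filled.
 *
 * NOTE: this listing is ANSI-only (TCHAR == char): OpenEventLog is called
 * with a narrow literal and strftime writes into a TCHAR buffer, neither of
 * which compiles/works in a UNICODE build.
 */
static void PrintLogonRecord(EVENTLOGRECORD *pevlr)
{
    const BYTE *pEnd = (const BYTE *)pevlr + pevlr->Length;

    /* SourceName and ComputerName are two NUL-terminated strings that
       immediately follow the fixed-size header. Index in bytes first so the
       arithmetic does not depend on sizeof(TCHAR). */
    const TCHAR *pSource = (const TCHAR *)((const BYTE *)pevlr + sizeof(EVENTLOGRECORD));
    const TCHAR *pComputer = pSource + lstrlen(pSource) + 1;

    _tprintf("Event ID: %08d EventType: %d Source: %s\n",
             (int)LOWORD(pevlr->EventID), /* low word is the event code */
             (int)pevlr->EventType,
             pSource);
    _tprintf("\t MACHINENAME: %s$\n", pComputer);

    /* Resolve the SID stored in the record header. The SID is used in place;
       LookupAccountSid only reads it, so no copy (and no allocator) is needed.
       NOTE(review): for 4624 this header SID is expected to be the *subject*
       (often SYSTEM); the account that logged on is carried in the insertion
       strings printed below (TargetUserName/TargetDomainName) -- confirm
       against a live record. */
    if (pevlr->UserSidLength > 0 &&
        pevlr->UserSidOffset <= pevlr->Length &&
        pevlr->UserSidLength <= pevlr->Length - pevlr->UserSidOffset)
    {
        PSID pUserSID = (PSID)((BYTE *)pevlr + pevlr->UserSidOffset);
        TCHAR szName[256];
        TCHAR szDomain[256];
        /* LookupAccountSid rewrites these counts on every call (required size
           on failure), so they must describe the real buffer size each time;
           the original passed _MAX_PATH+1 for 64-element buffers. */
        DWORD cchName = ARRAYSIZE(szName);
        DWORD cchDomain = ARRAYSIZE(szDomain);
        SID_NAME_USE sidNameUse = SidTypeUser;

        if (LookupAccountSid(NULL, pUserSID, szName, &cchName,
                             szDomain, &cchDomain, &sidNameUse))
        {
            _tprintf("\t domainName: %s\n", szDomain);
            _tprintf("\t userName: %s\n", szName);
        }
    }

    /* TimeGenerated is seconds since 1970-01-01 UTC, i.e. a time_t. */
    {
        time_t t = (time_t)pevlr->TimeGenerated;
        struct tm *ptm = localtime(&t);
        TCHAR szTime[32] = { 0 };
        if (ptm != NULL)
            strftime(szTime, sizeof(szTime), "%Y-%m-%d %H:%M:%S\n", ptm);
        _tprintf("\t login Time: %s\n", szTime);
    }

    /* Insertion strings: NumStrings NUL-terminated strings starting at
       StringOffset. Each one is bounded by the end of the record before it is
       printed; an unterminated string means the record is malformed. */
    if (pevlr->NumStrings > 0 && pevlr->StringOffset < pevlr->Length)
    {
        const TCHAR *pStr = (const TCHAR *)((const BYTE *)pevlr + pevlr->StringOffset);
        for (WORD i = 0; i < pevlr->NumStrings; i++)
        {
            size_t avail = (size_t)(pEnd - (const BYTE *)pStr) / sizeof(TCHAR);
            size_t len = 0;
            while (len < avail && pStr[len] != 0)
                len++;
            if (len == avail)
                break;
            _tprintf("\t string[%u]: %s\n", (unsigned)i, pStr);
            pStr += len + 1;
        }
    }
}

/*
 * Read the local Security event log from the beginning and print every
 * logon event (ID 4624).
 *
 * Reading the Security log requires administrative rights (or membership
 * in Event Log Readers); OpenEventLog may still succeed without them and
 * ReadEventLog then fails with an access error, which is reported below.
 *
 * The read buffer starts at 4096 bytes and grows whenever ReadEventLog
 * reports ERROR_INSUFFICIENT_BUFFER, so a single large record no longer
 * silently ends the scan. ERROR_HANDLE_EOF is the normal end of the log.
 */
void DisplayEntries()
{
    HANDLE h = OpenEventLog(NULL, "Security");
    if (h == NULL)
    {
        printf("Could not open the Security event log (error %lu).\n", GetLastError());
        return;
    }

    DWORD cbBuffer = 4096;
    BYTE *pBuffer = (BYTE *)malloc(cbBuffer);
    if (pBuffer == NULL)
    {
        CloseEventLog(h);
        return;
    }

    for (;;)
    {
        DWORD dwRead = 0;
        DWORD dwNeeded = 0;

        if (!ReadEventLog(h,
                          EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ,
                          0,            /* offset ignored for sequential reads */
                          pBuffer,
                          cbBuffer,
                          &dwRead,
                          &dwNeeded))
        {
            DWORD err = GetLastError();
            if (err == ERROR_INSUFFICIENT_BUFFER && dwNeeded > cbBuffer)
            {
                /* dwNeeded is the minimum size for the next record; keep the
                   old buffer if realloc fails. */
                BYTE *pNew = (BYTE *)realloc(pBuffer, dwNeeded);
                if (pNew == NULL)
                    break;
                pBuffer = pNew;
                cbBuffer = dwNeeded;
                continue;
            }
            if (err != ERROR_HANDLE_EOF)
                printf("ReadEventLog failed (error %lu).\n", err);
            break;
        }

        /* Walk the records packed into this read. Length comes from the log
           itself, so validate it before advancing: a zero or oversized Length
           would otherwise loop forever or walk off the buffer. */
        BYTE *p = pBuffer;
        DWORD remaining = dwRead;
        while (remaining >= sizeof(EVENTLOGRECORD))
        {
            EVENTLOGRECORD *pevlr = (EVENTLOGRECORD *)p;
            if (pevlr->Length < sizeof(EVENTLOGRECORD) || pevlr->Length > remaining)
                break;
            if (LOWORD(pevlr->EventID) == 4624)
                PrintLogonRecord(pevlr);
            p += pevlr->Length;
            remaining -= pevlr->Length;
        }
    }

    free(pBuffer);
    CloseEventLog(h);
}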
/* Entry point: dump the logon events from the local Security log. */
int main()
{
    DisplayEntries();
    return 0;
}
