Writing to the Windows Security Log with C++

Posted 2019-09-03 10:31

I have been tasked with writing entries to the Windows security log. The entire project is Win32 C++ code. I have already written (with help from various online resources) a logging class that handles registration, deregistration, and code for executing the ReportEvent() call. Also, I've done the mc.exe and rc.exe steps for my event logging, if that helps establish where I'm at in the project.

My question is a multi-parter:

  1. I've noticed at Filling Windows XP Security Event Log that there are some who believe this is not allowed by Windows. Others ( How to write log to SECURITY event Log in C#? ) imply otherwise. Possible or not?
  2. If it is possible, how do I get it to write to the security log? Is it as simple as specifying "Security" as my source name when calling RegisterEventSource()?
  3. As far as deregistration goes, when should that occur? When the app is uninstalled? When the app closes? When the log entry is written?
  4. How do I look up my log entries? I look in the Windows Event Viewer, but I don't see the entries I add with my test app, despite all the appropriate return values from the system calls. Where would I look up the events that I specified with a source name of "yarp" when I made my call to RegisterEventSource()?

1 answer
Anthone
Post #2 · 2019-09-03 10:45

For the moment, I'll just deal with the first question, because the answer to that probably renders the rest irrelevant.

Only Local Security Authority (lsass.exe) can write to the security log. This isn't a matter that something else attempting to get the privilege will fail -- it's a matter of there not being a way for anything else to even request the privilege at all (and this is by design).

From there, about the only answer to your other questions is "Sorry!"
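As an added illustration that is not part of the original question or answer, the following Windows PowerShell 5.1 script (run elevated) walks the same register / write / look-up flow for the questioner's "yarp" source against the Application log, and then shows what happens when the same registration is attempted against the Security log. The source name "yarp", event ID 1000 and the message text are taken from or constructed for this example.

```powershell
# Added example, not code from the original post. Assumes Windows PowerShell 5.1
# running as Administrator; Write-EventLog is not available in PowerShell 7.
$Source = 'yarp'          # source name from the question
$Log    = 'Application'   # the log a third-party application is allowed to write to

# Registration is a one-time, administrative step (the RegisterEventSource call in C++
# only opens a handle; the registry key under EventLog\<Log>\<Source> is created here).
# This is the step that belongs in an installer, and the matching removal in the uninstaller.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $Log -Source $Source
}

# Write one entry. In C++ this is RegisterEventSource + ReportEvent + DeregisterEventSource;
# the handle should be closed when the application is done logging, not per entry.
Write-EventLog -LogName $Log -Source $Source -EventId 1000 `
    -EntryType Information -Message 'Constructed test entry from source yarp'

# Look it up. In Event Viewer this is Windows Logs > Application, filtered on Source = yarp;
# the entries do not appear under Security, which is where the questioner was looking.
Get-WinEvent -FilterHashtable @{ LogName = $Log; ProviderName = $Source } -MaxEvents 5 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message

# The Security log is written only by LSASS; registering a source or writing an event
# there from an ordinary process is expected to fail with an access-denied style error.
try {
    New-EventLog -LogName 'Security' -Source $Source -ErrorAction Stop
    Write-EventLog -LogName 'Security' -Source $Source -EventId 1000 `
        -EntryType Information -Message 'This write is not permitted' -ErrorAction Stop
} catch {
    Write-Warning "Security log refused the write: $($_.Exception.Message)"
}

# Clean-up for a test machine: remove the registration created above.
Remove-EventLog -Source $Source
```

If the goal is to have application activity appear in the Security log, the supported route is Windows auditing (audit policy and the object or process auditing LSASS performs), not a direct write from the application.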
