How to read Audit Account Logon Events in XP using C++


Problem description

Hi.

I am working on the XP platform.
I want to read programmatically whether Audit Account Logon Events is set to success or failure.
Is any API available to find this?

Recommended answer

Below is some code to read the event records from the "Security" event log.
At the bottom is a link to an MS article describing how to "decode" the Logon/Logoff event log records, which is even more complicated than reading the records. Since you made no mention of even obtaining the records, I included the code here. If you cannot decode the EVENTLOGRECORD, then also let us know, and we will work on a separate function to do that.

There is no claim that this is "optimal" code, but it will get the record-reading job done.

I generated a simple Win32 application in Visual Studio 6 and tested the code below...

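#include "stdafx.h"
#include <windows.h>   // event log API: OpenEventLog, ReadEventLog, EVENTLOGRECORD
#include <stdlib.h>    // malloc, free
#include <string.h>    // memset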

#define EL_BUFF_SIZE    0x000FFFF

int APIENTRY WinMain(
    HINSTANCE hInstance,
    HINSTANCE hPrevInstance,
    LPSTR     lpCmdLine,
    int       nCmdShow
){
    // TEXT() keeps the call valid in both ANSI and UNICODE builds
    HANDLE hEventLog = OpenEventLog(NULL, TEXT("Security"));

    if( hEventLog )
    {
        LPBYTE pBuffer = (LPBYTE)malloc( EL_BUFF_SIZE );
        
        // how many events?
        DWORD nNumberOfRecords = 0;
        DWORD nRecordProcessed = 0;   // declared here: it is compared with nNumberOfRecords after the read loop
        if( pBuffer && GetNumberOfEventLogRecords(hEventLog, &nNumberOfRecords) && 
            (nNumberOfRecords > 0) )
        {

            BOOL  bReadSuccess = FALSE;
            DWORD nBytesRead   = 0;
            DWORD nNumberOfBytesToRead;
            DWORD nMinNumberOfBytesNeeded;
            
            do{

                nNumberOfBytesToRead    = EL_BUFF_SIZE;
                nMinNumberOfBytesNeeded = 0;  
                nBytesRead              = 0;

                // clear the whole buffer; sizeof(EL_BUFF_SIZE) would only be the size of an int
                memset( pBuffer, 0, EL_BUFF_SIZE );
                
                bReadSuccess = ReadEventLog(
                                hEventLog,
                                EVENTLOG_SEQUENTIAL_READ|EVENTLOG_FORWARDS_READ,
                                0,
                                pBuffer,
                                nNumberOfBytesToRead,
                                &nBytesRead,
                                &nMinNumberOfBytesNeeded
                                );
                
                if( bReadSuccess && nBytesRead )
                {
                    DWORD nSpaceUsed = 0;
                    EVENTLOGRECORD* pRecord = NULL;
                    
                    do{
                    
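                        // byte-pointer arithmetic; casting the pointer to DWORD truncates it on 64-bit builds
                        pRecord = (EVENTLOGRECORD*)(pBuffer + nSpaceUsed);

                        // stop on a record whose Length is too small or runs past the data read
                        if( pRecord->Length < sizeof(EVENTLOGRECORD) ||
                            pRecord->Length > nBytesRead - nSpaceUsed )
                        {
                            break;
                        }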
                        
                        // see this article for decoding records
                        // http://technet.microsoft.com/en-us/library/bb742436.aspx
                        // some decoding must be done to figure out if it is a logon or logoff event
                        
                        if( EVENTLOG_AUDIT_FAILURE == pRecord->EventType )
                        {
                        
                        } 
                        else if(EVENTLOG_AUDIT_SUCCESS == pRecord->EventType )
                        {
                        
                        }
                        
                        nSpaceUsed += pRecord->Length;
                    
                        nRecordProcessed++;

                    }while( nSpaceUsed < nBytesRead );
                }
        
            }while( bReadSuccess && nBytesRead );

        }

        free( pBuffer );

        if( nNumberOfRecords == nRecordProcessed )
        {
            // we looked at everything
        }
        
        CloseEventLog(hEventLog);
    }

    return 0;
}



http://technet.microsoft.com/en-us/library/bb742436.aspx
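An added example, not part of the original answer: the same record walk written as portable C over a raw byte buffer, so that each record's Length is validated before it is used and audit successes and failures are counted per event code. The names `tally_audit`, `put_record` and `rd32` and the sample records (including the event codes 528 and 529) are assumptions constructed for this example; the offsets follow the fixed EVENTLOGRECORD header (56 bytes, EventID at offset 20, EventType at offset 24).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define REC_HDR_SIZE  56u      /* size of the fixed EVENTLOGRECORD header */
#define AUDIT_SUCCESS 0x0008u  /* EVENTLOG_AUDIT_SUCCESS */
#define AUDIT_FAILURE 0x0010u  /* EVENTLOG_AUDIT_FAILURE */

static uint32_t rd32(const uint8_t *p)   /* little-endian DWORD */
{ return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Count audit results whose event code (low 16 bits of EventID) equals code,
 * or all of them when code is 0. Returns records walked, -1 on a bad Length. */
int tally_audit(const uint8_t *buf, size_t used, uint16_t code, unsigned *ok, unsigned *fail)
{
    size_t off = 0;
    int n = 0;
    *ok = *fail = 0;
    while (off < used) {
        if (used - off < REC_HDR_SIZE) return -1;        /* truncated header */
        uint32_t len = rd32(buf + off);                  /* Length, offset 0 */
        if (len < REC_HDR_SIZE || len > used - off) return -1;
        uint16_t id   = (uint16_t)rd32(buf + off + 20);  /* EventID, offset 20 */
        uint16_t type = (uint16_t)rd32(buf + off + 24);  /* EventType, offset 24 */
        if ((code == 0 || id == code) && type == AUDIT_FAILURE) ++*fail;
        if ((code == 0 || id == code) && type == AUDIT_SUCCESS) ++*ok;
        off += len;
        n++;
    }
    return n;
}

/* Constructed sample record: zeroed bytes, total size len, given id and type. */
size_t put_record(uint8_t *dst, uint8_t len, uint16_t id, uint16_t type)
{
    memset(dst, 0, len);
    dst[0] = len;
    dst[20] = (uint8_t)id;
    dst[21] = (uint8_t)(id >> 8);
    dst[24] = (uint8_t)type;
    return len;
}

int main(void)
{
    uint8_t buf[192];
    unsigned ok, fail;
    size_t used = put_record(buf, 64, 529, AUDIT_FAILURE);   /* constructed ids */
    used += put_record(buf + used, 56, 528, AUDIT_SUCCESS);
    used += put_record(buf + used, 72, 529, AUDIT_FAILURE);
    int n = tally_audit(buf, used, 529, &ok, &fail);
    printf("%d records, %u failures, %u successes\n", n, fail, ok);
    return 0;
}
```

A Length of zero, or one larger than the bytes left in the buffer, makes the function return -1 instead of looping forever or reading past the data.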




