使用C＃以编程方式检测Windows登录尝试 [英] Detect windows logon attempts programmatically using C#

问题描述

我想开发一个Windows窗体应用程序来监视我的网络计算机的登录，注销和登录尝试详细信息，并根据检测执行某些操作。 （例如，向管理员发送一些通知）

I want to develop a windows forms application to monitor my network computers login, logoff and login attempts details and do something based on detection. (For example send some notification for admin)

我尝试过的操作：

我了解了Windows服务， Windows Task Scheduler和使用Task Scheduler进行事件审核但是我想务实地做到这一点。所以我的问题是如何使用C＃以编程方式检测Windows登录尝试？

I read about windows service, Windows Task Scheduler and Event auditing using Task Scheduler But I want to do it pragmatically. So my question is How can I detect windows logon attempts programmatically using C#?

推荐答案

要检测登录尝试，您可以依靠Windows安全性事件。 在这里，您可以看到安全事件及其含义的列表。 您可能感兴趣的常见事件是：

To detect logon attempts you can rely on windows security events. Here you can see a list of security events and their meanings. Common events which you may be interested in are:

4624: An account was successfully logged on.
4625: An account failed to log on.
4648: A logon was attempted using explicit credentials.
4675: SIDs were filtered.

使用应用程序/服务检测事件

您可以使用 EventLog 类并处理其 EntryWritten 事件。下面的代码示例仅将事件记录在文件中，以显示可以通知您事件并使用它。您可以通过电子邮件发送通知或运行应用程序或执行其他操作，而无需写入文件。

You can detect logon attempts yourself by code using EventLog class and handling its EntryWritten event. The code sample below just logs the event in a file to show you can be informed of event and use it. Instead of writing in a file, you can send notification by email or run an application or do something else.

要测试代码，您应该以管理员身份运行。同样在真实环境中，您应该使其像服务一样，或者将其配置为在用户登录之前运行。

To test the code you should Run as Administrator. Also in a real environment you should make it like a service or configure it to run before user login.

private void Form1_Load(object sender, EventArgs e)
{
    EventLog logListener = new EventLog("Security");
    logListener.EntryWritten += logListener_EntryWritten;
    logListener.EnableRaisingEvents = true;
}
void logListener_EntryWritten(object sender, EntryWrittenEventArgs e)
{
    //4624: An account was successfully logged on.
    //4625: An account failed to log on.
    //4648: A logon was attempted using explicit credentials.
    //4675: SIDs were filtered.
    var events = new int[] { 4624, 4625, 4648, 4675 };
    if (events.Contains(e.Entry.EventID))
        System.IO.File.AppendAllLines(@"d:\log.txt", new string[] {
            string.Format("{0}:{1}",  e.Entry.EventID, e.Entry.Message)
        });
}

注意：正如您在问题中所说您可以使用Windows Scheduled Task在发生事件时执行某些操作。

Note: As also you said in the question you can use Windows Scheduled Task to do something when an Event Occurred.

当检测到登录尝试失败时，可以要求Windows为您执行某些操作，例如运行应用程序（发送电子邮件或其他内容）。为此，请使用Windows Task Scheduler并说该任务在发生特定事件时运行，并指定适当的事件源和ID。另请参阅完整步骤的示例，请参见在事件日志触发器上通过电子邮件获取事件日志内容。

You can ask the Windows to do something for you when an unsuccessful logon attempt detected, for example run an application (which sends an email or somethings else). To do so, use Windows Task Scheduler and say the task run when an specific event occurred and specify suitable event source and Id. Also to see an example of complete steps see Getting event log contents by email on an event log trigger.

这篇关于使用C＃以编程方式检测Windows登录尝试的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！