Modify audit policy (group policy)


Question

I'd like to change object audit policy with vb.net. Like enabling Object Access auditing. Is that possible? If not, is powershell an option? I know I can get gpedit running on any version of Windows, but I want to be able to change the setting programmatically.

Also, I do know some settings can be changed by Registry, but I haven't seen one for audit policy.

http://www.lshift.net/blog/2013/03/25/programmatically-updating-local-policy-in-windows/

I found this, but will give it a try in a little while.

Recommended answer

Update: It is possible to import, via VB (or probably any other language), by using REG IMPORT. Make sure you're putting the .REG file where System can access it (System does not have the same privileges as Administrator). You'd have to launch a separate app that runs as System and, on load, imports a registry key. You can run as System using PSTools (psexec), from Sysinternals. You can also do it by creating a service, running the service, then deleting the service: Running application as System (without PSTools)

I realized all the links I thought were the answer, were not. They all change the Audit Policy tab, and I can already do that programmatically. What I want to change is the global audit policy, which is only available in Group Policy (gpedit.msc). Of course, you can "install" it on any version of Windows, but I want a solution that doesn't require the end user to have to set it (aka not use gpedit.msc).

I knew that Process Monitor could monitor virtually anything going on in the background, and one link in my comments also was using Process Monitor (comments of my OP). So, I figured that was really my only way. Naturally, you'd think mmc.exe is the one to look for, but it's not. It does a TON of registry open/query/enum/closes. However, no setting or deleting. I decided to look a little before and after the large block of mmc operations (well, and of course anywhere in between). Anything that wasn't mmc but happened in the exact timeframe. I found lsass had done some setting and deleting. It was changing the value of a Registry key that is owned by System. I used PSTools to run regedit as System, so I could access the key. I then used gpedit to switch back and forth (from No Auditing to Success), and found it always set the same values (something like 0 for off and 1 for on). I exported the keys when I changed the values in gpedit, and then imported them to test. I can confirm it works by reopening gpedit after importing, and the value changes. I can also confirm simply by enabling Auditing on a folder, and seeing logs in Event Viewer.

tl;dr

  1. HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv\(Default) is the one you want.
  2. Download the .reg files here
  3. Run this in an elevated command prompt: psexec -i -s regedit
  4. Import the .reg file you need.
  5. Confirm by reopening gpedit.msc and checking Event Viewer (Security)

Don't trust the .reg files? Here are the values if you'd rather create them yourself. Value type is REG_NONE, so @=hex(0).

No Auditing: 00010000090000007e00000001000000030000000300010001000100000001000000000000000300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000100000000000000000001000000010000000000000000000000000000000000000000000000fe7f05000a000e00030004000600060004000400

Success: 00010000090000007e00000001000000030000000300010001000100000001000000000000000300000001000100010001000100010001000100010001000100010001000100000000000000000000000000000001000100000000000000000001000000010000000000000000000000000000000000000000000000fe7f05000a000e00030004000600060004000400
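A verification script, added here and not part of the original answer: it takes the two PolAdtEv blobs quoted above, computes which bytes gpedit actually toggles between "No Auditing" and "Success", then reads the live key and reports whether the machine is in one of the two documented states. It assumes the blobs are copied in exactly as posted; the script name `Check-PolAdtEv.ps1` is a placeholder, and it must run as SYSTEM (via psexec, as the answer does for regedit) because HKLM\SECURITY is not readable by Administrators.

```powershell
# Added example, not from the original post. Run as SYSTEM, e.g.:
#   psexec -i -s powershell.exe -ExecutionPolicy Bypass -File .\Check-PolAdtEv.ps1
$KnownStates = @{
    # Both blobs are the REG_NONE data quoted in the answer above.
    'No Auditing' = '00010000090000007e00000001000000030000000300010001000100000001000000000000000300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000100000000000000000001000000010000000000000000000000000000000000000000000000fe7f05000a000e00030004000600060004000400'
    'Success'     = '00010000090000007e00000001000000030000000300010001000100000001000000000000000300000001000100010001000100010001000100010001000100010001000100000000000000000000000000000001000100000000000000000001000000010000000000000000000000000000000000000000000000fe7f05000a000e00030004000600060004000400'
}

function ConvertFrom-HexString {
    param([string]$Hex)
    $bytes = for ($i = 0; $i -lt $Hex.Length; $i += 2) {
        [Convert]::ToByte($Hex.Substring($i, 2), 16)
    }
    return [byte[]]$bytes
}

function Get-ToggledOffsets {
    # Offsets where the two documented states differ: the bytes gpedit flips.
    param([byte[]]$Off, [byte[]]$On)
    $n = [Math]::Min($Off.Length, $On.Length)
    0..($n - 1) | Where-Object { $Off[$_] -ne $On[$_] }
}

$off     = ConvertFrom-HexString $KnownStates['No Auditing']
$on      = ConvertFrom-HexString $KnownStates['Success']
$toggled = @(Get-ToggledOffsets $off $on)
"gpedit toggles {0} byte(s) at offsets: {1}" -f $toggled.Count, ($toggled -join ', ')

$key = 'HKLM:\SECURITY\Policy\PolAdtEv'
try {
    [byte[]]$live = (Get-ItemProperty -Path $key -ErrorAction Stop).'(default)'
} catch {
    Write-Warning "Cannot read $key (needs SYSTEM, e.g. via psexec -s): $_"
    return
}
$liveHex = ($live | ForEach-Object { $_.ToString('x2') }) -join ''
$match   = $KnownStates.Keys | Where-Object { $KnownStates[$_] -eq $liveHex }
if ($match) {
    "Live PolAdtEv matches documented state: $match"
} else {
    # Layout is undocumented here, so only report the bytes known to be toggled.
    "Live PolAdtEv matches neither documented state; bytes at toggled offsets:"
    $toggled | Where-Object { $_ -lt $live.Length } |
        ForEach-Object { "  offset {0,3}: 0x{1:x2}" -f $_, $live[$_] }
}
# Cross-check against the supported audit-policy interface for the same category.
auditpol /get /category:"Object Access"
```

The auditpol line at the end is the supported way to read the effective Object Access policy, so a mismatch between it and the registry state is worth investigating before importing either .reg file.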
