Writing to the Windows Security Log with C++


Problem description


I have been tasked with writing entries to the Windows security log. The entire project is Win32 C++ code. I have already written (with help from various online resources) a logging class that handles registration, deregistration, and code for executing the ReportEvent() call. Also, I've done the mc.exe and rc.exe steps for my event logging, if that helps establish where I'm at in the project.

My question is a multi-parter:



  1. I've noticed at "Filling Windows XP Security Event Log" that there are some who believe this is not allowed by Windows. Others ("How to write log to SECURITY event Log in C#?") imply otherwise. Possible or not?
  2. If it is possible, how to get it to write to the security log. Is it as simple as specifying "Security" as my source name when calling RegisterEventSource()?
  3. As far as deregistration, when should that occur? When the app is uninstalled? When the app closes? When the log entry is written?
  4. How do I look up my log entries? I look in the Windows Event Viewer, but I don't see the entries I add with my test app, despite all the appropriate return values from the system calls. Where would I look up the events that I specified with a source name of "yarp" when I made my call to RegisterEventSource()?


Answer


For the moment, I'll just deal with the first question, because the answer to that probably renders the rest irrelevant.


Only Local Security Authority (lsass.exe) can write to the security log. This isn't a matter that something else attempting to get the privilege will fail -- it's a matter of there not being a way for anything else to even request the privilege at all (and this is by design).


From there, about the only answer to your other questions is "Sorry!"
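For questions 2 to 4, the following is an added example (not part of the original question or answer) showing the same register / write / look-up cycle from the administrator's side, in PowerShell rather than the Win32 C++ of the question. It assumes an elevated session and reuses the source name "yarp" from the question; the source lands in the Application log, which is the log a custom source can actually target.

```powershell
# Added example, not from the original thread. Assumes an elevated PowerShell
# session; "yarp" is the source name used in the question.
$Source = 'yarp'

# 1. Register the source once, at install time. A source belongs to exactly one
#    log; the Security log is reserved for the Local Security Authority, so a
#    custom source goes under the Application log (RegisterEventSource falls
#    back to Application for any source it cannot find in the registry).
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

# 2. Write one entry. This is what RegisterEventSource + ReportEvent do in C++;
#    DeregisterEventSource only closes the handle returned by RegisterEventSource,
#    it does not remove the registration, so call it after each batch of writes.
Write-EventLog -LogName Application -Source $Source -EntryType Information `
    -EventId 1000 -Message 'yarp test entry (constructed sample)'

# 3. Find the entries again: filter the Application log by provider (source)
#    name. In Event Viewer this is Windows Logs > Application, filtered on Source.
$found = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = $Source } -MaxEvents 5
$found | Select-Object TimeCreated, Id, LevelDisplayName, Message

# 4. Uninstall-time cleanup: drop the source registration itself.
#    (Remove-EventLog -Source removes only the source, not the Application log.)
# Remove-EventLog -Source $Source
```

If `Get-WinEvent` returns nothing, the usual cause is that the process wrote through a source registered under a different log, or the source was never registered at all and the entry appeared in Application under a generic source name.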
