Windows PowerShell AuditQuerySystemPolicy:审核策略的值 处境
我需要Windows中审核策略的值,例如,Windows PowerShell AuditQuerySystemPolicy:审核策略的值 处境,windows,powershell,Windows,Powershell,我需要Windows中审核策略的值,例如,0cce9240-69ae-11d9-bed3-505054503 → 成功 或 1。 因此,我必须使用PowerShell。 由于auditpol依赖于语言,因此我正在寻找一种独立于语言的方法。 因此,我看到了一篇关于使用Win32.Advapi32模块的有用文章 代码 问题 一方面,Write-Host语句的输出是Kerberos服务票证操作,因此,我假设常规导入工作正常。 另一方面,$test_out始终为0,无论我将Kerberos服务票证操作配置
0cce9240-69ae-11d9-bed3-505054503
→ `成功` 或 `1`。
因此,我必须使用PowerShell。
由于 `auditpol` 依赖于语言,因此我正在寻找一种独立于语言的方法。
因此,我看到了一篇关于使用Win32.Advapi32
模块的有用文章
代码
问题
一方面,`Write-Host` 语句的输出是“Kerberos服务票证操作”,因此,我假设常规导入工作正常。
另一方面,`$test_out` 始终为 0,无论我将“Kerberos服务票证操作”配置为哪个值。
问题:
我做错什么了吗?
导入(例如 `public static extern bool AuditQuerySystemPolicy`)是否存在缺陷?
我是否必须以不同的方式初始化传递的参数?
谢谢你的帮助。
AuditQuerySystemPolicy 的签名有点错误。
下面是一个完整的工作示例。我主要依靠 C# 完成 P/Invoke 和指针到结构体的转换。
请确保以管理员身份运行它,否则它将返回 -1 作为错误结果。
$TypeDefinition = @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
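namespace Audit
{
    /// <summary>
    /// Thin P/Invoke wrapper around advapi32's AuditQuerySystemPolicy so the system audit
    /// policy can be read per subcategory GUID without parsing the localized auditpol output.
    /// Kept to C# 5 syntax because Windows PowerShell's Add-Type compiles it with an older compiler.
    /// </summary>
    public class AuditPol
    {
        /// <summary>
        /// Native AuditQuerySystemPolicy. On success <paramref name="ppAuditPolicy"/> points at
        /// <paramref name="dwPolicyCount"/> AUDIT_POLICY_INFORMATION entries allocated by advapi32;
        /// that buffer must be released with <see cref="AuditFree"/>. SetLastError is set so a
        /// caller can inspect Marshal.GetLastWin32Error() after a false return.
        /// </summary>
        [DllImport("advapi32.dll", SetLastError = true)]
        [return: MarshalAs(UnmanagedType.U1)]
        public static extern bool AuditQuerySystemPolicy(
            [MarshalAs(UnmanagedType.LPArray, SizeParamIndex = 1), In]
            Guid[] pSubCategoryGuids,
            uint dwPolicyCount,
            out IntPtr ppAuditPolicy);

        /// <summary>
        /// Releases a buffer returned by the audit policy query functions.
        /// </summary>
        /// <param name="buffer">Pointer handed out by <see cref="AuditQuerySystemPolicy(Guid[], uint, out IntPtr)"/>.</param>
        [DllImport("advapi32.dll")]
        public static extern void AuditFree(IntPtr buffer);

        /// <summary>
        /// Queries the system audit policy for the given subcategory GUIDs.
        /// </summary>
        /// <param name="pSubCategoryGuids">Subcategory GUIDs to query; null or empty yields an empty result.</param>
        /// <returns>
        /// One entry per requested GUID, already copied into managed memory, or an empty array when
        /// the native call fails (the page reports this for non-elevated runs; check
        /// Marshal.GetLastWin32Error() for the reason).
        /// </returns>
        public static IEnumerable<AUDIT_POLICY_INFORMATION> AuditQuerySystemPolicy([In] Guid[] pSubCategoryGuids)
        {
            // Nothing to ask for: do not hand a zero-length query to the native side.
            if (pSubCategoryGuids == null || pSubCategoryGuids.Length == 0)
                return new AUDIT_POLICY_INFORMATION[0];

            IntPtr ppAuditPolicy;
            if (!AuditQuerySystemPolicy(pSubCategoryGuids, (uint) pSubCategoryGuids.Length, out ppAuditPolicy))
                return new AUDIT_POLICY_INFORMATION[0];

            try
            {
                // Materialize now: ToIEnum is lazy and the buffer is released in the finally block,
                // so returning the iterator itself would read freed memory.
                var entries = new List<AUDIT_POLICY_INFORMATION>(
                    ToIEnum<AUDIT_POLICY_INFORMATION>(ppAuditPolicy, pSubCategoryGuids.Length));
                return entries.ToArray();
            }
            finally
            {
                // The buffer belongs to advapi32 and must go back through AuditFree (not FreeHGlobal);
                // the original code never released it and leaked one buffer per query.
                AuditFree(ppAuditPolicy);
            }
        }

        /// <summary>
        /// Lazily reads <paramref name="count"/> consecutive blittable structures of type
        /// <typeparamref name="T"/> starting at <paramref name="ptr"/> + <paramref name="prefixBytes"/>.
        /// </summary>
        /// <param name="ptr">Start of the native array; IntPtr.Zero yields nothing.</param>
        /// <param name="count">Number of elements to read; 0 yields nothing.</param>
        /// <param name="prefixBytes">Bytes to skip before the first element (default 0).</param>
        /// <returns>The elements in memory order. The sequence is deferred: enumerate it before
        /// the native buffer is freed.</returns>
        public static IEnumerable<T> ToIEnum<T>(IntPtr ptr, int count, int prefixBytes = 0)
        {
            if (count != 0 && ptr != IntPtr.Zero)
            {
                // Same enum handling as ToStructure so both helpers agree on the element stride.
                Type elementType = typeof(T).IsEnum ? Enum.GetUnderlyingType(typeof(T)) : typeof(T);
                int stSize = Marshal.SizeOf(elementType);
                for (int i = 0; i < count; ++i)
                    yield return ToStructure<T>(new IntPtr(ptr.ToInt64() + prefixBytes + (long) i * stSize));
            }
        }

        /// <summary>
        /// Marshals one structure (or enum, via its underlying integer type) from native memory.
        /// </summary>
        /// <param name="ptr">Address of the structure.</param>
        /// <param name="allocatedBytes">Size of the buffer behind <paramref name="ptr"/> when known;
        /// a negative value (the default) skips the size check.</param>
        /// <returns>The marshaled value.</returns>
        /// <exception cref="InsufficientMemoryException">Thrown when <paramref name="allocatedBytes"/>
        /// is non-negative and smaller than the marshaled size of <typeparamref name="T"/>.</exception>
        public static T ToStructure<T>(IntPtr ptr, long allocatedBytes = -1)
        {
            Type type = typeof(T).IsEnum ? Enum.GetUnderlyingType(typeof(T)) : typeof(T);
            if (allocatedBytes < 0L || allocatedBytes >= (long) Marshal.SizeOf(type))
            {
                // For enums the boxed underlying integer unboxes directly to T.
                return (T) Marshal.PtrToStructure(ptr, type);
            }
            throw new InsufficientMemoryException();
        }

        /// <summary>
        /// Managed mirror of the native AUDIT_POLICY_INFORMATION record: subcategory GUID,
        /// its audit setting and the owning category GUID, in that order.
        /// </summary>
        [StructLayout(LayoutKind.Sequential)]
        public struct AUDIT_POLICY_INFORMATION
        {
            public Guid AuditSubCategoryGuid;
            public AuditCondition AuditingInformation;
            public Guid AuditCategoryGuid;
        }

        /// <summary>
        /// Bit flags describing an audit setting. The POLICY_AUDIT_EVENT_* members apply to the
        /// system policy functions, the PER_USER_* members to the per-user ones; the two sets
        /// share numeric values, so interpret a value according to the function that produced it.
        /// </summary>
        [Flags]
        public enum AuditCondition : uint
        {
            /// <summary>Do not change auditing options for the specified event type.
            /// <para>This value is valid for the AuditSetSystemPolicy and AuditQuerySystemPolicy functions.</para></summary>
            POLICY_AUDIT_EVENT_UNCHANGED = 0,
            /// <summary>Audit successful occurrences of the specified event type.
            /// <para>This value is valid for the AuditSetSystemPolicy and AuditQuerySystemPolicy functions.</para></summary>
            POLICY_AUDIT_EVENT_SUCCESS = 1,
            /// <summary>Audit failed attempts to cause the specified event type.
            /// <para>This value is valid for the AuditSetSystemPolicy and AuditQuerySystemPolicy functions.</para></summary>
            POLICY_AUDIT_EVENT_FAILURE = 2,
            /// <summary>Do not audit the specified event type.
            /// <para>This value is valid for the AuditSetSystemPolicy and AuditQuerySystemPolicy functions.</para></summary>
            POLICY_AUDIT_EVENT_NONE = 4,
            /// <summary>Do not change auditing options for the specified event type.
            /// <para>This value is valid for the AuditSetPerUserPolicy and AuditQueryPerUserPolicy functions.</para></summary>
            PER_USER_POLICY_UNCHANGED = 0,
            /// <summary>Audit successful occurrences of the specified event type.
            /// <para>This value is valid for the AuditSetPerUserPolicy and AuditQueryPerUserPolicy functions.</para></summary>
            PER_USER_AUDIT_SUCCESS_INCLUDE = POLICY_AUDIT_EVENT_SUCCESS, // 0x00000001
            /// <summary>Do not audit successful occurrences of the specified event type.
            /// <para>This value is valid for the AuditSetPerUserPolicy and AuditQueryPerUserPolicy functions.</para></summary>
            PER_USER_AUDIT_SUCCESS_EXCLUDE = POLICY_AUDIT_EVENT_FAILURE, // 0x00000002
            /// <summary>Audit failed attempts to cause the specified event type.
            /// <para>This value is valid for the AuditSetPerUserPolicy and AuditQueryPerUserPolicy functions.</para></summary>
            PER_USER_AUDIT_FAILURE_INCLUDE = POLICY_AUDIT_EVENT_NONE, // 0x00000004
            /// <summary>Do not audit failed attempts to cause the specified event type.
            /// <para>This value is valid for the AuditSetPerUserPolicy and AuditQueryPerUserPolicy functions.</para></summary>
            PER_USER_AUDIT_FAILURE_EXCLUDE = 8,
            /// <summary>Do not audit the specified event type.
            /// <para>This value is valid for the AuditSetPerUserPolicy and AuditQueryPerUserPolicy functions.</para></summary>
            PER_USER_AUDIT_NONE = 16, // 0x00000010
        }

        /// <summary>
        /// Returns the raw AuditingInformation bit mask for one subcategory.
        /// </summary>
        /// <param name="uid">Subcategory GUID in any format Guid(string) accepts.</param>
        /// <returns>The POLICY_AUDIT_EVENT_* bit mask (test bits with a bitwise AND), or -1 when
        /// the query returned nothing, which the page reports for non-elevated runs.</returns>
        /// <exception cref="FormatException">Thrown by Guid(string) when <paramref name="uid"/> is not a GUID.</exception>
        public static int GetPolicy(String uid)
        {
            var guid = new Guid(uid);
            var result = AuditQuerySystemPolicy(new[] {guid});
            // Exactly one GUID was requested, so the first entry (if any) is the answer.
            foreach (var info in result)
            {
                return (int) info.AuditingInformation;
            }
            return -1;
        }
    }
}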
'@
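Add-Type -TypeDefinition $TypeDefinition -Language CSharp

# Subcategory GUID from the author's example; GetPolicy returns the raw AuditingInformation bit mask.
$result = [Audit.AuditPol]::GetPolicy("0CCE9211-69AE-11D9-BED3-505054503030")

# GetPolicy returns -1 when the native query fails (the answer reports this for non-elevated runs).
# Without this guard the bit tests below would print every flag as True, because -1 has all bits set.
if ($result -lt 0) {
    # Best effort: SetLastError=true on the P/Invoke lets us read the Win32 error, as long as no
    # other native call ran in between.
    $win32Error = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    Write-Error "AuditQuerySystemPolicy failed (Win32 error $win32Error); run this script elevated."
    return
}

$success = ($result -band 1) -ne 0
$failure = ($result -band 2) -ne 0
$none = ($result -band 4) -ne 0
Write-Output "Success: $success, Failure: $failure, None: $none"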
$TypeDefinition=@'
使用制度;
使用System.Collections.Generic;
使用System.Runtime.InteropServices;
命名空间审核
{
公共类审计政策
{
[DllImport(“advapi32.dll”,SetLastError=true)]
[返回:Marshallas(UnmanagedType.U1)]
公共静态外部布尔审核查询系统临时策略(
[Marshallas(UnmanagedType.LPArray,SizeParamIndex=1),In]
Guid[]PSUBCategoryGUID,
单位数,
out IntPtr ppAuditPolicy);
公共静态IEnumerable AuditQuerySystemPolicy([In]Guid[]pSubCategoryGuids)
{
IntPtr PPA审计政策;
if(!AuditQuerySystemPolicy(pSubCategoryGuids,(uint)pSubCategoryGuids.Length,out ppAuditPolicy))
返回新的审核策略信息[0];
返回到枚举(ppAuditPolicy,pSubCategoryGuids.Length);
}
公共静态IEnumerable ToIEnum(IntPtr ptr,int count,int prefixBytes=0)
{
if(count!=0&&!(ptr==IntPtr.Zero))
{
int stSize=Marshal.SizeOf(typeof(T));
对于(int i=0;i=(长)封送处理大小(类型))
{
return(T)Marshal.ptr结构(ptr,type);
}
抛出新的InsufficientMemoryException();
}
公共结构审核策略信息
{
公共Guid审核子类别Guid;
公共审计条件;审计信息;
公共Guid AuditCategoryGuid;
}
公共枚举审核条件:uint
{
///不要更改指定事件类型的审核选项。
///此值对AuditSetSystemPolicy和AuditQuerySystemPolicy函数有效。
策略\u审核\u事件\u未更改=0,
///审核指定事件类型的成功事件。
///此值对AuditSetSystemPolicy和AuditQuerySystemPolicy函数有效。
策略\审核\事件\成功=1,
///试图导致指定事件类型的审核失败。
///此值对AuditSetSystemPolicy和AuditQuerySystemPolicy函数有效。
策略\审核\事件\失败=2,
///不要审核指定的事件类型。
///此值对AuditSetSystemPolicy和AuditQuerySystemPolicy函数有效。
策略\u审核\u事件\u无=4,
///不要更改指定事件类型的审核选项。
///此值对AuditSetPerUserPolicy和AuditQueryPerUserPolicy函数有效。
每用户策略未更改=0,
///审核指定事件类型的成功事件。
///此值对AuditSetPerUserPolicy和AuditQueryPerUserPolicy函数有效。
每用户审核成功包含=策略审核事件成功,//0x00000001
///不要审核指定事件类型的成功事件。
///此值对AuditSetPerUserPolicy和AuditQueryPerUserPolicy函数有效。
每用户审核成功排除=策略审核事件失败,//0x00000002
///试图导致指定事件类型的审核失败。
///此值对AuditSetPerUserPolicy和AuditQueryPerUserPolicy函数有效。
每用户\u审核\u失败\u包含=策略\u审核\u事件\u无,//0x00000004
///不审核导致指定事件类型的失败尝试。
///此值对AuditSetPerUserPolicy和AuditQueryPerUserPolicy函数有效。
每用户审核失败排除=8,
///不要审核指定的事件类型。
///此值对AuditSetPerUserPolicy和AuditQueryPerUserPolicy函数有效。
每用户审核次数=16,//0x00000010
}
公共静态整型GetPolicy(字符串uid)
{
var guid=新guid(uid);
var result=AuditQuerySystemPolicy(新[]{guid});
foreach(结果中的var信息)
{
返回(int)信息审核信息;
}
返回-1;
}
}
}
'@
添加类型-TypeDefinition$TypeDefinition-Language CSharp
$result=[Audit.AuditPol]::GetPolicy(“0
$TypeDefinition = @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
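namespace Audit
{
    /// <summary>
    /// Thin P/Invoke wrapper around advapi32's AuditQuerySystemPolicy so the system audit
    /// policy can be read per subcategory GUID without parsing the localized auditpol output.
    /// Kept to C# 5 syntax because Windows PowerShell's Add-Type compiles it with an older compiler.
    /// </summary>
    public class AuditPol
    {
        /// <summary>
        /// Native AuditQuerySystemPolicy. On success <paramref name="ppAuditPolicy"/> points at
        /// <paramref name="dwPolicyCount"/> AUDIT_POLICY_INFORMATION entries allocated by advapi32;
        /// that buffer must be released with <see cref="AuditFree"/>. SetLastError is set so a
        /// caller can inspect Marshal.GetLastWin32Error() after a false return.
        /// </summary>
        [DllImport("advapi32.dll", SetLastError = true)]
        [return: MarshalAs(UnmanagedType.U1)]
        public static extern bool AuditQuerySystemPolicy(
            [MarshalAs(UnmanagedType.LPArray, SizeParamIndex = 1), In]
            Guid[] pSubCategoryGuids,
            uint dwPolicyCount,
            out IntPtr ppAuditPolicy);

        /// <summary>
        /// Releases a buffer returned by the audit policy query functions.
        /// </summary>
        /// <param name="buffer">Pointer handed out by <see cref="AuditQuerySystemPolicy(Guid[], uint, out IntPtr)"/>.</param>
        [DllImport("advapi32.dll")]
        public static extern void AuditFree(IntPtr buffer);

        /// <summary>
        /// Queries the system audit policy for the given subcategory GUIDs.
        /// </summary>
        /// <param name="pSubCategoryGuids">Subcategory GUIDs to query; null or empty yields an empty result.</param>
        /// <returns>
        /// One entry per requested GUID, already copied into managed memory, or an empty array when
        /// the native call fails (the page reports this for non-elevated runs; check
        /// Marshal.GetLastWin32Error() for the reason).
        /// </returns>
        public static IEnumerable<AUDIT_POLICY_INFORMATION> AuditQuerySystemPolicy([In] Guid[] pSubCategoryGuids)
        {
            // Nothing to ask for: do not hand a zero-length query to the native side.
            if (pSubCategoryGuids == null || pSubCategoryGuids.Length == 0)
                return new AUDIT_POLICY_INFORMATION[0];

            IntPtr ppAuditPolicy;
            if (!AuditQuerySystemPolicy(pSubCategoryGuids, (uint) pSubCategoryGuids.Length, out ppAuditPolicy))
                return new AUDIT_POLICY_INFORMATION[0];

            try
            {
                // Materialize now: ToIEnum is lazy and the buffer is released in the finally block,
                // so returning the iterator itself would read freed memory.
                var entries = new List<AUDIT_POLICY_INFORMATION>(
                    ToIEnum<AUDIT_POLICY_INFORMATION>(ppAuditPolicy, pSubCategoryGuids.Length));
                return entries.ToArray();
            }
            finally
            {
                // The buffer belongs to advapi32 and must go back through AuditFree (not FreeHGlobal);
                // the original code never released it and leaked one buffer per query.
                AuditFree(ppAuditPolicy);
            }
        }

        /// <summary>
        /// Lazily reads <paramref name="count"/> consecutive blittable structures of type
        /// <typeparamref name="T"/> starting at <paramref name="ptr"/> + <paramref name="prefixBytes"/>.
        /// </summary>
        /// <param name="ptr">Start of the native array; IntPtr.Zero yields nothing.</param>
        /// <param name="count">Number of elements to read; 0 yields nothing.</param>
        /// <param name="prefixBytes">Bytes to skip before the first element (default 0).</param>
        /// <returns>The elements in memory order. The sequence is deferred: enumerate it before
        /// the native buffer is freed.</returns>
        public static IEnumerable<T> ToIEnum<T>(IntPtr ptr, int count, int prefixBytes = 0)
        {
            if (count != 0 && ptr != IntPtr.Zero)
            {
                // Same enum handling as ToStructure so both helpers agree on the element stride.
                Type elementType = typeof(T).IsEnum ? Enum.GetUnderlyingType(typeof(T)) : typeof(T);
                int stSize = Marshal.SizeOf(elementType);
                for (int i = 0; i < count; ++i)
                    yield return ToStructure<T>(new IntPtr(ptr.ToInt64() + prefixBytes + (long) i * stSize));
            }
        }

        /// <summary>
        /// Marshals one structure (or enum, via its underlying integer type) from native memory.
        /// </summary>
        /// <param name="ptr">Address of the structure.</param>
        /// <param name="allocatedBytes">Size of the buffer behind <paramref name="ptr"/> when known;
        /// a negative value (the default) skips the size check.</param>
        /// <returns>The marshaled value.</returns>
        /// <exception cref="InsufficientMemoryException">Thrown when <paramref name="allocatedBytes"/>
        /// is non-negative and smaller than the marshaled size of <typeparamref name="T"/>.</exception>
        public static T ToStructure<T>(IntPtr ptr, long allocatedBytes = -1)
        {
            Type type = typeof(T).IsEnum ? Enum.GetUnderlyingType(typeof(T)) : typeof(T);
            if (allocatedBytes < 0L || allocatedBytes >= (long) Marshal.SizeOf(type))
            {
                // For enums the boxed underlying integer unboxes directly to T.
                return (T) Marshal.PtrToStructure(ptr, type);
            }
            throw new InsufficientMemoryException();
        }

        /// <summary>
        /// Managed mirror of the native AUDIT_POLICY_INFORMATION record: subcategory GUID,
        /// its audit setting and the owning category GUID, in that order.
        /// </summary>
        [StructLayout(LayoutKind.Sequential)]
        public struct AUDIT_POLICY_INFORMATION
        {
            public Guid AuditSubCategoryGuid;
            public AuditCondition AuditingInformation;
            public Guid AuditCategoryGuid;
        }

        /// <summary>
        /// Bit flags describing an audit setting. The POLICY_AUDIT_EVENT_* members apply to the
        /// system policy functions, the PER_USER_* members to the per-user ones; the two sets
        /// share numeric values, so interpret a value according to the function that produced it.
        /// </summary>
        [Flags]
        public enum AuditCondition : uint
        {
            /// <summary>Do not change auditing options for the specified event type.
            /// <para>This value is valid for the AuditSetSystemPolicy and AuditQuerySystemPolicy functions.</para></summary>
            POLICY_AUDIT_EVENT_UNCHANGED = 0,
            /// <summary>Audit successful occurrences of the specified event type.
            /// <para>This value is valid for the AuditSetSystemPolicy and AuditQuerySystemPolicy functions.</para></summary>
            POLICY_AUDIT_EVENT_SUCCESS = 1,
            /// <summary>Audit failed attempts to cause the specified event type.
            /// <para>This value is valid for the AuditSetSystemPolicy and AuditQuerySystemPolicy functions.</para></summary>
            POLICY_AUDIT_EVENT_FAILURE = 2,
            /// <summary>Do not audit the specified event type.
            /// <para>This value is valid for the AuditSetSystemPolicy and AuditQuerySystemPolicy functions.</para></summary>
            POLICY_AUDIT_EVENT_NONE = 4,
            /// <summary>Do not change auditing options for the specified event type.
            /// <para>This value is valid for the AuditSetPerUserPolicy and AuditQueryPerUserPolicy functions.</para></summary>
            PER_USER_POLICY_UNCHANGED = 0,
            /// <summary>Audit successful occurrences of the specified event type.
            /// <para>This value is valid for the AuditSetPerUserPolicy and AuditQueryPerUserPolicy functions.</para></summary>
            PER_USER_AUDIT_SUCCESS_INCLUDE = POLICY_AUDIT_EVENT_SUCCESS, // 0x00000001
            /// <summary>Do not audit successful occurrences of the specified event type.
            /// <para>This value is valid for the AuditSetPerUserPolicy and AuditQueryPerUserPolicy functions.</para></summary>
            PER_USER_AUDIT_SUCCESS_EXCLUDE = POLICY_AUDIT_EVENT_FAILURE, // 0x00000002
            /// <summary>Audit failed attempts to cause the specified event type.
            /// <para>This value is valid for the AuditSetPerUserPolicy and AuditQueryPerUserPolicy functions.</para></summary>
            PER_USER_AUDIT_FAILURE_INCLUDE = POLICY_AUDIT_EVENT_NONE, // 0x00000004
            /// <summary>Do not audit failed attempts to cause the specified event type.
            /// <para>This value is valid for the AuditSetPerUserPolicy and AuditQueryPerUserPolicy functions.</para></summary>
            PER_USER_AUDIT_FAILURE_EXCLUDE = 8,
            /// <summary>Do not audit the specified event type.
            /// <para>This value is valid for the AuditSetPerUserPolicy and AuditQueryPerUserPolicy functions.</para></summary>
            PER_USER_AUDIT_NONE = 16, // 0x00000010
        }

        /// <summary>
        /// Returns the raw AuditingInformation bit mask for one subcategory.
        /// </summary>
        /// <param name="uid">Subcategory GUID in any format Guid(string) accepts.</param>
        /// <returns>The POLICY_AUDIT_EVENT_* bit mask (test bits with a bitwise AND), or -1 when
        /// the query returned nothing, which the page reports for non-elevated runs.</returns>
        /// <exception cref="FormatException">Thrown by Guid(string) when <paramref name="uid"/> is not a GUID.</exception>
        public static int GetPolicy(String uid)
        {
            var guid = new Guid(uid);
            var result = AuditQuerySystemPolicy(new[] {guid});
            // Exactly one GUID was requested, so the first entry (if any) is the answer.
            foreach (var info in result)
            {
                return (int) info.AuditingInformation;
            }
            return -1;
        }
    }
}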
'@
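Add-Type -TypeDefinition $TypeDefinition -Language CSharp

# Subcategory GUID from the author's example; GetPolicy returns the raw AuditingInformation bit mask.
$result = [Audit.AuditPol]::GetPolicy("0CCE9211-69AE-11D9-BED3-505054503030")

# GetPolicy returns -1 when the native query fails (the answer reports this for non-elevated runs).
# Without this guard the bit tests below would print every flag as True, because -1 has all bits set.
if ($result -lt 0) {
    # Best effort: SetLastError=true on the P/Invoke lets us read the Win32 error, as long as no
    # other native call ran in between.
    $win32Error = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    Write-Error "AuditQuerySystemPolicy failed (Win32 error $win32Error); run this script elevated."
    return
}

$success = ($result -band 1) -ne 0
$failure = ($result -band 2) -ne 0
$none = ($result -band 4) -ne 0
Write-Output "Success: $success, Failure: $failure, None: $none"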