Is there an API to remotely read a Windows machine's audit configuration?

Posted by JCCyC on Stack Overflow See other posts from Stack Overflow or by JCCyC
Published on 2010-05-24T18:05:26Z Indexed on 2010/05/26 4:31 UTC
Read the original article Hit count: 291

Filed under:
|
|
|

I need to know, for each subcategory, whether it'll be audited on success, on failure, both, or none. Below is an example of the information I need to collect.

Can I get this through WMI? Or if not, by other means, assuming I have proper (admin) credentials to the target machine?

Again, to clarify, it's not the event log I need to read, it's the logging configuration.

  <security_state_change>AUDIT_SUCCESS</security_state_change>
  <security_system_extension>AUDIT_NONE</security_system_extension>
  <system_integrity>AUDIT_SUCCESS_FAILURE</system_integrity>
  <ipsec_driver>AUDIT_NONE</ipsec_driver>
  <other_system_events>AUDIT_SUCCESS_FAILURE</other_system_events>
  <logon>AUDIT_SUCCESS</logon>
  <logoff>AUDIT_SUCCESS</logoff>
  <account_lockout>AUDIT_SUCCESS</account_lockout>
  <ipsec_main_mode>AUDIT_NONE</ipsec_main_mode>
  <ipsec_quick_mode>AUDIT_NONE</ipsec_quick_mode>
  <ipsec_extended_mode>AUDIT_NONE</ipsec_extended_mode>
  <special_logon>AUDIT_SUCCESS</special_logon>
  <other_logon_logoff_events>AUDIT_NONE</other_logon_logoff_events>
  <file_system>AUDIT_NONE</file_system>
  <registry>AUDIT_NONE</registry>
  <kernel_object>AUDIT_NONE</kernel_object>
  <sam>AUDIT_NONE</sam>
  <certification_services>AUDIT_NONE</certification_services>
  <application_generated>AUDIT_NONE</application_generated>
  <handle_manipulation>AUDIT_NONE</handle_manipulation>
  <file_share>AUDIT_NONE</file_share>
  <filtering_platform_packet_drop>AUDIT_NONE</filtering_platform_packet_drop>
  <filtering_platform_connection>AUDIT_NONE</filtering_platform_connection>
  <other_object_access_events>AUDIT_NONE</other_object_access_events>
  <sensitive_privilege_use>AUDIT_NONE</sensitive_privilege_use>
  <non_sensitive_privlege_use>AUDIT_NONE</non_sensitive_privlege_use>
  <other_privlege_use_events>AUDIT_NONE</other_privlege_use_events>
  <process_creation>AUDIT_NONE</process_creation>
  <process_termination>AUDIT_NONE</process_termination>
  <dpapi_activity>AUDIT_NONE</dpapi_activity>
  <rpc_events>AUDIT_NONE</rpc_events>
  <audit_policy_change>AUDIT_SUCCESS</audit_policy_change>
  <authentication_policy_change>AUDIT_SUCCESS</authentication_policy_change>
  <authorization_policy_change>AUDIT_NONE</authorization_policy_change>
  <mpssvc_rule_level_policy_change>AUDIT_NONE</mpssvc_rule_level_policy_change>
  <filtering_platform_policy_change>AUDIT_NONE</filtering_platform_policy_change>
  <other_policy_change_events>AUDIT_NONE</other_policy_change_events>
  <user_account_management>AUDIT_SUCCESS</user_account_management>
  <computer_account_management>AUDIT_NONE</computer_account_management>
  <security_group_management>AUDIT_SUCCESS</security_group_management>
  <distribution_group_management>AUDIT_NONE</distribution_group_management>
  <application_group_management>AUDIT_NONE</application_group_management>
  <other_account_management_events>AUDIT_NONE</other_account_management_events>
  <directory_service_access>AUDIT_NONE</directory_service_access>
  <directory_service_changes>AUDIT_NONE</directory_service_changes>
  <directory_service_replication>AUDIT_NONE</directory_service_replication>
  <detailed_directory_service_replication>AUDIT_NONE</detailed_directory_service_replication>
  <credential_validation>AUDIT_NONE</credential_validation>
  <kerberos_ticket_events>AUDIT_NONE</kerberos_ticket_events>
  <other_account_logon_events>AUDIT_NONE</other_account_logon_events>

© Stack Overflow or respective owner

Related posts about Windows

Related posts about wmi