Is there an API to remotely read a Windows machine's audit configuration?
- by JCCyC
I need to know, for each subcategory, whether it'll be audited on success, on failure, both, or none. Below is an example of the information I need to collect.
Can I get this through WMI? Or if not, by other means, assuming I have proper (admin) credentials to the target machine?
Again, to clarify, it's not the event log I need to read, it's the logging configuration.
<security_state_change>AUDIT_SUCCESS</security_state_change>
<security_system_extension>AUDIT_NONE</security_system_extension>
<system_integrity>AUDIT_SUCCESS_FAILURE</system_integrity>
<ipsec_driver>AUDIT_NONE</ipsec_driver>
<other_system_events>AUDIT_SUCCESS_FAILURE</other_system_events>
<logon>AUDIT_SUCCESS</logon>
<logoff>AUDIT_SUCCESS</logoff>
<account_lockout>AUDIT_SUCCESS</account_lockout>
<ipsec_main_mode>AUDIT_NONE</ipsec_main_mode>
<ipsec_quick_mode>AUDIT_NONE</ipsec_quick_mode>
<ipsec_extended_mode>AUDIT_NONE</ipsec_extended_mode>
<special_logon>AUDIT_SUCCESS</special_logon>
<other_logon_logoff_events>AUDIT_NONE</other_logon_logoff_events>
<file_system>AUDIT_NONE</file_system>
<registry>AUDIT_NONE</registry>
<kernel_object>AUDIT_NONE</kernel_object>
<sam>AUDIT_NONE</sam>
<certification_services>AUDIT_NONE</certification_services>
<application_generated>AUDIT_NONE</application_generated>
<handle_manipulation>AUDIT_NONE</handle_manipulation>
<file_share>AUDIT_NONE</file_share>
<filtering_platform_packet_drop>AUDIT_NONE</filtering_platform_packet_drop>
<filtering_platform_connection>AUDIT_NONE</filtering_platform_connection>
<other_object_access_events>AUDIT_NONE</other_object_access_events>
<sensitive_privilege_use>AUDIT_NONE</sensitive_privilege_use>
<non_sensitive_privlege_use>AUDIT_NONE</non_sensitive_privlege_use>
<other_privlege_use_events>AUDIT_NONE</other_privlege_use_events>
<process_creation>AUDIT_NONE</process_creation>
<process_termination>AUDIT_NONE</process_termination>
<dpapi_activity>AUDIT_NONE</dpapi_activity>
<rpc_events>AUDIT_NONE</rpc_events>
<audit_policy_change>AUDIT_SUCCESS</audit_policy_change>
<authentication_policy_change>AUDIT_SUCCESS</authentication_policy_change>
<authorization_policy_change>AUDIT_NONE</authorization_policy_change>
<mpssvc_rule_level_policy_change>AUDIT_NONE</mpssvc_rule_level_policy_change>
<filtering_platform_policy_change>AUDIT_NONE</filtering_platform_policy_change>
<other_policy_change_events>AUDIT_NONE</other_policy_change_events>
<user_account_management>AUDIT_SUCCESS</user_account_management>
<computer_account_management>AUDIT_NONE</computer_account_management>
<security_group_management>AUDIT_SUCCESS</security_group_management>
<distribution_group_management>AUDIT_NONE</distribution_group_management>
<application_group_management>AUDIT_NONE</application_group_management>
<other_account_management_events>AUDIT_NONE</other_account_management_events>
<directory_service_access>AUDIT_NONE</directory_service_access>
<directory_service_changes>AUDIT_NONE</directory_service_changes>
<directory_service_replication>AUDIT_NONE</directory_service_replication>
<detailed_directory_service_replication>AUDIT_NONE</detailed_directory_service_replication>
<credential_validation>AUDIT_NONE</credential_validation>
<kerberos_ticket_events>AUDIT_NONE</kerberos_ticket_events>
<other_account_logon_events>AUDIT_NONE</other_account_logon_events>