问题描述
我想获得当前的高级安全审计使用 PowerShell 的策略.我可以使用 auditpol.exe
,但它的输出因操作系统语言而异,这使得解析变得困难.
I want get the current Advanced Security Audit Policy using PowerShell. I could use auditpol.exe
, but its ouput is different per OS language, which makes it difficult to parse.
设置 存储在 HKEY_Local_Machine\Security\Policy\PolAdtEv
中的 REG_NONE 值中.我可以尝试在 那个非官方结构表的帮助下解析该值.但是,我的首选方法是使用 advapi32.dll
的 Windows API 函数 AuditQuerySystemPolicy
.
The settings are stored in a REG_NONE value in HKEY_Local_Machine\Security\Policy\PolAdtEv
. I could try to parse the value with the help of that unofficial structure table. My preferred approach, however, is to use the Windows API function AuditQuerySystemPolicy
of advapi32.dll
.
在这个 文章,我在 PowerShell 中创建了一个类型,如下所示.
With the great help of this article, I created a Type in PowerShell as follows.
$MemberDefinition = @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool AuditEnumerateCategories(
out IntPtr ppAuditCategoriesArray,
out uint pCountReturned);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool AuditLookupCategoryName(
ref Guid pAuditCategoryGuid,
out StringBuilder ppszCategoryName);
[DllImport("advapi32.dll", SetLastError = true)]
private static extern bool AuditEnumerateSubCategories(
ref Guid pAuditCategoryGuid,
bool bRetrieveAllSubCategories,
out IntPtr ppAuditSubCategoriesArray,
out uint pCountReturned);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool AuditLookupSubCategoryName(
ref Guid pAuditSubCategoryGuid,
out StringBuilder ppszSubCategoryName);
[DllImport("advapi32.dll")]
public static extern void AuditFree(
IntPtr buffer);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool AuditQuerySystemPolicy(
Guid pSubCategoryGuids,
uint PolicyCount,
out IntPtr ppAuditPolicy);
'@
$Advapi32 = Add-Type -MemberDefinition $MemberDefinition -Name 'Advapi32' -Namespace 'Win32' -UsingNamespace System.Text -PassThru
类型已成功创建,但我的第一步失败了 - 获取所有审计类别的 GUID.我对不同类型有问题.我试过例如
The Type is created successfuly, but I fail with the first step - to get the GUIDs of all audit categories. I have issues with the different types. I tried for example
$guid = [Guid].MakeByRefType()
$count = [IntPtr]::Zero
[Win32.Advapi32]::AuditEnumerateCategories([ref]$guid, [ref]$count)
# Exception calling "AuditEnumerateCategories" with 2 Arguments: "The value "System.Guid&" of the type "System.RuntimeType" cannot be coverted to "System.IntPtr".
我还尝试将 AuditEnumerateCategories
定义输出从 IntPtr
更改为 Guid
.ppAuditCategoriesArray
的输出是
I also tried to change the AuditEnumerateCategories
definition output from IntPtr
to Guid
. The output of ppAuditCategoriesArray
is
指向单个缓冲区的指针,该缓冲区包含指向 GUID 结构的指针数组和结构本身.
不幸的是,我不知道如何在 PowerShell 中处理它.
Unfortunately I have no idea how to handle that in PowerShell.
推荐答案
着手Marshal.PtrToStructure
方法 (.NET代码>).例如,
PtrToStructure(IntPtr, Type)
将数据从非托管内存块编组到新分配的指定类型的托管对象,请参阅以下注释代码片段:
Take up a Marshal.PtrToStructure
Method (.NET
). For instance, PtrToStructure(IntPtr, Type)
marshals data from an unmanaged block of memory to a newly allocated managed object of the specified type, see the following commented code snippet:
### (unchanged)
### $MemberDefinition = …
### $Advapi32 = Add-Type …
$guid = [System.Int64]::MinValue ### or ### [System.Int64]0
$count = [System.Int32]::MaxValue ### or ### [System.Int64]0
$aux = [Win32.Advapi32]::AuditEnumerateCategories([ref]$guid, [ref]$count)
$guidArr = @() ### array to store GUIDs
$guidPtr = [int64]$guid ### pointer to next GUID
$guidOff = [System.Runtime.InteropServices.Marshal]::SizeOf([type][guid])
$ppszCategoryName = [System.Text.StringBuilder]::new()
for ( $i=0; $i -lt $count; $i++ ) {
$guidAux = [System.Runtime.InteropServices.Marshal]::
PtrToStructure( [System.IntPtr]$guidPtr,[type][guid] )
$guidArr += $guidAux ### update array of GUIDs for future use
$guidPtr += $guidOff ### shift pointer to next GUID
### debugging: try another method of [Win32.Advapi32] Runtime Type
$foo = [Win32.Advapi32]::AuditLookupCategoryName([ref]$guidAux,[ref]$ppszCategoryName)
### debugging: show partial results
Write-Host $('{0} {1,4} {2,4}' -f $guidAux.Guid,
$ppszCategoryName.Capacity, $ppszCategoryName.Length)
}
这篇关于如何在 PowerShell 中使用 Windows API AuditEnumerateCategories 函数?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!