Irongeek, posted April 15, 2009 (edited)

Anyone else having problems with using the EventLog.au3 UDF in Vista? The description of events (13 in the array) comes out as one hard-to-parse single-line string, like:

```
S-1-5-18LAPTOP$WORKGROUP0x3e7S-1-5-18SYSTEMNT AUTHORITY0x3e75Advapi Negotiate{00000000-0000-0000-0000-000000000000}--00x244C:\Windows\System32\services.exe--
```

I was trying to write a tool to parse login records. Here is some sample code:

```autoit
;4624
;4672
;4647
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Version=beta
#AutoIt3Wrapper_icon=pebkac.ico
#AutoIt3Wrapper_Change2CUI=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
;Irongeek's sloppy code for the PEBKAC Attack on the Windows Security Event Log, http://irongeek.com
#include <EventLog.au3>
#include <String.au3>
#include <array.au3>

_Main()

Func _Main()
    Local $hEventLog
    ConsoleWrite("Irongeek's PEBKAC Attack on the Windows Security Event Log ver .1" & @CRLF)
    ; Get log to work on: first command-line argument is the machine name, empty means local
    If $CmdLine[0] > 0 Then
        $box = $CmdLine[1]
        ConsoleWrite("Working on " & $box & "..." & @CRLF)
    Else
        $box = ""
    EndIf
    $hEventLog = _EventLog__Open($box, "Security")
    ;$hEventLog = _EventLog__OpenBackup("", "c:\WINDOWS\system32\config\security")
    $x = _EventLog__Count($hEventLog)
    ; Iterate through log (1 To $x: one read per record, no extra read past the end)
    For $i = 1 To $x
        $aEvent = _EventLog__Read($hEventLog)
        ;if $aEvent[6] = "4624" then
        ; Dump every element of the returned array; [6] is the event ID, [13] the description
        For $j = 0 To 14
            ConsoleWrite($j & ": " & $aEvent[$j] & @CRLF)
        Next
        ;msgbox(0,"",$aEvent[13] & @CRLF )
        ;$gooduser=GrabUsername ($aEvent[13])
        ;ConsoleWrite ("Successful Login (" & $aEvent[1] & "): " & $gooduser & @CRLF)
        ;endif
    Next
    _EventLog__Close($hEventLog)
EndFunc   ;==>_Main

; Pull the text between "User Name:" and the end of that line out of a description
Func GrabUsername($eventdescription)
    $aArray = _StringBetween($eventdescription, "User Name:", @CR)
    If IsArray($aArray) Then
        Return StringStripWS($aArray[0], 1)
    EndIf
EndFunc   ;==>GrabUsername
```

In XP, at least, the description looks like what you see in Event Viewer. Ideas?

Edited April 15, 2009 by Irongeek
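Added example (not part of Irongeek's post or of the EventLog.au3 UDF): the run-together string quoted in the post lines up, in order, with the named fields of a 4624 event, so login records can be read by field name from event XML instead of from a description string. It assumes the log has been exported as XML, for example with `wevtutil qe Security /f:xml`; the sample events, `_event` and `parse_logon_events` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Event IDs listed at the top of the posted script, and the field naming the account.
USER_FIELD = {"4624": "TargetUserName", "4647": "TargetUserName", "4672": "SubjectUserName"}

def _event(eid, rec, fields):
    """Build one constructed <Event> element for the sample below."""
    data = "".join('<Data Name="%s">%s</Data>' % kv for kv in fields)
    return ('<Event xmlns="%s"><System><EventID>%s</EventID><EventRecordID>%s'
            '</EventRecordID></System><EventData>%s</EventData></Event>'
            % (NS["e"], eid, rec, data))

# Constructed sample; the 4624 values are those visible in the post's string.
SAMPLE = "".join([
    _event(4624, 101, [("SubjectUserName", "LAPTOP$"), ("TargetUserName", "SYSTEM"),
                       ("TargetDomainName", "NT AUTHORITY"), ("LogonType", "5")]),
    _event(4672, 102, [("SubjectUserName", "SYSTEM"), ("SubjectDomainName", "NT AUTHORITY")]),
    _event(4634, 103, [("TargetUserName", "SYSTEM")]),  # not in USER_FIELD: skipped
    _event(4647, 104, [("TargetUserName", "alice"), ("TargetDomainName", "LAPTOP")]),
])

def parse_logon_events(xml_text):
    """Return one dict per 4624/4647/4672 event, reading fields by name."""
    # Assumption: the export is a run of sibling <Event> elements; wrap them in one root.
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    out = []
    for ev in root.findall("e:Event", NS):
        eid = ev.findtext("e:System/e:EventID", default="", namespaces=NS)
        if eid not in USER_FIELD:
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        prefix = USER_FIELD[eid][:-len("UserName")]  # "Target" or "Subject"
        out.append({
            "record": int(ev.findtext("e:System/e:EventRecordID", default="0", namespaces=NS)),
            "event_id": int(eid),
            "user": data.get(prefix + "UserName", ""),
            "domain": data.get(prefix + "DomainName", ""),
            "logon_type": data.get("LogonType"),  # present only on 4624
        })
    return out

if __name__ == "__main__":
    for r in parse_logon_events(SAMPLE):
        print(r)
```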