Hi.

I am working on the XP platform.
I want to read programmatically whether Audit Account Logon Events is set to success or failure.
Is any API available to find this?

1 solution

Below is some code to read the event records from the "Security" event log.
At the bottom is a link to an MS article describing how to 'decode' the Logon/Logoff event log records, which is even more complicated than reading the records. Since you made no mention of even obtaining the records, I included the code here. If you cannot decode the EVENTLOGRECORD, then also let us know, and we will work on a separate function to do that.

There is no claim that this is 'optimal' code, but it will get the record-reading job done.

I generated a simple Win32 application in Visual Studio 6 and tested the code below...

C++
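#include "stdafx.h"
#include <windows.h>   // OpenEventLog, ReadEventLog, EVENTLOGRECORD
#include <stdlib.h>    // malloc, free
#include <string.h>    // memset

// size in bytes of the buffer handed to ReadEventLog
#define EL_BUFF_SIZE    0x000FFFF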

int APIENTRY WinMain(
    HINSTANCE hInstance,
    HINSTANCE hPrevInstance,
    LPSTR     lpCmdLine,
    int       nCmdShow
){
    HANDLE hEventLog = OpenEventLog(NULL, "Security");

    if( hEventLog )
    {
        LPBYTE pBuffer = (LPBYTE)malloc( EL_BUFF_SIZE );

        // declared at this scope because it is compared after the read loop
        DWORD nRecordProcessed = 0;
        
        // how many events?
        DWORD nNumberOfRecords = 0;
        if( pBuffer && GetNumberOfEventLogRecords(hEventLog, &nNumberOfRecords) && 
            (nNumberOfRecords > 0) )
        {

            BOOL  bReadSuccess = FALSE;
            DWORD nBytesRead   = 0;
            DWORD nNumberOfBytesToRead;
            DWORD nMinNumberOfBytesNeeded;
            
            do{

                nNumberOfBytesToRead    = EL_BUFF_SIZE;
                nMinNumberOfBytesNeeded = 0;  
                nBytesRead              = 0;

                // clear the whole buffer (sizeof(EL_BUFF_SIZE) would only be the size of an int)
                memset( pBuffer, 0, EL_BUFF_SIZE );
                
                bReadSuccess = ReadEventLog(
                                hEventLog,
                                EVENTLOG_SEQUENTIAL_READ|EVENTLOG_FORWARDS_READ,
                                0,
                                pBuffer,
                                nNumberOfBytesToRead,
                                &nBytesRead,
                                &nMinNumberOfBytesNeeded
                                );
                
                if( bReadSuccess && nBytesRead )
                {
                    DWORD nSpaceUsed = 0;
                    EVENTLOGRECORD* pRecord = NULL;
                    
                    do{
                    
                        // byte-pointer arithmetic; casting the pointer to DWORD truncates it on 64-bit builds
                        pRecord = (EVENTLOGRECORD*)(pBuffer + nSpaceUsed);
                        
                        // see this article for decoding records
                        // http://technet.microsoft.com/en-us/library/bb742436.aspx
                        // some decoding must be done to figure out if it is a logon or logoff event
                        
                        if( EVENTLOG_AUDIT_FAILURE == pRecord->EventType )
                        {
                        
                        } 
                        else if(EVENTLOG_AUDIT_SUCCESS == pRecord->EventType )
                        {
                        
                        }
                        
                        nSpaceUsed += pRecord->Length;
                    
                        nRecordProcessed++;

                    }while( nSpaceUsed < nBytesRead );
                }
        
            }while( bReadSuccess && nBytesRead );

        }

        free( pBuffer );

        if( nNumberOfRecords == nRecordProcessed )
        {
            // we looked at everything
        }
        
        CloseEventLog(hEventLog);
    }

	return 0;
}


http://technet.microsoft.com/en-us/library/bb742436.aspx
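
The inner loop in the answer advances by pRecord->Length without checking it, so a zero or oversized Length would loop forever or read past the buffer. As an added example (not the answerer's code), here is a portable, bounds-checked version of that walk. EvtHeader mirrors the documented EVENTLOGRECORD layout; countAuditRecords, appendRecord and the sample records are hypothetical names and constructed input.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Mirrors the documented EVENTLOGRECORD header (56 bytes, fixed-width fields).
struct EvtHeader {
    uint32_t Length, Reserved, RecordNumber, TimeGenerated, TimeWritten, EventID;
    uint16_t EventType, NumStrings, EventCategory, ReservedFlags;
    uint32_t ClosingRecordNumber, StringOffset, UserSidLength, UserSidOffset,
             DataLength, DataOffset;
};
static_assert(sizeof(EvtHeader) == 56, "unexpected padding");

const uint32_t kSignature    = 0x654c664c; // ELF_LOG_SIGNATURE, stored in Reserved
const uint16_t kAuditSuccess = 0x0008;     // EVENTLOG_AUDIT_SUCCESS
const uint16_t kAuditFailure = 0x0010;     // EVENTLOG_AUDIT_FAILURE

struct AuditCounts { int records; int success; int failure; };

// Walks a buffer as filled by ReadEventLog; records == -1 means malformed input.
AuditCounts countAuditRecords(const uint8_t* buf, size_t bytesRead) {
    AuditCounts c = {0, 0, 0};
    size_t used = 0;
    while (used < bytesRead) {
        EvtHeader h;
        if (bytesRead - used < sizeof h) { c.records = -1; return c; }
        std::memcpy(&h, buf + used, sizeof h);   // copy out: no unaligned access
        // Length must cover at least the header and must not run past the data read.
        if (h.Reserved != kSignature || h.Length < sizeof h ||
            h.Length > bytesRead - used) { c.records = -1; return c; }
        if (h.EventType == kAuditSuccess) ++c.success;
        else if (h.EventType == kAuditFailure) ++c.failure;
        ++c.records;
        used += h.Length;
    }
    return c;
}

// Constructed sample input: appends one 60-byte record claiming the given Length.
void appendRecord(std::vector<uint8_t>& out, uint16_t type, uint32_t length = 60) {
    EvtHeader h = {};
    h.Length = length; h.Reserved = kSignature; h.EventType = type;
    const uint8_t* p = reinterpret_cast<const uint8_t*>(&h);
    out.insert(out.end(), p, p + sizeof h);
    out.insert(out.end(), 4, 0);   // stands in for the variable part of a record
}
```
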
 
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


