Enabling global SACL events without them getting into the Windows Security log (C++)

Question

Hello,

I would like to enable global SACL to receive file and registry events, but I don't want them to get into the Windows Security log.

I tried to enable global SACLs and consume the 'Eventlog-Security' session; everything works great, but as soon as I enable these global SACLs, the Windows Security log gets these events as well.

What I did:

1. called 'AdjustTokenPrivileges' to set the 'SE_SECURITY_NAME' and 'SE_AUDIT_NAME' privileges

2. called 'OpenTrace' to open the "Eventlog-Security" session

3. called 'ProcessTrace'

It's important to note that the 'Eventlog-Security' session uses the Microsoft-Windows-Security-Auditing provider ({54849625-5478-4994-A5BA-3E3B0328C30D}). I tried to use 'StartTrace' and 'EnableTraceEx2' to open another session with this provider; all Windows API calls succeed, but my callback is never called.

Thanks,

John

Wednesday, December 19, 2018 3:31 PM
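Added example, not part of the original post: a read-only PowerShell check of the pieces the question depends on (the 'Eventlog-Security' session and its provider, the global object access SACLs, and the Object Access subcategories that gate them), plus a look at what the Security log is receiving. It assumes an elevated PowerShell on the Windows host, and the property index used to pull the object name out of event 4663 is an assumption.

```powershell
# Added example (not from the post). Run from an elevated PowerShell on the host.
$SecurityAuditingProvider = '{54849625-5478-4994-A5BA-3E3B0328C30D}'   # GUID quoted in the post

function Test-EventlogSecuritySession {
    # logman lists an active (-ets) session together with the providers enabled in it;
    # confirms the session the post consumes is running and carries Security-Auditing.
    $out = & logman query 'Eventlog-Security' -ets 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { return $false }
    return $out -match [regex]::Escape($SecurityAuditingProvider)
}

function Get-GlobalSacl {
    # Global Object Access Auditing SACLs for files and registry keys, as auditpol reports them.
    foreach ($type in 'File', 'Key') {
        [pscustomobject]@{
            Type = $type
            Sacl = (& auditpol /resourceSACL /view /type:$type 2>&1 | Out-String).Trim()
        }
    }
}

function Get-ObjectAccessAuditPolicy {
    # A global SACL only produces events when the matching Object Access subcategory is enabled,
    # so report the current setting of the two subcategories the post's events come from.
    foreach ($sub in 'File System', 'Registry') {
        $row = & auditpol /get /subcategory:"$sub" /r | ConvertFrom-Csv
        [pscustomobject]@{ Subcategory = $sub; Setting = $row.'Inclusion Setting' }
    }
}

function Get-RecentObjectAccessEvents([int]$Count = 10) {
    # Event 4663 is the Security-log record for an object access attempt; this is the
    # duplication the post observes once the global SACL is switched on.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            # Assumption: Properties[6] is ObjectName in the 4663 event template.
            @{ n = 'Object'; e = { $_.Properties[6].Value } }
}

"Eventlog-Security session carries Security-Auditing provider: $(Test-EventlogSecuritySession)"
Get-ObjectAccessAuditPolicy | Format-Table -AutoSize
Get-GlobalSacl | Format-List
Get-RecentObjectAccessEvents | Format-Table -AutoSize
```

If the first line prints False, the OpenTrace/ProcessTrace path from the post has nothing to consume, which is worth ruling out before looking at session or provider configuration.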
