Utilizing WinAPI to create custom security logs

  • Question

  • I've looked at the forum https://blogs.technet.microsoft.com/heyscriptingguy/2013/06/25/use-powershell-to-interact-with-the-windows-api-part-1/, but unfortunately the function I intend to use was not on the provided website, http://www.pinvoke.net/ . The function https://docs.microsoft.com/en-us/windows/desktop/api/authz/nf-authz-authzreportsecurityevent is the only way I found to write custom security logs but I found little to no examples online and very little help elsewhere.

    If I can get a head start or some way to implement this, I would appreciate it because I don't have a clue where to start. Just FYI, this is not for malicious purposes. I'm using this to generate custom logs in event viewer for forensic exercises. My script already does so for Application and System and I just need to fill the gap left by Security. Thank you!
    • Moved by Bill_Stewart Wednesday, December 12, 2018 10:23 PM This is not "research things for me" forum
    Sunday, September 16, 2018 10:23 PM

All replies

  • Start with this:

    help Write-EventLog -full
    help New-EventLog -full


    \_(ツ)_/


    • Edited by jrv Sunday, September 16, 2018 10:31 PM
    Sunday, September 16, 2018 10:30 PM
  • I should also probably warn you that you cannot create "security" logs.  The "Security" log is owned by the Windows system and should not be changed or added to by applications.  The "Application" is the classic (old style) log for application use.  If you need to add app messages of critical importance to this log then add a source to the Application log and use that source as an identifier.

    Write-EventLog -LogName Application -Source MySource -EntryType Warning -Message 'My app warning message' -EventId 50001

    You also need to be careful of the ID as it should be an unused ID in the user custom ID range.

    0xc000 - 0xffff or 49152 - 65535

    All others are reserved by Microsoft or by registered OEM sources.

    See: https://docs.microsoft.com/en-us/windows/desktop/winauto/allocation-of-winevent-ids


    \_(ツ)_/


    • Edited by jrv Monday, September 17, 2018 12:07 AM
    Monday, September 17, 2018 12:06 AM
  • Example of creating a log and sources:

    <#
        .NOTES
            To gain full control of custom events, sources and logs you will need to use the full C API.
            The API allows creating custom message files and categories.
        .DESCRIPTION
            Create and delete a custom event log.
        .LINK
            https://docs.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.createeventsource
            https://docs.microsoft.com/en-us/windows/desktop/winauto/allocation-of-winevent-ids
    #>

    # create or add source to custom event log.
    # SourceExists() tests for a source; Exists() tests for a log name.
    $customLogname = 'MyNewLog'
    $customSource1 = 'MyApplication'
    if(![System.Diagnostics.EventLog]::SourceExists($customSource1)){
        [System.Diagnostics.EventLog]::CreateEventSource($customSource1,$customLogname)
    }

    # add another "source" to the custom log
    $customSource2 = 'MySubsystem'
    if(![System.Diagnostics.EventLog]::SourceExists($customSource2)){
        [System.Diagnostics.EventLog]::CreateEventSource($customSource2,$customLogname)
    }
    # delete the custom event log created above
    [System.Diagnostics.EventLog]::Delete($customLogname)



    \_(ツ)_/




    • Edited by jrv Monday, September 17, 2018 12:17 AM
    Monday, September 17, 2018 12:15 AM
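Putting the two replies above together, as an added example that is not jrv's or the original poster's code: it registers a source in a custom log, rejects any event ID outside the 49152-65535 user range quoted earlier before writing, and reads the event back with Get-WinEvent the way an analyst would during the exercise. The log and source names are hypothetical, and creating the source needs an elevated session.

```powershell
# Added example (not from the thread). Names below are hypothetical.
$LogName = 'ForensicExercise'
$Source  = 'ExerciseGenerator'

function Assert-CustomEventId {
    param([Parameter(Mandatory)][int]$EventId)
    # User-defined range from the allocation doc linked above: 0xC000-0xFFFF (49152-65535)
    if ($EventId -lt 0xC000 -or $EventId -gt 0xFFFF) {
        throw "EventId $EventId is outside the custom range 49152-65535"
    }
    return $EventId
}

function Register-ExerciseSource {
    # SourceExists() checks the source; Exists() checks the log. Mixing them up is a common bug.
    # Requires Administrator rights on first run; the log is created with the source.
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        [System.Diagnostics.EventLog]::CreateEventSource($Source, $LogName)
    }
}

function Write-ExerciseEvent {
    param(
        [Parameter(Mandatory)][int]$EventId,
        [Parameter(Mandatory)][string]$Message,
        [ValidateSet('Information','Warning','Error')][string]$EntryType = 'Information'
    )
    $id = Assert-CustomEventId -EventId $EventId
    Write-EventLog -LogName $LogName -Source $Source -EventId $id -EntryType $EntryType -Message $Message
}

function Get-ExerciseEvents {
    param([int]$MaxEvents = 10)
    # Classic-log sources show up as ProviderName, so the filter narrows to our own events only
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; ProviderName = $Source } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
}

Register-ExerciseSource
# Constructed sample message; 50001 sits inside the permitted custom range
Write-ExerciseEvent -EventId 50001 -EntryType Warning -Message 'Constructed exercise event (not real telemetry)'
Get-ExerciseEvents | Select-Object TimeCreated, Id, LevelDisplayName, Message
```

Passing an ID such as 4624 to Write-ExerciseEvent throws before anything is written, which keeps exercise data from colliding with IDs the reserved ranges already use.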