As we know, windows event logs are different at below Vista (XP and below) and Vista and up, see here Windows Event Logs . On Vista, I am able to understand the API about how to retrieve all event logs.
On the windows XP, I am able to run this sample code. Two things we need to fill in there are:
#define PROVIDER_NAME L"MyEventProvider"
#define RESOURCE_DLL L"<path>\\Provider.dll"
However the question would be there where to get the provider name and its resource dll.
One way I could think of is to iterate through all the sub key under registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security
From those subkeys, we could get the provider name and its EventMessageFile (although I found out that some subkey doesn't have the EventMessageFile, rather it hasParameterMessageFile).
Is this the only way to do this? Or is there any other better approach?
If you are using WinAPI, than iterating through registry is the only way, as far as I know. And yes, some of providers don't have EventMessageFile, it's normal. Maybe they are just place their insert strings without any message into event log (I can't say exactly).
But, if you can use a .Net, that there is a good EventLog Class, that offers you a bunch of really good methods.
Related
A similar question got asked by others here at least twice already (see links below) but never properly answered, perhaps because it wasn't put the right way. Let me have a go:
I have a process running under the local account on Windows and I need locale information about the user who is logged into the interactive session if there is one or any interactive session if there is more than one.
I need to know the user's language and country settings and it has to work on all kinds of Windows starting XP Service Pack 3.
I very much appreciate your answers!
The previous related questions that didn't really get answered:
C# window xp current user when using run as
https://stackoverflow.com/questions/5778378/creating-a-process-as-logged-on-user
I would do it in the following way:
Enumerate logon sessions using LsaEnumerateLogonSessions
Call LsaGetLogonSessionData to get logged on user SID identifier.
Call ConvertSidToStringSid function to get a string representation of a sid.
Look up registry setting HKEY_USERS[USER_SID_STRING]\Control Panel\International
This key has all sorts of information needed, and looks like all listed WINAPI finctions are available starting at Windows XP.
So this should work.
I've been asked by a client to solve the following pesky issue. They have a custom software that has a tendency of displaying message boxes "left and right" without any apparent reason. For instance, the software itself is an accounting program, and when they take a customer's payment, the message box may be displayed about 3 or 4 times in a row. Each message box plays Windows default sound. Unfortunately the way this software was programmed, the type of sounds it plays is completely wrong. For instance, it may display a warning message box and play the warning system sound when the message itself is just an information. All this is quite annoying for the staff who uses the software.
I tried to contact the vendor who distributes the software, but I hit a deadend with them. So now I am looking for ways to mitigate this issue.
My easiest solution was to suggest to mute the speakers, but unfortunately, they require sound to be present to be able to hear incoming emails, and most importantly, be able to play voice mail from them later. So my solution was to somehow mute message box sounds just for a single process.
From my experience, I know that there're two APIs that may be producing these sounds: MessageBeep and an older Beep.
I also found this article that explains how to use AppInit_DLLs to hook to system APIs. It works great, except that both of the APIs that I need to hook to come from User32.dll and not from kernel32.dll like the author suggests.
There's also this post in the questions section that kinda gives approximate steps to hooking to an API from User32.dll, but when I tried to implement them, there's not enough information (for my knowledge to do it.)
So my questions is, does anyone know how to hook to an API in the User32.dll module?
EDIT: PS. Forgot to mention. This software is installed on Windows 7 Professional, with UAC disabled -- because it is not compatible with UAC :)
As an alternative you can patch you application. Find calls to MessageBeep and overwrite them with nop.
This is the hard way of doing it: if your app is supposed to be running as Administrator on a pre-Vista Windows, you could get the address of the API via ::GetProcAddress(), give yourself privileges to write to its memory page, and overwrite the beginning of the API's code with a "jmp" assembly instruction jumping into the address of your override function. Make sure your overwrite function takes the same arguments and is declared as __cdecl.
Expanded answer follows.
The "standard" technique for API hooking involves the following steps:
1: Inject your DLL into the target process
This is usually accomplished by first allocating memory in the target process for a string containing the name/path of your DLL (e.g. "MyHook.dll"), and then creating a remote thread in the target process whose entry point is kernel32::LoadLibraryA() passing the name of your DLL as argument. This page has an implementation of this technique. You'll have to wrestle a bit with privileges, but it's guaranteed to work 100% on Windows XP and earlier OSes. I'm not sure about Vista and post-Vista, Address Space Layout Randomization might make this tricky.
2. Hook the API
Once your DLL is loaded into the target process, its DllMain() will be executed automatically, giving you a chance to run anything you want in the target process. From within your DllMain, use ::LoadLibraryA() to get the HMODULE of the library containing the API you want to hook (e.g. "user32.dll") and pass it to ::GetProcAddress() together with the name of the API you want to hook (e.g. "MessageBeep") to get the address of the API itself. Eventaully give yourself privileges to write to that address' page, and overwrite the beginning of the API with a jmp instruction jumping into your detour (i.e. into your "version" of the API to hook). Note that your detour needs to have the same signature and calling convention (usually _cdecl) as the API you want to hook, or else monsters will be awakened.
As described here, this technique is somewhat destructive: you can't call back into the original API from the detour, as the original API has been modified to jump into yours and you'll end up with a very tight and nice infinite loop. There are many different techniques that would allow you to preserve and/or call back into the original API, one of which is hooking the ...A() versions of the API and then calling into the ...W() versions (most if not all of the ...A() Windows API's convert ASCII strings into UNICODE strings and end up calling into their ...W() counterparts).
No need to spend time on a custom program to do this.
You can mute a particular application when it's running, and that setting will be remembered the next time you open the application. See https://superuser.com/questions/37281/how-to-disable-sound-of-certain-applications.
There's also the Windows Sound Sentry that will turn off most system sounds, although I'm not aware of any per-application settings for Sound Sentry.
You can use Deviare API hook and solve the hook in a couple of C# lines. Or you can use EasyHook that is a bit more difficult and less stable.
I have been tasked with writing entries to the Windows security log. The entire project is Win32 C++ code. I have already written (with help from various online resources) a logging class that handles registration, deregistration, and code for executing the ReportEvent() call. Also, I've done the mc.exe and rc.exe steps for my event logging, if that helps establish where I'm at in the project.
My question is a multi-parter:
I've noticed at Filling Windows XP Security Event Log that there are some who believe this is not allowed by Windows. Others ( How to write log to SECURITY event Log in C#? ) imply otherwise. Possible or not?
If it is possible, how to get it to write to the security log. Is it as simple as specifying "Security" as my source name when calling RegisterEventSource()?
As far as deregistration, when should that occur? When the app is uninstalled? When the app closes? When the log entry is written?
How do I look up my log entries? I look in the Windows Event Viewer, but I don't see the entries I add with my test app, despite all the appropriate return values from the system calls. Where would I look up the events that I specified with a source name of "yarp" when I made my call to RegisterEventSource()?
For the moment, I'll just deal with the first question, because the answer to that probably renders the rest irrelevant.
Only Local Security Authority (lsass.exe) can write to the security log. This isn't a matter that something else attempting to get the privilege will fail -- it's a matter of there not being a way for anything else to even request the privilege at all (and this is by design).
From there, about the only answer to your other questions is "Sorry!"
I want to monitor when a key is changed/added/deleted to the registry whenever application is being installed or removed. I have tested the sample code from the msdn(link) and it works fine.
But the problem is that it does not tell me which key has actually been modified/added/deleted. How can i retrieve this information using c++?
There are only 3 ways, none of which is both easy and adequate:
RegNotifyChangeKeyValue:
Doesn't give you the info you need, but is very easy to use.
EVENT_TRACE_FLAG_REGISTRY which is part of Event Tracing for Windows
which is what ProcMon uses. It works well, but it's quite difficult to use.
I'm not sure exactly how to use it myself, but if I figure it out I'll post it here.
CmRegisterCallback:
Requires kernel-mode driver, which is a pain in 64-bit.
But it's the most perfect solution otherwise.
Unfortunately Event Tracing for Windows (EWT) does not allow to see full key path in the event. You get only a partial key name and a strange handle with is actually a key control block. It's not so simple to get information from this block.
Yes the process monitor uses EWT, but it does not use Windows Kernel Trace as a provider.
What I want to achieve:
I would like to count the instances of my application to a fixed number.
if more instances of the application are started, it should only work as a "Viewer"
Her is the code of the sample application
boost named_semaphore example
The problem:
it works fine if all processe are started from only one user
But I get a Security exception if I start the application with another user!!
(Access not allowed)
Somebody can point me in the right direction, the boost documentation is a little bit lacking on this topic ;-)
What permissions must be set to allow access from every other logged on user?
I found the solution
Looks like the docu for Boost isn't that bad :-/
http://www.boost.org/doc/libs/1_47_0/doc/html/boost/interprocess/permissions.html
Just have to pass the permission and set it to "unrestricted"
boost::interprocess::permissions permtest;
permtest.set_unrestricted();
_getch();
boost::interprocess::named_semaphore
the_semphore(boost::interprocess::open_or_create,"test_semaphore",3,permtest);
Unfortunately boost uses default security attributes for semaphore and there is no way to change it. Use ATL::CSemaphore or CSemaphore from MFC or even CreateSemaphore from WinApi and construct security descriptor which allows access for everyone.
I'm not exactly a Windows expert, so I can't tell you the answer by heart, but you need to know how named_semaphores are implemented (see "Some basic explanations" documentation of boost.interprocess) and then look up the permission policy for this resource to grant system-wide access. So, read the boost.named_semaphore code, and if they use a file, update that file's permissions, and if they use a system call, read the Windows API documentation for that system call.