
Query the New Windows Audit Policies Programmatically

26 Feb 2010, CPOL
This sample shows how to access programmatically the information that Auditpol retrieves.

Introduction

In Windows 7 and Windows Server 2008, administrators have finer control over the individual audit policy than in earlier versions of the Windows operating system: additional categories and subcategories were added on these platforms to allow more granular auditing.

Existing Tool

Unfortunately, these new subcategories are not exposed in the Group Policy Management Console (GPMC) interface, which only allows us to configure the audit policy at the category level. Administrators must use the Windows built-in Auditpol command-line tool to configure a custom audit policy on Windows 7-based and Windows Server 2008-based computers.

The Auditpol command-line tool can be used to:

  • Set and query the system audit policy
  • Set and query the per-user audit policy
  • Set and query the auditing options
  • Set and query the security descriptor used to delegate access to an audit policy
  • Report or back up an audit policy to a CSV file
  • Load an audit policy from a CSV file
  • Clear the audit policy
  • Remove all per-user audit policy settings
  • Disable all system audit policy settings

[Image: autipol_at_the_prompt.png]

Windows auditing can be very verbose. Using subcategories, administrators can restrict auditing to very specific events, which avoids generating a huge number of irrelevant events that would hide the important ones. Combined with the Windows Event Collector service, we can build a detection tool that aggregates only the most relevant events for a specific intrusion detection task.

The screenshot above shows Auditpol retrieving all subcategories and their audit policy. Similarly, the Auditpol /set command enables granular auditing. For more help, type Auditpol /? at the prompt.

Sample

The tool presented here, which I call Audit Policy Browser, partly fills the gap of a missing User Interface for the new audit policy subcategories. Using this tool, administrators can enumerate all available Audit Policy categories and their associated subcategories. For any subcategory selected, the corresponding audit policy settings (No Audit - Audit successful attempts - Audit failed attempts) are shown.

[Image: Audit_Policy_Browser_in_action.png]

This tool does not use the full potential of Auditpol, which is also reachable through the API described later; that exercise is left to the reader.

Programmatic Model

To my knowledge, the only available API to manage this new audit policy framework is the set of Audit Policy Functions, which is part of the Windows Authorization Functions documented at http://msdn.microsoft.com/en-us/library/aa375742(VS.85).aspx.

Only a part of the Authorization Functions has been made available in .NET. The Audit Policy Functions are not (yet) available in .NET or in COM.

To implement this project, I wrapped the available Windows API in a set of C++ classes that manage the different logical levels of the Audit Policy infrastructure. Error handling is not shown in the snippets below.

The object model below shows the class hierarchy.

[Image: Classes_Hierarchy.png]

Access to the subcategory policies is made in three steps. Each array the API allocates must be released with AuditFree once its content has been copied.

  1. Enumerate the Audit Policy categories:

     // Enumerate the categories.
     GUID* pGuid = NULL;
     ULONG uCount = 0;
     AuditEnumerateCategories(&pGuid, &uCount);
     GUID* pCurrentGuid = pGuid;
     for(ULONG i=0; i<uCount; i++)
     {
         m_vAuditPolicyCategories.push_back(
                 new CAuditPolicyCategory(pCurrentGuid));
         pCurrentGuid++;
     }
     // Release the array with AuditFree(pGuid) once the GUIDs have been copied.

  2. Enumerate the Audit Policy subcategories of a category:

     // Enumerate the subcategories.
     GUID* pGuid = NULL;
     ULONG uCount = 0;
     AuditEnumerateSubCategories(
         m_pGuid,
         FALSE,      // return only the subcategories of this category
         &pGuid,
         &uCount);
     GUID* pCurrent = pGuid;
     for(ULONG i=0; i<uCount; i++)
     {
         m_vAuditPolicySubCategories.push_back(
                 new CAuditPolicySubCategory(pCurrent));
         pCurrent++;
     }
     // Release the array with AuditFree(pGuid) once the GUIDs have been copied.

  3. Retrieve the policy associated with a subcategory:

     // Query the system policy for the given subcategory GUID.
     ULONG uCount = 1;
     PAUDIT_POLICY_INFORMATION pAudit_Policy_Information = NULL;
     AuditQuerySystemPolicy(m_pGuid, uCount, &pAudit_Policy_Information);
     // AuditingInformation is a bit mask of POLICY_AUDIT_EVENT_SUCCESS,
     // POLICY_AUDIT_EVENT_FAILURE and POLICY_AUDIT_EVENT_NONE.
     m_policy = new CAuditPolicy(m_pGuid,
         pAudit_Policy_Information->AuditingInformation);
     AuditFree(pAudit_Policy_Information);
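The same three steps carried out from PowerShell through P/Invoke, as an added example that is neither the article's code nor the project's C++ classes: since the Audit Policy Functions are not exposed in .NET, the signatures are declared by hand. The AuditApi class name, the Get-AuditSubcategoryPolicy function and the assumption of an elevated prompt are mine; the final pipeline lists subcategories where no auditing is configured, a quick way to spot gaps in the collected events.

```powershell
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class AuditApi {
    [StructLayout(LayoutKind.Sequential)]
    public struct AUDIT_POLICY_INFORMATION {
        public Guid AuditSubCategoryGuid; public uint AuditingInformation; public Guid AuditCategoryGuid;
    }
    [DllImport("advapi32.dll")] [return: MarshalAs(UnmanagedType.U1)]
    public static extern bool AuditEnumerateCategories(out IntPtr ppGuids, out uint pCount);
    [DllImport("advapi32.dll")] [return: MarshalAs(UnmanagedType.U1)]
    public static extern bool AuditEnumerateSubCategories(ref Guid pCategory,
        [MarshalAs(UnmanagedType.U1)] bool bAll, out IntPtr ppGuids, out uint pCount);
    [DllImport("advapi32.dll")] [return: MarshalAs(UnmanagedType.U1)]
    public static extern bool AuditQuerySystemPolicy(ref Guid pSubCategory, uint count, out IntPtr ppPolicy);
    [DllImport("advapi32.dll", EntryPoint = "AuditLookupSubCategoryNameW")] [return: MarshalAs(UnmanagedType.U1)]
    public static extern bool AuditLookupSubCategoryName(ref Guid pSubCategory, out IntPtr ppszName);
    [DllImport("advapi32.dll")] public static extern void AuditFree(IntPtr buffer);
}
'@
function Get-AuditSubcategoryPolicy {
    # AuditingInformation bit mask: POLICY_AUDIT_EVENT_SUCCESS = 1, _FAILURE = 2, _NONE = 4
    $M = [Runtime.InteropServices.Marshal]
    $cats = [IntPtr]::Zero; $nCats = [uint32]0
    if (-not [AuditApi]::AuditEnumerateCategories([ref]$cats, [ref]$nCats)) { throw 'AuditEnumerateCategories failed' }
    try {
        for ($i = 0; $i -lt $nCats; $i++) {                      # step 1: categories (a GUID is 16 bytes)
            $cat = [Guid]$M::PtrToStructure([IntPtr]::Add($cats, $i * 16), [Guid])
            $subs = [IntPtr]::Zero; $nSubs = [uint32]0           # step 2: subcategories of this category only
            if (-not [AuditApi]::AuditEnumerateSubCategories([ref]$cat, $false, [ref]$subs, [ref]$nSubs)) { continue }
            try {
                for ($j = 0; $j -lt $nSubs; $j++) {
                    $sub = [Guid]$M::PtrToStructure([IntPtr]::Add($subs, $j * 16), [Guid])
                    $pol = [IntPtr]::Zero                         # step 3: system policy of one subcategory
                    if (-not [AuditApi]::AuditQuerySystemPolicy([ref]$sub, 1, [ref]$pol)) { throw 'AuditQuerySystemPolicy failed (not elevated?)' }
                    $info = $M::PtrToStructure($pol, [AuditApi+AUDIT_POLICY_INFORMATION]); [AuditApi]::AuditFree($pol)
                    $pName = [IntPtr]::Zero; $name = $sub.ToString()
                    if ([AuditApi]::AuditLookupSubCategoryName([ref]$sub, [ref]$pName)) {
                        $name = $M::PtrToStringUni($pName); [AuditApi]::AuditFree($pName)
                    }
                    [pscustomobject]@{ Subcategory = $name
                                       Success = [bool]($info.AuditingInformation -band 1)
                                       Failure = [bool]($info.AuditingInformation -band 2) }
                }
            } finally { [AuditApi]::AuditFree($subs) }
        }
    } finally { [AuditApi]::AuditFree($cats) }
}
# Audit gap check: subcategories where neither success nor failure is audited
Get-AuditSubcategoryPolicy | Where-Object { -not ($_.Success -or $_.Failure) } | Format-Table -AutoSize
```

Compare the output with Auditpol /get /category:* to confirm the decoding of the bit mask on your system.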

Environment

The code has been developed using Visual Studio 2008 and tested on Windows 7.

Because the application reads administrative information, User Account Control (UAC) expects it to run with an elevated token. For this reason, the application's manifest has been tagged as requiring administrative credentials, so the application asks to elevate when started from a non-administrative account. Don't be afraid: this tool only queries the system. It makes no modification whatsoever to the system, although that is possible using the Microsoft API.

As a matter of fact, administrative credentials are also expected when retrieving the policy settings with Auditpol /get /category:*

[Image: auditpol_required_privilege.png]

Suggestions

The following items could be implemented in order to use the full potential of this technology:

  • Manage potential runtime errors when invoking the API
  • Export the content to an XML file in order to be consumed by other components
  • Retrieve the effective user-policies
  • Modify the user and system policy settings

History

  • 26 Feb. 2010: First version.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

marc ochsenmeier
Software Developer (Senior), winitor
Germany
Marc Ochsenmeier is the author of PEStudio (www.winitor.com) and works as developer with the focus on Windows Hardening.
 
PEStudio is on twitter at: https://twitter.com/ochsenmeier

Comments and Discussions

 
Question: Remote machines (David Homer, 2-Jun-14 0:05)
Answer: Re: Remote machines (marc ochsenmeier, 4-Jun-14 3:24)
General: Error when running the demo tool (Trey.jonn, 19-Apr-10 21:15)
General: Re: Error when running the demo tool (marc ochsenmeier, 19-Apr-10 21:47)
Hi,

I just downloaded the demo code and tested it on Windows 7 Ultimate and Home edition. Everything works fine... The front-end of this demo has been built using the MFC libraries. As a matter of fact, the error shown indicates a problem with this library. Could it be that this library (MSVCP90.DLL and indirectly MSVCR90.DLL) is not available on a Windows 7 Enterprise Edition? Somehow, hard to believe. Did you try it on another W7 like Ultimate?

Instead of using the MFC as shared DLL libraries, I could use MFC as static libraries. This would make the code bigger but more transportable.

Please keep me informed whether you have more hints about this failure.

Thanks for your help
Marc
General: Re: Error when running the demo tool (Peter Tracy, 6-Oct-10 7:24)
General: Re: Error when running the demo tool (marc ochsenmeier, 6-Oct-10 8:58)
General: My vote of 1 (bituc4546792-Mar-10 21:40)

Last Updated 26 Feb 2010
Article Copyright 2010 by marc ochsenmeier
Everything else Copyright © CodeProject, 1999-2014