Syncio Blog - VB.NET

EventCollector: Intercepting the Forwarded Events log with System.Diagnostics.Eventlog class (Post 2)

Chris — Wed, 16 Jul 2008 15:21:58 GMT

Otto's recent post on event log triggers explains how to: start a program, send an email or show a message on the occurence of an event in the Event Log. This is a great step forward, however, some might feel that it is not enough to deploy a large scale logging and notification environment with a focus on autonomy.

The alternative is to develop a piece of code that will subscribe to the __InstanceCreationEvent of the Forwarded Events log. The obstacle to using the existing System.Diagnostics.Eventlog class is that the class does not interface with the channeled structure of the new Event Log in Vista/2008. (The Forwarded Event log is not visible to Eventlog.GetEventLogs() because it is a channel.)

The following steps rectify this shortcoming:

1. Create an overlapping ForwardedEvents classic log.

EventLog.CreateEventSource("ForwardedEvents", "ForwardedEvents")

2. Export and Remove ForwardedEvents channel from registry.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\ForwardedEvents

3. Recreate the Source Initiated subscription on the server.

4. Restart the Windows Event Collector service on the server.

5. Restart the WINRM service on the client.

If everything worked, you should see incoming events in the ForwardedEvents log. Notice that the log name does not contain a space anymore. This was done to match the full name of our new event log to that of the removed channel.

ForwardedEvents log will now be part of the Eventlog.GetEventLogs() array. You can deploy a ManagementEventWatcher to successfully intercept, parse and take action on incoming events.

Stopping Malware with ISA 2006

Chris — Wed, 23 Apr 2008 01:09:16 GMT

I recently came across MalwareDomains.com. They provide a list of domain names that have been associated with malware. The list contains over 21000 valid entries and I have decided to integrate it with ISA 2006 since it's rare to find such a free resource that is actually kept up to date.

The import tool is available here: http://sync-io.net/IsaTools.aspx

Basically, you're able to import the domain.txt file into ISA as a URL or DNS set. Then you just set your deny access rule and away you go. This utility can run as a scheduled task.

CreateProcessAsUser from System Service (VB.NET)

Chris — Thu, 27 Mar 2008 21:00:07 GMT

The following code has been tested on Windows 2003 SP2. The calling user account must have 'Assign Primary Token' and 'Increase Quota' permissions to properly execute CreateProcessAsUser; see MS KB285879.

Public Function RunProc(ByVal CMD As String, ByVal ARG As String) As String Dim er As Int16 Dim exitCode As System.UInt32 = Convert.ToUInt32(123) Dim saThreadAttributes As SECURITY_ATTRIBUTES = New SECURITY_ATTRIBUTES
saThreadAttributes.nLength = Marshal.SizeOf(saThreadAttributes) Dim impToken As System.IntPtr = IntPtr.Zero Dim priToken As System.IntPtr = IntPtr.Zero If LogonUser("DomainUser", "Domain", "Passwd",
LogonType.LOGON32_LOGON_INTERACTIVE, _ LogonProvider.LOGON32_PROVIDER_DEFAULT, impToken) Then If DuplicateTokenEx(impToken,
&H2000000, Nothing,
SecurityImpersonationLevel.SecurityDelegation, TOKEN_TYPE.TokenPrimary, priToken) Then Dim pi As PROCESS_INFORMATION = New PROCESS_INFORMATION Dim si As STARTUPINFO = New STARTUPINFO
si.cb = Marshal.SizeOf(si)
si.lpDesktop = IntPtr.Zero Dim saProcessAttributes As SECURITY_ATTRIBUTES = New SECURITY_ATTRIBUTES
saProcessAttributes.nLength = Marshal.SizeOf(saProcessAttributes) If Not CreateProcessAsUser(priToken,
CMD, CMD & "
" & ARG, saProcessAttributes, _ saThreadAttributes, False,
0, IntPtr.Zero, "c:\",
si, pi) Then er = Marshal.GetLastWin32Error
RunProc = ("err
runas " & er) Else WaitForSingleObject(pi.hProcess,
Infinite) GetExitCodeProcess(pi.hProcess, exitCode) End If CloseHandle(priToken)
CloseHandle(impToken) CloseHandle(pi.hProcess) CloseHandle(pi.hThread) End If End If End Function