Syncio Blog - VB.NET
little tiny electrons
 
 Wednesday, July 16, 2008

Otto's recent post on event log triggers explains how to start a program, send an email or show a message on the occurrence of an event in the Event Log.  This is a great step forward; however, some might feel that it is not enough to deploy a large-scale logging and notification environment with a focus on autonomy. 

The alternative is to develop a piece of code that subscribes to the __InstanceCreationEvent of the Forwarded Events log.  The obstacle to using the existing System.Diagnostics.EventLog class is that the class does not interface with the channeled structure of the new Event Log in Vista/2008.  (The Forwarded Events log is not visible to EventLog.GetEventLogs() because it is a channel, not a classic log.)

The following steps rectify this shortcoming:

1.   Create an overlapping ForwardedEvents classic log:
      EventLog.CreateEventSource("ForwardedEvents", "ForwardedEvents")

2.   Export and then remove the ForwardedEvents channel from the registry:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\ForwardedEvents

3.   Recreate the Source Initiated subscription on the server.

4.   Restart the Windows Event Collector service on the server.

5.   Restart the WINRM service on the client.


If everything worked, you should see incoming events in the ForwardedEvents log.  Notice that the log name no longer contains a space: this was done so that the full name of the new event log matches the name of the removed channel.

The ForwardedEvents log will now be part of the EventLog.GetEventLogs() array.  You can deploy a ManagementEventWatcher to intercept, parse and take action on incoming events.
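As an added example (written here, not code from the original post), the following VB.NET console program subscribes to __InstanceCreationEvent for the ForwardedEvents classic log through ManagementEventWatcher, extracts the fields a collector normally needs, and flags records whose event ID is on a small watch list.  It assumes the five steps above have been completed, a project reference to System.Management, and that the process can enable the Security privilege (EnablePrivileges is set so the WMI event-log provider can read the log).  The watch-list entries are constructed for the example from well-known Windows Security event IDs; the list is a placeholder to be replaced with whatever the environment cares about.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Management

Module ForwardedEventsWatcher

    ' Intrinsic WMI event: the NT event-log provider raises one per new record,
    ' so no WITHIN polling clause is required.
    Private Const Query As String = _
        "SELECT * FROM __InstanceCreationEvent " & _
        "WHERE TargetInstance ISA 'Win32_NTLogEvent' " & _
        "AND TargetInstance.Logfile = 'ForwardedEvents'"

    ' Constructed watch list (example values only): well-known Security IDs.
    Private Function BuildWatchList() As Dictionary(Of Integer, String)
        Dim list As New Dictionary(Of Integer, String)
        list.Add(1102, "Audit log cleared")
        list.Add(4625, "Failed logon")
        list.Add(4720, "User account created")
        Return list
    End Function

    Private ReadOnly WatchList As Dictionary(Of Integer, String) = BuildWatchList()

    Sub Main()
        Dim scope As New ManagementScope("root\cimv2")
        scope.Options.EnablePrivileges = True   ' event-log provider needs SeSecurityPrivilege
        scope.Connect()

        Using watcher As New ManagementEventWatcher(scope, New WqlEventQuery(Query))
            AddHandler watcher.EventArrived, AddressOf OnEventArrived
            watcher.Start()
            Console.WriteLine("Watching ForwardedEvents; press Enter to stop.")
            Console.ReadLine()
            watcher.Stop()
        End Using
    End Sub

    ' Pull the interesting fields out of the new Win32_NTLogEvent instance.
    Private Sub OnEventArrived(ByVal sender As Object, ByVal e As EventArrivedEventArgs)
        Dim record As ManagementBaseObject = _
            CType(e.NewEvent("TargetInstance"), ManagementBaseObject)

        Dim computer As String = CStr(record("ComputerName"))   ' forwarding client
        Dim source As String = CStr(record("SourceName"))
        Dim eventId As Integer = CInt(record("EventCode"))
        ' TimeGenerated is a CIM_DATETIME string; convert it to a DateTime.
        Dim generated As DateTime = _
            ManagementDateTimeConverter.ToDateTime(CStr(record("TimeGenerated")))

        Console.WriteLine("{0:u} {1} {2} id={3}", generated, computer, source, eventId)

        Dim label As String = Nothing
        If WatchList.TryGetValue(eventId, label) Then
            ' This is the hook where an email, ticket or other action would be raised.
            Console.WriteLine("  ALERT: {0} on {1}", label, computer)
        End If
    End Sub

End Module
```

Because the subscription is intrinsic, the handler runs once per forwarded record rather than on a polling interval; keep the handler short (hand off to a queue or log) so a burst of forwarded events does not back up the WMI event delivery.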

Wednesday, July 16, 2008 3:21:58 PM (GMT Standard Time, UTC+00:00) | Logging | Server2008 | VB.NET
 Wednesday, April 23, 2008

I recently came across MalwareDomains.com.  They provide a list of domain names that have been associated with malware.  The list contains over 21000 valid entries and I have decided to integrate it with ISA 2006 since it's rare to find such a free resource that is actually kept up to date.

The import tool is available here: http://sync-io.net/IsaTools.aspx

Basically, the tool imports the domain.txt file into ISA as a URL set or a DNS (domain name) set.  Then you just set your deny access rule and away you go.  This utility can run as a scheduled task, so the set is refreshed as the list changes.

Wednesday, April 23, 2008 1:09:16 AM (GMT Standard Time, UTC+00:00) | Malware | VB.NET | ISA
 Thursday, March 27, 2008

The following code has been tested on Windows 2003 SP2.  The calling user account must hold the 'Assign Primary Token' (SeAssignPrimaryTokenPrivilege, "Replace a process level token") and 'Increase Quota' (SeIncreaseQuotaPrivilege, "Adjust memory quotas for a process") user rights for CreateProcessAsUser to succeed; see MS KB285879. 

Imports System
Imports System.Runtime.InteropServices

' The P/Invoke declarations and structures used below (LogonUser, DuplicateTokenEx,
' CreateProcessAsUser, WaitForSingleObject, GetExitCodeProcess, CloseHandle,
' SECURITY_ATTRIBUTES, STARTUPINFO, PROCESS_INFORMATION and the enums) are not
' shown in the post and are assumed to be declared elsewhere in the project.
Module RunAsUser

    Private Const Infinite As UInt32 = &HFFFFFFFFUI       ' WaitForSingleObject: wait without timeout
    Private Const MAXIMUM_ALLOWED As UInt32 = &H2000000UI ' token access mask passed to DuplicateTokenEx

    Public Function RunProc(ByVal CMD As String, ByVal ARG As String) As String
        Dim er As Int32                                   ' Win32 error codes are 32-bit
        Dim exitCode As System.UInt32 = Convert.ToUInt32(123)

        Dim saThreadAttributes As SECURITY_ATTRIBUTES = New SECURITY_ATTRIBUTES
        saThreadAttributes.nLength = Marshal.SizeOf(saThreadAttributes)

        Dim impToken As System.IntPtr = IntPtr.Zero       ' impersonation token from LogonUser
        Dim priToken As System.IntPtr = IntPtr.Zero       ' primary token needed by CreateProcessAsUser

        ' Placeholder credentials from the original post.
        If Not LogonUser("DomainUser", "Domain", "Passwd", LogonType.LOGON32_LOGON_INTERACTIVE, _
               LogonProvider.LOGON32_PROVIDER_DEFAULT, impToken) Then
            Return "err logon  " & Marshal.GetLastWin32Error()
        End If

        ' LogonUser yields an impersonation token; CreateProcessAsUser requires a primary token.
        If Not DuplicateTokenEx(impToken, MAXIMUM_ALLOWED, Nothing, _
                SecurityImpersonationLevel.SecurityDelegation, TOKEN_TYPE.TokenPrimary, priToken) Then
            er = Marshal.GetLastWin32Error()
            CloseHandle(impToken)
            Return "err duptoken  " & er
        End If

        Dim pi As PROCESS_INFORMATION = New PROCESS_INFORMATION
        Dim si As STARTUPINFO = New STARTUPINFO
        si.cb = Marshal.SizeOf(si)
        si.lpDesktop = IntPtr.Zero                        ' default desktop of the new session

        Dim saProcessAttributes As SECURITY_ATTRIBUTES = New SECURITY_ATTRIBUTES
        saProcessAttributes.nLength = Marshal.SizeOf(saProcessAttributes)

        If Not CreateProcessAsUser(priToken, CMD, CMD & " " & ARG, saProcessAttributes, _
                saThreadAttributes, False, 0, IntPtr.Zero, "c:\", si, pi) Then
            er = Marshal.GetLastWin32Error()
            RunProc = ("err runas  " & er)
        Else
            ' Block until the child exits, then collect its exit code.
            WaitForSingleObject(pi.hProcess, Infinite)
            GetExitCodeProcess(pi.hProcess, exitCode)
            RunProc = ("exit code  " & exitCode)
            CloseHandle(pi.hProcess)
            CloseHandle(pi.hThread)
        End If

        ' Release the tokens on every path so handles are not leaked.
        CloseHandle(priToken)
        CloseHandle(impToken)
    End Function

End Module
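The post does not show the Win32 declarations its RunProc function depends on.  The module below is an added example, written here rather than taken from the post, of P/Invoke declarations shaped to match how RunProc calls them (for instance, lpDesktop and lpTokenAttributes are declared as IntPtr so that the post's `si.lpDesktop = IntPtr.Zero` and `Nothing` arguments compile and marshal as NULL).  The module name Win32RunAs and the enum names are assumptions chosen to match the identifiers the post uses; the field layouts, flag values and entry points are the documented Win32 ones.

```vbnet
Imports System
Imports System.Runtime.InteropServices

' Hypothetical support module (added here, not the post's code): the Win32
' declarations RunProc calls, shaped to match how the post invokes them.
Module Win32RunAs

    <StructLayout(LayoutKind.Sequential)> _
    Public Structure SECURITY_ATTRIBUTES
        Public nLength As Integer
        Public lpSecurityDescriptor As IntPtr
        Public bInheritHandle As Boolean
    End Structure

    <StructLayout(LayoutKind.Sequential)> _
    Public Structure STARTUPINFO
        Public cb As Integer
        Public lpReserved As IntPtr
        Public lpDesktop As IntPtr   ' IntPtr so "si.lpDesktop = IntPtr.Zero" compiles
        Public lpTitle As IntPtr
        Public dwX As Integer
        Public dwY As Integer
        Public dwXSize As Integer
        Public dwYSize As Integer
        Public dwXCountChars As Integer
        Public dwYCountChars As Integer
        Public dwFillAttribute As Integer
        Public dwFlags As Integer
        Public wShowWindow As Short
        Public cbReserved2 As Short
        Public lpReserved2 As IntPtr
        Public hStdInput As IntPtr
        Public hStdOutput As IntPtr
        Public hStdError As IntPtr
    End Structure

    <StructLayout(LayoutKind.Sequential)> _
    Public Structure PROCESS_INFORMATION
        Public hProcess As IntPtr
        Public hThread As IntPtr
        Public dwProcessId As Integer
        Public dwThreadId As Integer
    End Structure

    Public Enum LogonType
        LOGON32_LOGON_INTERACTIVE = 2
    End Enum
    Public Enum LogonProvider
        LOGON32_PROVIDER_DEFAULT = 0
    End Enum
    Public Enum SecurityImpersonationLevel
        SecurityAnonymous = 0
        SecurityIdentification = 1
        SecurityImpersonation = 2
        SecurityDelegation = 3
    End Enum
    Public Enum TOKEN_TYPE
        TokenPrimary = 1
        TokenImpersonation = 2
    End Enum

    Public Const Infinite As UInt32 = &HFFFFFFFFUI   ' WaitForSingleObject: no timeout

    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Auto)> _
    Public Function LogonUser(ByVal lpszUsername As String, ByVal lpszDomain As String, _
            ByVal lpszPassword As String, ByVal dwLogonType As LogonType, _
            ByVal dwLogonProvider As LogonProvider, ByRef phToken As IntPtr) As Boolean
    End Function

    ' lpTokenAttributes is IntPtr so the post's "Nothing" argument marshals as a NULL pointer.
    <DllImport("advapi32.dll", SetLastError:=True)> _
    Public Function DuplicateTokenEx(ByVal hExistingToken As IntPtr, ByVal dwDesiredAccess As UInt32, _
            ByVal lpTokenAttributes As IntPtr, ByVal ImpersonationLevel As SecurityImpersonationLevel, _
            ByVal TokenType As TOKEN_TYPE, ByRef phNewToken As IntPtr) As Boolean
    End Function

    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Auto)> _
    Public Function CreateProcessAsUser(ByVal hToken As IntPtr, ByVal lpApplicationName As String, _
            ByVal lpCommandLine As String, ByRef lpProcessAttributes As SECURITY_ATTRIBUTES, _
            ByRef lpThreadAttributes As SECURITY_ATTRIBUTES, ByVal bInheritHandles As Boolean, _
            ByVal dwCreationFlags As UInt32, ByVal lpEnvironment As IntPtr, _
            ByVal lpCurrentDirectory As String, ByRef lpStartupInfo As STARTUPINFO, _
            ByRef lpProcessInformation As PROCESS_INFORMATION) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Public Function WaitForSingleObject(ByVal hHandle As IntPtr, ByVal dwMilliseconds As UInt32) As UInt32
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Public Function GetExitCodeProcess(ByVal hProcess As IntPtr, ByRef lpExitCode As UInt32) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Public Function CloseHandle(ByVal hObject As IntPtr) As Boolean
    End Function

End Module
```

SetLastError:=True on every declaration is what makes Marshal.GetLastWin32Error() in RunProc return the real failure code; without it the error branches report whatever value happened to be cached.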
Thursday, March 27, 2008 9:00:07 PM (GMT Standard Time, UTC+00:00) | Access Denied | VB.NET
Copyright © 2009 Chris Misztur. All rights reserved.