How retrieve from Python win32evtlog rest of info?

Asked
Active 3 hr before
Viewed 126 times

7 Answers

retrieve, python, win32evtlog
90%

This month's new module for the MCAS Windows Forensic Gatherer queries the Windows Security event log to gather information on the user's logon and logoff activities, helping us to determine exactly when they were using the system. The MCAS Windows Forensic Gatherer can now parse Prefetch data, gather information on deleted files from the Recycle Bin, and find out when a user logged on and logged off from their computer.

import win32evtlog

# Fragment of a larger function in the original; the 'global username' statement it
# started with only has an effect inside a function body and is omitted here.
hand = win32evtlog.OpenEventLog("localhost", "Security")
flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
total = win32evtlog.GetNumberOfEventLogRecords(hand)
event_no = 1
print("Accessing Windows Security event log.")
88%

You may also want to check out all available functions/classes of the module win32evtlog, or try the search function.

import win32evtlog
import win32evtlogutil
import win32security


def ReadLog(computer, logType="Application", dumpEachRecord=0):
    # read the entire log back.
    h = win32evtlog.OpenEventLog(computer, logType)
    numRecords = win32evtlog.GetNumberOfEventLogRecords(h)
    # print("There are %d records" % numRecords)

    num = 0
    while 1:
        objects = win32evtlog.ReadEventLog(h, win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ, 0)
        if not objects:
            break
        for object in objects:
            # get it for testing purposes, but dont print it.
            msg = win32evtlogutil.SafeFormatMessage(object, logType)
            if object.Sid is not None:
                try:
                    domain, user, typ = win32security.LookupAccountSid(computer, object.Sid)
                    sidDesc = "%s/%s" % (domain, user)
                except win32security.error:
                    sidDesc = str(object.Sid)
                user_desc = "Event associated with user %s" % (sidDesc,)
            else:
                user_desc = None
            if dumpEachRecord:
                print("Event record from %r generated at %s" % (object.SourceName, object.TimeGenerated.Format()))
                if user_desc:
                    print(user_desc)
                try:
                    print(msg)
                except UnicodeError:
                    print("(unicode error printing message: repr() follows...)")
                    print(repr(msg))

        num = num + len(objects)

    if numRecords == num:
        print("Successfully read all", numRecords, "records")
    else:
        print("Couldn't get all records - reported %d, but found %d" % (numRecords, num))
        print("(Note that some other app may have written records while we were running!)")
    win32evtlog.CloseEventLog(h)
72%

This question is quite similar to How retrieve from Python win32evtlog rest of info? but the solution there didn't answer the critical bit of how we convert the object to XML. I can get up to the following and use it to display data the LogObject has such as LogObject

import win32evtlog

Log = win32evtlog.OpenEventLog('localhost', 'Application')
while 1:
    LogObjects = win32evtlog.ReadEventLog(Log, win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ, 0)
    if not LogObjects:
        break
    for LogObject in LogObjects:
        # loop body as described in the question text: display a record attribute
        print(LogObject.TimeGenerated)
LogObjectXML = win32evtlog.EvtRender(LogObject, 1)

TypeError: The object is not a PyHANDLE object

Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_ON.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
   <System>
      <Provider Name="SecurityCenter" />
      <EventID Qualifiers="0">15</EventID>
      <Level>4</Level>
      <Task>0</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2017-05-23T07:36:27.627108000Z" />
      <EventRecordID>49419</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Name.domain.here</Computer>
      <Security />
   </System>
   <EventData>
      <Data>Windows Defender</Data>
      <Data>SECURITY_PRODUCT_STATE_ON</Data>
   </EventData>
</Event>
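Added example, not code from the question or from any answer on this page: once an event is available as the XML shown above, the Level that the question asks about, together with the other System and EventData fields, can be pulled out with the standard library's xml.etree.ElementTree. ElementTree keeps tag case and requires the event namespace declared on the root element to be passed to every lookup (the BeautifulSoup approach in another answer relies on html.parser lower-casing the tag names instead). The sample input is constructed: the Windows Defender event from the page plus a second, made-up warning-level event so the level filter has something to drop. The names EVENT_NS, LEVEL_NAMES, parse_event and filter_by_level are mine. Obtaining the XML on Windows in the first place (EvtRender works on the handles returned by the EvtQuery/EvtNext API, not on the records ReadEventLog returns, which is what the TypeError above is saying) is not part of this offline example.

```python
import xml.etree.ElementTree as ET

# Namespace declared on the <Event> root of every rendered Windows event.
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Level values from the Windows event schema: lower is more severe.
LEVEL_NAMES = {0: "LogAlways", 1: "Critical", 2: "Error", 3: "Warning", 4: "Information", 5: "Verbose"}

# Constructed sample input: the event from the page, plus one made-up Warning event.
SAMPLE_EVENTS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="SecurityCenter" />
    <EventID Qualifiers="0">15</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-05-23T07:36:27.627108000Z" />
    <EventRecordID>49419</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Name.domain.here</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Windows Defender</Data>
    <Data>SECURITY_PRODUCT_STATE_ON</Data>
  </EventData>
</Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ExampleProvider" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-05-23T07:40:00.000000000Z" />
    <EventRecordID>49420</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Name.domain.here</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="Reason">constructed sample</Data>
  </EventData>
</Event>""",
]


def parse_event(xml_text):
    """Return a dict of the <System> fields and the <EventData> items of one rendered event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVENT_NS)

    def text(tag):
        # Child lookups need the namespace prefix; missing optional elements yield None.
        node = system.find("e:" + tag, EVENT_NS)
        return node.text if node is not None else None

    security = system.find("e:Security", EVENT_NS)
    event = {
        "provider": system.find("e:Provider", EVENT_NS).get("Name"),
        "event_id": int(text("EventID")),
        "level": int(text("Level")),
        "record_id": int(text("EventRecordID")),
        "channel": text("Channel"),
        "computer": text("Computer"),
        "time_created": system.find("e:TimeCreated", EVENT_NS).get("SystemTime"),
        # <Security /> may be empty, as in the page's event; UserID is present only when known.
        "user_sid": security.get("UserID") if security is not None else None,
        "data": [],
    }
    event["level_name"] = LEVEL_NAMES.get(event["level"], str(event["level"]))
    event_data = root.find("e:EventData", EVENT_NS)
    if event_data is not None:
        for item in event_data.findall("e:Data", EVENT_NS):
            # Data elements are positional (no Name attribute) or named, so keep both.
            event["data"].append((item.get("Name"), item.text))
    return event


def filter_by_level(xml_events, max_level):
    """Keep events whose Level is at most max_level, i.e. at least that severe."""
    return [ev for ev in map(parse_event, xml_events) if ev["level"] <= max_level]


if __name__ == "__main__":
    # Show only Warning and more severe events from the constructed sample.
    for ev in filter_by_level(SAMPLE_EVENTS, 3):
        print(ev["record_id"], ev["level_name"], ev["provider"], ev["event_id"], ev["data"])
```

Lookups go through the namespace map rather than the bare tag names because ET.fromstring expands the default namespace into every tag; a plain root.find("System") returns None on this XML, which is an easy mistake to make after seeing the lower-case BeautifulSoup version work.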
65%


from bs4 import BeautifulSoup

# event_log_as_xml holds the XML string of one rendered event.
# html.parser lower-cases tag names, which is why the find() calls below use lower case.
soup = BeautifulSoup(event_log_as_xml, "html.parser")

print(soup.find("channel").text)
print(soup.find("eventrecordid").text)
print(soup.find("computer").text)
print(soup.find("binary").text)  # <Binary> exists only on some events; find() returns None when it is absent
75%

This question is very similar to How retrieve from Python win32evtlog rest of info? but the solution there didn't answer the critical question of how to convert the object to XML. I have an application that uses win32evtlog to fetch and display different events, and I want to limit the display to events of a specific level, but win32evtlog does not return this value. It seems you can convert the event to XML and then extract this information, but I cannot work out how to get the event as XML from the loop. If you specify a custom log and it cannot be found, the event logging service opens the Application log; however, there will be no associated message or category string file.

import win32evtlog

Log = win32evtlog.OpenEventLog('localhost', 'Application')
while 1:
    LogObjects = win32evtlog.ReadEventLog(Log, win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ, 0)
    if not LogObjects:
        break
    for LogObject in LogObjects:
        # loop body as described in the question text: display a record attribute
        print(LogObject.TimeGenerated)
40%

Regarding python - converting a Python win32evtlog object to xml, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/43911616/ . I have an application that uses win32evtlog to fetch and display different events, and I want to limit the display to events of a specific level, but win32evtlog does not return this. It seems you can convert the event to XML and then extract this information, but I cannot work out how to convert the event to XML from the loop. I can get up to the following and use it to display the data the LogObject has, such as LogObject

import win32evtlog

Log = win32evtlog.OpenEventLog('localhost', 'Application')
while 1:
    LogObjects = win32evtlog.ReadEventLog(Log, win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ, 0)
    if not LogObjects:
        break
    for LogObject in LogObjects:
        # loop body as described in the question text: display a record attribute
        print(LogObject.TimeGenerated)
22%

I can get up to the following and use it to display data the LogObject has such as LogObject.TimeGenerated. This question is quite similar to How retrieve from Python win32evtlog rest of info? but the solution there didn't answer the critical bit of how we convert the object to XML.

import win32evtlog

Log = win32evtlog.OpenEventLog('localhost', 'Application')
while 1:
    LogObjects = win32evtlog.ReadEventLog(Log, win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ, 0)
    if not LogObjects:
        break
    for LogObject in LogObjects:
        # loop body as described in the question text: display a record attribute
        print(LogObject.TimeGenerated)