[C#]通过日志查看最后一次登录的用户!
Windows 7 下, 事件 4624 表示登录成功; 其中登录类型 2 表示本机交互式登录, 10 表示远程桌面 (远程交互式) 登录。
Windows XP 下, 事件 528 表示登录成功。
win7的登录帐户如下(powershell查看)
EventID : 4624
MachineName : dn1935.usenet.com
Data : {}
Index : 7437962
Category : (12544)
CategoryNumber : 12544
EntryType : SuccessAudit
Message : 已成功登录帐户。
主题:
安全 ID: S-1-5-21-3758797738-1457090885-3022922289-500
帐户名: Administrator
帐户域: dn1935
登录 ID: 0x4af5a
登录类型: 2
新登录:
安全 ID: S-1-5-21-650913034-2112300590-677931608-19234
帐户名: 244971
帐户域: USENET
登录 ID: 0x2541499
登录 GUID: {15A12A0B-1F84-7BC3-AFD6-9D1C11000EB9}
进程信息:
进程 ID: 0x36c
进程名: C:\Windows\System32\svchost.exe
网络信息:
工作站名: DN1935
源网络地址: ::1
源端口: 0
详细身份验证信息:
登录进程: seclogo
身份验证数据包: Negotiate
传递服务: -
数据包名(仅限 NTLM): -
密钥长度: 0
在创建登录会话后在被访问的计算机上生成此事件。
“主题”字段指明本地系统上请求登录的帐户。这通常是一个服务(例如 Server 服务)或本地进程(例如 Winlogon.exe 或 Services.exe)。
“登录类型”字段指明发生的登录种类。最常见的类型是 2 (交互式)和 3 (网络)。
“新登录”字段会指明新登录是为哪个帐户创建的,即登录的帐户。
“网络”字段指明远程登录请求来自哪里。“工作站名”并非总是可用,而且在某些情况下可能会留为空白。
“身份验证信息”字段提供关于此特定登录请求的详细信息。
-“登录 GUID”是可以用于将此事件与一个 KDC 事件关联起来的唯一标识符。
-“传递服务”指明哪些直接服务参与了此登录请求。
- “数据包名”指明在 NTLM 协议之间使用了哪些子协议。
-“密钥长度”指明生成的会话密钥的长度。如果没有请求会话密钥则此字段为 0。
Source : Microsoft-Windows-Security-Auditing
ReplacementStrings : {S-1-5-21-3758797738-1457090885-3022922289-500, Administrator, dn1935, 0x4af5a...}
InstanceId : 4624
TimeGenerated : 2011/10/11 14:04:12
TimeWritten : 2011/10/11 14:04:12
UserName :
Site :
Container :
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using System.Diagnostics;
using System.Text.RegularExpressions;
using System.Runtime.InteropServices;
namespace readlog
{
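public partial class Form1 : Form
{
    //private EventLog rEvent;
    private int winsystem;

    /// <summary>
    /// Event ID that Windows 2000 / XP / Server 2003 write to the Security log for a successful logon.
    /// </summary>
    private const int LogonEventIdLegacy = 528;

    /// <summary>
    /// Event ID that Windows Vista and later (including Windows 7) write to the Security log for a successful logon.
    /// </summary>
    private const long LogonEventIdVistaPlus = 4624;

    /// <summary>
    /// Matches the Chinese-localized "登录类型" (logon type) field when the value is
    /// 2 (interactive) or 10 (remote interactive). The pattern is bound to the Chinese
    /// message template, so it cannot match on a system with another UI language; the
    /// insertion-string path in <see cref="TryGetInteractiveLogon"/> has no such limit.
    /// The trailing \b keeps "2" from matching the start of a longer number.
    /// </summary>
    private static readonly Regex LogonTypeRegex = new Regex(@"登录类型:\s*(?:2|10)\b");

    /// <summary>
    /// Captures the account name (group 1) and account domain (group 2) from the
    /// "新登录" (New Logon) section of a Chinese-localized 4624 message.
    /// Locale-bound in the same way as <see cref="LogonTypeRegex"/>.
    /// </summary>
    private static readonly Regex NewLogonAccountRegex = new Regex(@"(?s)新登录:.*?帐户名:(.*?)帐户域:(.*?)登录");

    /// <summary>
    /// Managed mirror of the native OSVERSIONINFO structure, declared as a class so it is
    /// marshaled by pointer to <see cref="LibWrap.GetVersionEx"/>.
    /// <see cref="OSVersionInfoSize"/> must be set to the marshaled size before the call.
    /// </summary>
    [StructLayout(LayoutKind.Sequential)]
    public class OSVersionInfo
    {
        public int OSVersionInfoSize;
        public int MajorVersion;
        public int MinorVersion;
        public int BuildNumber;
        public int PlatformId;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 128)]
        public String versionString;
    }

    /// <summary>
    /// Value-type variant of <see cref="OSVersionInfo"/>, passed by reference to
    /// <see cref="LibWrap.GetVersionEx2"/>.
    /// </summary>
    [StructLayout(LayoutKind.Sequential)]
    public struct OSVersionInfo2
    {
        public int OSVersionInfoSize;
        public int MajorVersion;
        public int MinorVersion;
        public int BuildNumber;
        public int PlatformId;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 128)]
        public String versionString;
    }

    /// <summary>
    /// P/Invoke declarations for kernel32!GetVersionEx. The function returns false on
    /// failure and leaves the structure untouched, so callers should check the result.
    /// </summary>
    public class LibWrap
    {
        [DllImport("kernel32")]
        public static extern bool GetVersionEx([In, Out] OSVersionInfo osvi);

        [DllImport("kernel32", EntryPoint = "GetVersionEx")]
        public static extern bool GetVersionEx2(ref OSVersionInfo2 osvi);
    }

    public Form1()
    {
        InitializeComponent();
    }

    /// <summary>
    /// Populates the log selector with the three classic event logs and selects the first.
    /// </summary>
    private void Form1_Load(object sender, EventArgs e)
    {
        comboBox1.Items.AddRange(new String[] { "Application", "Security", "System" });
        comboBox1.SelectedIndex = 0;
    }

    /// <summary>
    /// Determines the OS version and lists the interactive / remote-interactive logons
    /// recorded in the Security log for that version's logon event ID.
    /// </summary>
    private void button1_Click(object sender, EventArgs e)
    {
        int major;
        int minor;
        OSVersionInfo osvi = new OSVersionInfo();
        osvi.OSVersionInfoSize = Marshal.SizeOf(osvi);
        if (LibWrap.GetVersionEx(osvi))
        {
            major = osvi.MajorVersion;
            minor = osvi.MinorVersion;
        }
        else
        {
            // GetVersionEx returns false on failure and leaves the fields at zero,
            // which would silently select no log reader; use the managed view instead.
            Version v = Environment.OSVersion.Version;
            major = v.Major;
            minor = v.Minor;
        }
        // Without a supportedOS application manifest both GetVersionEx and
        // Environment.OSVersion report at most 6.2 on Windows 8.1 and later;
        // getLoginForLog only needs to know that the major version is >= 6.
        getLoginForLog(major, minor);
    }

    /// <summary>
    /// Lists the successful interactive / remote-interactive logons (event 528) from the
    /// Security log of a Windows 2000 / XP / Server 2003 machine in listBox1.
    /// Each line is "Index EventID UserName MachineName TimeGenerated".
    /// Reading the Security log requires administrative rights; a denial is reported
    /// to the user instead of crashing the handler.
    /// </summary>
    public void GetSystemLog()
    {
        listBox1.Items.Clear();
        try
        {
            // EventLog holds a registry/event-log handle; dispose it after the scan.
            using (EventLog rEvent = new EventLog("Security"))
            {
                foreach (EventLogEntry entry in rEvent.Entries)
                {
                    if (entry.EventID == LogonEventIdLegacy && checkMessageLogin(entry.Message))
                    {
                        listBox1.Items.Add(entry.Index + " " + entry.EventID + " " + entry.UserName + " " + entry.MachineName + " " + entry.TimeGenerated);
                    }
                }
            }
        }
        catch (System.Security.SecurityException ex)
        {
            ReportAccessDenied(ex);
        }
    }

    /// <summary>
    /// Returns true when the (Chinese-localized) logon message reports logon type 2 or 10.
    /// A null message never matches.
    /// </summary>
    /// <param name="Msg">The formatted message text of a logon event.</param>
    public Boolean checkMessageLogin(String Msg)
    {
        return Msg != null && LogonTypeRegex.IsMatch(Msg);
    }

    /// <summary>
    /// Lists the successful interactive / remote-interactive logons (event 4624) from the
    /// Security log of a Windows Vista / 7 or later machine in listBox1.
    /// Each line is "Index InstanceId user\domain MachineName TimeGenerated".
    /// Reading the Security log requires administrative rights; a denial is reported
    /// to the user instead of crashing the handler.
    /// </summary>
    public void getWin7log()
    {
        listBox1.Items.Clear();
        try
        {
            // EventLog holds a registry/event-log handle; dispose it after the scan.
            using (EventLog rEvent = new EventLog("Security"))
            {
                foreach (EventLogEntry entry in rEvent.Entries)
                {
                    if (entry.InstanceId != LogonEventIdVistaPlus)
                    {
                        continue;
                    }
                    String user;
                    String domail;
                    if (TryGetInteractiveLogon(entry, out user, out domail))
                    {
                        listBox1.Items.Add(entry.Index + " " + entry.InstanceId + " " + user + "\\" + domail + " " + entry.MachineName + " " + entry.TimeGenerated);
                    }
                }
            }
        }
        catch (System.Security.SecurityException ex)
        {
            ReportAccessDenied(ex);
        }
    }

    /// <summary>
    /// Extracts the "New Logon" account of a 4624 entry when its logon type is
    /// 2 (interactive) or 10 (remote interactive).
    /// The insertion strings are used first: their positions are fixed by the 4624
    /// event template and do not depend on the UI language. Only when the entry
    /// carries too few insertion strings does the method fall back to the
    /// Chinese-localized message text.
    /// </summary>
    /// <param name="entry">A Security log entry whose InstanceId is 4624.</param>
    /// <param name="user">Receives the trimmed target account name, or null.</param>
    /// <param name="domain">Receives the trimmed target account domain, or null.</param>
    /// <returns>True when the entry is an interactive or remote-interactive logon.</returns>
    private static bool TryGetInteractiveLogon(EventLogEntry entry, out String user, out String domain)
    {
        user = null;
        domain = null;
        String[] data = entry.ReplacementStrings;
        if (data != null && data.Length > 8)
        {
            // 4624 insertion strings (0-based): [0] SubjectUserSid, [1] SubjectUserName,
            // [2] SubjectDomainName, [3] SubjectLogonId, [4] TargetUserSid,
            // [5] TargetUserName, [6] TargetDomainName, [7] TargetLogonId, [8] LogonType.
            String logonType = data[8].Trim();
            if (logonType != "2" && logonType != "10")
            {
                return false;
            }
            user = data[5].Trim();
            domain = data[6].Trim();
            return true;
        }
        String msg = entry.Message;
        if (msg == null || !LogonTypeRegex.IsMatch(msg))
        {
            return false;
        }
        Match m = NewLogonAccountRegex.Match(msg);
        if (!m.Success)
        {
            return false;
        }
        user = m.Groups[1].Value.Trim();
        domain = m.Groups[2].Value.Trim();
        return true;
    }

    /// <summary>
    /// Tells the user that the Security log could not be opened. Non-administrators
    /// are denied access to this log, which surfaces as a SecurityException.
    /// </summary>
    private static void ReportAccessDenied(Exception ex)
    {
        MessageBox.Show("Cannot read the Security log (administrator rights are required): " + ex.Message);
    }

    /// <summary>
    /// Dispatches to the log reader that matches the OS version's logon event format:
    /// event 528 for the 5.x line (2000 / XP / 2003) and event 4624 for 6.0 and later
    /// (Vista / 2008 / 7 and newer). Windows 9x/Me, NT 3.51 and NT 4.0 are left
    /// unhandled, as before.
    /// </summary>
    /// <param name="MajorVersion">OS major version.</param>
    /// <param name="MinorVersion">OS minor version (unused; kept for callers).</param>
    public void getLoginForLog(int MajorVersion, int MinorVersion)
    {
        if (MajorVersion >= 6)
        {
            // Vista and everything after it audit logons as 4624, not only 6.1 (Windows 7).
            getWin7log();
        }
        else if (MajorVersion == 5)
        {
            // 5.0 (2000), 5.1 (XP) and 5.2 (Server 2003) audit logons as 528.
            GetSystemLog();
        }
    }

    /// <summary>
    /// Maps a major.minor version (and platform id for 4.0) to a product name.
    /// </summary>
    /// <returns>The product name, or a generic message for unknown versions.</returns>
    public static String OpSysName(int MajorVersion, int MinorVersion, int PlatformId)
    {
        String str_opn = String.Format("{0}.{1}", MajorVersion, MinorVersion);
        switch (str_opn)
        {
            case "4.0":
                return win95_nt40(PlatformId);
            case "4.10":
                return "Windows 98";
            case "4.90":
                return "Windows Me";
            case "3.51":
                return "Windows NT 3.51";
            case "5.0":
                return "Windows 2000";
            case "5.1":
                return "Windows XP";
            case "5.2":
                return "Windows Server 2003 family";
            case "6.0":
                return "Windows Vista";
            case "6.1":
                return "Windows 7";
            default:
                return "This windows version is not distinguish!";
        }
    }

    /// <summary>
    /// Distinguishes the two products that both report version 4.0 by platform id
    /// (1 = Win32 on Windows 95, 2 = Win32 on Windows NT).
    /// </summary>
    public static String win95_nt40(int PlatformId)
    {
        switch (PlatformId)
        {
            case 1:
                return "Windows 95";
            case 2:
                return "Windows NT 4.0";
            default:
                return "This windows version is not distinguish!";
        }
    }

    /*
    16,384 0 OverwriteAsNeeded 1,471 Application
    20,480 0 OverwriteAsNeeded 0 HardwareEvents
    512 7 OverwriteOlder 0 Internet Explorer
    20,480 0 OverwriteAsNeeded 0 Key Management Service
    8,192 0 OverwriteAsNeeded 0 Media Center
    16,384 0 OverwriteAsNeeded 0 ODiag
    16,384 0 OverwriteAsNeeded 50 OSession
    16,384 0 OverwriteAsNeeded 24,319 Security
    16,384 0 OverwriteAsNeeded 4,806 System
    15,360 0 OverwriteAsNeeded 565 Windows PowerShell
    */
}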
}