WMI query to Read 'Microsoft-Windows-AppLocker/EXE and DLL' C#

会有一股神秘感。 Submitted on 2020-07-06 09:51:05

Question


I have created an agent to read Windows events using WMI. I have been using the agent for the last 3 years to collect events. It is used in a SIEM product. The query looks like

SELECT * FROM Win32_NTLogEvent where LogFile = 'System' or logFile='Active Directory Web Services'

I am able to get the events properly. But now I want to read AppLocker events from 'Microsoft-Windows-AppLocker/EXE and DLL' (Application and Services Logs -> Microsoft -> Windows -> AppLocker -> EXE and DLL).

I tried the below query but it returns zero records, though I have 40+ records in it. I can see the records in Event Viewer.

SELECT * FROM Win32_NTLogEvent where LogFile = 'Microsoft-Windows-AppLocker/EXE and DLL'

I have tried with "wbemtest" as well, but it returns no records and no error.

I am not sure if this can be achieved in any other way using WMI. I know PowerShell has a cmdlet through which I am able to read 'Microsoft-Windows-AppLocker/EXE and DLL' events. But I want to read it using WMI.

Any pointers will be highly appreciated.

Thanks in advance to all viewers.


Answer 1:


It seems that the WMI Query parses the registry location HKLM\SYSTEM\CurrentControlSet\Services\EventLog for available event logs (see MSDN Forum post). Check the list you find there with the result of the query Select * FROM Win32_NTEventLogFile.

To add a logfile for WMI operations, add a new key under the above registry location with the name of the log ('Microsoft-Windows-AppLocker/EXE and DLL' in your case). Now it should return that log with your WMI query.
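A C# check for what this answer describes, added here as an example and not code from the question or the answers: it lists the logs WMI exposes through Win32_NTEventLogFile and compares them with the subkeys under HKLM\SYSTEM\CurrentControlSet\Services\EventLog, so you can see whether a log such as 'Microsoft-Windows-AppLocker/EXE and DLL' is visible to Win32_NTLogEvent before relying on the query. It assumes a reference to System.Management.dll and the Microsoft.Win32 registry API; the class and method names are my own.

```csharp
// Added example (not from the question or answers): compare the logs WMI knows about
// with the subkeys under the classic EventLog registry location. Read-only; run
// elevated so both WMI and the registry key can be enumerated fully.
using System;
using System.Collections.Generic;
using System.Management;
using Microsoft.Win32;

class WmiLogCheck
{
    // Registry location the answer refers to (under HKEY_LOCAL_MACHINE).
    const string EventLogKey = @"SYSTEM\CurrentControlSet\Services\EventLog";

    // Log names WMI exposes; these are the only ones Win32_NTLogEvent can query.
    static HashSet<string> WmiLogNames()
    {
        var names = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        var searcher = new ManagementObjectSearcher(
            "SELECT LogfileName FROM Win32_NTEventLogFile");
        foreach (ManagementObject log in searcher.Get())
            names.Add((string)log["LogfileName"]);
        return names;
    }

    // Subkeys of the EventLog registry key, one per classic log.
    static HashSet<string> RegistryLogNames()
    {
        var names = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(EventLogKey))
        {
            if (key != null)
                names.UnionWith(key.GetSubKeyNames());
        }
        return names;
    }

    static void Main(string[] args)
    {
        // Log to check; defaults to the AppLocker channel from the question.
        string wanted = args.Length > 0 ? args[0] : "Microsoft-Windows-AppLocker/EXE and DLL";
        HashSet<string> wmi = WmiLogNames();
        HashSet<string> reg = RegistryLogNames();

        Console.WriteLine("Logs visible to WMI: " + string.Join(", ", wmi));
        Console.WriteLine("'{0}' present in registry: {1}, visible to WMI: {2}",
            wanted, reg.Contains(wanted), wmi.Contains(wanted));
        if (!wmi.Contains(wanted))
            Console.WriteLine("Win32_NTLogEvent will return no rows for this log.");
    }
}
```

If the log is not in the WMI list, the zero-row result from the question's query is expected rather than an error; the .NET class System.Diagnostics.Eventing.Reader.EventLogReader reads such channels the same way Get-WinEvent does (my note, not the answer's).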




Answer 2:


Depending on the PowerShell version, you could use the "Get-WinEvent" command to simplify what you're doing.

https://msdn.microsoft.com/en-us/powershell/reference/5.0/microsoft.powershell.diagnostics/get-winevent

Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL"



Source: https://stackoverflow.com/questions/34940107/wmi-query-to-read-microsoft-windows-applocker-exe-and-dll-c-sharp
