获取审核策略
#include <windows.h>
#include "Ntsecapi.h"
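/*
 * Opens the LSA Policy object of the local machine.
 *
 * Returns a policy handle on success, or NULL on failure after printing
 * the failing call and its Win32 error code. The caller owns the handle
 * and must release it with LsaClose().
 *
 * The handle is requested with POLICY_VIEW_AUDIT_INFORMATION, which is
 * the right LsaQueryInformationPolicy(PolicyAuditEventsInformation)
 * needs; POLICY_ALL_ACCESS would ask for rights this program never uses.
 */
LSA_HANDLE GetPolicyHandle(void)
{
    LSA_OBJECT_ATTRIBUTES ObjectAttributes;
    WCHAR SystemName[256] = {0};
    DWORD SystemNameLength = sizeof(SystemName) / sizeof(SystemName[0]);
    LSA_UNICODE_STRING lusSystemName;
    LSA_HANDLE lsahPolicyHandle = NULL;
    NTSTATUS ntsResult;

    /* The original ignored this result; on failure SystemName stays
     * empty and LsaOpenPolicy would be handed an empty system name. */
    if (!GetComputerNameW(SystemName, &SystemNameLength)) {
        wprintf(L"GetComputerNameW returned %lu\n", GetLastError());
        return NULL;
    }

    /* Object attributes are reserved, so initialize to zeros. */
    ZeroMemory(&ObjectAttributes, sizeof(ObjectAttributes));

    /* LSA_UNICODE_STRING lengths are byte counts: Length excludes the
     * terminator, MaximumLength includes it. */
    SystemNameLength = (DWORD)wcslen(SystemName);
    lusSystemName.Buffer = SystemName;
    lusSystemName.Length = (USHORT)(SystemNameLength * sizeof(WCHAR));
    lusSystemName.MaximumLength = (USHORT)((SystemNameLength + 1) * sizeof(WCHAR));

    /* Get a handle to the Policy object with the least access needed. */
    ntsResult = LsaOpenPolicy(
        &lusSystemName,               /* Name of the target system. */
        &ObjectAttributes,            /* Object attributes (reserved). */
        POLICY_VIEW_AUDIT_INFORMATION, /* Enough to read audit policy. */
        &lsahPolicyHandle             /* Receives the policy handle. */
    );
    if (ntsResult != ERROR_SUCCESS) {
        /* Report the NTSTATUS as a Win32 error code. */
        wprintf(L"OpenPolicy returned %lu\n",
                LsaNtStatusToWinError(ntsResult));
        return NULL;
    }
    return lsahPolicyHandle;
}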
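/*
 * Queries the audit-event policy (PolicyAuditEventsInformation) through an
 * open LSA policy handle and prints the auditing mode plus the option mask
 * of each listed category.
 *
 * Despite its name this function reports audit policy, not account domain
 * information; the name is kept for existing callers.
 *
 * PolicyHandle: handle from LsaOpenPolicy with at least
 *               POLICY_VIEW_AUDIT_INFORMATION.
 * Returns TRUE when the query succeeded, FALSE otherwise (the Win32 error
 * code is printed). A failure to free the LSA buffer is printed but does
 * not change the return value.
 */
BOOL GetAccountDomainInfo(LSA_HANDLE PolicyHandle)
{
    /* Categories to print, in the order the original listing used. */
    static const struct {
        POLICY_AUDIT_EVENT_TYPE category;
        const WCHAR *label;
    } kCategories[] = {
        { AuditCategorySystem,                 L"AuditCategorySystem" },
        { AuditCategoryLogon,                  L"AuditCategoryLogon" },
        { AuditCategoryObjectAccess,           L"AuditCategoryObjectAccess" },
        { AuditCategoryPrivilegeUse,           L"AuditCategoryPrivilegeUse" },
        { AuditCategoryDetailedTracking,       L"AuditCategoryDetailedTracking" },
        { AuditCategoryPolicyChange,           L"AuditCategoryPolicyChange" },
        { AuditCategoryAccountManagement,      L"AuditCategoryAccountManagement" },
        { AuditCategoryDirectoryServiceAccess, L"AuditCategoryDirectoryServiceAccess" },
        { AuditCategoryAccountLogon,           L"AuditCategoryAccountLogon" },
    };
    PPOLICY_AUDIT_EVENTS_INFO pPAEInfo = NULL;
    NTSTATUS ntsResult;
    size_t i;

    ntsResult = LsaQueryInformationPolicy(
        PolicyHandle,                 /* Open handle to a Policy object. */
        PolicyAuditEventsInformation, /* The information to get. */
        (PVOID *)&pPAEInfo            /* Receives an LSA-allocated buffer. */
    );
    if (ntsResult != ERROR_SUCCESS) {
        /* Show the corresponding win32 error code. */
        wprintf(L"Error obtaining audit policy information - (win32) %lu\n",
                LsaNtStatusToWinError(ntsResult));
        return FALSE;
    }

    wprintf(L"auditingMode = %d\n", pPAEInfo->AuditingMode);

    for (i = 0; i < sizeof(kCategories) / sizeof(kCategories[0]); i++) {
        ULONG idx = (ULONG)kCategories[i].category;

        /* EventAuditingOptions holds MaximumAuditEventCount entries; the
         * original indexed it unconditionally, which reads out of bounds
         * if the system reports fewer categories than this table lists. */
        if (idx >= pPAEInfo->MaximumAuditEventCount) {
            wprintf(L"%ls = (not reported)\n", kCategories[i].label);
            continue;
        }
        /* The option mask is a ULONG, so print it with %lu rather than %d. */
        wprintf(L"%ls = %lu\n", kCategories[i].label,
                (unsigned long)pPAEInfo->EventAuditingOptions[idx]);
    }

    if (LsaFreeMemory(pPAEInfo) != ERROR_SUCCESS) {
        wprintf(L"LsaFreeMemory error\n");
    }
    return TRUE;
}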
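/*
 * Entry point: opens the local LSA policy, prints the audit policy and
 * releases the handle.
 *
 * Returns 0 when the policy was opened and queried, 1 otherwise; the
 * callees print the specific failure.
 */
int main(int argc, char *argv[])
{
    LSA_HANDLE lh;
    BOOL ok = FALSE;

    (void)argc;
    (void)argv;

    lh = GetPolicyHandle();
    if (lh != NULL) {
        ok = GetAccountDomainInfo(lh);
        /* The original never closed the handle returned by LsaOpenPolicy. */
        if (LsaClose(lh) != ERROR_SUCCESS) {
            wprintf(L"LsaClose error\n");
        }
    }
    return ok ? 0 : 1;
}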