调用AuditQuerySystemPolicy（）从C＃的回报和QUOT（ADVAPI32.DLL）;参数不正确&QUOT;

本文介绍了调用AuditQuerySystemPolicy（）从C＃的回报和QUOT（ADVAPI32.DLL）;参数不正确&QUOT;的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

该序列就像如下：

打开用的（未显示）

LsaQueryInformationPolicy（） 获得类别数;>

AuditLookupCategoryGuidFromCategoryId（）

呼叫的让所有子类的GUID的列表;

AuditQuerySystemPolicy（） 获得审核政策的子类别。

和预期的回报，除了最后，明智的值。调用 AuditQuerySystemPolicy（）让我一个的参数不正确的错误。我想肯定会有一些细微的解编问题。我可能误解究竟是什么 AuditEnumerateSubCategories（）的回报，但我很为难。

您会看到（评论）我试图取消引用返回指针从 AuditEnumerateSubCategories（）作为一个指针。

  
 
 代码>＃地区的LSA类型
公共枚举POLICY_INFORMATION_CLASS 
 {
 PolicyAuditLogInformation = 1，
 PolicyAuditEventsInformation，
 PolicyPrimaryDomainInformation，
 PolicyPdAccountInformation，
进行PolicyAccountDomainInformation，
 PolicyLsaServerRoleInformation，
 PolicyReplicaSourceInformation，
 PolicyDefaultQuotaInformation，
 PolicyModificationInformation，
 PolicyAuditFullSetInformation，
 PolicyAuditFullQueryInformation，
 PolicyDnsDomainInformation 
} 
 
酒店的公共枚举POLICY_AUDIT_EVENT_TYPE 
 {
 AuditCategorySystem，
 AuditCategoryLogon，
 AuditCategoryObjectAccess，
 AuditCategoryPrivilegeUse，
 AuditCategoryDetailedTracking，
 AuditCategoryPolicyChange，
 AuditCategoryAccountManagement，
 AuditCategoryDirectoryServiceAccess，
 AuditCategoryAccountLogon 
} 
 
 [StructLayout（LayoutKind.Sequential，字符集= CharSet.Unicode）] 
公共结构POLICY_AUDIT_EVENTS_INFO 
 {
公共BOOL AuditingMode; 
公众的IntPtr EventAuditingOptions; 
公共UInt32的MaximumAuditEventCount; 
} 
 
 [StructLayout（LayoutKind.Sequential，字符集= CharSet.Unicode）] 
公共结构GUID 
 {
公共UInt32的数据1; 
公共UINT16数据2; 
公共UINT16数据3; 
公共字节Data4a; 
公共字节Data4b; 
公共字节Data4c; 
公共字节Data4d; 
公共字节Data4e; 
公共字节Data4f; 
公共字节Data4g; 
公共字节Data4h; 
 
公共重写字符串的ToString（）
 {
返回Data1.ToString（X8）+ - + Data2.ToString（×4）+ - + Data3.ToString（×4）+ - 
 + Data4a.ToString（×2）+ Data4b.ToString（×2）+ - 
 + Data4c.ToString（×2 ）+ Data4d.ToString（×2）+ Data4e.ToString（×2）+ Data4f.ToString（×2）+ Data4g.ToString（×2）+ Data4h.ToString（×2）; 
} 
} 
 #endregion 
 
＃地区的LSA进口
函数[DllImport（KERNEL32.DLL）] 
的extern静态INT GetLastError函数（）; 
 
函数[DllImport（advapi32.dll的，字符集= CharSet.Unicode，PreserveSig = TRUE）] 
公共静态外部UInt32的LsaNtStatusToWinError（
长状态）; 
 
函数[DllImport（advapi32.dll的，字符集= CharSet.Unicode，PreserveSig = TRUE）] 
公共静态外部长LsaOpenPolicy（
裁判LSA_UNICODE_STRING的SystemName，
 REF LSA_OBJECT_ATTRIBUTES ObjectAttributes，
的Int32 DesiredAccess，
 OUT的IntPtr PolicyHandle）; 
 
函数[DllImport（advapi32.dll的，字符集= CharSet.Unicode，PreserveSig = TRUE）] 
公共静态外部长LsaClose（IntPtr的PolicyHandle）; 
 
函数[DllImport（advapi32.dll的，字符集= CharSet.Unicode，PreserveSig = TRUE）] 
公共静态外部长LsaFreeMemory（IntPtr的缓冲区）; 
 
函数[DllImport（advapi32.dll的，字符集= CharSet.Unicode，PreserveSig = TRUE）] 
公共静态外部无效AuditFree（IntPtr的缓冲区）; 
 
函数[DllImport（advapi32.dll的，SetLastError = true时，PreserveSig = TRUE）] 
公共静态外部长LsaQueryInformationPolicy（
 IntPtr的PolicyHandle，POLICY_INFORMATION_CLASS InformationClass，
出的IntPtr缓存）; 
 
函数[DllImport（advapi32.dll的，SetLastError = true时，PreserveSig = TRUE）] 
公共静态外部布尔AuditLookupCategoryGuidFromCategoryId（
 POLICY_AUDIT_EVENT_TYPE AuditCategoryId，
的IntPtr pAuditCategoryGuid） ; 
 
函数[DllImport（advapi32.dll的，SetLastError = true时，PreserveSig = TRUE）] 
公共静态外部布尔AuditEnumerateSubCategories（
 IntPtr的pAuditCategoryGuid，
布尔bRetrieveAllSubCategories， 
 OUT的IntPtr ppAuditSubCategoriesArray，
 OUT ULONG pCountReturned）; 
 
函数[DllImport（advapi32.dll的，SetLastError = true时，PreserveSig = TRUE）] 
公共静态外部布尔AuditQuerySystemPolicy（
 IntPtr的pSubCategoryGuids，
 ULONG PolicyCount， 
 OUT的IntPtr ppAuditPolicy）; 
 #endregion 
 
&字典LT;字符串，UInt32的> retList =新词典<字符串，UInt32的>（）; 
长lretVal; 
 UINT retVal的; 
 
 IntPtr的pAuditEventsInfo; 
 lretVal = LsaQueryInformationPolicy（policyHandle，POLICY_INFORMATION_CLASS.PolicyAuditEventsInformation，出pAuditEventsInfo）; 
 retVal的= LsaNtStatusToWinError（lretVal）; 
如果（retVal的！= 0）
 {
 LsaClose（policyHandle）; 
抛出新System.ComponentModel.Win32Exception（（INT）retVal的）; 
} 
 
 POLICY_AUDIT_EVENTS_INFO myAuditEventsInfo =新POLICY_AUDIT_EVENTS_INFO（）; 
 myAuditEventsInfo =（POLICY_AUDIT_EVENTS_INFO）Marshal.PtrToStructure（pAuditEventsInfo，myAuditEventsInfo.GetType（））; 
 
 IntPtr的subCats = IntPtr.Zero; 
 ULONG nSubCats = 0; 
 
为（INT audCat = 0; audCat< myAuditEventsInfo.MaximumAuditEventCount; audCat ++）
 {
 GUID audCatGuid =新的GUID（）; 
如果（！AuditLookupCategoryGuidFromCategoryId（（POLICY_AUDIT_EVENT_TYPE）audCat，新的IntPtr（安培; audCatGuid）））
 {
 INT causingError = GetLastError函数（）; 
 LsaFreeMemory（pAuditEventsInfo）; 
 LsaClose（policyHandle）; 
抛出新System.ComponentModel.Win32Exception（causingError）; 
} 
 
如果（AuditEnumerateSubCategories（新的IntPtr（安培;！audCatGuid），真实，出subCats，出nSubCats））
 {
 INT causingError = GetLastError函数（） ; 
 LsaFreeMemory（pAuditEventsInfo）; 
 LsaClose（policyHandle）; 
抛出新System.ComponentModel.Win32Exception（causingError）; 
} 
 
 //取消引用的第一个指针到指针指向第一个子类别
 // subCats =（IntPtr的）Marshal.PtrToStructure（subCats，subCats.GetType（ ））; 
 
如果（nSubCats大于0）
 {
 IntPtr的audPolicies = IntPtr.Zero; 
如果
 {
 INT causingError = GetLastError函数（）（AuditQuerySystemPolicy（subCats，nSubCats，出audPolicies）！）; 
如果（subCats = IntPtr.Zero！）
 AuditFree（subCats）; 
 LsaFreeMemory（pAuditEventsInfo）; 
 LsaClose（policyHandle）; 
抛出新System.ComponentModel.Win32Exception（causingError）; 
} 
 
 AUDIT_POLICY_INFORMATION myAudPol =新AUDIT_POLICY_INFORMATION（）; 
为（ULONG audSubCat = 0; audSubCat< nSubCats; audSubCat ++）
 {
 //处理audPolicies [audSubCat]，转成的GUID的名字，填写retList。 
 // http://msdn.microsoft.com/en-us/library/aa373931%28VS.85%29.aspx 
 // http://msdn.microsoft.com/en-us /library/bb648638%28VS.85%29.aspx 
 
 IntPtr的itemAddr = IntPtr.Zero; 
的IntPtr itemAddrAddr =新的IntPtr（audPolicies.ToInt64（）+（长）（audSubCat *（ULONG）Marshal.SizeOf（itemAddr）））; 
 itemAddr =（IntPtr的）Marshal.PtrToStructure（itemAddrAddr，itemAddr.GetType（））; 
 myAudPol =（AUDIT_POLICY_INFORMATION）Marshal.PtrToStructure（itemAddr，myAudPol.GetType（））; 
 retList [myAudPol.AuditSubCategoryGuid.ToString（）] = myAudPol.AuditingInformation; 
} 
 
如果（！audPolicies = IntPtr.Zero）
 AuditFree（audPolicies）; 
} 
 
如果（！subCats = IntPtr.Zero）
 AuditFree（subCats）; 
 
 subCats = IntPtr.Zero; 
 nSubCats = 0; 
} 
 
 lretVal = LsaFreeMemory（pAuditEventsInfo）; 
 retVal的= LsaNtStatusToWinError（lretVal）; 
如果（retVal的！= 0）
抛出新System.ComponentModel.Win32Exception（（INT）retVal的）; 
 
 lretVal = LsaClose（policyHandle）; 
 retVal的= LsaNtStatusToWinError（lretVal）; 
如果（retVal的！= 0）
抛出新System.ComponentModel.Win32Exception（（INT）retVal的）;

解决方案

首先您发布不完整的代码，所以我不能编译。有没有代码来打开 policyHandle 与 LsaOpenPolicy 功能。一些结构的声明像 AUDIT_POLICY_INFORMATION ， LSA_OBJECT_ATTRIBUTES 和 LSA_UNICODE_STRING 也缺席。

不过我在你的代码中发现至少有一个错误。 AuditLookupCategoryGuidFromCategoryId 的最后一个参数的用法似乎我错了。功能 AuditLookupCategoryGuidFromCategoryId 有原型

 布尔WINAPI AuditLookupCategoryGuidFromCategoryId（
 __in POLICY_AUDIT_EVENT_TYPE AuditCategoryId，
 __out GUID * pAuditCategoryGuid 
）;

这意味着，你不得不分配的非托管的内存来容纳 GUID 并获取指向 AuditLookupCategoryGuidFromCategoryId 。该内存将由 AuditLookupCategoryGuidFromCategoryId 填写。因此，而不是

  GUID audCatGuid =新的GUID（）; 
如果（！AuditLookupCategoryGuidFromCategoryId（（POLICY_AUDIT_EVENT_TYPE）audCat，
新的IntPtr（安培; audCatGuid）））！
 // ... 
如果（AuditEnumerateSubCategories（新的IntPtr（安培; audCatGuid），真实，出subCats，
 OUT nSubCats））
 // ...

看来我纠正以下

  IntPtr的pAuditCatGuid = Marshal.AllocHGlobal（Marshal.SizeOf（GUID））; 
如果（！AuditLookupCategoryGuidFromCategoryId（（POLICY_AUDIT_EVENT_TYPE）audCat，
 pAuditCatGuid））
 // ... 
如果（！AuditEnumerateSubCategories（pAuditCatGuid，真实，出subCats，
出nSubCats））
 // ...

The sequence is like follows:

Open a policy handle with LsaOpenPolicy() (not shown)
Call LsaQueryInformationPolicy() to get the number of categories;
For each category:
- Call AuditLookupCategoryGuidFromCategoryId() to turn the enum value into a GUID;
- Call AuditEnumerateSubCategories() to get a list of the GUIDs of all subcategories;
- Call AuditQuerySystemPolicy() to get the audit policies for the subcategories.

All of these work and return expected, sensible values except the last. Calling AuditQuerySystemPolicy() gets me a "The parameter is incorrect" error. I'm thinking there must be some subtle unmarshaling problem. I'm probably misinterpreting what exactly AuditEnumerateSubCategories() returns, but I'm stumped.

You'll see (commented) I tried to dereference the return pointer from AuditEnumerateSubCategories() as a pointer. Doing or not doing that gives the same result.

Code:

#region LSA types
public enum POLICY_INFORMATION_CLASS
{
    PolicyAuditLogInformation = 1,
    PolicyAuditEventsInformation,
    PolicyPrimaryDomainInformation,
    PolicyPdAccountInformation,
    PolicyAccountDomainInformation,
    PolicyLsaServerRoleInformation,
    PolicyReplicaSourceInformation,
    PolicyDefaultQuotaInformation,
    PolicyModificationInformation,
    PolicyAuditFullSetInformation,
    PolicyAuditFullQueryInformation,
    PolicyDnsDomainInformation
}

public enum POLICY_AUDIT_EVENT_TYPE
{
    AuditCategorySystem,
    AuditCategoryLogon,
    AuditCategoryObjectAccess,
    AuditCategoryPrivilegeUse,
    AuditCategoryDetailedTracking,
    AuditCategoryPolicyChange,
    AuditCategoryAccountManagement,
    AuditCategoryDirectoryServiceAccess,
    AuditCategoryAccountLogon
}

[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct POLICY_AUDIT_EVENTS_INFO
{
    public bool AuditingMode;
    public IntPtr EventAuditingOptions;
    public UInt32 MaximumAuditEventCount;
}

[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct GUID
{
    public UInt32 Data1;
    public UInt16 Data2;
    public UInt16 Data3;
    public Byte Data4a;
    public Byte Data4b;
    public Byte Data4c;
    public Byte Data4d;
    public Byte Data4e;
    public Byte Data4f;
    public Byte Data4g;
    public Byte Data4h;

    public override string ToString()
    {
        return Data1.ToString("x8") + "-" + Data2.ToString("x4") + "-" + Data3.ToString("x4") + "-"
              + Data4a.ToString("x2") + Data4b.ToString("x2") + "-"
              + Data4c.ToString("x2") + Data4d.ToString("x2") + Data4e.ToString("x2") + Data4f.ToString("x2") + Data4g.ToString("x2") + Data4h.ToString("x2");
    }
}
#endregion

#region LSA Imports
[DllImport("kernel32.dll")]
extern static int GetLastError();

[DllImport("advapi32.dll", CharSet = CharSet.Unicode, PreserveSig = true)]
public static extern UInt32 LsaNtStatusToWinError(
    long Status);

[DllImport("advapi32.dll", CharSet = CharSet.Unicode, PreserveSig = true)]
public static extern long LsaOpenPolicy(
    ref LSA_UNICODE_STRING SystemName,
    ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
    Int32 DesiredAccess,
    out IntPtr PolicyHandle );

[DllImport("advapi32.dll", CharSet = CharSet.Unicode, PreserveSig = true)]
public static extern long LsaClose(IntPtr PolicyHandle);

[DllImport("advapi32.dll", CharSet = CharSet.Unicode, PreserveSig = true)]
public static extern long LsaFreeMemory(IntPtr Buffer);

[DllImport("advapi32.dll", CharSet = CharSet.Unicode, PreserveSig = true)]
public static extern void AuditFree(IntPtr Buffer);

[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
public static extern long LsaQueryInformationPolicy(
    IntPtr PolicyHandle, POLICY_INFORMATION_CLASS InformationClass,
    out IntPtr Buffer);

[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
public static extern bool AuditLookupCategoryGuidFromCategoryId(
    POLICY_AUDIT_EVENT_TYPE AuditCategoryId,
    IntPtr pAuditCategoryGuid);

[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
public static extern bool AuditEnumerateSubCategories(
    IntPtr pAuditCategoryGuid,
    bool bRetrieveAllSubCategories,
    out IntPtr ppAuditSubCategoriesArray,
    out ulong pCountReturned);

[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
public static extern bool AuditQuerySystemPolicy(
    IntPtr pSubCategoryGuids,
    ulong PolicyCount,
    out IntPtr ppAuditPolicy);
#endregion

Dictionary<string, UInt32> retList = new Dictionary<string, UInt32>();
long lretVal;
uint retVal;

IntPtr pAuditEventsInfo;
lretVal = LsaQueryInformationPolicy(policyHandle, POLICY_INFORMATION_CLASS.PolicyAuditEventsInformation, out pAuditEventsInfo);
retVal = LsaNtStatusToWinError(lretVal);
if (retVal != 0)
{
    LsaClose(policyHandle);
    throw new System.ComponentModel.Win32Exception((int)retVal);
}

POLICY_AUDIT_EVENTS_INFO myAuditEventsInfo = new POLICY_AUDIT_EVENTS_INFO();
myAuditEventsInfo = (POLICY_AUDIT_EVENTS_INFO)Marshal.PtrToStructure(pAuditEventsInfo, myAuditEventsInfo.GetType());

IntPtr subCats = IntPtr.Zero;
ulong nSubCats = 0;

for (int audCat = 0; audCat < myAuditEventsInfo.MaximumAuditEventCount; audCat++)
{
    GUID audCatGuid = new GUID();
    if (!AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)audCat, new IntPtr(&audCatGuid)))
    {
        int causingError = GetLastError();
        LsaFreeMemory(pAuditEventsInfo);
        LsaClose(policyHandle);
        throw new System.ComponentModel.Win32Exception(causingError);
    }

    if (!AuditEnumerateSubCategories(new IntPtr(&audCatGuid), true, out subCats, out nSubCats))
    {
        int causingError = GetLastError();
        LsaFreeMemory(pAuditEventsInfo);
        LsaClose(policyHandle);
        throw new System.ComponentModel.Win32Exception(causingError);
    }

    // Dereference the first pointer-to-pointer to point to the first subcategory
    // subCats = (IntPtr)Marshal.PtrToStructure(subCats, subCats.GetType());

    if (nSubCats > 0)
    {
        IntPtr audPolicies = IntPtr.Zero;
        if (!AuditQuerySystemPolicy(subCats, nSubCats, out audPolicies))
        {
            int causingError = GetLastError();
            if (subCats != IntPtr.Zero)
                AuditFree(subCats);
            LsaFreeMemory(pAuditEventsInfo);
            LsaClose(policyHandle);
            throw new System.ComponentModel.Win32Exception(causingError);
        }

        AUDIT_POLICY_INFORMATION myAudPol = new AUDIT_POLICY_INFORMATION();
        for (ulong audSubCat = 0; audSubCat < nSubCats; audSubCat++)
        {
            // Process audPolicies[audSubCat], turn GUIDs into names, fill retList.
            // http://msdn.microsoft.com/en-us/library/aa373931%28VS.85%29.aspx
            // http://msdn.microsoft.com/en-us/library/bb648638%28VS.85%29.aspx

            IntPtr itemAddr = IntPtr.Zero;
            IntPtr itemAddrAddr = new IntPtr(audPolicies.ToInt64() + (long)(audSubCat * (ulong)Marshal.SizeOf(itemAddr)));
            itemAddr = (IntPtr)Marshal.PtrToStructure(itemAddrAddr, itemAddr.GetType());
            myAudPol = (AUDIT_POLICY_INFORMATION)Marshal.PtrToStructure(itemAddr, myAudPol.GetType());
            retList[myAudPol.AuditSubCategoryGuid.ToString()] = myAudPol.AuditingInformation;
        }

        if (audPolicies != IntPtr.Zero)
            AuditFree(audPolicies);
    }

    if (subCats != IntPtr.Zero)
        AuditFree(subCats);

    subCats = IntPtr.Zero;
    nSubCats = 0;
}

lretVal = LsaFreeMemory(pAuditEventsInfo);
retVal = LsaNtStatusToWinError(lretVal);
if (retVal != 0)
    throw new System.ComponentModel.Win32Exception((int)retVal);

lretVal = LsaClose(policyHandle);
retVal = LsaNtStatusToWinError(lretVal);
if (retVal != 0)
    throw new System.ComponentModel.Win32Exception((int)retVal);

解决方案

First of all you post not full code, so I can not compile it. There are no code to open policyHandle with LsaOpenPolicy function. declaration of some structures like AUDIT_POLICY_INFORMATION, LSA_OBJECT_ATTRIBUTES and LSA_UNICODE_STRING also absent.

Nevertheless I found at least one error in your code. Usage of the last parameter of AuditLookupCategoryGuidFromCategoryId seems me wrong. The function AuditLookupCategoryGuidFromCategoryId has prototype

BOOLEAN WINAPI AuditLookupCategoryGuidFromCategoryId(
  __in   POLICY_AUDIT_EVENT_TYPE AuditCategoryId,
  __out  GUID *pAuditCategoryGuid
);

which means, you have to allocate unmanaged memory to hold GUID and get pointer to AuditLookupCategoryGuidFromCategoryId. The memory will be filled by AuditLookupCategoryGuidFromCategoryId. So instead of

GUID audCatGuid = new GUID();
if (!AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)audCat,
                                           new IntPtr(&audCatGuid)))
// ...
if (!AuditEnumerateSubCategories(new IntPtr(&audCatGuid), true, out subCats,
                                 out nSubCats))
// ...

seems me correct the following

IntPtr pAuditCatGuid = Marshal.AllocHGlobal (Marshal.SizeOf(GUID));
if (!AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)audCat,
                                           pAuditCatGuid))
// ...
if (!AuditEnumerateSubCategories(pAuditCatGuid, true, out subCats,
                                 out nSubCats))
// ...

这篇关于调用AuditQuerySystemPolicy（）从C＃的回报和QUOT（ADVAPI32.DLL）;参数不正确&QUOT;的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！