问题描述
该序列就像如下:
- 打开用的(未显示)
-
LsaQueryInformationPolicy()
获得类别数;> - 呼叫的让所有子类的GUID的列表;
-
AuditQuerySystemPolicy()
获得审核政策的子类别。
LI>
AuditLookupCategoryGuidFromCategoryId()
把枚举值转化为GUID; 和预期的回报,除了最后,明智的值。调用
AuditQuerySystemPolicy()
让我一个的参数不正确的错误。我想肯定会有一些细微的解编问题。我可能误解究竟是什么 AuditEnumerateSubCategories()
的回报,但我很为难。 您会看到(评论)我试图取消引用返回指针从 AuditEnumerateSubCategories()
作为一个指针。
代码>#地区的LSA类型
公共枚举POLICY_INFORMATION_CLASS
{
PolicyAuditLogInformation = 1,
PolicyAuditEventsInformation,
PolicyPrimaryDomainInformation,
PolicyPdAccountInformation,
进行PolicyAccountDomainInformation,
PolicyLsaServerRoleInformation,
PolicyReplicaSourceInformation,
PolicyDefaultQuotaInformation,
PolicyModificationInformation,
PolicyAuditFullSetInformation,
PolicyAuditFullQueryInformation,
PolicyDnsDomainInformation
}
酒店的公共枚举POLICY_AUDIT_EVENT_TYPE
{
AuditCategorySystem,
AuditCategoryLogon,
AuditCategoryObjectAccess,
AuditCategoryPrivilegeUse,
AuditCategoryDetailedTracking,
AuditCategoryPolicyChange,
AuditCategoryAccountManagement,
AuditCategoryDirectoryServiceAccess,
AuditCategoryAccountLogon
}
[StructLayout(LayoutKind.Sequential,字符集= CharSet.Unicode)]
公共结构POLICY_AUDIT_EVENTS_INFO
{
公共BOOL AuditingMode;
公众的IntPtr EventAuditingOptions;
公共UInt32的MaximumAuditEventCount;
}
[StructLayout(LayoutKind.Sequential,字符集= CharSet.Unicode)]
公共结构GUID
{
公共UInt32的数据1;
公共UINT16数据2;
公共UINT16数据3;
公共字节Data4a;
公共字节Data4b;
公共字节Data4c;
公共字节Data4d;
公共字节Data4e;
公共字节Data4f;
公共字节Data4g;
公共字节Data4h;
公共重写字符串的ToString()
{
返回Data1.ToString(X8)+ - + Data2.ToString(×4)+ - + Data3.ToString(×4)+ -
+ Data4a.ToString(×2)+ Data4b.ToString(×2)+ -
+ Data4c.ToString(×2 )+ Data4d.ToString(×2)+ Data4e.ToString(×2)+ Data4f.ToString(×2)+ Data4g.ToString(×2)+ Data4h.ToString(×2);
}
}
#endregion
#地区的LSA进口
函数[DllImport(KERNEL32.DLL)]
的extern静态INT GetLastError函数();
函数[DllImport(advapi32.dll的,字符集= CharSet.Unicode,PreserveSig = TRUE)]
公共静态外部UInt32的LsaNtStatusToWinError(
长状态);
函数[DllImport(advapi32.dll的,字符集= CharSet.Unicode,PreserveSig = TRUE)]
公共静态外部长LsaOpenPolicy(
裁判LSA_UNICODE_STRING的SystemName,
REF LSA_OBJECT_ATTRIBUTES ObjectAttributes,
的Int32 DesiredAccess,
OUT的IntPtr PolicyHandle);
函数[DllImport(advapi32.dll的,字符集= CharSet.Unicode,PreserveSig = TRUE)]
公共静态外部长LsaClose(IntPtr的PolicyHandle);
函数[DllImport(advapi32.dll的,字符集= CharSet.Unicode,PreserveSig = TRUE)]
公共静态外部长LsaFreeMemory(IntPtr的缓冲区);
函数[DllImport(advapi32.dll的,字符集= CharSet.Unicode,PreserveSig = TRUE)]
公共静态外部无效AuditFree(IntPtr的缓冲区);
函数[DllImport(advapi32.dll的,SetLastError = true时,PreserveSig = TRUE)]
公共静态外部长LsaQueryInformationPolicy(
IntPtr的PolicyHandle,POLICY_INFORMATION_CLASS InformationClass,
出的IntPtr缓存);
函数[DllImport(advapi32.dll的,SetLastError = true时,PreserveSig = TRUE)]
公共静态外部布尔AuditLookupCategoryGuidFromCategoryId(
POLICY_AUDIT_EVENT_TYPE AuditCategoryId,
的IntPtr pAuditCategoryGuid) ;
函数[DllImport(advapi32.dll的,SetLastError = true时,PreserveSig = TRUE)]
公共静态外部布尔AuditEnumerateSubCategories(
IntPtr的pAuditCategoryGuid,
布尔bRetrieveAllSubCategories,
OUT的IntPtr ppAuditSubCategoriesArray,
OUT ULONG pCountReturned);
函数[DllImport(advapi32.dll的,SetLastError = true时,PreserveSig = TRUE)]
公共静态外部布尔AuditQuerySystemPolicy(
IntPtr的pSubCategoryGuids,
ULONG PolicyCount,
OUT的IntPtr ppAuditPolicy);
#endregion
&字典LT;字符串,UInt32的> retList =新词典<字符串,UInt32的>();
长lretVal;
UINT retVal的;
IntPtr的pAuditEventsInfo;
lretVal = LsaQueryInformationPolicy(policyHandle,POLICY_INFORMATION_CLASS.PolicyAuditEventsInformation,出pAuditEventsInfo);
retVal的= LsaNtStatusToWinError(lretVal);
如果(retVal的!= 0)
{
LsaClose(policyHandle);
抛出新System.ComponentModel.Win32Exception((INT)retVal的);
}
POLICY_AUDIT_EVENTS_INFO myAuditEventsInfo =新POLICY_AUDIT_EVENTS_INFO();
myAuditEventsInfo =(POLICY_AUDIT_EVENTS_INFO)Marshal.PtrToStructure(pAuditEventsInfo,myAuditEventsInfo.GetType());
IntPtr的subCats = IntPtr.Zero;
ULONG nSubCats = 0;
为(INT audCat = 0; audCat< myAuditEventsInfo.MaximumAuditEventCount; audCat ++)
{
GUID audCatGuid =新的GUID();
如果(!AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)audCat,新的IntPtr(安培; audCatGuid)))
{
INT causingError = GetLastError函数();
LsaFreeMemory(pAuditEventsInfo);
LsaClose(policyHandle);
抛出新System.ComponentModel.Win32Exception(causingError);
}
如果(AuditEnumerateSubCategories(新的IntPtr(安培;!audCatGuid),真实,出subCats,出nSubCats))
{
INT causingError = GetLastError函数() ;
LsaFreeMemory(pAuditEventsInfo);
LsaClose(policyHandle);
抛出新System.ComponentModel.Win32Exception(causingError);
}
//取消引用的第一个指针到指针指向第一个子类别
// subCats =(IntPtr的)Marshal.PtrToStructure(subCats,subCats.GetType( ));
如果(nSubCats大于0)
{
IntPtr的audPolicies = IntPtr.Zero;
如果
{
INT causingError = GetLastError函数()(AuditQuerySystemPolicy(subCats,nSubCats,出audPolicies)!);
如果(subCats = IntPtr.Zero!)
AuditFree(subCats);
LsaFreeMemory(pAuditEventsInfo);
LsaClose(policyHandle);
抛出新System.ComponentModel.Win32Exception(causingError);
}
AUDIT_POLICY_INFORMATION myAudPol =新AUDIT_POLICY_INFORMATION();
为(ULONG audSubCat = 0; audSubCat< nSubCats; audSubCat ++)
{
//处理audPolicies [audSubCat],转成的GUID的名字,填写retList。
// http://msdn.microsoft.com/en-us/library/aa373931%28VS.85%29.aspx
// http://msdn.microsoft.com/en-us /library/bb648638%28VS.85%29.aspx
IntPtr的itemAddr = IntPtr.Zero;
的IntPtr itemAddrAddr =新的IntPtr(audPolicies.ToInt64()+(长)(audSubCat *(ULONG)Marshal.SizeOf(itemAddr)));
itemAddr =(IntPtr的)Marshal.PtrToStructure(itemAddrAddr,itemAddr.GetType());
myAudPol =(AUDIT_POLICY_INFORMATION)Marshal.PtrToStructure(itemAddr,myAudPol.GetType());
retList [myAudPol.AuditSubCategoryGuid.ToString()] = myAudPol.AuditingInformation;
}
如果(!audPolicies = IntPtr.Zero)
AuditFree(audPolicies);
}
如果(!subCats = IntPtr.Zero)
AuditFree(subCats);
subCats = IntPtr.Zero;
nSubCats = 0;
}
lretVal = LsaFreeMemory(pAuditEventsInfo);
retVal的= LsaNtStatusToWinError(lretVal);
如果(retVal的!= 0)
抛出新System.ComponentModel.Win32Exception((INT)retVal的);
lretVal = LsaClose(policyHandle);
retVal的= LsaNtStatusToWinError(lretVal);
如果(retVal的!= 0)
抛出新System.ComponentModel.Win32Exception((INT)retVal的);
首先您发布不完整的代码,所以我不能编译。有没有代码来打开 policyHandle
与 LsaOpenPolicy
功能。一些结构的声明像 AUDIT_POLICY_INFORMATION
, LSA_OBJECT_ATTRIBUTES
和 LSA_UNICODE_STRING
也缺席。
不过我在你的代码中发现至少有一个错误。 AuditLookupCategoryGuidFromCategoryId
的最后一个参数的用法似乎我错了。功能 AuditLookupCategoryGuidFromCategoryId
有原型
布尔WINAPI AuditLookupCategoryGuidFromCategoryId(
__in POLICY_AUDIT_EVENT_TYPE AuditCategoryId,
__out GUID * pAuditCategoryGuid
);
这意味着,你不得不分配的非托管的内存来容纳 GUID
并获取指向 AuditLookupCategoryGuidFromCategoryId
。该内存将由 AuditLookupCategoryGuidFromCategoryId
填写。因此,而不是
GUID audCatGuid =新的GUID();
如果(!AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)audCat,
新的IntPtr(安培; audCatGuid)))!
// ...
如果(AuditEnumerateSubCategories(新的IntPtr(安培; audCatGuid),真实,出subCats,
OUT nSubCats))
// ...
看来我纠正以下
IntPtr的pAuditCatGuid = Marshal.AllocHGlobal(Marshal.SizeOf(GUID));
如果(!AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)audCat,
pAuditCatGuid))
// ...
如果(!AuditEnumerateSubCategories(pAuditCatGuid,真实,出subCats,
出nSubCats))
// ...
The sequence is like follows:
- Open a policy handle with
LsaOpenPolicy()
(not shown) - Call
LsaQueryInformationPolicy()
to get the number of categories; - For each category:
- Call
AuditLookupCategoryGuidFromCategoryId()
to turn the enum value into a GUID; - Call
AuditEnumerateSubCategories()
to get a list of the GUIDs of all subcategories; - Call
AuditQuerySystemPolicy()
to get the audit policies for the subcategories.
- Call
All of these work and return expected, sensible values except the last. Calling AuditQuerySystemPolicy()
gets me a "The parameter is incorrect" error. I'm thinking there must be some subtle unmarshaling problem. I'm probably misinterpreting what exactly AuditEnumerateSubCategories()
returns, but I'm stumped.
You'll see (commented) I tried to dereference the return pointer from AuditEnumerateSubCategories()
as a pointer. Doing or not doing that gives the same result.
Code:
#region LSA types
public enum POLICY_INFORMATION_CLASS
{
PolicyAuditLogInformation = 1,
PolicyAuditEventsInformation,
PolicyPrimaryDomainInformation,
PolicyPdAccountInformation,
PolicyAccountDomainInformation,
PolicyLsaServerRoleInformation,
PolicyReplicaSourceInformation,
PolicyDefaultQuotaInformation,
PolicyModificationInformation,
PolicyAuditFullSetInformation,
PolicyAuditFullQueryInformation,
PolicyDnsDomainInformation
}
public enum POLICY_AUDIT_EVENT_TYPE
{
AuditCategorySystem,
AuditCategoryLogon,
AuditCategoryObjectAccess,
AuditCategoryPrivilegeUse,
AuditCategoryDetailedTracking,
AuditCategoryPolicyChange,
AuditCategoryAccountManagement,
AuditCategoryDirectoryServiceAccess,
AuditCategoryAccountLogon
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct POLICY_AUDIT_EVENTS_INFO
{
public bool AuditingMode;
public IntPtr EventAuditingOptions;
public UInt32 MaximumAuditEventCount;
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct GUID
{
public UInt32 Data1;
public UInt16 Data2;
public UInt16 Data3;
public Byte Data4a;
public Byte Data4b;
public Byte Data4c;
public Byte Data4d;
public Byte Data4e;
public Byte Data4f;
public Byte Data4g;
public Byte Data4h;
public override string ToString()
{
return Data1.ToString("x8") + "-" + Data2.ToString("x4") + "-" + Data3.ToString("x4") + "-"
+ Data4a.ToString("x2") + Data4b.ToString("x2") + "-"
+ Data4c.ToString("x2") + Data4d.ToString("x2") + Data4e.ToString("x2") + Data4f.ToString("x2") + Data4g.ToString("x2") + Data4h.ToString("x2");
}
}
#endregion
#region LSA Imports
[DllImport("kernel32.dll")]
extern static int GetLastError();
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, PreserveSig = true)]
public static extern UInt32 LsaNtStatusToWinError(
long Status);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, PreserveSig = true)]
public static extern long LsaOpenPolicy(
ref LSA_UNICODE_STRING SystemName,
ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
Int32 DesiredAccess,
out IntPtr PolicyHandle );
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, PreserveSig = true)]
public static extern long LsaClose(IntPtr PolicyHandle);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, PreserveSig = true)]
public static extern long LsaFreeMemory(IntPtr Buffer);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, PreserveSig = true)]
public static extern void AuditFree(IntPtr Buffer);
[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
public static extern long LsaQueryInformationPolicy(
IntPtr PolicyHandle, POLICY_INFORMATION_CLASS InformationClass,
out IntPtr Buffer);
[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
public static extern bool AuditLookupCategoryGuidFromCategoryId(
POLICY_AUDIT_EVENT_TYPE AuditCategoryId,
IntPtr pAuditCategoryGuid);
[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
public static extern bool AuditEnumerateSubCategories(
IntPtr pAuditCategoryGuid,
bool bRetrieveAllSubCategories,
out IntPtr ppAuditSubCategoriesArray,
out ulong pCountReturned);
[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
public static extern bool AuditQuerySystemPolicy(
IntPtr pSubCategoryGuids,
ulong PolicyCount,
out IntPtr ppAuditPolicy);
#endregion
Dictionary<string, UInt32> retList = new Dictionary<string, UInt32>();
long lretVal;
uint retVal;
IntPtr pAuditEventsInfo;
lretVal = LsaQueryInformationPolicy(policyHandle, POLICY_INFORMATION_CLASS.PolicyAuditEventsInformation, out pAuditEventsInfo);
retVal = LsaNtStatusToWinError(lretVal);
if (retVal != 0)
{
LsaClose(policyHandle);
throw new System.ComponentModel.Win32Exception((int)retVal);
}
POLICY_AUDIT_EVENTS_INFO myAuditEventsInfo = new POLICY_AUDIT_EVENTS_INFO();
myAuditEventsInfo = (POLICY_AUDIT_EVENTS_INFO)Marshal.PtrToStructure(pAuditEventsInfo, myAuditEventsInfo.GetType());
IntPtr subCats = IntPtr.Zero;
ulong nSubCats = 0;
for (int audCat = 0; audCat < myAuditEventsInfo.MaximumAuditEventCount; audCat++)
{
GUID audCatGuid = new GUID();
if (!AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)audCat, new IntPtr(&audCatGuid)))
{
int causingError = GetLastError();
LsaFreeMemory(pAuditEventsInfo);
LsaClose(policyHandle);
throw new System.ComponentModel.Win32Exception(causingError);
}
if (!AuditEnumerateSubCategories(new IntPtr(&audCatGuid), true, out subCats, out nSubCats))
{
int causingError = GetLastError();
LsaFreeMemory(pAuditEventsInfo);
LsaClose(policyHandle);
throw new System.ComponentModel.Win32Exception(causingError);
}
// Dereference the first pointer-to-pointer to point to the first subcategory
// subCats = (IntPtr)Marshal.PtrToStructure(subCats, subCats.GetType());
if (nSubCats > 0)
{
IntPtr audPolicies = IntPtr.Zero;
if (!AuditQuerySystemPolicy(subCats, nSubCats, out audPolicies))
{
int causingError = GetLastError();
if (subCats != IntPtr.Zero)
AuditFree(subCats);
LsaFreeMemory(pAuditEventsInfo);
LsaClose(policyHandle);
throw new System.ComponentModel.Win32Exception(causingError);
}
AUDIT_POLICY_INFORMATION myAudPol = new AUDIT_POLICY_INFORMATION();
for (ulong audSubCat = 0; audSubCat < nSubCats; audSubCat++)
{
// Process audPolicies[audSubCat], turn GUIDs into names, fill retList.
// http://msdn.microsoft.com/en-us/library/aa373931%28VS.85%29.aspx
// http://msdn.microsoft.com/en-us/library/bb648638%28VS.85%29.aspx
IntPtr itemAddr = IntPtr.Zero;
IntPtr itemAddrAddr = new IntPtr(audPolicies.ToInt64() + (long)(audSubCat * (ulong)Marshal.SizeOf(itemAddr)));
itemAddr = (IntPtr)Marshal.PtrToStructure(itemAddrAddr, itemAddr.GetType());
myAudPol = (AUDIT_POLICY_INFORMATION)Marshal.PtrToStructure(itemAddr, myAudPol.GetType());
retList[myAudPol.AuditSubCategoryGuid.ToString()] = myAudPol.AuditingInformation;
}
if (audPolicies != IntPtr.Zero)
AuditFree(audPolicies);
}
if (subCats != IntPtr.Zero)
AuditFree(subCats);
subCats = IntPtr.Zero;
nSubCats = 0;
}
lretVal = LsaFreeMemory(pAuditEventsInfo);
retVal = LsaNtStatusToWinError(lretVal);
if (retVal != 0)
throw new System.ComponentModel.Win32Exception((int)retVal);
lretVal = LsaClose(policyHandle);
retVal = LsaNtStatusToWinError(lretVal);
if (retVal != 0)
throw new System.ComponentModel.Win32Exception((int)retVal);
First of all you post not full code, so I can not compile it. There are no code to open policyHandle
with LsaOpenPolicy
function. declaration of some structures like AUDIT_POLICY_INFORMATION
, LSA_OBJECT_ATTRIBUTES
and LSA_UNICODE_STRING
also absent.
Nevertheless I found at least one error in your code. Usage of the last parameter of AuditLookupCategoryGuidFromCategoryId
seems me wrong. The function AuditLookupCategoryGuidFromCategoryId
has prototype
BOOLEAN WINAPI AuditLookupCategoryGuidFromCategoryId(
__in POLICY_AUDIT_EVENT_TYPE AuditCategoryId,
__out GUID *pAuditCategoryGuid
);
which means, you have to allocate unmanaged memory to hold GUID
and get pointer to AuditLookupCategoryGuidFromCategoryId
. The memory will be filled by AuditLookupCategoryGuidFromCategoryId
. So instead of
GUID audCatGuid = new GUID();
if (!AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)audCat,
new IntPtr(&audCatGuid)))
// ...
if (!AuditEnumerateSubCategories(new IntPtr(&audCatGuid), true, out subCats,
out nSubCats))
// ...
seems me correct the following
IntPtr pAuditCatGuid = Marshal.AllocHGlobal (Marshal.SizeOf(GUID));
if (!AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)audCat,
pAuditCatGuid))
// ...
if (!AuditEnumerateSubCategories(pAuditCatGuid, true, out subCats,
out nSubCats))
// ...
这篇关于调用AuditQuerySystemPolicy()从C#的回报和QUOT(ADVAPI32.DLL);参数不正确"的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!