監査ポリシーと同様に、ユーザーのアクティビティを追跡する必要があります。可能であれば、自分のプログラムを使用して Windows ユーザーのアクティビティを追跡したいと考えています。前もって感謝します...私は次のコードを使用しています...
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;
using System.Configuration;
using System.IO;
using COMAdmin;
namespace ConsoleApplication3
{
class Program
{
static SensEvents SensEvents = new SensEvents();
static void Main(string[] args)
{
SensEvents.LogonEvent += OnSensLogonEvent;
Console.WriteLine("Waiting for events. Press [ENTER] to stop.");
Console.ReadLine();
}
static void OnSensLogonEvent(object sender, SensLogonEventArgs e)
{
String date = DateTime.Now.ToString("M/d/yyyy hh:mm:ss tt");
Console.WriteLine("Type:" + e.Type + ", UserName:" + e.UserName + ", SessionId:" + e.SessionId + ", Date :" + date);
}
}
public sealed class SensEvents
{
private static readonly Guid SENSGUID_EVENTCLASS_LOGON2 = new Guid("d5978650-5b9f-11d1-8dd2-00aa004abd5e");
private Sink _sink;
public event EventHandler<SensLogonEventArgs> LogonEvent;
public SensEvents()
{
_sink = new Sink(this);
COMAdminCatalogClass catalog = new COMAdminCatalogClass();
ICatalogCollection subscriptions = (ICatalogCollection)catalog.GetCollection("TransientSubscriptions");
ICatalogObject subscription = (ICatalogObject)subscriptions.Add();
subscription.set_Value("EventCLSID", SENSGUID_EVENTCLASS_LOGON2.ToString("B"));
subscription.set_Value("SubscriberInterface", _sink);
// NOTE: we don't specify a method name, so all methods may be called
subscriptions.SaveChanges();
}
private void OnLogonEvent(SensLogonEventType type, string bstrUserName, uint dwSessionId)
{
EventHandler<SensLogonEventArgs> handler = LogonEvent;
if (handler != null)
{
handler(this, new SensLogonEventArgs(type, bstrUserName, dwSessionId));
}
}
private class Sink : ISensLogon2
{
private SensEvents _events;
public Sink(SensEvents events)
{
_events = events;
}
public void Logon(string bstrUserName, uint dwSessionId)
{
_events.OnLogonEvent(SensLogonEventType.Logon, bstrUserName, dwSessionId);
}
public void Logoff(string bstrUserName, uint dwSessionId)
{
_events.OnLogonEvent(SensLogonEventType.Logoff, bstrUserName, dwSessionId);
}
public void SessionDisconnect(string bstrUserName, uint dwSessionId)
{
_events.OnLogonEvent(SensLogonEventType.SessionDisconnect, bstrUserName, dwSessionId);
}
public void SessionReconnect(string bstrUserName, uint dwSessionId)
{
_events.OnLogonEvent(SensLogonEventType.SessionReconnect, bstrUserName, dwSessionId);
}
public void PostShell(string bstrUserName, uint dwSessionId)
{
_events.OnLogonEvent(SensLogonEventType.PostShell, bstrUserName, dwSessionId);
}
}
[ComImport, Guid("D597BAB4-5B9F-11D1-8DD2-00AA004ABD5E")]
private interface ISensLogon2
{
void Logon([MarshalAs(UnmanagedType.BStr)] string bstrUserName, uint dwSessionId);
void Logoff([In, MarshalAs(UnmanagedType.BStr)] string bstrUserName, uint dwSessionId);
void SessionDisconnect([In, MarshalAs(UnmanagedType.BStr)] string bstrUserName, uint dwSessionId);
void SessionReconnect([In, MarshalAs(UnmanagedType.BStr)] string bstrUserName, uint dwSessionId);
void PostShell([In, MarshalAs(UnmanagedType.BStr)] string bstrUserName, uint dwSessionId);
}
}
public class SensLogonEventArgs : EventArgs
{
public SensLogonEventArgs(SensLogonEventType type, string userName, uint sessionId)
{
Type = type;
UserName = userName;
SessionId = sessionId;
}
private String userName;
public string UserName {
get { return userName; }
set { userName = value; }
}
private uint sessionId;
public uint SessionId {
get { return sessionId; }
set { sessionId = value; }
}
private SensLogonEventType type;
public SensLogonEventType Type {
get { return type; }
set { type = value; }
//get; private set;
}
}
public enum SensLogonEventType
{
Logon,
Logoff,
SessionDisconnect,
SessionReconnect,
PostShell
}
}