|
|
@@ -0,0 +1,93 @@
|
|
|
+using System;
|
|
|
+using System.Collections.Generic;
|
|
|
+using System.Diagnostics;
|
|
|
+using System.Linq;
|
|
|
+using System.Text;
|
|
|
+using System.Threading.Tasks;
|
|
|
+
|
|
|
+namespace DecryptPwd.utils
|
|
|
+{
|
|
|
+ class LoginEvent
|
|
|
+ {
|
|
|
+ /// <summary>
|
|
|
+ /// 查询登录事件,需要管理员权限,从注册表中查询。
|
|
|
+ /// </summary>
|
|
|
+ public static void EventLog_4624()
|
|
|
+ {
|
|
|
+ EventLog log = new EventLog("Security");
|
|
|
+ Console.WriteLine("\r\n========== SharpEventLog -> 4624 ==========\r\n");
|
|
|
+ var entries = log.Entries.Cast<EventLogEntry>().Where(x => x.InstanceId == 4624);
|
|
|
+ entries.Select(x => new
|
|
|
+ {
|
|
|
+ x.MachineName,
|
|
|
+ x.Site,
|
|
|
+ x.Source,
|
|
|
+ x.Message,
|
|
|
+ x.TimeGenerated
|
|
|
+ }).ToList();
|
|
|
+ foreach (EventLogEntry log1 in entries)
|
|
|
+ {
|
|
|
+ string text = log1.Message;
|
|
|
+ string ipaddress = MidStrEx(text, " 源网络地址: ", " 源端口:");
|
|
|
+ string username = MidStrEx(text, "新登录:", "进程信息:");
|
|
|
+ username = MidStrEx(username, " 帐户名: ", " 帐户域: ");
|
|
|
+ DateTime Time = log1.TimeGenerated;
|
|
|
+ if (ipaddress.Length >= 7)
|
|
|
+ {
|
|
|
+ Console.WriteLine("\r\n-----------------------------------");
|
|
|
+ Console.WriteLine("Time: " + Time);
|
|
|
+ Console.WriteLine("Status: True");
|
|
|
+ Console.WriteLine("Username: " + username.Replace("\n", "").Replace(" ", "").Replace("\t", "").Replace("\r", ""));
|
|
|
+ Console.WriteLine("Remote ip: " + ipaddress.Replace("\n", "").Replace(" ", "").Replace("\t", "").Replace("\r", ""));
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ public static void EventLog_4625()
|
|
|
+ {
|
|
|
+ EventLog log = new EventLog("Security");
|
|
|
+ Console.WriteLine("\r\n========== SharpEventLog -> 4625 ==========\r\n");
|
|
|
+ var entries = log.Entries.Cast<EventLogEntry>().Where(x => x.InstanceId == 4625);
|
|
|
+ entries.Select(x => new
|
|
|
+ {
|
|
|
+ x.MachineName,
|
|
|
+ x.Site,
|
|
|
+ x.Source,
|
|
|
+ x.Message,
|
|
|
+ x.TimeGenerated
|
|
|
+ }).ToList();
|
|
|
+ foreach (EventLogEntry log1 in entries)
|
|
|
+ {
|
|
|
+ string text = log1.Message;
|
|
|
+ string ipaddress = MidStrEx(text, " 源网络地址: ", " 源端口:");
|
|
|
+ string username = MidStrEx(text, "新登录:", "进程信息:");
|
|
|
+ username = MidStrEx(username, " 帐户名: ", " 帐户域: ");
|
|
|
+ DateTime Time = log1.TimeGenerated;
|
|
|
+ if (ipaddress.Length >= 7)
|
|
|
+ {
|
|
|
+ Console.WriteLine("\r\n-----------------------------------");
|
|
|
+ Console.WriteLine("Time: " + Time);
|
|
|
+ Console.WriteLine("Status: Flase");
|
|
|
+ Console.WriteLine("Username: " + username.Replace("\n", "").Replace(" ", "").Replace("\t", "").Replace("\r", ""));
|
|
|
+ Console.WriteLine("Remote ip: " + ipaddress.Replace("\n", "").Replace(" ", "").Replace("\t", "").Replace("\r", ""));
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ public static string MidStrEx(string sourse, string startstr, string endstr)
|
|
|
+ {
|
|
|
+ string result = string.Empty;
|
|
|
+ int startindex, endindex;
|
|
|
+ startindex = sourse.IndexOf(startstr);
|
|
|
+ if (startindex == -1)
|
|
|
+ return result;
|
|
|
+ string tmpstr = sourse.Substring(startindex + startstr.Length);
|
|
|
+ endindex = tmpstr.IndexOf(endstr);
|
|
|
+ if (endindex == -1)
|
|
|
+ return result;
|
|
|
+ result = tmpstr.Remove(endindex);
|
|
|
+
|
|
|
+ return result;
|
|
|
+ }
|
|
|
+ }
|
|
|
+}
|
