
I'm trying to find out whether I can subscribe directly to the file-related audit events recorded in the Windows Security event log channel by using a .NET Event Tracing for Windows (ETW) TraceEventSession (I have a C# server monitoring application that already subscribes to other ETW providers).

I am aware I can read the Security Eventlog in the traditional manner from C# using the EventLog class (and I have verified I can see the events I want using this method), but I'd like to do it all with a single ETW trace session if possible.

I am beginning to suspect that the audit events are synthesized by the eventLog service from information from other ETW providers as I've been unable to find them from any ETW providers directly.

Can anyone give me any pointers as to whether this is likely? Or maybe there's an ETW provider I haven't found yet; I have found very little official documentation of what to expect from each provider. This post, "Using 'Microsoft Windows Security Auditing' provider in real-time consumer with ETW (Event Tracing for Windows)", implies some success using 'Microsoft Windows Security Auditing', but I haven't been able to replicate this.

This is my setup:

  • on Win7 x64 I have set up file access failure auditing on a folder and see the events with ids 4656 and 4658 detailing the access failures on my test file in the Security event log.

I then tried these approaches to capture similar data via ETW, the ultimate goal being a C# app:

  • using PerfView to collect default events machine-wide and, based on the provider mentioned in the audit event data, also subscribed to 'Microsoft-Windows-Security-Auditing' with ':Security:Always' flags. I saw 'Windows Kernel/FileIO' events for my file but nothing audit related.

  • using a modified C# 'SimpleEventSourceMonitor' (from https://github.com/Microsoft/dotnetsamples/blob/master/Microsoft.Diagnostics.Tracing/TraceEvent/TraceEvent/10_SimpleEventSourceMonitor.cs) app to subscribe to 'Microsoft-Windows-Security-Auditing'. Nothing captured.

  • I read here (https://msdn.microsoft.com/en-us/library/windows/desktop/bb530716%28v=vs.85%29.aspx) that "SeSecurityPrivilege is Required to perform a number of security-related functions, such as controlling and viewing audit messages. This privilege identifies its holder as a security operator." So I used AdjustTokenPrivileges to grant my process that privilege, to no visible effect (though I could see from Process Explorer that my process now had the privilege).

  • experimenting with other likely providers, I tried 'Microsoft-Windows-Eventlog' in my app, again to no effect. Then I tried subscribing to all the providers that the 'eventLog' service was using (from the list generated by running 'logman query providers -pid '; this gives 55 providers on my Win 7 test machine!). I got lots of events but none that I could tell were audit events (I was looking for the type of audit data recorded in the event log event, such as 'ObjectType=File', 'ObjectName=' etc.).

Tomg

0 Answers
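As an added example (not the poster's code), the Event Log route the question mentions as working, done as a push subscription rather than polling: an EventLogWatcher on the Security channel filtered to 4656/4658 that pulls ObjectType/ObjectName out of the event XML and ties each 4658 back to its 4656 through the shared HandleId. It assumes the System.Diagnostics.Eventing.Reader assembly is referenced and that the process is allowed to read the Security log.

```csharp
using System;
using System.Collections.Concurrent;
using System.Diagnostics.Eventing.Reader;
using System.Linq;
using System.Xml.Linq;
// Added example (not the poster's code): Security-channel subscription through the Event Log
// API, correlating 4656 (handle requested) with 4658 (handle closed) by their shared HandleId.
class FileAuditWatcher
{
    // XPath filter evaluated by the Event Log service, so only these IDs reach this process.
    const string Query = "*[System[(EventID=4656 or EventID=4658)]]";
    const long AuditFailure = 0x0010000000000000L;   // standard "Audit Failure" keyword bit
    // HandleId -> ObjectName from successful 4656 events; 4658 does not repeat the object name.
    static readonly ConcurrentDictionary<string, string> OpenHandles = new ConcurrentDictionary<string, string>();

    static void Main()
    {
        var query = new EventLogQuery("Security", PathType.LogName, Query);
        using (var watcher = new EventLogWatcher(query))
        {
            watcher.EventRecordWritten += OnEvent;
            watcher.Enabled = true;   // needs read access to the Security log (admin or Event Log Readers)
            Console.ReadLine();       // run until Enter is pressed
        }
    }

    static void OnEvent(object sender, EventRecordWrittenEventArgs e)
    {
        if (e.EventRecord == null) return;   // null when the subscription itself failed (see e.EventException)
        using (EventRecord rec = e.EventRecord)
        {
            var xml = XElement.Parse(rec.ToXml());
            string handle = Field(xml, "HandleId"), opened;
            if (rec.Id == 4656)
            {
                bool failed = ((rec.Keywords ?? 0) & AuditFailure) != 0;
                string name = Field(xml, "ObjectName");
                if (!failed) OpenHandles[handle] = name;   // a denied request never gets a matching 4658
                Console.WriteLine($"4656 {(failed ? "FAIL" : "ok")} {Field(xml, "ObjectType")} {name} " +
                                  $"mask={Field(xml, "AccessMask")} by {Field(xml, "ProcessName")}");
            }
            else if (OpenHandles.TryRemove(handle, out opened))
            {
                Console.WriteLine($"4658 closed {opened}");
            }
        }
    }

    // Value of the named <Data Name="..."> element under EventData, or "" when absent.
    static string Field(XElement xml, string name) =>
        xml.Descendants().FirstOrDefault(d => d.Name.LocalName == "Data" && (string)d.Attribute("Name") == name)?.Value ?? "";
}
```

Because the filter runs inside the Event Log service, the process only wakes for the two audit IDs instead of scanning the whole Security log the way a polled EventLog read does.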