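def subscribe_and_yield_events(channel, query="*"):
    """Subscribe to *channel* and yield each new event as a ``LogEvent``.

    This is an endless generator: it never returns on its own. Every event
    delivered by the subscription is rendered to XML, wrapped in
    ``LogEvent`` and yielded when ``is_valid()`` holds; events that fail to
    parse are reported on stdout and dropped.

    Args:
        channel: Name of the event log channel to subscribe to.
        query: Event filter passed to ``EvtSubscribe``; ``"*"`` selects
            every event on the channel.

    Yields:
        ``LogEvent`` objects, one per valid future event.

    The subscription handle and the signalling event are released when the
    consumer closes the generator (``GeneratorExit``) or an exception
    escapes the loop; previously both leaked for the life of the process.
    """
    # Auto-reset event that the subscription signals when events are queued.
    signal = win32event.CreateEvent(None, 0, 0, None)
    subscription = win32evtlog.EvtSubscribe(
        channel,
        win32evtlog.EvtSubscribeToFutureEvents,
        SignalEvent=signal,
        Query=query,
    )
    try:
        while True:
            # Drain everything currently queued before waiting again.
            while True:
                events = win32evtlog.EvtNext(subscription, 10)
                if not events:
                    break
                for event in events:
                    raw_xml = win32evtlog.EvtRender(
                        event, win32evtlog.EvtRenderEventXml)
                    parsed = LogEvent(raw_xml, source_os=detect_current_os())
                    if parsed.is_valid():
                        yield parsed
                    else:
                        print("[ERROR] Parsing error")
            # Alertable wait with a 200 ms timeout; only a signalled event
            # (WAIT_OBJECT_0) restarts the drain loop, timeouts just re-wait.
            while True:
                waited = win32event.WaitForSingleObjectEx(signal, 200, True)
                if waited == win32con.WAIT_OBJECT_0:
                    break
    finally:
        subscription.Close()
        signal.Close()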
def render_event(self, event, context):
    """Render *event* into a values array selected by the render *context*.

    Thin wrapper around ``win32evtlog.EvtRender`` using the
    ``EvtRenderEventValues`` flag, so the return value is pywin32's rendered
    values for the properties *context* was created with (used elsewhere as
    ``vals[prop][0]`` for the value and ``vals[prop][1]`` for its variant
    type).

    References:
      https://docs.microsoft.com/en-us/windows/win32/wes/rendering-events
      https://docs.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtrender
      https://docs.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_render_flags
      http://timgolden.me.uk/pywin32-docs/win32evtlog__EvtRender_meth.html
    """
    render_flags = win32evtlog.EvtRenderEventValues
    return win32evtlog.EvtRender(event, render_flags, Context=context)
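def listen(self, honeypot_configuration):
    """Subscribe to ``self.log_type`` and alert on events that match a honeypot.

    Blocks forever. The subscription starts at the oldest record, so every
    historical event on the channel is replayed before live events arrive.
    Each event is rendered to XML, parsed with ``xmltodict``, its EventID
    extracted and handed to ``__identify_honeypot``; a non-None result is
    passed on to ``__alert``.

    Args:
        honeypot_configuration: Passed through unchanged to
            ``__identify_honeypot``.

    The subscription and signal handles are released if the loop is ever
    left by an exception; previously they leaked.
    """
    def extract_event_id(event_dict):
        # xmltodict yields a plain string for <EventID>N</EventID> but a dict
        # carrying '#text' when the element has attributes (e.g. Qualifiers).
        node = event_dict['Event']['System']['EventID']
        return node if isinstance(node, str) else node['#text']

    # Auto-reset event signalled by the subscription when events are queued.
    signal = win32event.CreateEvent(None, 0, 0, None)
    subscription = win32evtlog.EvtSubscribe(
        self.log_type,
        win32evtlog.EvtSubscribeStartAtOldestRecord,
        SignalEvent=signal,
        Query=self.query_text)
    try:
        while True:
            # Drain everything currently queued, ten events per call.
            while True:
                events = win32evtlog.EvtNext(subscription, 10)
                if not events:
                    break
                for event in events:
                    event_format_xml = win32evtlog.EvtRender(
                        event, win32evtlog.EvtRenderEventXml)
                    event_format_dict = xmltodict.parse(event_format_xml)
                    event_id = extract_event_id(event_format_dict)
                    honeypot = self.__identify_honeypot(
                        event_id, event_format_xml, honeypot_configuration)
                    if honeypot is not None:
                        self.__alert(event_format_dict, event_id, honeypot)
            # Alertable 10 s wait; only a signalled event restarts draining,
            # a timeout just prints a heartbeat and waits again.
            while True:
                print("Waiting " + self.log_type)
                waited = win32event.WaitForSingleObjectEx(signal, 10000, True)
                if waited == win32con.WAIT_OBJECT_0:
                    break
    finally:
        subscription.Close()
        signal.Close()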
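def run_task_with_data(reason, context, event):
    r'''EvtSubscribe callback: render the delivered event to XML and run the task.

    Only ``EvtSubscribeActionDeliver`` notifications carry an event handle in
    *event*; for the error action the API reports an error code instead, so
    the callback returns early rather than trying to render it.

    Args:
        reason: ``EvtSubscribeAction*`` value describing the notification.
        context: Subscriber context; unused here.
        event: Event handle (deliver action only).

    The rendered XML is passed to the module-level ``s.run_task`` wrapped in
    ``DataEvent`` (``task`` and ``CALLER_EVENT`` are also module-level). It
    looks like:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
        <EventID Qualifiers="0">10010</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8080000000000000</Keywords>
        <TimeCreated SystemTime="2021-02-10T12:24:20.581005200Z" />
        <EventRecordID>729301</EventRecordID>
        <Correlation />
        <Execution ProcessID="952" ThreadID="41804" />
        <Channel>System</Channel>
        <Computer>DB</Computer>
        <Security UserID="S-1-5-20" />
      </System>
      <EventData>
        <Data Name="param1">{AAC1009F-AB33-48F9-9A21-7F5B88426A2E}</Data>
      </EventData>
    </Event>
    '''
    if reason != win32evtlog.EvtSubscribeActionDeliver:
        return
    xml_str = win32evtlog.EvtRender(event, win32evtlog.EvtRenderEventXml)
    s.run_task(task=task, caller=CALLER_EVENT, data=DataEvent(xml_str))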
def update_checkpoints( self ):
    """Refresh ``self._checkpoints`` from the in-memory bookmark handles.

    Marks the checkpoint format as ``'new'`` and stores every channel's
    bookmark, rendered to XML with ``EvtRenderBookmark``, under
    ``_checkpoints['bookmarks'][channel]``. The bookmark map is read while
    ``__bookmark_lock`` is held; the lock is always released, even if
    rendering raises.
    """
    self._checkpoints['api'] = 'new'
    lock = self.__bookmark_lock
    lock.acquire()
    try:
        for name, handle in self.__bookmarks.iteritems():
            rendered = win32evtlog.EvtRender( handle, win32evtlog.EvtRenderBookmark )
            self._checkpoints['bookmarks'][name] = rendered
    finally:
        lock.release()
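def c(reason, context, evt):
    """EvtSubscribe callback that collects delivered events as XML strings.

    Prints the action name for diagnostics and, for a deliver action, appends
    the event rendered with ``EvtRenderEventXml`` to *context* (the list
    handed to ``EvtSubscribe``). For ``EvtSubscribeActionError`` the API
    reports an error code in *evt* rather than an event handle, so nothing
    is rendered on that path (the old code rendered unconditionally and
    would have failed there).

    Returns:
        0 on every path.
    """
    if reason == win32evtlog.EvtSubscribeActionDeliver:
        print('EvtSubscribeActionDeliver')
        context.append(win32evtlog.EvtRender(evt, win32evtlog.EvtRenderEventXml))
    elif reason == win32evtlog.EvtSubscribeActionError:
        print('EvtSubscribeActionError')
    else:
        print(('??? Unknown action ???', reason))
    return 0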
def __log_callback(self, reason, context, evt):
    """EvtSubscribe callback: parse a delivered event and fan it out.

    *context* selects a parser from ``self.__event_parsers``; the parser gets
    the event's XML and returns ``(event, data)``. When ``event`` is truthy
    every callable registered in ``self.__callbacks[event]`` is invoked with
    ``**data``. Non-deliver actions and unknown contexts are ignored.

    Returns:
        0 always.
    """
    if reason != win32evtlog.EvtSubscribeActionDeliver:
        return 0
    parser = self.__event_parsers.get(context)
    if not parser:
        return 0
    event_xml = win32evtlog.EvtRender(evt, win32evtlog.EvtRenderEventXml)
    event, data = parser(event_xml)
    if not event:
        return 0
    for callback in self.__callbacks[event]:
        callback(**data)
    return 0
def update_checkpoints(self):
    """Refresh ``self._checkpoints`` from the in-memory bookmark handles.

    Marks the checkpoint format as ``"new"`` and stores every channel's
    bookmark, rendered to XML with ``EvtRenderBookmark``, under
    ``_checkpoints["bookmarks"][channel]``. The bookmark map is read while
    ``__bookmark_lock`` is held; the lock is always released, even if
    rendering raises.
    """
    self._checkpoints["api"] = "new"
    lock = self.__bookmark_lock
    lock.acquire()
    try:
        for name, handle in six.iteritems(self.__bookmarks):
            rendered = win32evtlog.EvtRender(
                handle, win32evtlog.EvtRenderBookmark)
            self._checkpoints["bookmarks"][name] = rendered
    finally:
        lock.release()
def update_bookmark(self, event):
    """Advance the bookmark to *event* and persist it.

    Updates ``self._bookmark_handle`` in place, renders it to bookmark XML
    and writes that XML under the ``'bookmark'`` key with
    ``write_persistent_cache`` (presumably so the read position survives a
    restart).

    References:
      https://docs.microsoft.com/en-us/windows/win32/wes/bookmarking-events
      https://docs.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtupdatebookmark
      http://timgolden.me.uk/pywin32-docs/win32evtlog__EvtUpdateBookmark_meth.html
      https://docs.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtrender
      http://timgolden.me.uk/pywin32-docs/win32evtlog__EvtRender_meth.html
    """
    handle = self._bookmark_handle
    win32evtlog.EvtUpdateBookmark(handle, event)
    rendered = win32evtlog.EvtRender(handle, win32evtlog.EvtRenderBookmark)
    self.write_persistent_cache('bookmark', rendered)
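def load_log_data(log_file, batch_size=100):
    """Return every record of the event log file *log_file* as XML strings.

    Opens the file with ``EvtQueryFilePath``, renders each record with
    ``EvtRenderEventXml`` and releases the query handle when done, also when
    ``EvtNext``/``EvtRender`` raises (the old code leaked the handle and
    fetched one record per call).

    Args:
        log_file: Path to an exported event log (.evtx) file.
        batch_size: Records requested per ``EvtNext`` call; defaults to 100.

    Returns:
        list[str]: rendered XML in file order; empty for an empty log.
    """
    query_handle = win32evtlog.EvtQuery(log_file, win32evtlog.EvtQueryFilePath)
    xml_list = []
    try:
        while True:
            # EvtNext returns an empty sequence once the file is exhausted.
            events = win32evtlog.EvtNext(query_handle, batch_size)
            if not events:
                break
            xml_list.extend(
                win32evtlog.EvtRender(event, win32evtlog.EvtRenderEventXml)
                for event in events)
    finally:
        query_handle.Close()
    return xml_list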
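def GetFormattedEventAsDict( self, render_context, event ):
    """Render *event* through *render_context* into a dict of formatted fields.

    ``vals`` is the ``EvtRenderEventValues`` array: for each ``EvtSystem*``
    property, ``vals[prop][0]`` is the value and ``vals[prop][1]`` its
    variant type. Message, Level, Opcode, Keywords, Channel and Task are
    resolved to display strings through the provider's publisher metadata
    via ``_FormattedMessage``; the remaining system properties are copied
    as-is by ``_AddValueIfNotNullType``. Level/Opcode/Keywords/Channel are
    only emitted when their variant type is not ``EvtVarTypeNull``.

    Publisher metadata lookup is best-effort: if it fails (e.g. no metadata
    registered for the provider) ``metadata`` stays ``None`` and is passed
    through to ``_FormattedMessage``.

    NOTE(review): the event id and qualifiers (``vals[EvtSystemEventID]``,
    ``vals[EvtSystemQualifiers]``) were read but never placed in the result;
    the unused reads are dropped here and the result keys are unchanged.

    Returns:
        dict mapping field name to formatted value.
    """
    vals = win32evtlog.EvtRender( event, win32evtlog.EvtRenderEventValues, Context=render_context )
    result = {}
    metadata = None
    try:
        metadata = win32evtlog.EvtOpenPublisherMetadata( vals[win32evtlog.EvtSystemProviderName][0] )
    except Exception:
        # Best-effort; narrowed from a bare 'except:' so KeyboardInterrupt
        # and SystemExit are no longer swallowed here.
        pass
    result['Message'] = self._FormattedMessage( metadata, event, win32evtlog.EvtFormatMessageEvent, '' )
    # (result key, rendered property, EvtFormatMessage flag) for the fields
    # whose raw value is resolved through the provider's message tables.
    formatted_fields = (
        ( 'Level', win32evtlog.EvtSystemLevel, win32evtlog.EvtFormatMessageLevel ),
        ( 'Opcode', win32evtlog.EvtSystemOpcode, win32evtlog.EvtFormatMessageOpcode ),
        ( 'Keywords', win32evtlog.EvtSystemKeywords, win32evtlog.EvtFormatMessageKeyword ),
        ( 'Channel', win32evtlog.EvtSystemChannel, win32evtlog.EvtFormatMessageChannel ),
    )
    for key, prop, flag in formatted_fields:
        entry = vals[prop]
        if entry[1] != win32evtlog.EvtVarTypeNull:
            result[key] = self._FormattedMessage( metadata, event, flag, entry[0] )
    result['Task'] = self._FormattedMessage( metadata, event, win32evtlog.EvtFormatMessageTask, "" )
    # System properties copied verbatim when present.
    raw_fields = (
        ( 'ProviderName', win32evtlog.EvtSystemProviderName ),
        ( 'ProviderGuid', win32evtlog.EvtSystemProviderGuid ),
        ( 'TimeCreated', win32evtlog.EvtSystemTimeCreated ),
        ( 'RecordId', win32evtlog.EvtSystemEventRecordId ),
        ( 'ActivityId', win32evtlog.EvtSystemActivityID ),
        ( 'RelatedActivityId', win32evtlog.EvtSystemRelatedActivityID ),
        ( 'ProcessId', win32evtlog.EvtSystemProcessID ),
        ( 'ThreadId', win32evtlog.EvtSystemThreadID ),
        ( 'Computer', win32evtlog.EvtSystemComputer ),
        ( 'UserId', win32evtlog.EvtSystemUserID ),
        ( 'Version', win32evtlog.EvtSystemVersion ),
    )
    for key, prop in raw_fields:
        self._AddValueIfNotNullType( result, key, vals[prop] )
    return result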
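def get_events_xmls(channel_name="Microsoft-Windows-PrintService/Operational", events_batch_num=100, backwards=True):
    """Return the events of a channel as a list of XML strings.

    Args:
        channel_name: Channel path to query.
        events_batch_num: Events requested per ``EvtNext`` call.
        backwards: Newest-first when True (``EvtQueryReverseDirection``),
            oldest-first otherwise.

    Returns:
        list[str]: one ``EvtRenderEventXml`` string per event. If the query
        cannot be opened the ``pywintypes.error`` is printed and an empty
        list returned, as before (typically a channel that does not exist
        or that the caller may not read).

    The query handle is released once iteration finishes or fails; the old
    code left it open. ``INFINITE`` is expected to come from win32event.
    """
    ret = list()
    flags = win32evtlog.EvtQueryChannelPath
    if backwards:
        flags |= win32evtlog.EvtQueryReverseDirection
    try:
        query_results = win32evtlog.EvtQuery(channel_name, flags, None, None)
    except pywintypes.error as e:
        print(e)
        return ret
    try:
        while True:
            events = win32evtlog.EvtNext(query_results, events_batch_num, INFINITE, 0)
            if not events:
                break
            ret.extend(
                win32evtlog.EvtRender(event, win32evtlog.EvtRenderEventXml)
                for event in events)
    finally:
        query_results.Close()
    return ret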
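def GetFormattedEventAsDict(self, render_context, event):
    """Render *event* through *render_context* into a dict of formatted fields.

    ``vals`` is the ``EvtRenderEventValues`` array: for each ``EvtSystem*``
    property, ``vals[prop][0]`` is the value and ``vals[prop][1]`` its
    variant type. The result carries:

    * ``EventID`` — the event id, combined with the system qualifiers via
      ``MAKELONG`` when qualifiers are present (see comment below); omitted
      when the id itself is null.
    * ``Message``, ``Task`` — always; ``Level``, ``Opcode``, ``Keywords``,
      ``Channel`` — when not ``EvtVarTypeNull``; all resolved through the
      provider's publisher metadata via ``_FormattedMessage``.
    * The remaining system properties, copied as-is by
      ``_AddValueIfNotNullType``.

    Publisher metadata lookup is best-effort: if it fails ``metadata`` stays
    ``None`` and is passed through to ``_FormattedMessage``.

    Returns:
        dict mapping field name to formatted value.
    """
    vals = win32evtlog.EvtRender(event, win32evtlog.EvtRenderEventValues,
                                 Context=render_context)
    result = {}
    # In the new event log api, EventIds were replaced by an InstanceId.
    # The InstanceID is made by combining the old EventId with any
    # SystemQualifiers associated with the event, to create a new 32bit value
    # with the EventId in the lower 16bits and the SystemQualifiers
    # in the high 16bits.
    event_id_val = vals[win32evtlog.EvtSystemEventID]
    if event_id_val[1] != win32evtlog.EvtVarTypeNull:
        # by default use the event id value as the event id
        event_id = event_id_val[0]
        qualifiers_val = vals[win32evtlog.EvtSystemQualifiers]
        if qualifiers_val[1] != win32evtlog.EvtVarTypeNull:
            # combine the event id with the qualifiers to make the full id
            event_id = win32api.MAKELONG(event_id, qualifiers_val[0])
        result['EventID'] = event_id
    metadata = None
    try:
        metadata = win32evtlog.EvtOpenPublisherMetadata(
            vals[win32evtlog.EvtSystemProviderName][0])
    except Exception:
        # Best-effort; narrowed from a bare 'except:' so KeyboardInterrupt
        # and SystemExit are no longer swallowed here.
        pass
    result['Message'] = self._FormattedMessage(
        metadata, event, win32evtlog.EvtFormatMessageEvent, '')
    # (result key, rendered property, EvtFormatMessage flag) for the fields
    # whose raw value is resolved through the provider's message tables.
    formatted_fields = (
        ('Level', win32evtlog.EvtSystemLevel, win32evtlog.EvtFormatMessageLevel),
        ('Opcode', win32evtlog.EvtSystemOpcode, win32evtlog.EvtFormatMessageOpcode),
        ('Keywords', win32evtlog.EvtSystemKeywords, win32evtlog.EvtFormatMessageKeyword),
        ('Channel', win32evtlog.EvtSystemChannel, win32evtlog.EvtFormatMessageChannel),
    )
    for key, prop, flag in formatted_fields:
        entry = vals[prop]
        if entry[1] != win32evtlog.EvtVarTypeNull:
            result[key] = self._FormattedMessage(metadata, event, flag, entry[0])
    result['Task'] = self._FormattedMessage(
        metadata, event, win32evtlog.EvtFormatMessageTask, "")
    # System properties copied verbatim when present.
    raw_fields = (
        ('ProviderName', win32evtlog.EvtSystemProviderName),
        ('ProviderGuid', win32evtlog.EvtSystemProviderGuid),
        ('TimeCreated', win32evtlog.EvtSystemTimeCreated),
        ('RecordId', win32evtlog.EvtSystemEventRecordId),
        ('ActivityId', win32evtlog.EvtSystemActivityID),
        ('RelatedActivityId', win32evtlog.EvtSystemRelatedActivityID),
        ('ProcessId', win32evtlog.EvtSystemProcessID),
        ('ThreadId', win32evtlog.EvtSystemThreadID),
        ('Computer', win32evtlog.EvtSystemComputer),
        ('UserId', win32evtlog.EvtSystemUserID),
        ('Version', win32evtlog.EvtSystemVersion),
    )
    for key, prop in raw_fields:
        self._AddValueIfNotNullType(result, key, vals[prop])
    return result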
def print_event(event):
    """Print *event* rendered as its XML representation."""
    rendered_xml = win32evtlog.EvtRender(event, win32evtlog.EvtRenderEventXml)
    print(rendered_xml)
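def main():
    """Print a short summary of the first events of a channel.

    Usage: ``script [CHANNEL [COUNT]]``; CHANNEL defaults to ``'System'``
    and COUNT to 5. For each event the level, creation time, computer and
    provider are printed when present, followed by the formatted message
    when the provider's publisher metadata is available and contains it.

    A message whose characters the console encoding cannot represent is
    printed as ``repr`` instead of aborting the whole listing (previously
    the ``UnicodeEncodeError`` propagated).
    """
    path = 'System'
    num_events = 5
    if len(sys.argv) > 2:
        path = sys.argv[1]
        num_events = int(sys.argv[2])
    elif len(sys.argv) > 1:
        path = sys.argv[1]
    query = win32evtlog.EvtQuery(path, win32evtlog.EvtQueryForwardDirection)
    events = win32evtlog.EvtNext(query, num_events)
    context = win32evtlog.EvtCreateRenderContext(
        win32evtlog.EvtRenderContextSystem)
    null_type = win32evtlog.EvtVarTypeNull
    # EvtSystemLevel values as printed; anything else is reported UNKNOWN.
    level_lines = {
        1: ' Level: CRITICAL',
        2: ' Level: ERROR',
        3: ' Level: WARNING',
        4: ' Level: INFO',
        5: ' Level: VERBOSE',
    }
    for i, event in enumerate(events, 1):
        result = win32evtlog.EvtRender(event, win32evtlog.EvtRenderEventValues,
                                       Context=context)
        print('Event {}'.format(i))
        level_value, level_variant = result[win32evtlog.EvtSystemLevel]
        if level_variant != null_type:
            print(level_lines.get(level_value, ' Level: UNKNOWN'))
        time_created_value, time_created_variant = result[
            win32evtlog.EvtSystemTimeCreated]
        if time_created_variant != null_type:
            print(' Timestamp: {}'.format(time_created_value.isoformat()))
        computer_value, computer_variant = result[
            win32evtlog.EvtSystemComputer]
        if computer_variant != null_type:
            print(' FQDN: {}'.format(computer_value))
        provider_name_value, provider_name_variant = result[
            win32evtlog.EvtSystemProviderName]
        if provider_name_variant == null_type:
            continue
        print(' Provider: {}'.format(provider_name_value))
        try:
            metadata = win32evtlog.EvtOpenPublisherMetadata(
                provider_name_value)
        except Exception:
            # pywintypes.error: (2, 'EvtOpenPublisherMetadata', 'The system cannot find the file specified.')
            continue
        try:
            message = win32evtlog.EvtFormatMessage(
                metadata, event, win32evtlog.EvtFormatMessageEvent)
        except Exception:
            # pywintypes.error: (15027, 'EvtFormatMessage: allocated 0, need buffer of size 0', 'The message resource is present but the message was not found in the message table.')
            continue
        try:
            print(' Message: {}'.format(message))
        except UnicodeEncodeError:
            # The console encoding may not cover every character in the
            # message (seen when run under subprocess.Popen()); show the
            # escaped form rather than failing the listing.
            print(' Failed to decode:', repr(message))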
def render_event_xml(event):  # no cov
    """Return *event* rendered as XML.

    Helper used only for debugging purposes; excluded from coverage.
    """
    xml_flag = win32evtlog.EvtRenderEventXml
    return win32evtlog.EvtRender(event, xml_flag)
def event_main_filter(event):
    '''Inspect one Sysmon event for signs of a possible UAC bypass.

    Renders *event* to XML, flattens its EventData into a dict, then applies
    per-EventID checks (1, 6, 7, 8, 11, 13). Findings are printed and sent
    through ``notification()``; some events are also recorded in the
    module-level ``events_by_id`` / ``*_history`` tables. ``reg_hijack_dict``
    maps a hijackable executable name to the registry path used to hijack it.
    '''
    record = win32evtlog.EvtRender(event, win32evtlog.EvtRenderEventXml)
    record_dict = xmltodict.parse(record)
    # Convert TimeCreated to the local time zone.
    evt_local_time = utc_to_local(
        record_dict['Event']['System']['TimeCreated']['@SystemTime'])
    record_dict['Event']['System']['TimeCreated'][
        '@SystemTime'] = evt_local_time
    # Flatten the <Data Name="x">value</Data> entries into {name: value}.
    temp_data = {}
    for data in record_dict['Event']['EventData']['Data']:
        if '#text' in data:
            temp_data[data['@Name']] = data['#text']
        elif data == None or data == 'None':
            # NOTE(review): a None entry discards everything collected so
            # far, not only this entry — confirm that is intended.
            temp_data = {}
        else:
            temp_data[data['@Name']] = None
    record_dict['Event']['EventData'] = temp_data
    evt_id = int(record_dict['Event']['System']['EventID'])
    # SYSMON EVENT ID 1 : PROCESS CREATED [ProcessCreate]
    if evt_id == 1:
        image = str(record_dict['Event']['EventData']['Image'])
        parent_image = str(record_dict['Event']['EventData']['ParentImage'])
        # Track executables spawned by the service control manager and the
        # parents of cmd.exe for the outlier checks kept in these tables.
        if parent_image == "C:\\Windows\\System32\\services.exe":
            service_outlier_executables_history[image] = 0
        if 'cmd.exe' in image:
            outlier_parents_of_cmd_history[parent_image] = 0
        if 'ParentCommandLine' in record_dict['Event']['EventData']:
            # COM-ICMLuaUtils-bypassUAC: the parent is a DllHost.exe surrogate
            # hosting the ICMLuaUtils CLSID, e.g.
            # 'C:\\WINDOWS\\system32\\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
            if '{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' in \
                    record_dict['Event']['EventData']['ParentCommandLine'].upper():
                print('COM-ICMLuaUtils-bypassUAC')
                print(record_dict['Event']['EventData']['ParentCommandLine'])
                notification('COM-ICMLuaUtils-bypassUAC Detected!')
        # Was one of the hijackable auto-elevating executables started from a
        # system directory? If so, check the registry path it would be
        # hijacked through for a symlink.
        for ex in reg_hijack_dict:
            if (image.lower().startswith(r'C:\Windows\WinSxS'.lower())
                    or image.lower().startswith(r'C:\Windows\System32'.lower())
                    ) and ex.lower() in image.lower():
                # check reg symlink
                sym_path = reg_symhij_check(reg_hijack_dict[ex])
                if sym_path != None:
                    print('Possible registry UAC Hijack with symlink!')
                    print(f'Path:{sym_path}')
                    notification('Possible registry UAC Hijack with symlink!',
                                 f'Path:{sym_path}')
    # SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL [DriverLoad]
    if evt_id == 6:
        # Only drivers whose signature is not Microsoft's are recorded.
        if record_dict['Event']['EventData'][
                'Signature'] != 'Microsoft Windows':
            events_by_id[evt_id].append({
                'ImageLoaded': record_dict['Event']['EventData']['ImageLoaded'],
                'Signature': record_dict['Event']['EventData']['Signature']
            })
    # SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS [ImageLoad]
    if evt_id == 7:
        # Only images whose signature is not Microsoft's are recorded.
        if record_dict['Event']['EventData'][
                'Signature'] != 'Microsoft Windows':
            events_by_id[evt_id].append({
                'Image': record_dict['Event']['EventData']['Image'],
                'ImageLoaded': record_dict['Event']['EventData']['ImageLoaded']
            })
            # DotLocal DLL redirection: a DLL loaded from an '<app>.exe.local\'
            # directory is treated as a hijacked load.
            current = events_by_id[evt_id][-1]
            if '.exe.local\\' in current['ImageLoaded'].lower():
                print("dotLocal DLL hijack detected")
                print(events_by_id[evt_id][-1])
                notification(
                    "dotLocal DLL hijack detected",
                    'Image: {}\nLib: {}'.format(current['Image'],
                                               current['ImageLoaded']))
    # SYSMON EVENT ID 8 : REMOTE THREAD CREATED [CreateRemoteThread]
    if evt_id == 8:
        # Remote thread injection: every such event is recorded and reported.
        events_by_id[evt_id].append({
            'SourceProcessId': record_dict['Event']['EventData']['SourceProcessId'],
            'SourceImage': record_dict['Event']['EventData']['SourceImage'],
            'TargetProcessId': record_dict['Event']['EventData']['TargetProcessId'],
            'TargetImage': record_dict['Event']['EventData']['TargetImage'],
            'StartAddress': record_dict['Event']['EventData']['StartAddress'],
            'StartModule': record_dict['Event']['EventData']['StartModule'],
            'StartFunction': record_dict['Event']['EventData']['StartFunction']
        })
        print("RemoteThreadCreate detected")
        print(events_by_id[evt_id][-1])
        notification(
            "RemoteThreadCreate detected",
            'Source: {}\nTarget: {}'.format(
                events_by_id[evt_id][-1]['SourceImage'],
                events_by_id[evt_id][-1]['TargetImage']))
    # SYSMON EVENT ID 11 : FILE CREATED [FileCreate]
    if evt_id == 11:
        events_by_id[evt_id].append({
            'ProcessId': record_dict['Event']['EventData']['ProcessId'],
            'Image': record_dict['Event']['EventData']['Image'],
            'TargetFilename': record_dict['Event']['EventData']['TargetFilename']
        })
        current = events_by_id[evt_id][-1]
        # DotLocal DLL hijack staging: a file created inside a
        # '*.exe.local\' directory.
        if '.exe.local\\' in current['TargetFilename'].lower():
            print("dotLocal DLL hijack file create!")
            print(events_by_id[evt_id][-1])
            notification(
                "dotLocal DLL hijack file create!",
                'Image: {}\nFile: {}'.format(current['Image'],
                                            current['TargetFilename']))
    # SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION [RegistryEvent]
    # Only 13 (value set) is examined here.
    if evt_id == 13:
        events_by_id[evt_id].append({
            'Image': record_dict['Event']['EventData']['Image'],
            'TargetObject': record_dict['Event']['EventData']['TargetObject']
        })
        current = events_by_id[evt_id][-1]
        # A value whose Details contain PowerShell-style assembly loading
        # together with registry access is reported as a fileless,
        # living-off-the-land payload.
        if '[Reflection.Assembly]::Load' in record_dict['Event']['EventData']['Details'] and \
                "[Microsoft.Win32.Registry]" in record_dict['Event']['EventData']['Details']:
            print("Fileless Attack - Living off the land.")
            print(current)
            notification("Fileless Attack!")
        if not record_dict['Event']['EventData']['TargetObject'].startswith(
                'HKLM'):
            # possibly HKCU
            target_path = record_dict['Event']['EventData']['TargetObject']
            # Last path component, lower-cased, is the value name.
            target = target_path[target_path.rfind('\\') + 1:].lower()
            # A changed 'windir' value: used by UAC bypasses that hijack %windir%.
            if target == 'windir':
                print("Possible UACBypass: windir hijack!")
                print(current)
                notification("Possible UACBypass: windir hijack!")
            # A changed COR_ENABLE_PROFILING / COR_PROFILER value: used by UAC
            # bypasses that abuse the .NET (C#) profiler hook.
            elif target.upper() == 'COR_ENABLE_PROFILING' or target.upper(
            ) == 'COR_PROFILER':
                print("Possible UACBypass: C# profile!")
                print(current)
                notification("Possible UACBypass: C# profile!")
            value = record_dict['Event']['EventData']['Details']
            # For every registry path that can be used for a hijack, check
            # whether the value just written lives under it.
            for path in reg_hijack_dict.values():
                if path in target_path:
                    print('Possible registry UAC Hijack!')
                    print(f'Path:{target_path}\nValue:{value}')
                    notification('Possible registry UAC Hijack!',
                                 f'Path:{target_path}\nValue:{value}')
def main():
    """Print a short summary of the first events of a channel.

    Usage: ``script [CHANNEL [COUNT]]``; CHANNEL defaults to ``"System"``
    and COUNT to 5. For each event the level, creation time, computer and
    provider are printed when present, followed by the formatted message
    when the provider's publisher metadata is available and contains it.
    A message the console encoding cannot represent is printed as ``repr``.
    """
    channel = "System"
    count = 5
    argv = sys.argv
    if len(argv) > 2:
        channel = argv[1]
        count = int(argv[2])
    elif len(argv) > 1:
        channel = argv[1]
    query = win32evtlog.EvtQuery(channel, win32evtlog.EvtQueryForwardDirection)
    events = win32evtlog.EvtNext(query, count)
    context = win32evtlog.EvtCreateRenderContext(
        win32evtlog.EvtRenderContextSystem)
    null_type = win32evtlog.EvtVarTypeNull
    # EvtSystemLevel value -> printed line; anything else is UNKNOWN.
    level_lines = {
        1: " Level: CRITICAL",
        2: " Level: ERROR",
        3: " Level: WARNING",
        4: " Level: INFO",
        5: " Level: VERBOSE",
    }
    for index, event in enumerate(events, 1):
        values = win32evtlog.EvtRender(event, win32evtlog.EvtRenderEventValues,
                                       Context=context)
        print("Event {}".format(index))
        level, level_type = values[win32evtlog.EvtSystemLevel]
        if level_type != null_type:
            print(level_lines.get(level, " Level: UNKNOWN"))
        created, created_type = values[win32evtlog.EvtSystemTimeCreated]
        if created_type != null_type:
            print(" Timestamp: {}".format(created.isoformat()))
        computer, computer_type = values[win32evtlog.EvtSystemComputer]
        if computer_type != null_type:
            print(" FQDN: {}".format(computer))
        provider, provider_type = values[win32evtlog.EvtSystemProviderName]
        if provider_type == null_type:
            continue
        print(" Provider: {}".format(provider))
        try:
            metadata = win32evtlog.EvtOpenPublisherMetadata(provider)
        except Exception:
            # pywintypes.error: (2, 'EvtOpenPublisherMetadata', 'The system cannot find the file specified.')
            continue
        try:
            message = win32evtlog.EvtFormatMessage(
                metadata, event, win32evtlog.EvtFormatMessageEvent)
        except Exception:
            # pywintypes.error: (15027, 'EvtFormatMessage: allocated 0, need buffer of size 0', 'The message resource is present but the message was not found in the message table.')
            continue
        try:
            print(" Message: {}".format(message))
        except UnicodeEncodeError:
            # Obscure error when run under subprocess.Popen(), presumably due to
            # not knowing the correct encoding for the console.
            # > UnicodeEncodeError: 'charmap' codec can't encode character '\u200e' in position 57: character maps to <undefined>
            # Can't reproduce when running manually, so it seems more a
            # subprocess.Popen() problem than ours.
            print(" Failed to decode:", repr(message))
def eventTriggered(evt1, evt2, evt3):
    """EvtSubscribe callback: dump the notification and wake the waiter.

    Prints a marker, then *evt1* and *evt2* as received (presumably the
    action and the subscriber context, given the ``(action, context,
    event)`` callback shape), then *evt3* rendered as event XML. Finally
    pulses the module-level ``evtHandle`` so a thread blocked on it runs.
    """
    print("Triggered")
    for received in (evt1, evt2):
        print(received)
    rendered = win32evtlog.EvtRender(evt3, win32evtlog.EvtRenderEventXml)
    print(rendered)
    win32event.PulseEvent(evtHandle)
path, win32evtlog.EvtQueryReverseDirection, query, None) while 1: events = win32evtlog.EvtNext(handle, 10) if len(events) == 0: # remove parsed events # win32evtlog.ClearEventLog(handle, None): Access Violation (0xC0000005) break for event in events: count += 1 print(count) if count % 1 == 0: # print(count) record = win32evtlog.EvtRender(event, win32evtlog.EvtRenderEventXml) ##print(event) # print(record) # xml to dict record_dict = xmltodict.parse(record) # print(record_dict['Event']) evtID = int(record_dict['Event']['System']['EventID']) print(evtID) # print(record_dict['Event']['EventData']['Data'][4]['#text']) # for data in record_dict['Event']['EventData']['Data']: # print(data['@Name']+":"+data['#text']) # if evtID == 1: # vals = []