def subscribe_and_yield_events(channel, query="*"):
    """Generator: subscribe to *channel* and yield each new event as a ``LogEvent``.

    A pull-style subscription is opened with ``EvtSubscribeToFutureEvents``
    (only events logged after this call are delivered) and *query* as the
    filter; the service signals ``sig`` whenever more events are queued.
    Queued events are drained ten handles at a time, rendered to XML and
    wrapped in ``LogEvent(..., source_os=detect_current_os())``.  Records
    that fail ``is_valid()`` are reported on stdout and dropped -- that
    "[ERROR]" line is the only trace of them, the raw XML is not kept.

    The generator never finishes on its own; the subscription handle is
    released when the generator object is garbage-collected.
    """
    sig = win32event.CreateEvent(None, 0, 0, None)
    subscription = win32evtlog.EvtSubscribe(channel,
                                            win32evtlog.EvtSubscribeToFutureEvents,
                                            SignalEvent=sig,
                                            Query=query)

    while True:
        # Drain whatever is queued right now.
        batch = win32evtlog.EvtNext(subscription, 10)
        while batch:
            for evt in batch:
                raw_xml = win32evtlog.EvtRender(evt,
                                                win32evtlog.EvtRenderEventXml)
                parsed = LogEvent(raw_xml, source_os=detect_current_os())
                if not parsed.is_valid():
                    print("[ERROR] Parsing error")
                    continue
                yield parsed
            batch = win32evtlog.EvtNext(subscription, 10)

        # Block in alertable 200 ms slices until the service signals again.
        while win32event.WaitForSingleObjectEx(sig, 200, True) != win32con.WAIT_OBJECT_0:
            pass
    def render_event(self, event, context):
        """Render *event* through *context* as a tuple of ``(value, variant type)`` pairs.

        ``EvtRenderEventValues`` returns the values selected by the render
        context (built with ``EvtCreateRenderContext``) instead of the XML
        document, so callers index the result with the ``EvtSystem*``
        constants and check the variant type against ``EvtVarTypeNull``.

        See https://docs.microsoft.com/en-us/windows/win32/wes/rendering-events
        and the pywin32 docs for ``win32evtlog.EvtRender``.
        """
        value_flags = win32evtlog.EvtRenderEventValues
        return win32evtlog.EvtRender(event, value_flags, Context=context)
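 def listen(self, honeypot_configuration):
     """Subscribe to ``self.log_type`` and alert on events that hit a honeypot.

     The subscription starts at the oldest record
     (``EvtSubscribeStartAtOldestRecord``) filtered by ``self.query_text``,
     so existing events are replayed before new ones arrive.  Each event is
     rendered to XML, parsed with xmltodict and passed with its EventID to
     ``__identify_honeypot``; a non-``None`` result is sent to ``__alert``.
     The loop never returns.

     A record whose ``EventID`` is missing or of an unexpected shape is
     reported and skipped instead of raising, so one odd event in the
     channel cannot take the whole listener -- and the alerting with it --
     down.
     """
     signal = win32event.CreateEvent(None, 0, 0, None)
     subscription = win32evtlog.EvtSubscribe(
         self.log_type,
         win32evtlog.EvtSubscribeStartAtOldestRecord,
         SignalEvent=signal,
         Query=self.query_text)
     while True:
         batch = win32evtlog.EvtNext(subscription, 10)
         while batch:
             for event in batch:
                 event_xml = win32evtlog.EvtRender(
                     event, win32evtlog.EvtRenderEventXml)
                 event_dict = xmltodict.parse(event_xml)
                 try:
                     raw_id = event_dict['Event']['System']['EventID']
                     # With a Qualifiers attribute xmltodict yields a dict
                     # ({'@Qualifiers': ..., '#text': id}) instead of a str.
                     event_id = raw_id if isinstance(raw_id, str) else raw_id['#text']
                 except (KeyError, TypeError) as exc:
                     print("Skipping event without a usable EventID: {}".format(exc))
                     continue
                 honeypot = self.__identify_honeypot(
                     event_id, event_xml, honeypot_configuration)
                 if honeypot is not None:
                     self.__alert(event_dict, event_id, honeypot)
             batch = win32evtlog.EvtNext(subscription, 10)
         # Sleep (alertable, 10 s slices) until the service signals more work.
         while True:
             print("Waiting " + self.log_type)
             if win32event.WaitForSingleObjectEx(signal, 10000, True) == win32con.WAIT_OBJECT_0:
                 break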
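        def run_task_with_data(reason, context, event):
            """Subscription callback: render the delivered event to XML and run the task.

            Only ``EvtSubscribeActionDeliver`` carries an event handle; for
            ``EvtSubscribeActionError`` the third argument is a Win32 error
            code (EVT_SUBSCRIBE_CALLBACK contract), so anything other than a
            delivery is ignored instead of being passed to ``EvtRender``.
            The rendered XML is wrapped in ``DataEvent`` and handed to
            ``s.run_task`` (``s``, ``task`` and ``CALLER_EVENT`` come from
            the enclosing scope).  No dictionary is built here, despite the
            earlier one-line summary.
            """
            # Example of what EvtRender produces for a DCOM 10010 event:
            #   <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
            #     <System>
            #       <Provider Name="Microsoft-Windows-DistributedCOM"
            #                 Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
            #       <EventID Qualifiers="0">10010</EventID>
            #       <Version>0</Version> <Level>2</Level> <Task>0</Task> <Opcode>0</Opcode>
            #       <Keywords>0x8080000000000000</Keywords>
            #       <TimeCreated SystemTime="2021-02-10T12:24:20.581005200Z" />
            #       <EventRecordID>729301</EventRecordID>
            #       <Correlation />
            #       <Execution ProcessID="952" ThreadID="41804" />
            #       <Channel>System</Channel>
            #       <Computer>DB</Computer>
            #       <Security UserID="S-1-5-20" />
            #     </System>
            #     <EventData>
            #       <Data Name="param1">{AAC1009F-AB33-48F9-9A21-7F5B88426A2E}</Data>
            #     </EventData>
            #   </Event>
            if reason != win32evtlog.EvtSubscribeActionDeliver:
                return
            xml_str = win32evtlog.EvtRender(event,
                                            win32evtlog.EvtRenderEventXml)
            s.run_task(task=task, caller=CALLER_EVENT, data=DataEvent(xml_str))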
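    def update_checkpoints( self ):
        """Serialize every per-channel bookmark into ``self._checkpoints``.

        Sets ``_checkpoints['api']`` to ``'new'`` (presumably tagging the
        checkpoint as produced by the new Evt* API) and stores each
        bookmark's XML (``EvtRenderBookmark``) under
        ``_checkpoints['bookmarks'][channel]``.  The bookmark lock is held
        for the whole iteration so the dict is not mutated underneath it.

        Uses ``dict.items()`` instead of the Python 2-only ``iteritems()``,
        so the method also works on Python 3.
        """
        self._checkpoints['api'] = 'new'

        with self.__bookmark_lock:
            rendered = self._checkpoints['bookmarks']
            for channel, bookmark in self.__bookmarks.items():
                rendered[channel] = win32evtlog.EvtRender( bookmark, win32evtlog.EvtRenderBookmark )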
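def c(reason, context, evt):
    """EvtSubscribe callback: report *reason* and collect the event XML in *context*.

    Only ``EvtSubscribeActionDeliver`` carries an event handle; for
    ``EvtSubscribeActionError`` the third argument is a Win32 error code
    (EVT_SUBSCRIBE_CALLBACK contract), so ``EvtRender`` is only attempted
    on deliveries and nothing is appended otherwise.  Returns 0 like the
    original callback.
    """
    if reason == win32evtlog.EvtSubscribeActionDeliver:
        print('EvtSubscribeActionDeliver')
        context.append(win32evtlog.EvtRender(evt, win32evtlog.EvtRenderEventXml))
    elif reason == win32evtlog.EvtSubscribeActionError:
        print('EvtSubscribeActionError')
    else:
        print(('??? Unknown action ???', reason))
    return 0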
 def __log_callback(self, reason, context, evt):
     """EvtSubscribe callback: parse a delivered event and fan it out to handlers.

     Only ``EvtSubscribeActionDeliver`` is acted on.  *context* selects the
     parser in ``self.__event_parsers``; the parser gets the event XML and
     returns ``(event, data)``.  When ``event`` is truthy every callback
     registered under ``self.__callbacks[event]`` is called with ``**data``.
     Always returns 0.
     """
     if reason != win32evtlog.EvtSubscribeActionDeliver:
         return 0
     parser = self.__event_parsers.get(context)
     if not parser:
         return 0
     xml = win32evtlog.EvtRender(evt, win32evtlog.EvtRenderEventXml)
     name, payload = parser(xml)
     if name:
         for handler in self.__callbacks[name]:
             handler(**payload)
     return 0
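    def update_checkpoints(self):
        """Serialize every per-channel bookmark into ``self._checkpoints``.

        Sets ``_checkpoints["api"]`` to ``"new"`` (presumably tagging the
        checkpoint as produced by the new Evt* API) and stores each
        bookmark's XML (``EvtRenderBookmark``) under
        ``_checkpoints["bookmarks"][channel]``.  The bookmark lock is held
        for the whole iteration so the dict is not mutated underneath it.

        Iterates with plain ``dict.items()``, which works on Python 2 and 3,
        so the ``six`` shim is not needed here.
        """
        self._checkpoints["api"] = "new"

        with self.__bookmark_lock:
            rendered = self._checkpoints["bookmarks"]
            for channel, bookmark in self.__bookmarks.items():
                rendered[channel] = win32evtlog.EvtRender(
                    bookmark, win32evtlog.EvtRenderBookmark)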
    def update_bookmark(self, event):
        """Advance the persistent bookmark to *event* and write it to the cache.

        ``EvtUpdateBookmark`` points ``self._bookmark_handle`` at *event*;
        the bookmark is then rendered to XML (``EvtRenderBookmark``) and
        stored via ``write_persistent_cache`` under the ``'bookmark'`` key,
        presumably so a later run can resume after this event.

        See https://docs.microsoft.com/en-us/windows/win32/wes/bookmarking-events
        """
        handle = self._bookmark_handle
        win32evtlog.EvtUpdateBookmark(handle, event)
        rendered = win32evtlog.EvtRender(handle, win32evtlog.EvtRenderBookmark)
        self.write_persistent_cache('bookmark', rendered)
def load_log_data(log_file):
    """Return every record of the log file at *log_file* as an XML string.

    The file is opened with ``EvtQueryFilePath`` and walked one event at a
    time, each rendered with ``EvtRenderEventXml``.  The whole log is
    materialised into a list, so memory grows with the file.  The file is
    taken as-is: nothing here verifies it has not been tampered with.
    """
    cursor = win32evtlog.EvtQuery(log_file, win32evtlog.EvtQueryFilePath)
    rendered = []
    while True:
        batch = win32evtlog.EvtNext(cursor, 1)
        if not batch:
            break
        rendered.append(win32evtlog.EvtRender(batch[0],
                                              win32evtlog.EvtRenderEventXml))
    return rendered
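    def GetFormattedEventAsDict( self, render_context, event ):
        """Render *event* through *render_context* into a dict of formatted fields.

        ``EvtRender(..., EvtRenderEventValues)`` returns ``(value, variant
        type)`` pairs indexed by the ``EvtSystem*`` constants.  The
        publisher metadata is opened to format the message and the
        level/opcode/keyword/channel/task strings; when it cannot be opened
        (e.g. the provider is not installed on this host) ``metadata`` stays
        ``None`` and ``_FormattedMessage`` is still called with it.  Plain
        values are copied in through ``_AddValueIfNotNullType``.

        Changes from the earlier version: the bare ``except:`` -- which also
        swallowed ``KeyboardInterrupt``/``SystemExit`` -- is narrowed to
        ``Exception``, and the EventID and qualifiers that were read but
        never used now produce ``result['EventID']``.
        """
        vals = win32evtlog.EvtRender( event, win32evtlog.EvtRenderEventValues, Context=render_context )

        result = {}

        # The new event log API folds the 16-bit EventID and the 16-bit
        # SystemQualifiers into one 32-bit instance id: qualifiers in the
        # high word, event id in the low word (the layout of
        # win32api.MAKELONG, kept unsigned here).
        event_id, event_id_type = vals[win32evtlog.EvtSystemEventID]
        if event_id_type != win32evtlog.EvtVarTypeNull:
            qualifiers, qualifiers_type = vals[win32evtlog.EvtSystemQualifiers]
            if qualifiers_type != win32evtlog.EvtVarTypeNull:
                event_id = ((qualifiers & 0xFFFF) << 16) | (event_id & 0xFFFF)
            result['EventID'] = event_id

        metadata = None
        try:
            metadata = win32evtlog.EvtOpenPublisherMetadata( vals[win32evtlog.EvtSystemProviderName][0] )
        except Exception:
            # Best effort: without metadata the strings below are formatted
            # with metadata=None rather than the whole event being dropped.
            pass

        result['Message'] = self._FormattedMessage( metadata, event, win32evtlog.EvtFormatMessageEvent, '' )

        if vals[win32evtlog.EvtSystemLevel][1] != win32evtlog.EvtVarTypeNull:
            result['Level'] = self._FormattedMessage( metadata, event, win32evtlog.EvtFormatMessageLevel, vals[win32evtlog.EvtSystemLevel][0] )

        if vals[win32evtlog.EvtSystemOpcode][1] != win32evtlog.EvtVarTypeNull:
            result['Opcode'] = self._FormattedMessage( metadata, event, win32evtlog.EvtFormatMessageOpcode, vals[win32evtlog.EvtSystemOpcode][0]  )

        if vals[win32evtlog.EvtSystemKeywords][1] != win32evtlog.EvtVarTypeNull:
            result['Keywords'] = self._FormattedMessage( metadata, event, win32evtlog.EvtFormatMessageKeyword, vals[win32evtlog.EvtSystemKeywords][0]  )

        if vals[win32evtlog.EvtSystemChannel][1] != win32evtlog.EvtVarTypeNull:
            result['Channel'] = self._FormattedMessage( metadata, event, win32evtlog.EvtFormatMessageChannel, vals[win32evtlog.EvtSystemChannel][0]  )
        result['Task'] = self._FormattedMessage( metadata, event, win32evtlog.EvtFormatMessageTask, ""  )

        # Raw system values; the helper skips entries whose type is Null.
        self._AddValueIfNotNullType( result, 'ProviderName', vals[win32evtlog.EvtSystemProviderName] )
        self._AddValueIfNotNullType( result, 'ProviderGuid', vals[win32evtlog.EvtSystemProviderGuid] )
        self._AddValueIfNotNullType( result, 'TimeCreated', vals[win32evtlog.EvtSystemTimeCreated] )
        self._AddValueIfNotNullType( result, 'RecordId',  vals[win32evtlog.EvtSystemEventRecordId] )
        self._AddValueIfNotNullType( result, 'ActivityId',  vals[win32evtlog.EvtSystemActivityID] )
        self._AddValueIfNotNullType( result, 'RelatedActivityId',  vals[win32evtlog.EvtSystemRelatedActivityID] )
        self._AddValueIfNotNullType( result, 'ProcessId',  vals[win32evtlog.EvtSystemProcessID] )
        self._AddValueIfNotNullType( result, 'ThreadId',  vals[win32evtlog.EvtSystemThreadID] )
        self._AddValueIfNotNullType( result, 'Computer',  vals[win32evtlog.EvtSystemComputer] )
        self._AddValueIfNotNullType( result, 'UserId',  vals[win32evtlog.EvtSystemUserID] )
        self._AddValueIfNotNullType( result, 'Version',  vals[win32evtlog.EvtSystemVersion] )

        return result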
def get_events_xmls(channel_name="Microsoft-Windows-PrintService/Operational",
                    events_batch_num=100,
                    backwards=True):
    """Collect every event of *channel_name* as a list of rendered XML strings.

    *backwards* adds ``EvtQueryReverseDirection`` (newest record first).
    Events are pulled *events_batch_num* at a time with an ``INFINITE``
    timeout.  If the channel cannot be opened the ``pywintypes.error`` is
    printed and an empty list is returned instead of raising.
    """
    direction = win32evtlog.EvtQueryReverseDirection if backwards else 0
    flags = win32evtlog.EvtQueryChannelPath | direction
    try:
        cursor = win32evtlog.EvtQuery(channel_name, flags, None, None)
    except pywintypes.error as err:
        print(err)
        return []

    def next_batch():
        return win32evtlog.EvtNext(cursor, events_batch_num, INFINITE, 0)

    collected = []
    batch = next_batch()
    while batch:
        collected.extend(
            win32evtlog.EvtRender(evt, win32evtlog.EvtRenderEventXml)
            for evt in batch)
        batch = next_batch()
    return collected
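    def GetFormattedEventAsDict(self, render_context, event):
        """Render *event* through *render_context* into a dict of formatted fields.

        ``EvtRender(..., EvtRenderEventValues)`` returns ``(value, variant
        type)`` pairs indexed by the ``EvtSystem*`` constants.  The
        publisher metadata is opened to format the message and the
        level/opcode/keyword/channel/task strings; when it cannot be opened
        (e.g. the provider is not installed on this host) ``metadata`` stays
        ``None`` and ``_FormattedMessage`` is still called with it.  Plain
        values are copied in through ``_AddValueIfNotNullType``.

        The only behavioural change from the earlier version is that the
        bare ``except:`` around ``EvtOpenPublisherMetadata`` -- which also
        swallowed ``KeyboardInterrupt``/``SystemExit`` -- is narrowed to
        ``Exception``.
        """
        vals = win32evtlog.EvtRender(event,
                                     win32evtlog.EvtRenderEventValues,
                                     Context=render_context)

        result = {}

        # In the new event log api, EventIds were replaced by an InstanceId.
        # The InstanceID is made by combining the old EventId with any
        # SystemQualifiers associated with the event, to create a new 32bit value
        # with the EventId in the lower 16bits and the SystemQualifiers
        # in the high 16bits.
        event_id_val = vals[win32evtlog.EvtSystemEventID]
        if event_id_val[1] != win32evtlog.EvtVarTypeNull:
            # by default use the event id value as the event id
            event_id = event_id_val[0]
            qualifiers_val = vals[win32evtlog.EvtSystemQualifiers]
            # if we have any system qualifiers for this event
            if qualifiers_val[1] != win32evtlog.EvtVarTypeNull:
                # then combine the event id with the qualifiers to
                # make the full event id.
                event_id = win32api.MAKELONG(event_id, qualifiers_val[0])
            result['EventID'] = event_id

        metadata = None
        try:
            metadata = win32evtlog.EvtOpenPublisherMetadata(
                vals[win32evtlog.EvtSystemProviderName][0])
        except Exception:
            # Best effort: without metadata the strings below are formatted
            # with metadata=None rather than the whole event being dropped.
            pass

        result['Message'] = self._FormattedMessage(
            metadata, event, win32evtlog.EvtFormatMessageEvent, '')

        if vals[win32evtlog.EvtSystemLevel][1] != win32evtlog.EvtVarTypeNull:
            result['Level'] = self._FormattedMessage(
                metadata, event, win32evtlog.EvtFormatMessageLevel,
                vals[win32evtlog.EvtSystemLevel][0])

        if vals[win32evtlog.EvtSystemOpcode][1] != win32evtlog.EvtVarTypeNull:
            result['Opcode'] = self._FormattedMessage(
                metadata, event, win32evtlog.EvtFormatMessageOpcode,
                vals[win32evtlog.EvtSystemOpcode][0])

        if vals[win32evtlog.
                EvtSystemKeywords][1] != win32evtlog.EvtVarTypeNull:
            result['Keywords'] = self._FormattedMessage(
                metadata, event, win32evtlog.EvtFormatMessageKeyword,
                vals[win32evtlog.EvtSystemKeywords][0])

        if vals[win32evtlog.EvtSystemChannel][1] != win32evtlog.EvtVarTypeNull:
            result['Channel'] = self._FormattedMessage(
                metadata, event, win32evtlog.EvtFormatMessageChannel,
                vals[win32evtlog.EvtSystemChannel][0])
        result['Task'] = self._FormattedMessage(
            metadata, event, win32evtlog.EvtFormatMessageTask, "")

        # Raw system values; the helper skips entries whose type is Null.
        self._AddValueIfNotNullType(result, 'ProviderName',
                                    vals[win32evtlog.EvtSystemProviderName])
        self._AddValueIfNotNullType(result, 'ProviderGuid',
                                    vals[win32evtlog.EvtSystemProviderGuid])
        self._AddValueIfNotNullType(result, 'TimeCreated',
                                    vals[win32evtlog.EvtSystemTimeCreated])
        self._AddValueIfNotNullType(result, 'RecordId',
                                    vals[win32evtlog.EvtSystemEventRecordId])
        self._AddValueIfNotNullType(result, 'ActivityId',
                                    vals[win32evtlog.EvtSystemActivityID])
        self._AddValueIfNotNullType(
            result, 'RelatedActivityId',
            vals[win32evtlog.EvtSystemRelatedActivityID])
        self._AddValueIfNotNullType(result, 'ProcessId',
                                    vals[win32evtlog.EvtSystemProcessID])
        self._AddValueIfNotNullType(result, 'ThreadId',
                                    vals[win32evtlog.EvtSystemThreadID])
        self._AddValueIfNotNullType(result, 'Computer',
                                    vals[win32evtlog.EvtSystemComputer])
        self._AddValueIfNotNullType(result, 'UserId',
                                    vals[win32evtlog.EvtSystemUserID])
        self._AddValueIfNotNullType(result, 'Version',
                                    vals[win32evtlog.EvtSystemVersion])

        return result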
def print_event(event):
    """Print *event* as the XML document ``EvtRender`` produces for it."""
    xml_flags = win32evtlog.EvtRenderEventXml
    print(win32evtlog.EvtRender(event, xml_flags))
def main():
    """Print the first N events of a channel (defaults: ``'System'``, 5).

    Usage: ``script [channel [count]]``.  Each event is rendered through a
    system render context and its level, timestamp, computer and provider
    are printed.  The formatted message is printed only when the provider's
    metadata can be opened *and* the message is found -- both lookups can
    raise ``pywintypes.error`` (2: metadata file not found; 15027: message
    not in the message table) and are silently skipped in that case.
    """
    level_names = {1: 'CRITICAL', 2: 'ERROR', 3: 'WARNING', 4: 'INFO', 5: 'VERBOSE'}

    args = sys.argv[1:]
    path = args[0] if args else 'System'
    num_events = int(args[1]) if len(args) > 1 else 5

    query = win32evtlog.EvtQuery(path, win32evtlog.EvtQueryForwardDirection)
    events = win32evtlog.EvtNext(query, num_events)
    context = win32evtlog.EvtCreateRenderContext(
        win32evtlog.EvtRenderContextSystem)

    for index, event in enumerate(events, 1):
        values = win32evtlog.EvtRender(event,
                                       win32evtlog.EvtRenderEventValues,
                                       Context=context)

        def field(key):
            # (value, present) -- present is False when the variant is Null.
            value, variant = values[key]
            return value, variant != win32evtlog.EvtVarTypeNull

        print('Event {}'.format(index))

        level, has_level = field(win32evtlog.EvtSystemLevel)
        if has_level:
            print('    Level: {}'.format(level_names.get(level, 'UNKNOWN')))

        created, has_created = field(win32evtlog.EvtSystemTimeCreated)
        if has_created:
            print('    Timestamp: {}'.format(created.isoformat()))

        computer, has_computer = field(win32evtlog.EvtSystemComputer)
        if has_computer:
            print('    FQDN: {}'.format(computer))

        provider, has_provider = field(win32evtlog.EvtSystemProviderName)
        if not has_provider:
            continue
        print('    Provider: {}'.format(provider))

        try:
            metadata = win32evtlog.EvtOpenPublisherMetadata(provider)
            message = win32evtlog.EvtFormatMessage(
                metadata, event, win32evtlog.EvtFormatMessageEvent)
        except Exception:
            # No metadata or no message resource for this provider: nothing
            # more to show for this event.
            continue
        print('    Message: {}'.format(message))
 def render_event_xml(event):  # no cov
     """Return *event* rendered as its XML document.

     Debugging aid only (hence ``# no cov``); not part of the normal path.
     """
     xml_flags = win32evtlog.EvtRenderEventXml
     return win32evtlog.EvtRender(event, xml_flags)
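def event_main_filter(event):
    """Inspect one Sysmon event and raise alerts for likely UAC-bypass activity.

    The event handle is rendered to XML and parsed with xmltodict; the
    ``TimeCreated/@SystemTime`` attribute is rewritten to local time in
    place and ``EventData`` is flattened into a ``{Name: text}`` dict.
    Dispatch is on the Sysmon event ID:

    * 1  ProcessCreate -- ICMLuaUtils COM bypass (by parent command line),
         history of services.exe children / cmd.exe parents, registry
         symlink hijacks of auto-elevating binaries (``reg_hijack_dict``).
    * 6  DriverLoad -- record drivers not signed "Microsoft Windows".
    * 7  ImageLoad -- record non-Microsoft DLLs; alert on ``*.exe.local\\``.
    * 8  CreateRemoteThread -- record and alert on every occurrence.
    * 11 FileCreate -- record; alert on files dropped under ``*.exe.local\\``.
    * 13 RegistryValueSet -- record; alert on registry-hosted .NET loaders,
         on ``windir`` / ``COR_*`` values outside HKLM and on hijack paths.

    Alerts go to stdout and ``notification()``.  Every match is a plain
    substring/prefix comparison on attacker-influenced fields (command
    lines, image paths, registry paths), so treat a hit as a lead rather
    than proof and expect evasions (8.3 short names, junctions, alternate
    spellings) to slip past.

    Fixes relative to the earlier version: the event-7 dotLocal check read
    the *last recorded* entry even when the current event was
    Microsoft-signed and therefore not recorded, re-alerting on a stale
    record (or raising IndexError on an empty history); a single ``<Data>``
    child (a dict, not a list) or an empty ``<Data/>`` no longer breaks the
    flattening; ``None`` values are guarded before ``.lower()``/``in``; and
    an ``EventID`` with a ``Qualifiers`` attribute is handled.
    """
    record = win32evtlog.EvtRender(event, win32evtlog.EvtRenderEventXml)
    record_dict = xmltodict.parse(record)
    system = record_dict['Event']['System']

    # Rewrite the UTC timestamp as local time, in place, as before.
    time_created = system['TimeCreated']
    time_created['@SystemTime'] = utc_to_local(time_created['@SystemTime'])

    event_data = _flatten_event_data(record_dict['Event'].get('EventData'))
    record_dict['Event']['EventData'] = event_data

    evt_id = _sysmon_event_id(system)

    if evt_id == 1:
        _check_process_create(event_data)
    elif evt_id == 6:
        _check_driver_load(evt_id, event_data)
    elif evt_id == 7:
        _check_image_load(evt_id, event_data)
    elif evt_id == 8:
        _check_remote_thread(evt_id, event_data)
    elif evt_id == 11:
        _check_file_create(evt_id, event_data)
    elif evt_id == 13:
        _check_registry_set(evt_id, event_data)


# CLSID of the ICMLuaUtils COM object abused for the DllHost.exe UAC bypass.
_ICMLUAUTILS_CLSID = '{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
# Lower-cased prefixes of the directories auto-elevating binaries live in.
_SYSTEM_DIRS = ('c:\\windows\\winsxs', 'c:\\windows\\system32')


def _flatten_event_data(event_data):
    """Turn xmltodict's ``EventData`` subtree into a flat ``{Name: text}`` dict.

    xmltodict yields a list for several ``<Data>`` children, a bare dict
    for exactly one and ``None`` for an empty element, so the shape is
    normalised first.  A ``<Data>`` without text maps to ``None``; an entry
    without ``@Name`` (e.g. an empty ``<Data/>``) is skipped instead of
    discarding everything collected so far.
    """
    if not isinstance(event_data, dict):
        return {}
    entries = event_data.get('Data')
    if entries is None:
        return {}
    if isinstance(entries, dict):
        entries = [entries]
    flat = {}
    for entry in entries:
        if not isinstance(entry, dict) or '@Name' not in entry:
            continue
        flat[entry['@Name']] = entry.get('#text')
    return flat


def _sysmon_event_id(system):
    """Return ``<EventID>`` as an int; accepts the ``{'@Qualifiers': .., '#text': ..}`` form too."""
    raw = system['EventID']
    if isinstance(raw, dict):
        raw = raw['#text']
    return int(raw)


def _check_process_create(event_data):
    """Sysmon event 1: COM UAC bypass via parent command line, registry symlink hijacks."""
    image = str(event_data.get('Image'))
    parent_image = str(event_data.get('ParentImage'))
    image_lower = image.lower()

    # Windows paths are case-insensitive; compare them that way.
    if parent_image.lower() == 'c:\\windows\\system32\\services.exe':
        service_outlier_executables_history[image] = 0
    if 'cmd.exe' in image_lower:
        outlier_parents_of_cmd_history[parent_image] = 0

    # COM-ICMLuaUtils bypass: an elevated DllHost.exe hosting the ICMLuaUtils
    # CLSID is the parent of the payload, e.g.
    #   C:\WINDOWS\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
    parent_cmdline = event_data.get('ParentCommandLine')
    if parent_cmdline and _ICMLUAUTILS_CLSID in parent_cmdline.upper():
        print('COM-ICMLuaUtils-bypassUAC')
        print(parent_cmdline)
        notification('COM-ICMLuaUtils-bypassUAC Detected!')

    # Is this one of the auto-elevating binaries that can be hijacked through
    # the registry?  If so, check whether its registry path is a symlink.
    if image_lower.startswith(_SYSTEM_DIRS):
        for exe, reg_path in reg_hijack_dict.items():
            if exe.lower() not in image_lower:
                continue
            sym_path = reg_symhij_check(reg_path)
            if sym_path is not None:
                print('Possible registry UAC Hijack with symlink!')
                print(f'Path:{sym_path}')
                notification('Possible registry UAC Hijack with symlink!',
                             f'Path:{sym_path}')


def _check_driver_load(evt_id, event_data):
    """Sysmon event 6 (DriverLoad): remember every driver not signed by Microsoft."""
    if event_data.get('Signature') != 'Microsoft Windows':
        events_by_id[evt_id].append({
            'ImageLoaded': event_data.get('ImageLoaded'),
            'Signature': event_data.get('Signature'),
        })


def _check_image_load(evt_id, event_data):
    """Sysmon event 7 (ImageLoad): record non-Microsoft DLLs; alert on DotLocal redirection.

    The ``*.exe.local\\`` test is applied to the event being processed,
    whatever its signature -- a DLL pulled in through DotLocal redirection
    is the indicator regardless of who signed it.
    """
    current = {
        'Image': event_data.get('Image'),
        'ImageLoaded': event_data.get('ImageLoaded'),
    }
    if event_data.get('Signature') != 'Microsoft Windows':
        events_by_id[evt_id].append(current)
    if '.exe.local\\' in (current['ImageLoaded'] or '').lower():
        print("dotLocal DLL hijack detected")
        print(current)
        notification(
            "dotLocal DLL hijack detected",
            'Image: {}\nLib: {}'.format(current['Image'],
                                        current['ImageLoaded']))


def _check_remote_thread(evt_id, event_data):
    """Sysmon event 8 (CreateRemoteThread): every occurrence is recorded and reported."""
    fields = ('SourceProcessId', 'SourceImage', 'TargetProcessId',
              'TargetImage', 'StartAddress', 'StartModule', 'StartFunction')
    current = {name: event_data.get(name) for name in fields}
    events_by_id[evt_id].append(current)
    print("RemoteThreadCreate detected")
    print(current)
    notification(
        "RemoteThreadCreate detected", 'Source: {}\nTarget: {}'.format(
            current['SourceImage'], current['TargetImage']))


def _check_file_create(evt_id, event_data):
    """Sysmon event 11 (FileCreate): record; alert when the file lands in ``*.exe.local\\``."""
    current = {
        'ProcessId': event_data.get('ProcessId'),
        'Image': event_data.get('Image'),
        'TargetFilename': event_data.get('TargetFilename'),
    }
    events_by_id[evt_id].append(current)
    # DotLocal DLL hijack staging: something is written into a '*.exe.local\' folder.
    if '.exe.local\\' in (current['TargetFilename'] or '').lower():
        print("dotLocal DLL hijack file create!")
        print(current)
        notification(
            "dotLocal DLL hijack file create!",
            'Image: {}\nFile: {}'.format(current['Image'],
                                         current['TargetFilename']))


def _check_registry_set(evt_id, event_data):
    """Sysmon event 13 (RegistryValueSet): registry-hosted loaders and UAC-bypass values.

    Only values outside ``HKLM`` -- i.e. the per-user hive an unprivileged
    attacker can write -- are checked for ``windir``,
    ``COR_ENABLE_PROFILING`` / ``COR_PROFILER`` and the hijack paths in
    ``reg_hijack_dict``.
    """
    raw_details = event_data.get('Details')
    details = raw_details or ''
    target_path = event_data.get('TargetObject') or ''
    current = {
        'Image': event_data.get('Image'),
        'TargetObject': event_data.get('TargetObject'),
    }
    events_by_id[evt_id].append(current)

    # A PowerShell loader stored in a value: assembly bytes read back out of
    # the registry and loaded in memory.
    if ('[Reflection.Assembly]::Load' in details
            and "[Microsoft.Win32.Registry]" in details):
        print("Fileless Attack - Living off the land.")
        print(current)
        notification("Fileless Attack!")

    if target_path.startswith('HKLM'):
        return
    # Probably HKCU/HKU: the last path component is the value name.
    value_name = target_path[target_path.rfind('\\') + 1:].lower()
    if value_name == 'windir':
        # UAC bypasses that hijack the windir environment variable.
        print("Possible UACBypass: windir hijack!")
        print(current)
        notification("Possible UACBypass: windir hijack!")
    elif value_name in ('cor_enable_profiling', 'cor_profiler'):
        # UAC bypasses that attach a .NET profiler DLL to an elevated process.
        print("Possible UACBypass: C# profile!")
        print(current)
        notification("Possible UACBypass: C# profile!")
    # Is the value being set one of the known hijack locations?
    for hijack_path in reg_hijack_dict.values():
        if hijack_path in target_path:
            print('Possible registry UAC Hijack!')
            print(f'Path:{target_path}\nValue:{raw_details}')
            notification('Possible registry UAC Hijack!',
                         f'Path:{target_path}\nValue:{raw_details}')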
def main():
    """Print the first N events of a channel (defaults: ``"System"``, 5).

    Usage: ``script [channel [count]]``.  Each event is rendered through a
    system render context and its level, timestamp, computer and provider
    are printed.  The formatted message is printed only when the provider's
    metadata can be opened *and* the message is found -- both lookups can
    raise ``pywintypes.error`` (2: metadata file not found; 15027: message
    not in the message table) and are silently skipped.  A message that the
    console encoding cannot represent is printed via ``repr`` instead.
    """
    level_names = {1: "CRITICAL", 2: "ERROR", 3: "WARNING", 4: "INFO", 5: "VERBOSE"}

    args = sys.argv[1:]
    path = args[0] if args else "System"
    num_events = int(args[1]) if len(args) > 1 else 5

    query = win32evtlog.EvtQuery(path, win32evtlog.EvtQueryForwardDirection)
    events = win32evtlog.EvtNext(query, num_events)
    context = win32evtlog.EvtCreateRenderContext(
        win32evtlog.EvtRenderContextSystem)

    for index, event in enumerate(events, 1):
        values = win32evtlog.EvtRender(event,
                                       win32evtlog.EvtRenderEventValues,
                                       Context=context)

        def field(key):
            # (value, present) -- present is False when the variant is Null.
            value, variant = values[key]
            return value, variant != win32evtlog.EvtVarTypeNull

        print("Event {}".format(index))

        level, has_level = field(win32evtlog.EvtSystemLevel)
        if has_level:
            print("    Level: {}".format(level_names.get(level, "UNKNOWN")))

        created, has_created = field(win32evtlog.EvtSystemTimeCreated)
        if has_created:
            print("    Timestamp: {}".format(created.isoformat()))

        computer, has_computer = field(win32evtlog.EvtSystemComputer)
        if has_computer:
            print("    FQDN: {}".format(computer))

        provider, has_provider = field(win32evtlog.EvtSystemProviderName)
        if not has_provider:
            continue
        print("    Provider: {}".format(provider))

        try:
            metadata = win32evtlog.EvtOpenPublisherMetadata(provider)
            message = win32evtlog.EvtFormatMessage(
                metadata, event, win32evtlog.EvtFormatMessageEvent)
        except Exception:
            # No metadata or no message resource for this provider: nothing
            # more to show for this event.
            continue

        try:
            print("    Message: {}".format(message))
        except UnicodeEncodeError:
            # Seen when run under subprocess.Popen(), presumably because the
            # console encoding is unknown there (e.g. '\u200e' not mappable
            # by the 'charmap' codec); could not be reproduced interactively.
            print(" Failed to decode:", repr(message))
def eventTriggered(evt1, evt2, evt3):
    """Subscription callback: echo its arguments and pulse the module-level ``evtHandle``.

    *evt1* and *evt2* (presumably the action and context the API passes)
    are printed as-is; *evt3* is rendered as XML first.  ``PulseEvent``
    then wakes whatever is waiting on ``evtHandle`` (defined elsewhere in
    the file).
    """
    for item in ("Triggered", evt1, evt2):
        print(item)
    rendered = win32evtlog.EvtRender(evt3, win32evtlog.EvtRenderEventXml)
    print(rendered)
    win32event.PulseEvent(evtHandle)
    path, win32evtlog.EvtQueryReverseDirection, query, None)

while 1:
    events = win32evtlog.EvtNext(handle, 10)
    if len(events) == 0:
        # remove parsed events
        # win32evtlog.ClearEventLog(handle, None): Access Violation (0xC0000005)
        break
    for event in events:
        count += 1
        print(count)

        if count % 1 == 0:
            # print(count)

            record = win32evtlog.EvtRender(event,
                                           win32evtlog.EvtRenderEventXml)
            ##print(event)
            # print(record)

            # xml to dict
            record_dict = xmltodict.parse(record)
            # print(record_dict['Event'])
            evtID = int(record_dict['Event']['System']['EventID'])
            print(evtID)

            # print(record_dict['Event']['EventData']['Data'][4]['#text'])
            # for data in record_dict['Event']['EventData']['Data']:
            #   print(data['@Name']+":"+data['#text'])

            # if evtID == 1:
            #   vals = []