c# - How to use Windows API AuditEnumerateCategories function in PowerShell?
I want to get the current advanced security audit policy using PowerShell. If I use auditpol.exe, the output is different per OS language, which makes it difficult to parse.

The settings are stored in a REG_NONE value in HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv. I could try to parse the value of that unofficial structure table. The preferred approach, however, is to use the Windows API function AuditQuerySystemPolicy of advapi32.dll.

With the great help of this article, I created a type in PowerShell as follows.
```powershell
$MemberDefinition = @'
// The Audit* functions return BOOLEAN (1 byte), not BOOL, so the result is marshalled as U1.
[DllImport("advapi32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.U1)]
public static extern bool AuditEnumerateCategories(
    out IntPtr ppAuditCategoriesArray,
    out uint pCountReturned);

// PWSTR* cannot be marshalled as "out StringBuilder": receive the pointer, read it with
// Marshal.PtrToStringUni and release it with AuditFree.
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
[return: MarshalAs(UnmanagedType.U1)]
public static extern bool AuditLookupCategoryName(
    ref Guid pAuditCategoryGuid,
    out IntPtr ppszCategoryName);

// public, not private: a private member is not callable from PowerShell.
[DllImport("advapi32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.U1)]
public static extern bool AuditEnumerateSubCategories(
    ref Guid pAuditCategoryGuid,
    [MarshalAs(UnmanagedType.U1)] bool bRetrieveAllSubCategories,
    out IntPtr ppAuditSubCategoriesArray,
    out uint pCountReturned);

[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
[return: MarshalAs(UnmanagedType.U1)]
public static extern bool AuditLookupSubCategoryName(
    ref Guid pAuditSubCategoryGuid,
    out IntPtr ppszSubCategoryName);

[DllImport("advapi32.dll")]
public static extern void AuditFree(
    IntPtr Buffer);

// The first parameter is "const GUID *": pass an array, not a single Guid by value.
[DllImport("advapi32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.U1)]
public static extern bool AuditQuerySystemPolicy(
    Guid[] pSubCategoryGuids,
    uint PolicyCount,
    out IntPtr ppAuditPolicy);
'@
$Advapi32 = Add-Type -MemberDefinition $MemberDefinition -Name 'Advapi32' -Namespace 'Win32' -UsingNamespace System.Text -PassThru
```
The type is created successfully, but I fail at the first step: getting the GUIDs of the audit categories. I have issues with the different types. I tried, for example:
```powershell
$guid = [guid].MakeByRefType()
$count = [IntPtr]::Zero
[Win32.Advapi32]::AuditEnumerateCategories([ref]$guid, [ref]$count)
# Exception calling "AuditEnumerateCategories" with "2" argument(s): "The value "System.Guid&" of type "System.RuntimeType" cannot be converted to type "System.IntPtr"."
```
I tried to change the AuditEnumerateCategories definition output from IntPtr to Guid. The output of ppAuditCategoriesArray is a pointer to a single buffer that contains both the array of pointers to GUID structures and the structures themselves. Unfortunately, I have no idea how to handle this in PowerShell.
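The following is an added example, not code from the question or from the article it refers to. It shows how the out parameters of these functions are handled from PowerShell: the `ppAudit...Array` buffer is received as a plain `IntPtr`, the `GUID`s are read out of it with `Marshal.PtrToStructure` at 16-byte offsets, the result is passed to `AuditQuerySystemPolicy`, and every buffer the API allocated is returned with `AuditFree`. It goes one step beyond the question by reading the policy for all subcategories at once (via `bRetrieveAllSubCategories`), which gives the same information as `auditpol /get /category:*` but independent of the OS language. Assumed environment: Windows, PowerShell 5.1 or later, an elevated prompt (the Audit* APIs need the "Manage auditing and security log" privilege); the `AUDIT_POLICY_INFORMATION` layout and the `POLICY_AUDIT_EVENT_SUCCESS = 1` / `POLICY_AUDIT_EVENT_FAILURE = 2` values are those from ntsecapi.h. The function names `Read-AuditString` and `Get-AdvancedAuditPolicy` are my own.

```powershell
using namespace System.Runtime.InteropServices

# Added example (not the question's code): read the effective advanced audit policy via advapi32.dll.
# Assumes Windows, PowerShell 5.1+, elevated prompt (SeSecurityPrivilege is required).
$memberDefinition = @'
// Layout of AUDIT_POLICY_INFORMATION from ntsecapi.h.
[StructLayout(LayoutKind.Sequential)]
public struct AUDIT_POLICY_INFORMATION {
    public Guid AuditSubCategoryGuid;
    public uint AuditingInformation;   // POLICY_AUDIT_EVENT_* flags
    public Guid AuditCategoryGuid;
}

// The Audit* functions return BOOLEAN (1 byte), not BOOL, hence the U1 marshalling.
[DllImport("advapi32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.U1)]
public static extern bool AuditEnumerateSubCategories(
    ref Guid pAuditCategoryGuid,
    [MarshalAs(UnmanagedType.U1)] bool bRetrieveAllSubCategories,
    out IntPtr ppAuditSubCategoriesArray,
    out uint pdwCountReturned);

[DllImport("advapi32.dll", SetLastError = true, EntryPoint = "AuditLookupCategoryNameW")]
[return: MarshalAs(UnmanagedType.U1)]
public static extern bool AuditLookupCategoryName(ref Guid pAuditCategoryGuid, out IntPtr ppszCategoryName);

[DllImport("advapi32.dll", SetLastError = true, EntryPoint = "AuditLookupSubCategoryNameW")]
[return: MarshalAs(UnmanagedType.U1)]
public static extern bool AuditLookupSubCategoryName(ref Guid pAuditSubCategoryGuid, out IntPtr ppszSubCategoryName);

[DllImport("advapi32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.U1)]
public static extern bool AuditQuerySystemPolicy(Guid[] pSubCategoryGuids, uint dwPolicyCount, out IntPtr ppAuditPolicy);

[DllImport("advapi32.dll")]
public static extern void AuditFree(IntPtr Buffer);
'@
Add-Type -MemberDefinition $memberDefinition -Name 'Advapi32' -Namespace 'Win32'

function Read-AuditString([IntPtr]$Ptr) {
    # Copies a PWSTR allocated by advapi32 into a .NET string, then releases it with AuditFree.
    try { [Marshal]::PtrToStringUni($Ptr) } finally { [Win32.Advapi32]::AuditFree($Ptr) }
}

function Get-AdvancedAuditPolicy {
    $anyCategory = [guid]::Empty
    $pSubs = [IntPtr]::Zero
    [uint32]$count = 0
    # With bRetrieveAllSubCategories = $true the category GUID is ignored and every subcategory is returned.
    if (-not [Win32.Advapi32]::AuditEnumerateSubCategories([ref]$anyCategory, $true, [ref]$pSubs, [ref]$count)) {
        throw (New-Object System.ComponentModel.Win32Exception -ArgumentList ([Marshal]::GetLastWin32Error()))
    }
    try {
        # The returned buffer is a contiguous array of $count GUIDs, 16 bytes each.
        $subGuids = [guid[]]::new([int]$count)
        for ($i = 0; $i -lt $count; $i++) {
            $subGuids[$i] = [Marshal]::PtrToStructure([IntPtr]::Add($pSubs, $i * 16), [type][guid])
        }
    } finally { [Win32.Advapi32]::AuditFree($pSubs) }

    $pPolicy = [IntPtr]::Zero
    if (-not [Win32.Advapi32]::AuditQuerySystemPolicy($subGuids, [uint32]($subGuids.Length), [ref]$pPolicy)) {
        throw (New-Object System.ComponentModel.Win32Exception -ArgumentList ([Marshal]::GetLastWin32Error()))
    }
    try {
        # ppAuditPolicy points to one AUDIT_POLICY_INFORMATION per requested subcategory, back to back.
        $infoType = [Win32.Advapi32+AUDIT_POLICY_INFORMATION]
        $infoSize = [Marshal]::SizeOf([type]$infoType)
        for ($i = 0; $i -lt $subGuids.Length; $i++) {
            $info = [Marshal]::PtrToStructure([IntPtr]::Add($pPolicy, $i * $infoSize), [type]$infoType)
            [guid]$catGuid = $info.AuditCategoryGuid
            [guid]$subGuid = $info.AuditSubCategoryGuid
            $pName = [IntPtr]::Zero
            $catName = if ([Win32.Advapi32]::AuditLookupCategoryName([ref]$catGuid, [ref]$pName)) { Read-AuditString $pName }
            $subName = if ([Win32.Advapi32]::AuditLookupSubCategoryName([ref]$subGuid, [ref]$pName)) { Read-AuditString $pName }
            # POLICY_AUDIT_EVENT_SUCCESS = 1, POLICY_AUDIT_EVENT_FAILURE = 2; anything else means no auditing.
            $setting = switch ($info.AuditingInformation -band 3) {
                1 { 'Success' } 2 { 'Failure' } 3 { 'Success and Failure' } default { 'No Auditing' }
            }
            [pscustomobject]@{
                Category        = $catName
                Subcategory     = $subName
                SubcategoryGuid = $subGuid
                Setting         = $setting
            }
        }
    } finally { [Win32.Advapi32]::AuditFree($pPolicy) }
}

Get-AdvancedAuditPolicy | Sort-Object Category, Subcategory | Format-Table -AutoSize
```

The objects this emits can be compared against a baseline (for example, a list of subcategories that must be set to "Success and Failure") with `Compare-Object`, which is the usual reason to want this data in a language-independent form. Two details matter for getting the same numbers `auditpol.exe` shows: the `BOOLEAN` return values must be marshalled as one byte, otherwise a successful call can be misread as a failure, and every pointer the API hands back must go through `AuditFree`, which is why the string lookups and the two buffers are wrapped in `try`/`finally`.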