Vanara/PInvoke/Security/AdvApi32/NTSecApi.Audit.cs


using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.InteropServices;
using Vanara.Extensions;
using Vanara.InteropServices;
namespace Vanara.PInvoke
{
public static partial class AdvApi32
{
/// <summary>
/// Flags that specify the conditions under which the security event type specified by the AuditSubCategoryGuid and AuditCategoryGuid members are audited.
/// </summary>
/// <remarks>
/// This enumeration merges two independent native flag sets that share numeric values: the <c>POLICY_AUDIT_EVENT_*</c> members are
/// interpreted by AuditSetSystemPolicy/AuditQuerySystemPolicy, the <c>PER_USER_*</c> members by AuditSetPerUserPolicy/AuditQueryPerUserPolicy.
/// Because, for example, <c>POLICY_AUDIT_EVENT_SUCCESS</c> and <c>PER_USER_AUDIT_SUCCESS_INCLUDE</c> are both 0x1, a value is only
/// meaningful together with the API it was read from or is being passed to; combining members from the two sets in one value is an error.
/// </remarks>
[PInvokeData("ntsecapi.h")]
[Flags]
public enum AuditCondition : uint
{
/// <summary>Do not change auditing options for the specified event type.
/// <para>This value is valid for the AuditSetSystemPolicy and AuditQuerySystemPolicy functions.</para></summary>
POLICY_AUDIT_EVENT_UNCHANGED = 0x00000000,
/// <summary>Audit successful occurrences of the specified event type.
/// <para>This value is valid for the AuditSetSystemPolicy and AuditQuerySystemPolicy functions.</para></summary>
POLICY_AUDIT_EVENT_SUCCESS = 0x00000001,
/// <summary>Audit failed attempts to cause the specified event type.
/// <para>This value is valid for the AuditSetSystemPolicy and AuditQuerySystemPolicy functions.</para></summary>
POLICY_AUDIT_EVENT_FAILURE = 0x00000002,
/// <summary>Do not audit the specified event type.
/// <para>This value is valid for the AuditSetSystemPolicy and AuditQuerySystemPolicy functions.</para>
/// <para>Note that this is a distinct flag (0x4), not the absence of the SUCCESS/FAILURE flags.</para></summary>
POLICY_AUDIT_EVENT_NONE = 0x00000004,
/// <summary>Do not change auditing options for the specified event type.
/// <para>This value is valid for the AuditSetPerUserPolicy and AuditQueryPerUserPolicy functions.</para></summary>
PER_USER_POLICY_UNCHANGED = 0x00,
/// <summary>Audit successful occurrences of the specified event type.
/// <para>This value is valid for the AuditSetPerUserPolicy and AuditQueryPerUserPolicy functions.</para></summary>
PER_USER_AUDIT_SUCCESS_INCLUDE = 0x01,
/// <summary>Do not audit successful occurrences of the specified event type.
/// <para>This value is valid for the AuditSetPerUserPolicy and AuditQueryPerUserPolicy functions.</para></summary>
PER_USER_AUDIT_SUCCESS_EXCLUDE = 0x02,
/// <summary>Audit failed attempts to cause the specified event type.
/// <para>This value is valid for the AuditSetPerUserPolicy and AuditQueryPerUserPolicy functions.</para></summary>
PER_USER_AUDIT_FAILURE_INCLUDE = 0x04,
/// <summary>Do not audit failed attempts to cause the specified event type.
/// <para>This value is valid for the AuditSetPerUserPolicy and AuditQueryPerUserPolicy functions.</para></summary>
PER_USER_AUDIT_FAILURE_EXCLUDE = 0x08,
/// <summary>Do not audit the specified event type.
/// <para>This value is valid for the AuditSetPerUserPolicy and AuditQueryPerUserPolicy functions.</para></summary>
PER_USER_AUDIT_NONE = 0x10,
}
/// <summary>
/// The <c>POLICY_AUDIT_EVENT_TYPE</c> enumeration defines values that indicate the types of events the system can audit. The
/// LsaQueryInformationPolicy and LsaSetInformationPolicy functions use this enumeration when their InformationClass parameters are
/// set to PolicyAuditEventsInformation.
/// </summary>
/// <remarks>
/// <para>
/// The <c>POLICY_AUDIT_EVENT_TYPE</c> enumeration may expand in future versions of Windows. Because of this, you should not compute
/// the number of values in this enumeration directly. Instead, you should obtain the count of values by calling
/// LsaQueryInformationPolicy with the InformationClass parameter set to PolicyAuditEventsInformation and extract the count from the
/// <c>MaximumAuditEventCount</c> member of the returned POLICY_AUDIT_EVENTS_INFO structure.
/// </para>
/// <para>
/// These members are the category identifiers accepted by AuditLookupCategoryGuidFromCategoryId and returned by
/// AuditLookupCategoryIdFromCategoryGuid, which convert between them and the category GUIDs used by the other Audit* functions.
/// </para>
/// </remarks>
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/ne-ntsecapi-_policy_audit_event_type typedef enum
// _POLICY_AUDIT_EVENT_TYPE { AuditCategorySystem, AuditCategoryLogon, AuditCategoryObjectAccess, AuditCategoryPrivilegeUse,
// AuditCategoryDetailedTracking, AuditCategoryPolicyChange, AuditCategoryAccountManagement, AuditCategoryDirectoryServiceAccess,
// AuditCategoryAccountLogon } POLICY_AUDIT_EVENT_TYPE, *PPOLICY_AUDIT_EVENT_TYPE;
[PInvokeData("ntsecapi.h", MSDNShortId = "e8dbd1d5-37d5-4a97-9d1c-c645871dc7a5")]
public enum POLICY_AUDIT_EVENT_TYPE
{
/// <summary>
/// Determines whether the operating system must audit system-level events (for example security subsystem startup/shutdown, system
/// time changes, and loss of audited events). See the Windows SDK documentation for this value for the complete list.
/// </summary>
AuditCategorySystem,
// NOTE(review): the SDK reference text for this member and for AuditCategoryAccountLogon appears to be swapped. The text below follows
// the category display names ("Logon/Logoff" for this value, "Account Logon" for credential validation) — confirm before relying on it.
/// <summary>
/// Determines whether the operating system must audit each instance of a user attempt to log on or log off this computer. Also
/// audits logon attempts by privileged accounts that log on to the domain controller. These audit events are generated when the
/// Kerberos Key Distribution Center (KDC) logs on to the domain controller. Logoff attempts are generated whenever the logon
/// session of a logged-on user account is terminated.
/// </summary>
AuditCategoryLogon,
/// <summary>
/// Determines whether the operating system must audit each instance of user attempts to access a non-Active Directory object,
/// such as a file, that has its own system access control list (SACL) specified. The type of access request, such as Write,
/// Read, or Modify, and the account that is making the request must match the settings in the SACL.
/// </summary>
AuditCategoryObjectAccess,
/// <summary>Determines whether the operating system must audit each instance of user attempts to use privileges.</summary>
AuditCategoryPrivilegeUse,
/// <summary>
/// Determines whether the operating system must audit specific events, such as program activation, some forms of handle
/// duplication, indirect access to an object, and process exit.
/// </summary>
AuditCategoryDetailedTracking,
/// <summary>
/// Determines whether the operating system must audit attempts to change Policy object rules, such as user rights assignment
/// policy, audit policy, account policy, or trust policy.
/// </summary>
AuditCategoryPolicyChange,
/// <summary>
/// Determines whether the operating system must audit attempts to create, delete, or change user or group accounts. Also, audit
/// password changes.
/// </summary>
AuditCategoryAccountManagement,
/// <summary>
/// Determines whether the operating system must audit attempts to access the directory service. The Active Directory object has
/// its own SACL specified. The type of access request, such as Write, Read, or Modify, and the account that is making the
/// request must match the settings in the SACL.
/// </summary>
AuditCategoryDirectoryServiceAccess,
// NOTE(review): see the note on AuditCategoryLogon — the SDK text for these two members appears to be swapped; confirm.
/// <summary>
/// Determines whether the operating system must audit each time this computer validates the credentials of an account. Account
/// logon events are generated whenever a computer validates the credentials of one of its local accounts. The credential
/// validation can be in support of a local logon or, in the case of an Active Directory domain account on a domain controller,
/// can be in support of a logon to another computer. Audited events for local accounts must be logged on the local security log
/// of the computer. Account logoff does not generate an event that can be audited.
/// </summary>
AuditCategoryAccountLogon,
}
/// <summary>
/// The <c>AuditComputeEffectivePolicyBySid</c> function computes the effective audit policy for one or more subcategories for the
/// specified security principal. The function computes effective audit policy by combining system audit policy with per-user policy.
/// </summary>
/// <param name="pSid">
/// A pointer to the SID structure associated with the principal for which to compute effective audit policy. Per-user policy for
/// group SIDs is not currently supported.
/// </param>
/// <param name="pSubCategoryGuids">
/// A pointer to an array of <c>GUID</c> values that specify the subcategories for which to compute effective audit policy. For a
/// list of defined subcategories, see Auditing Constants.
/// </param>
/// <param name="dwPolicyCount">
/// The number of elements in each of the pSubCategoryGuids and ppAuditPolicy arrays. In this binding the value also sizes the array
/// marshaler (SizeParamIndex = 2), so it must not exceed the length of <paramref name="pSubCategoryGuids"/>.
/// </param>
/// <param name="ppAuditPolicy">
/// <para>
/// A pointer to a single buffer that contains both an array of pointers to AUDIT_POLICY_INFORMATION structures and the structures
/// themselves. The <c>AUDIT_POLICY_INFORMATION</c> structures specify the effective audit policy for the subcategories specified by
/// the pSubCategoryGuids array.
/// </para>
/// <para>When you have finished using this buffer, free it by calling the AuditFree function.</para>
/// <para>
/// Here the buffer is wrapped in a <see cref="SafeAuditMemoryHandle"/> that owns it (presumably releasing it via AuditFree — confirm
/// against the handle type). Read the <paramref name="dwPolicyCount"/> structures while the handle is alive and do not call
/// AuditFree on the underlying pointer yourself, or the buffer is freed twice.
/// </para>
/// </param>
/// <returns>
/// <para>If the function succeeds, it returns <c>TRUE</c>.</para>
/// <para>
/// If the function fails, it returns <c>FALSE</c>. To get extended error information, call GetLastError. <c>GetLastError</c> may
/// return one of the following error codes defined in WinError.h.
/// </para>
/// <list type="table">
/// <listheader>
/// <term>Return code/value</term>
/// <term>Description</term>
/// </listheader>
/// <item>
/// <term>ERROR_ACCESS_DENIED 5</term>
/// <term>The caller does not have the privilege or access rights necessary to call this function.</term>
/// </item>
/// <item>
/// <term>ERROR_INVALID_PARAMETER 87 (0x57)</term>
/// <term>One or more parameters are not valid.</term>
/// </item>
/// <item>
/// <term>ERROR_FILE_NOT_FOUND 2 (0x2)</term>
/// <term>No per-user audit policy exists for the principal specified by the pSid parameter.</term>
/// </item>
/// </list>
/// </returns>
/// <remarks>
/// To successfully call this function, the caller must have <c>SeSecurityPrivilege</c> or have <c>AUDIT_QUERY_SYSTEM_POLICY</c> and
/// <c>AUDIT_QUERY_USER_POLICY</c> access on the Audit security object.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-auditcomputeeffectivepolicybysid BOOLEAN
// AuditComputeEffectivePolicyBySid( const PSID pSid, const GUID *pSubCategoryGuids, ULONG dwPolicyCount, PAUDIT_POLICY_INFORMATION
// *ppAuditPolicy );
[DllImport(Lib.AdvApi32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("ntsecapi.h", MSDNShortId = "cac928e5-8d8f-4b2f-9c1b-c00dc891e3d1")]
[return: MarshalAs(UnmanagedType.U1)]
public static extern bool AuditComputeEffectivePolicyBySid(PSID pSid, [In, MarshalAs(UnmanagedType.LPArray, SizeParamIndex = 2)] Guid[] pSubCategoryGuids, uint dwPolicyCount, out SafeAuditMemoryHandle ppAuditPolicy);
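/// <summary>
/// The <c>AuditComputeEffectivePolicyBySid</c> function computes the effective audit policy for one or more subcategories for the
/// specified security principal. The function computes effective audit policy by combining system audit policy with per-user policy.
/// </summary>
/// <param name="pSid">
/// A pointer to the SID structure associated with the principal for which to compute effective audit policy. Per-user policy for
/// group SIDs is not currently supported.
/// </param>
/// <param name="pSubCategoryGuids">
/// An array of <c>GUID</c> values that specify the subcategories for which to compute effective audit policy. For a list of defined
/// subcategories, see Auditing Constants.
/// </param>
/// <returns>
/// A list of AUDIT_POLICY_INFORMATION structures that specify the effective audit policy for the subcategories specified by the
/// pSubCategoryGuids array, one per input GUID. The result is fully materialized and the native buffer is released before this method
/// returns, so it can be enumerated any number of times.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="pSubCategoryGuids"/> is <see langword="null"/>.</exception>
/// <exception cref="Exception">
/// The native call failed; the exception carries the Win32 error. Note that the native function reports ERROR_FILE_NOT_FOUND when no
/// per-user audit policy exists for <paramref name="pSid"/>, so that case surfaces here as an exception rather than as an empty result.
/// </exception>
[PInvokeData("ntsecapi.h", MSDNShortId = "cac928e5-8d8f-4b2f-9c1b-c00dc891e3d1")]
public static IEnumerable<AUDIT_POLICY_INFORMATION> AuditComputeEffectivePolicyBySid(PSID pSid, [In] Guid[] pSubCategoryGuids)
{
	if (pSubCategoryGuids is null) throw new ArgumentNullException(nameof(pSubCategoryGuids));
	if (!AuditComputeEffectivePolicyBySid(pSid, pSubCategoryGuids, (uint)pSubCategoryGuids.Length, out var h))
		throw Win32Error.GetLastError().GetException();
	// Copy the structures out while the handle is still referenced, then release the buffer deterministically. If ToIEnum enumerates
	// lazily, returning it directly would let the handle become unreachable and its finalizer free the buffer mid-enumeration.
	using (h)
		return h.ToIEnum<AUDIT_POLICY_INFORMATION>(pSubCategoryGuids.Length).ToArray();
}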
/// <summary>
/// The <c>AuditComputeEffectivePolicyByToken</c> function computes the effective audit policy for one or more subcategories for the
/// security principal associated with the specified token. The function computes effective audit policy by combining system audit
/// policy with per-user policy.
/// </summary>
/// <param name="hTokenHandle">
/// A handle to the access token associated with the principal for which to compute effective audit policy. The token must have been
/// opened with <c>TOKEN_QUERY</c> access. Per-user policy for group SIDs is not currently supported.
/// </param>
/// <param name="pSubCategoryGuids">
/// A pointer to an array of <c>GUID</c> values that specify the subcategories for which to compute effective audit policy. For a
/// list of defined subcategories, see Auditing Constants.
/// </param>
/// <param name="dwPolicyCount">
/// The number of elements in each of the pSubCategoryGuids and ppAuditPolicy arrays. In this binding the value also sizes the array
/// marshaler (SizeParamIndex = 2), so it must not exceed the length of <paramref name="pSubCategoryGuids"/>.
/// </param>
/// <param name="ppAuditPolicy">
/// <para>
/// A pointer to a single buffer that contains both an array of pointers to AUDIT_POLICY_INFORMATION structures and the structures
/// themselves. The <c>AUDIT_POLICY_INFORMATION</c> structures specify the effective audit policy for the subcategories specified by
/// the pSubCategoryGuids array.
/// </para>
/// <para>When you have finished using this buffer, free it by calling the AuditFree function.</para>
/// <para>
/// Here the buffer is wrapped in a <see cref="SafeAuditMemoryHandle"/> that owns it (presumably releasing it via AuditFree — confirm
/// against the handle type). Read the structures while the handle is alive and do not call AuditFree on the underlying pointer yourself.
/// </para>
/// </param>
/// <returns>
/// <para>If the function succeeds, it returns <c>TRUE</c>.</para>
/// <para>
/// If the function fails, it returns <c>FALSE</c>. To get extended error information, call GetLastError. <c>GetLastError</c> may
/// return one of the following error codes defined in WinError.h.
/// </para>
/// <list type="table">
/// <listheader>
/// <term>Return code/value</term>
/// <term>Description</term>
/// </listheader>
/// <item>
/// <term>ERROR_ACCESS_DENIED 5</term>
/// <term>The caller does not have the privilege or access rights necessary to call this function.</term>
/// </item>
/// <item>
/// <term>ERROR_INVALID_PARAMETER 87</term>
/// <term>One or more parameters are invalid.</term>
/// </item>
/// <item>
/// <term>ERROR_FILE_NOT_FOUND 2 (0x2)</term>
/// <term>No per-user audit policy exists for the principal associated with the token.</term>
/// </item>
/// </list>
/// </returns>
/// <remarks>
/// To successfully call this function, the caller must have <c>SeSecurityPrivilege</c> or have both <c>AUDIT_QUERY_SYSTEM_POLICY</c>
/// and <c>AUDIT_QUERY_USER_POLICY</c> access on the Audit security object.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-auditcomputeeffectivepolicybytoken BOOLEAN
// AuditComputeEffectivePolicyByToken( HANDLE hTokenHandle, const GUID *pSubCategoryGuids, ULONG dwPolicyCount,
// PAUDIT_POLICY_INFORMATION *ppAuditPolicy );
[DllImport(Lib.AdvApi32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("ntsecapi.h", MSDNShortId = "e5fc9b8d-a61e-48c2-9093-f27167232cc8")]
[return: MarshalAs(UnmanagedType.U1)]
public static extern bool AuditComputeEffectivePolicyByToken(HTOKEN hTokenHandle, [In, MarshalAs(UnmanagedType.LPArray, SizeParamIndex = 2)] Guid[] pSubCategoryGuids, uint dwPolicyCount, out SafeAuditMemoryHandle ppAuditPolicy);
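/// <summary>
/// The <c>AuditComputeEffectivePolicyByToken</c> function computes the effective audit policy for one or more subcategories for the
/// security principal associated with the specified token. The function computes effective audit policy by combining system audit
/// policy with per-user policy.
/// </summary>
/// <param name="hTokenHandle">
/// A handle to the access token associated with the principal for which to compute effective audit policy. The token must have been
/// opened with <c>TOKEN_QUERY</c> access. Per-user policy for group SIDs is not currently supported.
/// </param>
/// <param name="pSubCategoryGuids">
/// An array of <c>GUID</c> values that specify the subcategories for which to compute effective audit policy. For a list of defined
/// subcategories, see Auditing Constants.
/// </param>
/// <returns>
/// A list of <c>AUDIT_POLICY_INFORMATION</c> structures that specify the effective audit policy for the subcategories specified by
/// the pSubCategoryGuids array, one per input GUID. The result is fully materialized and the native buffer is released before this
/// method returns, so it can be enumerated any number of times.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="pSubCategoryGuids"/> is <see langword="null"/>.</exception>
/// <exception cref="Exception">
/// The native call failed; the exception carries the Win32 error. The native function reports ERROR_FILE_NOT_FOUND when no per-user
/// audit policy exists for the token's principal, so that case surfaces as an exception rather than as an empty result.
/// </exception>
/// <remarks>
/// To successfully call this function, the caller must have <c>SeSecurityPrivilege</c> or have both <c>AUDIT_QUERY_SYSTEM_POLICY</c>
/// and <c>AUDIT_QUERY_USER_POLICY</c> access on the Audit security object.
/// </remarks>
[PInvokeData("ntsecapi.h", MSDNShortId = "e5fc9b8d-a61e-48c2-9093-f27167232cc8")]
public static IEnumerable<AUDIT_POLICY_INFORMATION> AuditComputeEffectivePolicyByToken(HTOKEN hTokenHandle, [In] Guid[] pSubCategoryGuids)
{
	if (pSubCategoryGuids is null) throw new ArgumentNullException(nameof(pSubCategoryGuids));
	if (!AuditComputeEffectivePolicyByToken(hTokenHandle, pSubCategoryGuids, (uint)pSubCategoryGuids.Length, out var h))
		throw Win32Error.GetLastError().GetException();
	// Materialize while the handle is still referenced, then release the buffer deterministically. If ToIEnum enumerates lazily,
	// returning it directly would let the handle become unreachable and its finalizer free the buffer mid-enumeration.
	using (h)
		return h.ToIEnum<AUDIT_POLICY_INFORMATION>(pSubCategoryGuids.Length).ToArray();
}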
/// <summary>The <c>AuditEnumerateCategories</c> function enumerates the available audit-policy categories.</summary>
/// <param name="ppAuditCategoriesArray">
/// <para>
/// A pointer to a single buffer that contains both an array of pointers to <c>GUID</c> structures and the structures themselves. The
/// <c>GUID</c> structures specify the audit-policy categories available on the computer.
/// </para>
/// <para>When you have finished using this buffer, free it by calling the AuditFree function.</para>
/// <para>
/// Here the buffer is wrapped in a <see cref="SafeAuditMemoryHandle"/> that owns it; read <paramref name="pdwCountReturned"/> GUIDs
/// from it while the handle is alive and do not free the underlying pointer yourself.
/// </para>
/// </param>
/// <param name="pdwCountReturned">A pointer to the number of elements in the ppAuditCategoriesArray array.</param>
/// <returns>
/// <para>If the function succeeds, it returns <c>TRUE</c>.</para>
/// <para>If the function fails, it returns <c>FALSE</c>. To get extended error information, call GetLastError.</para>
/// </returns>
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-auditenumeratecategories BOOLEAN
// AuditEnumerateCategories( GUID **ppAuditCategoriesArray, PULONG pdwCountReturned );
[DllImport(Lib.AdvApi32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("ntsecapi.h", MSDNShortId = "bcfdb24b-182e-4845-95c0-a210915435ae")]
[return: MarshalAs(UnmanagedType.U1)]
public static extern bool AuditEnumerateCategories(out SafeAuditMemoryHandle ppAuditCategoriesArray, out uint pdwCountReturned);
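/// <summary>The <c>AuditEnumerateCategories</c> function enumerates the available audit-policy categories.</summary>
/// <returns>
/// The <c>GUID</c> structures that specify the audit-policy categories available on the computer. The result is fully materialized
/// and the native buffer is released before this method returns, so it can be enumerated any number of times.
/// </returns>
/// <exception cref="Exception">The native call failed; the exception carries the Win32 error.</exception>
[PInvokeData("ntsecapi.h", MSDNShortId = "bcfdb24b-182e-4845-95c0-a210915435ae")]
public static IEnumerable<Guid> AuditEnumerateCategories()
{
	if (!AuditEnumerateCategories(out var h, out var count))
		throw Win32Error.GetLastError().GetException();
	// Copy the GUIDs out while the handle is still referenced, then release the buffer deterministically instead of relying on the
	// finalizer; a lazily-enumerated result over an unreferenced handle could otherwise read freed memory.
	using (h)
		return h.ToIEnum<Guid>((int)count).ToArray();
}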
/// <summary>The <c>AuditEnumeratePerUserPolicy</c> function enumerates users for whom per-user auditing policy is specified.</summary>
/// <param name="ppAuditSidArray">
/// <para>
/// A pointer to a single buffer that contains both an array of pointers to POLICY_AUDIT_SID_ARRAY structures and the structures
/// themselves. The <c>POLICY_AUDIT_SID_ARRAY</c> structures specify the users for whom per-user audit policy is specified.
/// </para>
/// <para>When you have finished using this buffer, free it by calling the AuditFree function.</para>
/// <para>
/// Here the buffer is wrapped in a <see cref="SafeAuditMemoryHandle"/> that owns it. The SID pointers inside the
/// POLICY_AUDIT_SID_ARRAY point into this same buffer, so they are only valid while the handle is alive; copy any SID you need to
/// keep before the handle is disposed or collected.
/// </para>
/// </param>
/// <returns>
/// <para>If the function succeeds, it returns <c>TRUE</c>.</para>
/// <para>
/// If the function fails, it returns <c>FALSE</c>. To get extended error information, call GetLastError. <c>GetLastError</c> may
/// return one of the following error codes defined in WinError.h.
/// </para>
/// <list type="table">
/// <listheader>
/// <term>Return code/value</term>
/// <term>Description</term>
/// </listheader>
/// <item>
/// <term>ERROR_ACCESS_DENIED 5</term>
/// <term>The caller does not have the privilege or access rights necessary to call this function.</term>
/// </item>
/// <item>
/// <term>ERROR_INVALID_PARAMETER 87</term>
/// <term>One or more parameters are invalid.</term>
/// </item>
/// </list>
/// </returns>
/// <remarks>
/// To successfully call this function, the caller must have <c>SeSecurityPrivilege</c> or have <c>AUDIT_ENUMERATE_USERS</c> access
/// on the Audit security object.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-auditenumerateperuserpolicy BOOLEAN
// AuditEnumeratePerUserPolicy( PPOLICY_AUDIT_SID_ARRAY *ppAuditSidArray );
[DllImport(Lib.AdvApi32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("ntsecapi.h", MSDNShortId = "4b13f021-ba08-4eb8-9c7a-0512992ef272")]
[return: MarshalAs(UnmanagedType.U1)]
public static extern bool AuditEnumeratePerUserPolicy(out SafeAuditMemoryHandle ppAuditSidArray);
/// <summary>The <c>AuditEnumeratePerUserPolicy</c> function enumerates users for whom per-user auditing policy is specified.</summary>
/// <returns>The user SIDs for whom per-user audit policy is specified.</returns>
/// <exception cref="Exception">The native call failed; the exception carries the Win32 error.</exception>
/// <remarks>
/// NOTE(review): the returned <see cref="PSID"/> values are pointers into the native buffer owned by the
/// <see cref="SafeAuditMemoryHandle"/> obtained here. That handle is unreferenced once this method returns and its finalizer may
/// release the buffer at any later time, so callers should copy the SIDs they need (for example into a <c>SafePSID</c>) promptly and
/// not hold the raw pointers. Whether <c>POLICY_AUDIT_SID_ARRAY.UserSidArray</c> copies or merely references the buffer should be
/// confirmed against that type.
/// </remarks>
[PInvokeData("ntsecapi.h", MSDNShortId = "4b13f021-ba08-4eb8-9c7a-0512992ef272")]
public static IEnumerable<PSID> AuditEnumeratePerUserPolicy()
{
	if (!AuditEnumeratePerUserPolicy(out var sidArrayHandle))
		throw Win32Error.GetLastError().GetException();
	var sidArray = sidArrayHandle.ToStructure<POLICY_AUDIT_SID_ARRAY>();
	return sidArray.UserSidArray;
}
/// <summary>The <c>AuditEnumerateSubCategories</c> function enumerates the available audit-policy subcategories.</summary>
/// <param name="pAuditCategoryGuid">
/// The <c>GUID</c> of an audit-policy category for which subcategories are enumerated. If the value of the bRetrieveAllSubCategories
/// parameter is <c>TRUE</c>, this parameter is ignored.
/// </param>
/// <param name="bRetrieveAllSubCategories">
/// <c>TRUE</c> to enumerate all audit-policy subcategories; <c>FALSE</c> to enumerate only the subcategories of the audit-policy
/// category specified by the pAuditCategoryGuid parameter.
/// </param>
/// <param name="ppAuditSubCategoriesArray">
/// <para>
/// A pointer to a single buffer that contains both an array of pointers to <c>GUID</c> structures and the structures themselves. The
/// <c>GUID</c> structures specify the audit-policy subcategories available on the computer.
/// </para>
/// <para>When you have finished using this buffer, free it by calling the AuditFree function.</para>
/// <para>
/// Here the buffer is wrapped in a <see cref="SafeAuditMemoryHandle"/> that owns it; read <paramref name="pdwCountReturned"/> GUIDs
/// from it while the handle is alive and do not free the underlying pointer yourself.
/// </para>
/// </param>
/// <param name="pdwCountReturned">
/// A pointer to the number of audit-policy subcategories returned in the ppAuditSubCategoriesArray array.
/// </param>
/// <returns>
/// <para>If the function succeeds, it returns <c>TRUE</c>.</para>
/// <para>If the function fails, it returns <c>FALSE</c>. To get extended error information, call GetLastError.</para>
/// </returns>
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-auditenumeratesubcategories BOOLEAN
// AuditEnumerateSubCategories( const GUID *pAuditCategoryGuid, BOOLEAN bRetrieveAllSubCategories, GUID **ppAuditSubCategoriesArray,
// PULONG pdwCountReturned );
[DllImport(Lib.AdvApi32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("ntsecapi.h", MSDNShortId = "c5af83f4-9524-4a39-ad1d-39b21bb073bd")]
[return: MarshalAs(UnmanagedType.U1)]
public static extern bool AuditEnumerateSubCategories(in Guid pAuditCategoryGuid, [MarshalAs(UnmanagedType.U1)] bool bRetrieveAllSubCategories, out SafeAuditMemoryHandle ppAuditSubCategoriesArray, out uint pdwCountReturned);
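/// <summary>The <c>AuditEnumerateSubCategories</c> function enumerates the available audit-policy subcategories.</summary>
/// <param name="pAuditCategoryGuid">
/// The <c>GUID</c> of an audit-policy category for which subcategories are enumerated. If the value is <see langword="null"/>, then
/// all subcategories are enumerated.
/// </param>
/// <returns>
/// A list of <c>GUID</c> structures that specify the audit-policy subcategories available on the computer. The result is fully
/// materialized and the native buffer is released before this method returns, so it can be enumerated any number of times.
/// </returns>
/// <exception cref="Exception">The native call failed; the exception carries the Win32 error.</exception>
[PInvokeData("ntsecapi.h", MSDNShortId = "c5af83f4-9524-4a39-ad1d-39b21bb073bd")]
public static IEnumerable<Guid> AuditEnumerateSubCategories(Guid? pAuditCategoryGuid = null)
{
	// When no category is given the native function is asked for all subcategories and ignores the GUID, so Guid.Empty is a safe filler.
	var retrieveAll = !pAuditCategoryGuid.HasValue;
	var categoryGuid = pAuditCategoryGuid ?? Guid.Empty;
	if (!AuditEnumerateSubCategories(categoryGuid, retrieveAll, out var h, out var count))
		throw Win32Error.GetLastError().GetException();
	// Copy the GUIDs out while the handle is still referenced, then release the buffer deterministically instead of relying on the
	// finalizer; a lazily-enumerated result over an unreferenced handle could otherwise read freed memory.
	using (h)
		return h.ToIEnum<Guid>((int)count).ToArray();
}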
/// <summary>The <c>AuditFree</c> function frees the memory allocated by audit functions for the specified buffer.</summary>
/// <param name="Buffer">A pointer to the buffer to free.</param>
/// <returns>This function does not return a value.</returns>
/// <remarks>
/// Only pass pointers obtained from the raw Audit* functions that document freeing via AuditFree. Buffers returned through a
/// <see cref="SafeAuditMemoryHandle"/> are presumably released by the handle itself (confirm against the handle type); freeing such a
/// pointer here as well would release it twice. SetLastError is not captured for this call because it reports nothing.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-auditfree void AuditFree( PVOID Buffer );
[DllImport(Lib.AdvApi32, SetLastError = false, ExactSpelling = true)]
[PInvokeData("ntsecapi.h", MSDNShortId = "697baf9b-91c4-4a88-a190-e9f6812e08af")]
public static extern void AuditFree(IntPtr Buffer);
/// <summary>
/// The <c>AuditLookupCategoryGuidFromCategoryId</c> function retrieves a <c>GUID</c> structure that represents the specified
/// audit-policy category.
/// </summary>
/// <param name="AuditCategoryId">An element of the POLICY_AUDIT_EVENT_TYPE enumeration that specifies an audit-policy category.</param>
/// <param name="pAuditCategoryGuid">
/// A pointer to a <c>GUID</c> structure that represents the audit-policy category specified by the AuditCategoryId. Its content is
/// only meaningful when the function returns <c>TRUE</c>.
/// </param>
/// <returns>
/// <para>If the function succeeds, it returns <c>TRUE</c>.</para>
/// <para>If the function fails, it returns <c>FALSE</c>. To get extended error information, call GetLastError.</para>
/// </returns>
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-auditlookupcategoryguidfromcategoryid BOOLEAN
// AuditLookupCategoryGuidFromCategoryId( POLICY_AUDIT_EVENT_TYPE AuditCategoryId, GUID *pAuditCategoryGuid );
[DllImport(Lib.AdvApi32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("ntsecapi.h", MSDNShortId = "2f00fe52-2e94-473a-be13-252b50b58522")]
[return: MarshalAs(UnmanagedType.U1)]
public static extern bool AuditLookupCategoryGuidFromCategoryId(POLICY_AUDIT_EVENT_TYPE AuditCategoryId, out Guid pAuditCategoryGuid);
/// <summary>
/// The <c>AuditLookupCategoryIdFromCategoryGuid</c> function retrieves an element of the POLICY_AUDIT_EVENT_TYPE enumeration that
/// represents the specified audit-policy category.
/// </summary>
/// <param name="pAuditCategoryGuid">A pointer to a <c>GUID</c> structure that specifies an audit-policy category.</param>
/// <param name="pAuditCategoryId">
/// A pointer to an element of the POLICY_AUDIT_EVENT_TYPE enumeration that represents the audit-policy category specified by the
/// pAuditCategoryGuid parameter. Its value is only meaningful when the function returns <c>TRUE</c>.
/// </param>
/// <returns>
/// <para>If the function succeeds, it returns <c>TRUE</c>.</para>
/// <para>If the function fails, it returns <c>FALSE</c>. To get extended error information, call GetLastError.</para>
/// </returns>
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-auditlookupcategoryidfromcategoryguid BOOLEAN
// AuditLookupCategoryIdFromCategoryGuid( const GUID *pAuditCategoryGuid, PPOLICY_AUDIT_EVENT_TYPE pAuditCategoryId );
[DllImport(Lib.AdvApi32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("ntsecapi.h", MSDNShortId = "c50e39f0-d45f-4deb-abe5-6261775b507c")]
[return: MarshalAs(UnmanagedType.U1)]
public static extern bool AuditLookupCategoryIdFromCategoryGuid(in Guid pAuditCategoryGuid, out POLICY_AUDIT_EVENT_TYPE pAuditCategoryId);
/// <summary>The <c>AuditLookupCategoryName</c> function retrieves the display name of the specified audit-policy category.</summary>
/// <param name="pAuditCategoryGuid">A pointer to a <c>GUID</c> structure that specifies an audit-policy category.</param>
/// <param name="ppszCategoryName">
/// <para>
/// The address of a pointer to a null-terminated string that contains the display name of the audit-policy category specified by the
/// pAuditCategoryGuid parameter.
/// </para>
/// <para>When you have finished using this string, free it by calling the AuditFree function.</para>
/// <para>
/// In this binding the native string is converted to a managed <see cref="string"/> by <c>AuditStringMarshaler</c>, which is
/// presumably also responsible for freeing the native buffer (confirm against the marshaler); the caller has nothing to free. The
/// name is a localized display string intended for people, not a stable identifier — key on the GUID, not on the name.
/// </para>
/// </param>
/// <returns>
/// <para>If the function succeeds, it returns <c>TRUE</c>.</para>
/// <para>If the function fails, it returns <c>FALSE</c>. To get extended error information, call GetLastError.</para>
/// </returns>
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-auditlookupcategorynamea BOOLEAN
// AuditLookupCategoryNameA( const GUID *pAuditCategoryGuid, PSTR *ppszCategoryName );
// CharSet.Auto without ExactSpelling lets the runtime pick the A/W entry point to match the platform character set.
[DllImport(Lib.AdvApi32, SetLastError = true, CharSet = CharSet.Auto)]
[PInvokeData("ntsecapi.h", MSDNShortId = "8b30d864-8eb5-42d8-bc9a-a9eae1de5187")]
[return: MarshalAs(UnmanagedType.U1)]
public static extern bool AuditLookupCategoryName(in Guid pAuditCategoryGuid, [MarshalAs(UnmanagedType.CustomMarshaler, MarshalTypeRef = typeof(AuditStringMarshaler))] out string ppszCategoryName);
/// <summary>The <c>AuditLookupSubCategoryName</c> function retrieves the display name of the specified audit-policy subcategory.</summary>
/// <param name="pAuditSubCategoryGuid">A pointer to a <c>GUID</c> structure that specifies an audit-policy subcategory.</param>
/// <param name="ppszSubCategoryName">
/// <para>
/// The address of a pointer to a null-terminated string that contains the display name of the audit-policy subcategory specified by
/// the pAuditSubCategoryGuid parameter.
/// </para>
/// <para>When you have finished using this string, free it by calling the AuditFree function.</para>
/// <para>
/// In this binding the native string is converted to a managed <see cref="string"/> by <c>AuditStringMarshaler</c>, which is
/// presumably also responsible for freeing the native buffer (confirm against the marshaler); the caller has nothing to free. The
/// name is a localized display string intended for people, not a stable identifier — key on the GUID, not on the name.
/// </para>
/// </param>
/// <returns>
/// <para>If the function succeeds, it returns <c>TRUE</c>.</para>
/// <para>If the function fails, it returns <c>FALSE</c>. To get extended error information, call GetLastError.</para>
/// </returns>
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-auditlookupsubcategorynamea BOOLEAN
// AuditLookupSubCategoryNameA( const GUID *pAuditSubCategoryGuid, PSTR *ppszSubCategoryName );
// CharSet.Auto without ExactSpelling lets the runtime pick the A/W entry point to match the platform character set.
[DllImport(Lib.AdvApi32, SetLastError = true, CharSet = CharSet.Auto)]
[PInvokeData("ntsecapi.h", MSDNShortId = "65ccd0f6-ee43-4b4d-98fd-b7a49f23ad9d")]
[return: MarshalAs(UnmanagedType.U1)]
public static extern bool AuditLookupSubCategoryName(in Guid pAuditSubCategoryGuid, [MarshalAs(UnmanagedType.CustomMarshaler, MarshalTypeRef = typeof(AuditStringMarshaler))] out string ppszSubCategoryName);
/// <summary>
/// The <c>AuditQueryGlobalSacl</c> function retrieves a global system access control list (SACL) that delegates access to the audit
/// messages. Updating the global SACL requires the <c>SeSecurityPrivilege</c> which protects the global SACL from being updated by
/// any user without administrator privileges.
/// </summary>
/// <param name="ObjectTypeName">
/// A pointer to a null-terminated string specifying the type of object being accessed. This parameter must be either "File" or
/// "Key", depending on whether the object is a file or registry. This string appears in any audit message that the function generates.
/// Any other value is expected to fail with ERROR_INVALID_PARAMETER rather than silently query nothing.
/// </param>
/// <param name="Acl">
/// A pointer to an ACL structure that contains the SACL information. This should be freed later by calling the LocalFree function.
/// Here the ACL is wrapped in a <see cref="SafePACL"/>, which is presumably responsible for that LocalFree (confirm against the
/// handle type); do not free the underlying pointer yourself. The global SACL is the object-access audit baseline applied to every
/// file or every registry key, so read it before changing it with the corresponding Set function.
/// </param>
/// <returns>
/// <para>If the function succeeds, it returns <c>TRUE</c>.</para>
/// <para>
/// If the function fails, it returns <c>FALSE</c>. To get extended error information, call GetLastError. <c>GetLastError</c> may
/// return one of the following error codes defined in WinError.h.
/// </para>
/// <list type="table">
/// <listheader>
/// <term>Return code/value</term>
/// <term>Description</term>
/// </listheader>
/// <item>
/// <term>ERROR_ACCESS_DENIED 5</term>
/// <term>The caller does not have the privilege or access rights necessary to call this function.</term>
/// </item>
/// <item>
/// <term>ERROR_INVALID_PARAMETER 87</term>
/// <term>One or more parameters are invalid.</term>
/// </item>
/// </list>
/// </returns>
/// <remarks>To successfully call this function, the caller must have <c>SeSecurityPrivilege</c>.</remarks>
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-auditqueryglobalsacla BOOLEAN AuditQueryGlobalSaclA(
// PCSTR ObjectTypeName, PACL *Acl );
// CharSet.Auto without ExactSpelling lets the runtime pick the A/W entry point to match the platform character set.
[DllImport(Lib.AdvApi32, SetLastError = true, CharSet = CharSet.Auto)]
[PInvokeData("ntsecapi.h", MSDNShortId = "133BBC94-9C89-437A-9146-75A9898A6566")]
[return: MarshalAs(UnmanagedType.U1)]
public static extern bool AuditQueryGlobalSacl(string ObjectTypeName, out SafePACL Acl);
/// <summary>
/// The <c>AuditQueryPerUserPolicy</c> function retrieves per-user audit policy in one or more audit-policy subcategories for the
/// specified principal.
/// </summary>
/// <param name="pSid">
/// A pointer to the SID structure associated with the principal for which to query audit policy. Per-user policy for group SIDs is
/// not currently supported.
/// </param>
/// <param name="pSubCategoryGuids">
/// A pointer to an array of <c>GUID</c> values that specify the subcategories for which to query audit policy. For a list of defined
/// audit-policy subcategories, see Auditing Constants.
/// </param>
/// <param name="dwPolicyCount">
/// The number of elements in each of the pSubCategoryGuids and ppAuditPolicy arrays. In this binding the array is marshaled with
/// <c>SizeParamIndex</c> pointing at this parameter, so it must not exceed the length of <paramref name="pSubCategoryGuids"/>.
/// </param>
/// <param name="ppAuditPolicy">
/// <para>
/// A pointer to a single buffer that contains both an array of pointers to AUDIT_POLICY_INFORMATION structures and the structures
/// themselves. The <c>AUDIT_POLICY_INFORMATION</c> structures specify the per-user audit policy for the subcategories specified by
/// the pSubCategoryGuids array.
/// </para>
/// <para>When you have finished using this buffer, free it by calling the AuditFree function.</para>
/// <para>
/// In this binding the buffer is returned as a <see cref="SafeAuditMemoryHandle"/>, whose release calls <see cref="AuditFree"/>;
/// dispose the handle instead of calling <c>AuditFree</c> yourself, and read its contents before it is disposed.
/// </para>
/// </param>
/// <returns>
/// <para>If the function succeeds, it returns <c>TRUE</c>.</para>
/// <para>
/// If the function fails, it returns <c>FALSE</c>. To get extended error information, call GetLastError. <c>GetLastError</c> may
/// return one of the following error codes defined in WinError.h.
/// </para>
/// <list type="table">
/// <listheader>
/// <term>Return code/value</term>
/// <term>Description</term>
/// </listheader>
/// <item>
/// <term>ERROR_FILE_NOT_FOUND 2</term>
/// <term>No per-user audit policy exists for the principal specified by the pSid parameter.</term>
/// </item>
/// <item>
/// <term>ERROR_ACCESS_DENIED 5</term>
/// <term>The caller does not have the privilege or access rights necessary to call this function.</term>
/// </item>
/// <item>
/// <term>ERROR_INVALID_PARAMETER 87</term>
/// <term>One or more parameters are invalid.</term>
/// </item>
/// </list>
/// </returns>
/// <remarks>
/// To successfully call this function, the caller must have <c>SeSecurityPrivilege</c> or have <c>AUDIT_QUERY_USER_POLICY</c> access
/// on the Audit security object.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-auditqueryperuserpolicy BOOLEAN AuditQueryPerUserPolicy(
// const PSID pSid, const GUID *pSubCategoryGuids, ULONG dwPolicyCount, PAUDIT_POLICY_INFORMATION *ppAuditPolicy );
// The native return type is BOOLEAN (one byte), so it is marshaled as U1 rather than the 4-byte default for bool.
[DllImport(Lib.AdvApi32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("ntsecapi.h", MSDNShortId = "7d4790de-ebd6-4840-b532-7158b8d80db2")]
[return: MarshalAs(UnmanagedType.U1)]
public static extern bool AuditQueryPerUserPolicy(PSID pSid, [In, MarshalAs(UnmanagedType.LPArray, SizeParamIndex = 2)] Guid[] pSubCategoryGuids, uint dwPolicyCount, out SafeAuditMemoryHandle ppAuditPolicy);
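/// <summary>
/// The <c>AuditQueryPerUserPolicy</c> function retrieves per-user audit policy in one or more audit-policy subcategories for the
/// specified principal.
/// </summary>
/// <param name="pSid">
/// A pointer to the SID structure associated with the principal for which to query audit policy. Per-user policy for group SIDs is
/// not currently supported.
/// </param>
/// <param name="pSubCategoryGuids">
/// A pointer to an array of <c>GUID</c> values that specify the subcategories for which to query audit policy. For a list of defined
/// audit-policy subcategories, see Auditing Constants. <see langword="null"/> is treated as an empty array.
/// </param>
/// <returns>
/// A list of <c>AUDIT_POLICY_INFORMATION</c> structures that specify the per-user audit policy for the subcategories specified by
/// the pSubCategoryGuids array. The list is fully copied out of the native buffer before the buffer is released, so it remains valid
/// for as long as the caller holds it. An empty list is returned when no per-user policy exists for the principal
/// (<c>ERROR_FILE_NOT_FOUND</c>).
/// </returns>
/// <remarks>
/// <para>
/// To successfully call this function, the caller must have <c>SeSecurityPrivilege</c> or have <c>AUDIT_QUERY_USER_POLICY</c> access
/// on the Audit security object.
/// </para>
/// <para>Any native failure other than <c>ERROR_FILE_NOT_FOUND</c> is surfaced as the exception produced by <c>Win32Error.GetException</c>.</para>
/// </remarks>
[PInvokeData("ntsecapi.h", MSDNShortId = "7d4790de-ebd6-4840-b532-7158b8d80db2")]
public static IEnumerable<AUDIT_POLICY_INFORMATION> AuditQueryPerUserPolicy(PSID pSid, [In] Guid[] pSubCategoryGuids)
{
	var count = pSubCategoryGuids?.Length ?? 0;
	var succeeded = AuditQueryPerUserPolicy(pSid, pSubCategoryGuids, (uint)count, out var h);
	// Release the native buffer deterministically (SafeAuditMemoryHandle frees it with AuditFree) rather than leaving it to the finalizer.
	using (h)
	{
		if (succeeded)
		{
			// Copy the structures while the buffer is still owned by the handle. The sequence produced by ToIEnum reads from the
			// handle's memory, so returning it un-materialized would let the caller enumerate memory that has already been freed.
			return h.ToIEnum<AUDIT_POLICY_INFORMATION>(count)?.ToArray() ?? new AUDIT_POLICY_INFORMATION[0];
		}
		// GetLastError must be read before anything else that could clobber it; Dispose runs only when this block exits.
		var err = Win32Error.GetLastError();
		return err == Win32Error.ERROR_FILE_NOT_FOUND ? new AUDIT_POLICY_INFORMATION[0] : throw err.GetException();
	}
}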
/// <summary>The <c>AuditQuerySecurity</c> function retrieves security descriptor that delegates access to audit policy.</summary>
/// <param name="SecurityInformation">
/// A SECURITY_INFORMATION value that specifies which parts of the security descriptor this function retrieves. Only
/// <c>SACL_SECURITY_INFORMATION</c> and <c>DACL_SECURITY_INFORMATION</c> are supported. Any other values are ignored. If neither
/// <c>SACL_SECURITY_INFORMATION</c> nor <c>DACL_SECURITY_INFORMATION</c> is specified, this function fails and returns <c>ERROR_INVALID_PARAMETER</c>.
/// </param>
/// <param name="ppSecurityDescriptor">
/// The address of a pointer to a well-formed SECURITY_DESCRIPTOR structure that controls access to the Audit security object.
/// <para>
/// NOTE(review): this binding returns the descriptor as a <see cref="SafePSECURITY_DESCRIPTOR"/>; confirm that its release routine
/// matches the one the SDK reference requires for buffers allocated by <c>AuditQuerySecurity</c>, and dispose the handle rather
/// than freeing the pointer manually.
/// </para>
/// </param>
/// <returns>
/// <para>If the function succeeds, it returns <c>TRUE</c>.</para>
/// <para>
/// If the function fails, it returns <c>FALSE</c>. To get extended error information, call GetLastError. <c>GetLastError</c> may
/// return one of the following error codes defined in WinError.h.
/// </para>
/// <list type="table">
/// <listheader>
/// <term>Return code/value</term>
/// <term>Description</term>
/// </listheader>
/// <item>
/// <term>ERROR_ACCESS_DENIED 5</term>
/// <term>The caller does not have the privilege or access rights necessary to call this function.</term>
/// </item>
/// <item>
/// <term>ERROR_INVALID_PARAMETER 87</term>
/// <term>One or more parameters are invalid.</term>
/// </item>
/// </list>
/// </returns>
/// <remarks>To successfully call this function, the caller must have <c>SeSecurityPrivilege</c>.</remarks>
// https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-auditquerysecurity
// BOOLEAN AuditQuerySecurity( SECURITY_INFORMATION SecurityInformation, PSECURITY_DESCRIPTOR *ppSecurityDescriptor );
// The native return type is BOOLEAN (one byte), so it is marshaled as U1 rather than the 4-byte default for bool.
[DllImport(Lib.AdvApi32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("ntsecapi.h", MSDNShortId = "496c9659-0c03-42c9-93c4-eb4d97e950e2")]
[return: MarshalAs(UnmanagedType.U1)]
public static extern bool AuditQuerySecurity(SECURITY_INFORMATION SecurityInformation, out SafePSECURITY_DESCRIPTOR ppSecurityDescriptor);
/// <summary>The <c>AuditQuerySystemPolicy</c> function retrieves system audit policy for one or more audit-policy subcategories.</summary>
/// <param name="pSubCategoryGuids">
/// A pointer to an array of <c>GUID</c> values that specify the subcategories for which to query audit policy. For a list of defined
/// audit-policy subcategories, see Auditing Constants.
/// </param>
/// <param name="dwPolicyCount">
/// The number of elements in each of the pSubCategoryGuids and ppAuditPolicy arrays. In this binding the array is marshaled with
/// <c>SizeParamIndex</c> pointing at this parameter, so it must not exceed the length of <paramref name="pSubCategoryGuids"/>.
/// </param>
/// <param name="ppAuditPolicy">
/// <para>
/// A pointer to a single buffer that contains both an array of pointers to AUDIT_POLICY_INFORMATION structures and the structures
/// themselves. The <c>AUDIT_POLICY_INFORMATION</c> structures specify the system audit policy for the subcategories specified by the
/// pSubCategoryGuids array.
/// </para>
/// <para>When you have finished using this buffer, free it by calling the AuditFree function.</para>
/// <para>
/// In this binding the buffer is returned as a <see cref="SafeAuditMemoryHandle"/>, whose release calls <see cref="AuditFree"/>;
/// dispose the handle instead of calling <c>AuditFree</c> yourself, and read its contents before it is disposed.
/// </para>
/// </param>
/// <returns>
/// <para>If the function succeeds, it returns <c>TRUE</c>.</para>
/// <para>
/// If the function fails, it returns <c>FALSE</c>. To get extended error information, call GetLastError. <c>GetLastError</c> may
/// return one of the following error codes defined in WinError.h.
/// </para>
/// <list type="table">
/// <listheader>
/// <term>Return code/value</term>
/// <term>Description</term>
/// </listheader>
/// <item>
/// <term>ERROR_FILE_NOT_FOUND 2</term>
/// <term>No per-user audit policy exists for the principal specified by the pSid parameter.</term>
/// </item>
/// <item>
/// <term>ERROR_ACCESS_DENIED 5</term>
/// <term>The caller does not have the privilege or access rights necessary to call this function.</term>
/// </item>
/// <item>
/// <term>ERROR_INVALID_PARAMETER 87</term>
/// <term>One or more parameters are invalid.</term>
/// </item>
/// </list>
/// <para>
/// NOTE(review): this function has no pSid parameter, so the <c>ERROR_FILE_NOT_FOUND</c> row above appears to have been carried
/// over from AuditQueryPerUserPolicy; confirm against the SDK reference before handling that code specially.
/// </para>
/// </returns>
/// <remarks>
/// To successfully call this function, the caller must have <c>SeSecurityPrivilege</c> or have <c>AUDIT_QUERY_SYSTEM_POLICY</c>
/// access on the audit security object.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-auditquerysystempolicy BOOLEAN AuditQuerySystemPolicy(
// const GUID *pSubCategoryGuids, ULONG dwPolicyCount, PAUDIT_POLICY_INFORMATION *ppAuditPolicy );
// The native return type is BOOLEAN (one byte), so it is marshaled as U1 rather than the 4-byte default for bool.
[DllImport(Lib.AdvApi32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("ntsecapi.h", MSDNShortId = "5c268033-65fd-4a74-90a1-4b9e1e18daf1")]
[return: MarshalAs(UnmanagedType.U1)]
public static extern bool AuditQuerySystemPolicy([In, MarshalAs(UnmanagedType.LPArray, SizeParamIndex = 1)] Guid[] pSubCategoryGuids, uint dwPolicyCount, out SafeAuditMemoryHandle ppAuditPolicy);
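/// <summary>The <c>AuditQuerySystemPolicy</c> function retrieves system audit policy for one or more audit-policy subcategories.</summary>
/// <param name="pSubCategoryGuids">
/// A pointer to an array of <c>GUID</c> values that specify the subcategories for which to query audit policy. For a list of defined
/// audit-policy subcategories, see Auditing Constants. <see langword="null"/> is treated as an empty array.
/// </param>
/// <returns>
/// A list of <c>AUDIT_POLICY_INFORMATION</c> structures that specify the system audit policy for the subcategories specified by the
/// pSubCategoryGuids array. The list is fully copied out of the native buffer before the buffer is released, so it remains valid for
/// as long as the caller holds it.
/// </returns>
/// <remarks>
/// <para>
/// To successfully call this function, the caller must have <c>SeSecurityPrivilege</c> or have <c>AUDIT_QUERY_SYSTEM_POLICY</c>
/// access on the audit security object.
/// </para>
/// <para>A native failure is surfaced as the exception produced by <c>Win32Error.GetException</c>.</para>
/// </remarks>
[PInvokeData("ntsecapi.h", MSDNShortId = "5c268033-65fd-4a74-90a1-4b9e1e18daf1")]
public static IEnumerable<AUDIT_POLICY_INFORMATION> AuditQuerySystemPolicy([In] Guid[] pSubCategoryGuids)
{
	var count = pSubCategoryGuids?.Length ?? 0;
	var succeeded = AuditQuerySystemPolicy(pSubCategoryGuids, (uint)count, out var h);
	// Release the native buffer deterministically (SafeAuditMemoryHandle frees it with AuditFree) rather than leaving it to the finalizer.
	using (h)
	{
		// GetLastError is read before anything else runs; Dispose only executes when this block exits.
		if (!succeeded)
			throw Win32Error.GetLastError().GetException();
		// Copy the structures while the buffer is still owned by the handle. The sequence produced by ToIEnum reads from the
		// handle's memory, so returning it un-materialized would let the caller enumerate memory that has already been freed.
		return h.ToIEnum<AUDIT_POLICY_INFORMATION>(count)?.ToArray() ?? new AUDIT_POLICY_INFORMATION[0];
	}
}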
/// <summary>
/// The <c>AuditSetGlobalSacl</c> function sets a global system access control list (SACL) that delegates access to the audit
/// messages. Updating the global SACL requires the <c>SeSecurityPrivilege</c> which protects the global SACL from being updated by
/// any user without administrator privileges.
/// </summary>
/// <param name="ObjectTypeName">
/// A pointer to a null-terminated string specifying the type of object being created or accessed. For setting the global SACL on
/// files, this should be set to "File" and for setting the global SACL on registry, this should be set to "Key". This string appears
/// in any audit message that the function generates.
/// </param>
/// <param name="Acl">
/// A pointer to an ACL structure. Because the SACL set here is global for the named object type, the ACL's contents determine what
/// is audited for every object of that type; validate it before calling.
/// </param>
/// <returns>
/// <para>If the function succeeds, it returns <c>TRUE</c>.</para>
/// <para>
/// If the function fails, it returns <c>FALSE</c>. To get extended error information, call GetLastError. <c>GetLastError</c> may
/// return one of the following error codes defined in WinError.h.
/// </para>
/// <list type="table">
/// <listheader>
/// <term>Return code/value</term>
/// <term>Description</term>
/// </listheader>
/// <item>
/// <term>ERROR_ACCESS_DENIED 5</term>
/// <term>The caller does not have the privilege or access rights necessary to call this function.</term>
/// </item>
/// <item>
/// <term>ERROR_INVALID_PARAMETER 87</term>
/// <term>One or more parameters are invalid.</term>
/// </item>
/// </list>
/// </returns>
/// <remarks>To successfully call this function, the caller must have <c>SeSecurityPrivilege</c>.</remarks>
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-auditsetglobalsacla BOOLEAN AuditSetGlobalSaclA( PCSTR
// ObjectTypeName, PACL Acl );
// CharSet.Auto without ExactSpelling lets the runtime choose the A/W entry point; the native prototype quoted above is the A form.
// The native return type is BOOLEAN (one byte), so it is marshaled as U1 rather than the 4-byte default for bool.
[DllImport(Lib.AdvApi32, SetLastError = true, CharSet = CharSet.Auto)]
[PInvokeData("ntsecapi.h", MSDNShortId = "48A41E3F-DDB0-431F-BCF0-E2452FEA57FA")]
[return: MarshalAs(UnmanagedType.U1)]
public static extern bool AuditSetGlobalSacl(string ObjectTypeName, PACL Acl);
/// <summary>
/// The <c>AuditSetPerUserPolicy</c> function sets per-user audit policy in one or more audit subcategories for the specified principal.
/// </summary>
/// <param name="pSid">
/// A pointer to the SID structure associated with the principal for which to set audit policy. Per-user policy for group SIDs is not
/// currently supported.
/// </param>
/// <param name="pAuditPolicy">
/// <para>
/// A pointer to an array of AUDIT_POLICY_INFORMATION structures. Each structure specifies per-user audit policy for one audit subcategory.
/// </para>
/// <para>The <c>AuditCategoryGuid</c> member of these structures is ignored.</para>
/// <para>
/// The <c>AuditingInformation</c> member must use the <c>PER_USER_*</c> members of <see cref="AuditCondition"/>, not the
/// <c>POLICY_AUDIT_EVENT_*</c> members; the two families overlap numerically (for example <c>PER_USER_AUDIT_FAILURE_INCLUDE</c> and
/// <c>POLICY_AUDIT_EVENT_NONE</c> are both 0x04), so passing the wrong family is not rejected but silently means something else.
/// </para>
/// </param>
/// <param name="dwPolicyCount">
/// The number of elements in the pAuditPolicy array. In this binding the array is marshaled with <c>SizeParamIndex</c> pointing at
/// this parameter, so it must not exceed the length of <paramref name="pAuditPolicy"/>.
/// </param>
/// <returns>
/// <para>If the function succeeds, it returns <c>TRUE</c>.</para>
/// <para>
/// If the function fails, it returns <c>FALSE</c>. To get extended error information, call GetLastError. <c>GetLastError</c> may
/// return one of the following error codes defined in WinError.h.
/// </para>
/// <list type="table">
/// <listheader>
/// <term>Return code/value</term>
/// <term>Description</term>
/// </listheader>
/// <item>
/// <term>ERROR_ACCESS_DENIED 5</term>
/// <term>The caller does not have the privilege or access rights necessary to call this function.</term>
/// </item>
/// <item>
/// <term>ERROR_INVALID_PARAMETER 87</term>
/// <term>One or more parameters are invalid.</term>
/// </item>
/// <item>
/// <term>ERROR_NO_SUCH_USER 1317</term>
/// <term>The SID structure specified by the pSID parameter is not associated with an existing user.</term>
/// </item>
/// </list>
/// </returns>
/// <remarks>
/// To successfully call this function, the caller must have <c>SeSecurityPrivilege</c> or have <c>AUDIT_SET_USER_POLICY</c> access
/// on the Audit security object.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-auditsetperuserpolicy BOOLEAN AuditSetPerUserPolicy(
// const PSID pSid, PCAUDIT_POLICY_INFORMATION pAuditPolicy, ULONG dwPolicyCount );
// The native return type is BOOLEAN (one byte), so it is marshaled as U1 rather than the 4-byte default for bool.
[DllImport(Lib.AdvApi32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("ntsecapi.h", MSDNShortId = "a6cef640-5658-4c13-96fb-a664d2a61b57")]
[return: MarshalAs(UnmanagedType.U1)]
public static extern bool AuditSetPerUserPolicy(PSID pSid, [In, MarshalAs(UnmanagedType.LPArray, SizeParamIndex = 2)] AUDIT_POLICY_INFORMATION[] pAuditPolicy, uint dwPolicyCount);
/// <summary>The <c>AuditSetSecurity</c> function sets a security descriptor that delegates access to audit policy.</summary>
/// <param name="SecurityInformation">
/// A SECURITY_INFORMATION value that specifies which parts of the security descriptor this function sets. Only
/// <c>SACL_SECURITY_INFORMATION</c> and <c>DACL_SECURITY_INFORMATION</c> are supported. Any other values are ignored. If neither
/// <c>SACL_SECURITY_INFORMATION</c> nor <c>DACL_SECURITY_INFORMATION</c> is specified, this function fails and returns <c>ERROR_INVALID_PARAMETER</c>.
/// </param>
/// <param name="pSecurityDescriptor">
/// A pointer to a well-formed SECURITY_DESCRIPTOR structure that controls access to the Audit security object. If this parameter is
/// <c>NULL</c>, the function fails and returns <c>ERROR_INVALID_PARAMETER</c>.
/// <para>
/// The DACL written here decides who may query or change audit policy from then on (see the <c>AUDIT_*_POLICY</c> access rights named
/// in the other functions' remarks), so an overly permissive descriptor widens who can silence auditing.
/// </para>
/// </param>
/// <returns>
/// <para>If the function succeeds, it returns <c>TRUE</c>.</para>
/// <para>
/// If the function fails, it returns <c>FALSE</c>. To get extended error information, call GetLastError. <c>GetLastError</c> may
/// return one of the following error codes defined in WinError.h.
/// </para>
/// <list type="table">
/// <listheader>
/// <term>Return code/value</term>
/// <term>Description</term>
/// </listheader>
/// <item>
/// <term>ERROR_ACCESS_DENIED 5</term>
/// <term>The caller does not have the privilege or access rights necessary to call this function.</term>
/// </item>
/// <item>
/// <term>ERROR_INVALID_PARAMETER 87</term>
/// <term>One or more parameters are invalid.</term>
/// </item>
/// </list>
/// </returns>
/// <remarks>To successfully call this function, the caller must have <c>SeSecurityPrivilege</c>.</remarks>
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-auditsetsecurity BOOLEAN AuditSetSecurity(
// SECURITY_INFORMATION SecurityInformation, PSECURITY_DESCRIPTOR pSecurityDescriptor );
// The native return type is BOOLEAN (one byte), so it is marshaled as U1 rather than the 4-byte default for bool.
[DllImport(Lib.AdvApi32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("ntsecapi.h", MSDNShortId = "2f4d6198-775a-40e4-9158-a69e71bfe050")]
[return: MarshalAs(UnmanagedType.U1)]
public static extern bool AuditSetSecurity(SECURITY_INFORMATION SecurityInformation, PSECURITY_DESCRIPTOR pSecurityDescriptor);
/// <summary>The <c>AuditSetSystemPolicy</c> function sets system audit policy for one or more audit-policy subcategories.</summary>
/// <param name="pAuditPolicy">
/// <para>
/// A pointer to an array of AUDIT_POLICY_INFORMATION structures. Each structure specifies system audit policy for one audit-policy subcategory.
/// </para>
/// <para>The <c>AuditCategoryGuid</c> member of these structures is ignored.</para>
/// <para>
/// The <c>AuditingInformation</c> member must use the <c>POLICY_AUDIT_EVENT_*</c> members of <see cref="AuditCondition"/>, not the
/// <c>PER_USER_*</c> members; the two families overlap numerically (for example <c>POLICY_AUDIT_EVENT_NONE</c> and
/// <c>PER_USER_AUDIT_FAILURE_INCLUDE</c> are both 0x04), so passing the wrong family is not rejected but silently means something else.
/// </para>
/// </param>
/// <param name="dwPolicyCount">
/// The number of elements in the pAuditPolicy array. In this binding the array is marshaled with <c>SizeParamIndex</c> pointing at
/// this parameter, so it must not exceed the length of <paramref name="pAuditPolicy"/>.
/// </param>
/// <returns>
/// <para>If the function succeeds, it returns <c>TRUE</c>.</para>
/// <para>
/// If the function fails, it returns <c>FALSE</c>. To get extended error information, call GetLastError. <c>GetLastError</c> may
/// return one of the following error codes defined in WinError.h.
/// </para>
/// <list type="table">
/// <listheader>
/// <term>Return code/value</term>
/// <term>Description</term>
/// </listheader>
/// <item>
/// <term>ERROR_ACCESS_DENIED 5</term>
/// <term>The caller does not have the privilege or access rights necessary to call this function.</term>
/// </item>
/// <item>
/// <term>ERROR_INVALID_PARAMETER 87</term>
/// <term>One or more parameters are invalid.</term>
/// </item>
/// </list>
/// </returns>
/// <remarks>
/// To successfully call this function, the caller must have <c>SeSecurityPrivilege</c> or have <c>AUDIT_SET_SYSTEM_POLICY</c> access
/// on the Audit security object.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/nf-ntsecapi-auditsetsystempolicy BOOLEAN AuditSetSystemPolicy(
// PCAUDIT_POLICY_INFORMATION pAuditPolicy, ULONG dwPolicyCount );
// The native return type is BOOLEAN (one byte), so it is marshaled as U1 rather than the 4-byte default for bool.
[DllImport(Lib.AdvApi32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("ntsecapi.h", MSDNShortId = "9692ebe3-a676-45bb-a58d-b3fdbb1bbc2a")]
[return: MarshalAs(UnmanagedType.U1)]
public static extern bool AuditSetSystemPolicy([In, MarshalAs(UnmanagedType.LPArray, SizeParamIndex = 1)] AUDIT_POLICY_INFORMATION[] pAuditPolicy, uint dwPolicyCount);
/// <summary>The <c>AUDIT_POLICY_INFORMATION</c> structure specifies a security event type and when to audit that type.</summary>
/// <remarks>
/// The field order mirrors the native <c>_AUDIT_POLICY_INFORMATION</c> layout quoted below and, with <c>LayoutKind.Sequential</c>,
/// is the interop contract; do not reorder the fields. The flag values listed under <see cref="AuditingInformation"/> are the
/// members of <see cref="AuditCondition"/>. Note that the system-policy and per-user families overlap numerically (for example
/// <c>POLICY_AUDIT_EVENT_NONE</c> and <c>PER_USER_AUDIT_FAILURE_INCLUDE</c> are both 0x04), so the family used must match the
/// function the structure is passed to.
/// </remarks>
// https://docs.microsoft.com/en-us/windows/desktop/api/ntsecapi/ns-ntsecapi-_audit_policy_information typedef struct
// _AUDIT_POLICY_INFORMATION { GUID AuditSubCategoryGuid; ULONG AuditingInformation; GUID AuditCategoryGuid; }
// AUDIT_POLICY_INFORMATION, *PAUDIT_POLICY_INFORMATION;
[PInvokeData("ntsecapi.h", MSDNShortId = "3fafeec9-a028-4a65-933e-fb973eb257b0")]
[StructLayout(LayoutKind.Sequential)]
public struct AUDIT_POLICY_INFORMATION
{
/// <summary>A <c>GUID</c> structure that specifies an audit subcategory.</summary>
public Guid AuditSubCategoryGuid;
/// <summary>
/// <para>
/// A set of bit flags that specify the conditions under which the security event type specified by the
/// <c>AuditSubCategoryGuid</c> and <c>AuditCategoryGuid</c> members are audited. The following values are defined.
/// </para>
/// <para><c>Important</c> Note that the meaning of these values differs depending on which function is using this structure.</para>
/// <list type="table">
/// <listheader>
/// <term>Value</term>
/// <term>Meaning</term>
/// </listheader>
/// <item>
/// <term>POLICY_AUDIT_EVENT_UNCHANGED 0x00000000</term>
/// <term>
/// Do not change auditing options for the specified event type. This value is valid for the AuditSetSystemPolicy and
/// AuditQuerySystemPolicy functions.
/// </term>
/// </item>
/// <item>
/// <term>POLICY_AUDIT_EVENT_SUCCESS 0x00000001</term>
/// <term>
/// Audit successful occurrences of the specified event type. This value is valid for the AuditSetSystemPolicy and
/// AuditQuerySystemPolicy functions.
/// </term>
/// </item>
/// <item>
/// <term>POLICY_AUDIT_EVENT_FAILURE 0x00000002</term>
/// <term>
/// Audit failed attempts to cause the specified event type. This value is valid for the AuditSetSystemPolicy and
/// AuditQuerySystemPolicy functions.
/// </term>
/// </item>
/// <item>
/// <term>POLICY_AUDIT_EVENT_NONE 0x00000004</term>
/// <term>
/// Do not audit the specified event type. This value is valid for the AuditSetSystemPolicy and AuditQuerySystemPolicy functions.
/// </term>
/// </item>
/// <item>
/// <term>PER_USER_POLICY_UNCHANGED 0x00</term>
/// <term>
/// Do not change auditing options for the specified event type. This value is valid for the AuditSetPerUserPolicy and
/// AuditQueryPerUserPolicy functions.
/// </term>
/// </item>
/// <item>
/// <term>PER_USER_AUDIT_SUCCESS_INCLUDE 0x01</term>
/// <term>
/// Audit successful occurrences of the specified event type. This value is valid for the AuditSetPerUserPolicy and
/// AuditQueryPerUserPolicy functions.
/// </term>
/// </item>
/// <item>
/// <term>PER_USER_AUDIT_SUCCESS_EXCLUDE 0x02</term>
/// <term>
/// Do not audit successful occurrences of the specified event type. This value is valid for the AuditSetPerUserPolicy and
/// AuditQueryPerUserPolicy functions.
/// </term>
/// </item>
/// <item>
/// <term>PER_USER_AUDIT_FAILURE_INCLUDE 0x04</term>
/// <term>
/// Audit failed attempts to cause the specified event type. This value is valid for the AuditSetPerUserPolicy and
/// AuditQueryPerUserPolicy functions.
/// </term>
/// </item>
/// <item>
/// <term>PER_USER_AUDIT_FAILURE_EXCLUDE 0x08</term>
/// <term>
/// Do not audit failed attempts to cause the specified event type. This value is valid for the AuditSetPerUserPolicy and
/// AuditQueryPerUserPolicy functions.
/// </term>
/// </item>
/// <item>
/// <term>PER_USER_AUDIT_NONE 0x10</term>
/// <term>
/// Do not audit the specified event type. This value is valid for the AuditSetPerUserPolicy and AuditQueryPerUserPolicy functions.
/// </term>
/// </item>
/// </list>
/// <para>These values are the members of <see cref="AuditCondition"/>.</para>
/// </summary>
public AuditCondition AuditingInformation;
/// <summary>A <c>GUID</c> structure that specifies an audit-policy category. Ignored by the AuditSet* functions (see their remarks).</summary>
public Guid AuditCategoryGuid;
}
/// <summary>The POLICY_AUDIT_SID_ARRAY structure specifies an array of SID structures that represent Windows users or groups.</summary>
/// <remarks>
/// The two fields mirror the native layout (count first, then the pointer) and must stay in this order under
/// <c>LayoutKind.Sequential</c>. The pointer is kept private; <see cref="UserSidArray"/> exposes its contents as a managed array.
/// </remarks>
[PInvokeData("ntsecapi.h")]
[StructLayout(LayoutKind.Sequential)]
public struct POLICY_AUDIT_SID_ARRAY
{
	/// <summary>The number of SID structures in the UserSidArray array.</summary>
	public uint UsersCount;

	/// <summary>Native pointer to the first element of an array of SID pointers.</summary>
	private IntPtr _UserSidArray;

	/// <summary>
	/// An array of SID pointers. Returns an empty array when the native pointer is <see cref="IntPtr.Zero"/>; otherwise reads
	/// <see cref="UsersCount"/> entries starting at that pointer. NOTE(review): <c>UsersCount</c> is taken as-is from the native
	/// side and cast to <see cref="int"/> for the read, so a count above <see cref="int.MaxValue"/> would wrap — the value is
	/// expected to come from the OS rather than from untrusted input; confirm at the call site.
	/// </summary>
	public PSID[] UserSidArray
	{
		get
		{
			if (_UserSidArray == IntPtr.Zero)
			{
				return new PSID[0];
			}
			return _UserSidArray.ToArray<PSID>((int)UsersCount);
		}
	}
}
/// <summary>Provides a <see cref="SafeHandle"/> for memory allocated by audit functions that is disposed using <see cref="AuditFree"/>.</summary>
/// <remarks>
/// Releasing the handle (explicitly via <see cref="SafeHandle.Dispose()"/> or by the finalizer) passes the raw pointer to
/// <see cref="AuditFree"/>. Anything that reads through this handle must therefore finish before the handle is released.
/// </remarks>
public class SafeAuditMemoryHandle : SafeHANDLE
{
	/// <summary>Initializes a new instance of the <see cref="SafeAuditMemoryHandle"/> class and assigns an existing handle.</summary>
	/// <param name="preexistingHandle">An <see cref="IntPtr"/> object that represents the pre-existing handle to use.</param>
	/// <param name="ownsHandle">
	/// <see langword="true"/> to reliably release the handle during the finalization phase; otherwise, <see langword="false"/> (not recommended).
	/// </param>
	public SafeAuditMemoryHandle(IntPtr preexistingHandle, bool ownsHandle = true) : base(preexistingHandle, ownsHandle) { }

	/// <summary>
	/// Initializes a new instance of the <see cref="SafeAuditMemoryHandle"/> class. Kept private; presumably present so the interop
	/// marshaler can create the instance for <c>out</c> parameters — not used directly from managed code.
	/// </summary>
	private SafeAuditMemoryHandle() : base() { }

	/// <summary>
	/// Extracts an array of structures of <typeparamref name="T"/> containing <paramref name="count"/> items. <note type="note">This
	/// call can cause memory exceptions if the pointer does not have sufficient allocated memory to retrieve all the structures.</note>
	/// </summary>
	/// <typeparam name="T">The type of the structures to retrieve.</typeparam>
	/// <param name="count">The number of structures to retrieve.</param>
	/// <param name="prefixBytes">The number of bytes to skip before reading the structures.</param>
	/// <returns>
	/// An array of structures of <typeparamref name="T"/>, or <see langword="null"/> when the handle is invalid. The returned
	/// sequence is produced from the handle's memory; enumerate or copy it before this handle is disposed, since the underlying
	/// extension may read lazily.
	/// </returns>
	/// <exception cref="ArgumentException"><typeparamref name="T"/> is not blittable.</exception>
	public IEnumerable<T> ToIEnum<T>(int count, int prefixBytes = 0)
	{
		if (IsInvalid)
		{
			return null;
		}
		// Non-blittable layouts cannot be read straight out of native memory.
		return typeof(T).IsBlittable()
			? handle.ToIEnum<T>(count, prefixBytes)
			: throw new ArgumentException(@"Structure layout is not sequential or explicit.");
	}

	/// <summary>
	/// Marshals data from this block of memory to a newly allocated managed object of the type specified by a generic type parameter.
	/// </summary>
	/// <typeparam name="T">The type of the object to which the data is to be copied. This must be a structure.</typeparam>
	/// <returns>
	/// A managed object that contains the data that this <see cref="SafeMemoryHandleExt{T}"/> holds, or <see langword="default"/>
	/// when the handle is invalid.
	/// </returns>
	public T ToStructure<T>() => IsInvalid ? default : handle.ToStructure<T>();

	/// <inheritdoc/>
	protected override bool InternalReleaseHandle()
	{
		// The audit APIs own this allocation, so only AuditFree may release it.
		AuditFree(handle);
		return true;
	}
}
/// <summary>A custom marshaler for functions using memory allocated by audit functions so that managed strings can be used.</summary>
/// <remarks>
/// Only the native-to-managed direction is implemented: the native string is copied into a managed <see cref="string"/> and the
/// native buffer is then released with <see cref="AuditFree"/>. Managed-to-native marshaling is not supported.
/// </remarks>
/// <seealso cref="ICustomMarshaler"/>
internal class AuditStringMarshaler : ICustomMarshaler
{
	/// <summary>Factory entry point required by the <see cref="ICustomMarshaler"/> contract.</summary>
	/// <param name="_">Marshaler cookie; not used.</param>
	/// <returns>A new <see cref="AuditStringMarshaler"/>.</returns>
	public static ICustomMarshaler GetInstance(string _) => new AuditStringMarshaler();

	/// <inheritdoc/>
	public void CleanUpManagedData(object ManagedObj)
	{
		// Nothing to release on the managed side; the string is ordinary managed memory.
	}

	/// <inheritdoc/>
	public void CleanUpNativeData(IntPtr pNativeData)
	{
		// The buffer was allocated by an audit function, so it is returned through AuditFree (never for a null pointer).
		if (pNativeData != IntPtr.Zero)
		{
			AuditFree(pNativeData);
		}
	}

	/// <inheritdoc/>
	public int GetNativeDataSize() => -1;

	/// <inheritdoc/>
	/// <exception cref="NotImplementedException">Always; this marshaler only supports the native-to-managed direction.</exception>
	public IntPtr MarshalManagedToNative(object ManagedObj) => throw new NotImplementedException();

	/// <inheritdoc/>
	public object MarshalNativeToManaged(IntPtr pNativeData)
	{
		// GetString reads the null-terminated native string; a null pointer yields null, which the ?. propagates.
		var managed = StringHelper.GetString(pNativeData);
		return (string)managed?.Clone();
	}
}
}
}