Friday, September 03, 2004
A bit of WINDOWS Internals
Recently, while programming with the Audit Policy settings, I was a little puzzled about how Windows manages these policies internally. After some initial research, a document sent by Aradhana settled the question.
Here is how Windows stores audit policies internally. Windows XP has 9 policies, which can be set using secpol.msc.
These settings are stored in the Registry at \HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv
and stored in disk at %WINDIR%\System32\Config\SECURITY
The SECURITY file on disk is not accessible even to Administrators; it is available only to the SYSTEM account and to authentication packages. If you are inquisitive like me and want to know what is stored in the binary data, here is a view of the binary contents of the SECURITY file:
The same data is stored in the Registry at \HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv
But you cannot access this key using RegEdit. There is, however, an alternate way to extract the contents of this key. Hint: use the Scheduler. The Scheduler service runs under the SYSTEM account, so it can extract the contents of this registry key for us.
C:\temp>at \\scape005 19:39 CMD /c "regedit /e c:\temp\mykey1.txt HKEY_LOCAL_MACHINE\Security\Policy\Poladtev"
The output in mykey1.txt on my computer is:
[HKEY_LOCAL_MACHINE\Security\Policy\Poladtev]
@=hex(0):01,17,f5,77,01,00,00,00,02,00,00,00,02,00,00,00,01,00,00,00,02,00,00,00,02,00,00,00,01,00,00,00,02,00,00,00,01,00,00,00,09,00,00,00
This can be interpreted using the following legend; the key has the following format:
[HKEY_LOCAL_MACHINE\Security\Policy\Poladtev]
@=hex(0):ZZ,ii,ii,00,AA,00,00,00,BB,00,00,00,CC,00,00,00,DD,00,00,00,EE,00,00,00,FF,00,00,00,GG,00,00,00,ii,00,00,00
Now we need to look up the corresponding values. For example, to check whether Logon/Logoff auditing is enabled, look at the 9th value in the comma-separated list. On my computer this is "02", which means failure auditing is enabled for this policy. Simple. Similarly, you can read the remaining settings.
ii - Ignore these values.
ZZ - 01 indicates auditing is enabled, 00 means disabled.
AA - Restart, Shutdown, System.
BB - Logons and Logoffs.
CC - File and Object Access.
DD - Use of User Rights.
EE - Process Tracking.
FF - Security Policy Management.
GG - User and Group Management.
If the value of any of the AA through GG bytes is 01, success auditing is enabled.
If the value is 02, failure auditing is enabled.
If the value is 03, both success and failure auditing are enabled.
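To apply the legend above without counting commas by hand, here is an added Python example (not code from the original post) that parses a regedit /e export of the key and decodes it using the post's legend. The category order and names come from the post; reading 00 as "none" and reporting any DWORDs beyond the seven listed categories as unlabelled extras are assumptions of this example.

```python
import re

# Constructed sample: the post's own export, written the way regedit wraps
# long hex(0) values (trailing backslash, continuation line).
SAMPLE_REG_EXPORT = """[HKEY_LOCAL_MACHINE\\Security\\Policy\\Poladtev]
@=hex(0):01,17,f5,77,01,00,00,00,02,00,00,00,02,00,00,00,01,00,00,00,02,00,00,\\
  00,02,00,00,00,01,00,00,00,02,00,00,00,01,00,00,00,09,00,00,00
"""

# Legend from the post: DWORD slots AA..GG, in order, after the 4-byte header.
CATEGORIES = [
    "Restart, Shutdown, System",   # AA
    "Logons and Logoffs",          # BB
    "File and Object Access",      # CC
    "Use of User Rights",          # DD
    "Process Tracking",            # EE
    "Security Policy Management",  # FF
    "User and Group Management",   # GG
]
# 01/02/03 are from the post; 00 = "none" is an assumption of this example.
MODES = {0: "none", 1: "success", 2: "failure", 3: "success and failure"}


def parse_hex0_value(reg_text: str) -> bytes:
    """Return the raw bytes of the '@=hex(0):' default value in a .reg export."""
    m = re.search(r"@=hex\(0\):(.*?)(?:\n\n|\Z)", reg_text, re.S)
    if not m:
        raise ValueError("no @=hex(0) default value found")
    # Drop regedit's backslash-newline continuations and any stray whitespace
    # (the post's copy has a space after one comma; this tolerates that too).
    raw = m.group(1).replace("\\\r\n", "").replace("\\\n", "")
    raw = re.sub(r"\s+", "", raw)
    return bytes(int(h, 16) for h in raw.split(",") if h)


def decode_poladtev(blob: bytes) -> dict:
    """Decode a PolAdtEv blob: ZZ enabled flag, then one little-endian DWORD per category."""
    if len(blob) < 4 or len(blob) % 4 != 0:
        raise ValueError("PolAdtEv blob must be a whole number of DWORDs")
    enabled = blob[0] == 0x01                         # ZZ byte from the legend
    dwords = [int.from_bytes(blob[i:i + 4], "little")  # skip the 4-byte header
              for i in range(4, len(blob), 4)]
    settings = {name: MODES.get(val, f"unknown (0x{val:08x})")
                for name, val in zip(CATEGORIES, dwords)}
    return {"auditing_enabled": enabled,
            "settings": settings,
            "extra_dwords": dwords[len(CATEGORIES):]}  # slots the legend does not name


if __name__ == "__main__":
    for k, v in decode_poladtev(parse_hex0_value(SAMPLE_REG_EXPORT)).items():
        print(f"{k}: {v}")
```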
posted by Logu Krishnan : 8:11 AM