Vivek Mahto - 2 months ago
C++ Question

Collecting Event Logs using Windows APIs without Admin privileges

I'm trying to collect the event logs and I want to do it without admin privileges.

This is my code:

#include "stdafx.h"
#pragma comment(lib, "wevtapi.lib")
#include <Windows.h>
#include <winevt.h>
#include <tchar.h>
#include <stdio.h>

int _tmain(int argc, _TCHAR* argv[])
{
    // Export directly from the .evtx file on disk (EvtExportLogFilePath),
    // so the NTFS ACL on that file decides whether the call succeeds.
    BOOL ok = EvtExportLog(
        NULL,                                                  // local session
        L"%SystemRoot%\\System32\\Winevt\\Logs\\System.evtx",  // source log file
        L"*",                                                  // XPath query: all events
        L"D:\\SomePath\\Des.evtx",                             // target file
        EvtExportLogFilePath);
    if (!ok)
    {
        DWORD err = GetLastError();   // 5 = ERROR_ACCESS_DENIED
        wprintf(L"EvtExportLog failed: %lu\n", err);
        return 1;
    }
    return 0;
}


When I try to do this I get an Access Denied error. I'm able to view the event logs using eventvwr and I can get the path of the log file, which is %SystemRoot%\System32\Winevt\Logs\System.evtx, but again when I try to view it by putting the path in Run I get access denied.

I want to copy that .evtx log file without any admin privileges, so is there any way to do so?

Answer

Separate permissions are given to the EventLog, so by using the eventlog APIs we can get the event logs. So whenever we open eventvwr, it gets opened through the eventlog permissions.

So if an authenticated user wants to get the event logs he has to go through the eventlog APIs. The fourth parameter in EvtExportLog is EVT_EXPORTLOG_FLAGS, which defines values that indicate whether the events come from a channel or a log file.

So in the above code an authenticated user cannot access the event log file without the eventlog APIs (that is, eventvwr); to do that we have to change the flag in EvtExportLog from EvtExportLogFilePath to EvtExportLogChannelPath.

So the above code can be modified as:

#include "stdafx.h"
#pragma comment(lib, "wevtapi.lib")
#include <Windows.h>
#include <winevt.h>
#include <tchar.h>
#include <stdio.h>

int _tmain(int argc, _TCHAR* argv[])
{
    // Export through the "System" channel (EvtExportLogChannelPath): the channel's
    // own access rights apply, not the NTFS ACL on the .evtx file.
    BOOL ok = EvtExportLog(
        NULL,                       // local session
        L"System",                  // channel name, not a file path
        L"*",                       // XPath query: all events
        L"D:\\SomePath\\Des.evtx",  // target file
        EvtExportLogChannelPath);
    if (!ok)
    {
        wprintf(L"EvtExportLog failed: %lu\n", GetLastError());
        return 1;
    }
    return 0;
}

This code will give the System log in the desired location.
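The permission split the answer relies on can be checked from a non-elevated PowerShell prompt before writing any C++. The following is an added example, not code from the question or the answer: it tries the file route and the channel route with wevtutil (its /lf:true switch corresponds to EvtExportLogFilePath, its default mode to EvtExportLogChannelPath), prints the channel's security descriptor, and verifies the export. The destination path is an assumption; any location the user can write to works.

```powershell
# Added example, not part of the original question or answer.
# Run in a non-elevated PowerShell session on Windows.
$Dest    = 'D:\SomePath\Des.evtx'   # assumption: any path your user can write to
$LogFile = Join-Path $env:SystemRoot 'System32\winevt\Logs\System.evtx'

# 1. File route (the object EvtExportLogFilePath opens): the NTFS ACL on the
#    .evtx file decides, and a standard user is denied.
try {
    Copy-Item -Path $LogFile -Destination $Dest -ErrorAction Stop
    Write-Warning 'Direct copy succeeded; this session is probably elevated.'
} catch {
    Write-Host "Direct copy of $LogFile failed: $($_.Exception.Message)"
}
# wevtutil takes the same file route with /lf:true; expect "Access is denied."
wevtutil epl $LogFile $Dest /lf:true /ow:true
Write-Host "wevtutil (file path) exit code: $LASTEXITCODE"

# 2. Channel route (what EvtExportLogChannelPath uses): the channel's own security
#    descriptor applies. The 'channelAccess' SDDL lists read (0x1) grants to
#    non-administrator SIDs for System, which is why eventvwr works for everyone.
wevtutil gl System | Where-Object { $_ -like '*channelAccess:*' }

wevtutil epl System $Dest /ow:true
if ($LASTEXITCODE -ne 0) { throw "Channel export failed with exit code $LASTEXITCODE" }

# 3. Verify the export is a readable .evtx that contains events.
$sample = Get-WinEvent -Path $Dest -MaxEvents 3
$sample | Select-Object TimeCreated, Id, ProviderName | Format-Table -AutoSize
Write-Host "Exported $((Get-Item $Dest).Length) bytes to $Dest"
```

The channel route does not remove every restriction: the Security channel's channelAccess grants read only to Administrators and the Event Log Readers group, so `wevtutil epl Security` (or EvtExportLog on "Security") still fails for a standard user unless the account is a member of that group.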