WMI, Event Log, WinLogon, SENS, UI Automation, MSAA

If you can't get a handle on your system events, then you aren't really aware of what is going on within a given machine. For many years I have neglected my system event logs, but I'm working on doing a better job of it now....

Windows is a strange beast when it comes to event and audit management...many sources of information and not many good tools to manage it.

Event Log

8 bits: Explore copied eventlog with PowerShell - Event Log Repair
ACLs and security

EventLog with .NET

The old .NET standby EventLog.GetEventLogs() does not work as it should on Win2008 and Vista.
The EventLog class still returns results, but it complains that it can't find the description for the events. EventLog has been replaced by a whole new system called ETW.
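As an added example (not part of these notes), the following reads logon and logoff events through the newer Get-WinEvent cmdlet, which talks to the post-Vista event log system rather than the legacy EventLog class, from either the live Security log or a copied .evtx file. The file path is a placeholder; 4624 and 4634 are the standard successful-logon and logoff event IDs.

```powershell
# Added example: query logon/logoff events via the Windows Vista+ event log API
# (Get-WinEvent) instead of the legacy .NET EventLog class.
param(
    # Assumption/placeholder: path to a copied log, e.g. C:\Temp\Security.evtx.
    # Leave empty to read the live Security log on this machine.
    [string]$EvtxPath = ''
)

# 4624 = successful logon, 4634 = logoff
$filter = @{ Id = 4624, 4634 }
if ($EvtxPath) { $filter.Path = $EvtxPath } else { $filter.LogName = 'Security' }

# Get-WinEvent understands the XML-based log format and resolves message
# descriptions, which EventLog.GetEventLogs() no longer does reliably.
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction Stop

foreach ($e in $events) {
    # The structured fields live in the event XML as named EventData/Data elements.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonType = $data['LogonType']   # 2 interactive, 3 network, 10 RDP (4624 only)
        Source    = $data['IpAddress']   # populated for network/RDP logons
    }
}
```

Reading the Security log requires an elevated session; a copied .evtx only needs read access to the file.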

WinLogon is a way to hook into the logon events within Windows. However, this interface has been deprecated in favor of SENS notifications.
(Note: WinLogon doesn't exist in Vista)
Winlogon Notification Packages Removed: Impact on Windows Vista Planning and Deployment
Custom Login Experiences: Credential Providers in Windows Vista
Programmatic User Login (aka Win32 LogonUser)


WMI

Windows XP comes with "wmic", a Windows command-line app for working with WMI classes.
Windows XP also comes with Windows Management Instrumentation Tester, "wbemtest", a Windows GUI app for working with WMI.
SELECT * FROM meta_class WHERE __this ISA "Win32_BaseService" is an example of a schema query...very cool, it gives you back all the information about the given class.

ManagementDateTimeConverter.ToDateTime Method (System.Management) - this is a nice little .net class to convert dates from wmi.

Tutorial: How To Fix WMI Corruption | Katy's Homepage - nice read, for some reason, I've seen a lot of evt log corruption.


SystemEvents.SessionEnding Event (Microsoft.Win32) - this event fires when the user logs off or shuts down; it is cancelable.

UI Automation

Using accessibility to monitor windows as they come and go - The Old New Thing - SetWinEventHook

AccProbe: Accessibility Probe - The Accessibility Probe (AccProbe) is a standalone, Eclipse Rich-Client Product (RCP) application that provides a view of the Microsoft Active Accessibility (MSAA) or IAccessible2 hierarchy of a currently running application or rendered document and of the properties of the accessible objects of that application or document. It can also serve as an event monitor for tracking the events fired by these accessible objects. It is meant to combine the functionality of tools like Microsoft's Inspect32, AccExplore, and AccEvent into one easy-to-use application for accessibility testing and debugging.
aViewer 2013 | The Paciello Group Blog - aViewer accessibility API information inspection tool. Exposes MSAA, IAccessible2, ARIA, HTML DOM and UI Automation properties.

Accessibility Technical Documentation - The Chromium Projects - did you know assistive tech is off by default, unless you've got a screen reader... or use chrome://accessibility/.

Windows Filtering Platform (Windows) - it states "The firewall hook and the filter hook drivers are not available in Windows Server 2008 and Windows Vista; applications that were using these drivers should use WFP instead."
Visual Studio: Windows Filtering Platform Sample - in the WFP sample, a context allows information to be passed from a user-mode component, which installs and configures a packet filter, to a kernel-mode component that performs the actual filtering. The context information is simple in this case; it specifies a word replacement to be performed on the TCP stream.

Yet Another Process Monitor (YAPM) - application that allows you to view and manage your running tasks, processes, threads, modules, etc. and your services on a local or remote machine. YAPM offers lots of features to manipulate them, such as privilege management, memory management, a complete history of statistics, a dependency viewer, etc. (Written in VB.NET)

Custom Login Experiences: Credential Providers in Windows Vista - includes why GINA-based authentication was dropped
Sample credential providers are provided as part of the Windows SDK for Windows 7. See the projects and documentation under .\Samples\security\credentialproviders\ of the installed Windows SDK. (Thanks Alan Adams!)
Exception handling

