import sys

import win32api  # To translate NT Sids to account names.
import win32con
import win32evtlog
import win32evtlogutil
import win32security
-
-
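def _describe_user(computer, sid):
    """Return "DOMAIN/user" for *sid* as resolved on *computer*, or the raw SID text.

    LookupAccountSid raises win32security.error when the SID cannot be
    resolved (e.g. an account that no longer exists); the textual SID is
    returned in that case so the record is still attributed to something.
    """
    try:
        domain, user, _typ = win32security.LookupAccountSid(computer, sid)
    except win32security.error:
        return str(sid)
    return "%s/%s" % (domain, user)


def _print_record(record, msg, user_desc):
    """Print one record's source, generation time, user line and formatted message."""
    print(
        "Event record from %r generated at %s"
        % (record.SourceName, record.TimeGenerated.Format())
    )
    if user_desc:
        print(user_desc)
    try:
        print(msg)
    except UnicodeError:
        # The formatted message may contain characters the console cannot encode.
        print("(unicode error printing message: repr() follows...)")
        print(repr(msg))


def ReadLog(computer, logType="Application", dumpEachRecord=0):
    """Read the entire *logType* event log on *computer* back, then report the count.

    Args:
        computer: Machine whose log to open, passed straight to
            win32evtlog.OpenEventLog (test() passes None when no -c is given).
        logType: Name of the log to read, e.g. "Application".
        dumpEachRecord: When true, print source, timestamp, associated account
            and formatted message for every record; otherwise only the summary.

    The log is read with EVENTLOG_BACKWARDS_READ | EVENTLOG_SEQUENTIAL_READ.
    The number of records read is compared with the count reported at open
    time; a mismatch is printed, not raised, since other processes may append
    records while this runs. The log handle is always closed.
    """
    h = win32evtlog.OpenEventLog(computer, logType)
    try:
        numRecords = win32evtlog.GetNumberOfEventLogRecords(h)
        flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
        num = 0
        while True:
            # Third argument is the record offset; it is not used for sequential reads.
            records = win32evtlog.ReadEventLog(h, flags, 0)
            if not records:
                break
            for record in records:
                # Format every message even when not printing so the formatting
                # path is exercised by the demo.
                msg = win32evtlogutil.SafeFormatMessage(record, logType)
                user_desc = None
                if record.Sid is not None:
                    user_desc = "Event associated with user %s" % (
                        _describe_user(computer, record.Sid),
                    )
                if dumpEachRecord:
                    _print_record(record, msg, user_desc)
            num += len(records)

        if numRecords == num:
            print("Successfully read all", numRecords, "records")
        else:
            print(
                "Couldn't get all records - reported %d, but found %d" % (numRecords, num)
            )
            print(
                "(Note that some other app may have written records while we were running!)"
            )
    finally:
        # Release the handle even if reading or message formatting raised.
        win32evtlog.CloseEventLog(h)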
-
-
def usage():
    """Print the command-line help for this demo, one option per line."""
    help_lines = (
        "Writes an event to the event log.",
        "-w : Dont write any test records.",
        "-r : Dont read the event log",
        "-c : computerName : Process the log on the specified computer",
        "-v : Verbose",
        "-t : LogType - Use the specified log - default = 'Application'",
    )
    for line in help_lines:
        print(line)
-
-
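def _write_test_records(logType):
    """Write three demo events (error, warning, information) to *logType*.

    Each event is stamped with the SID of the current process's user so the
    read-back side can resolve it to an account name.
    """
    ph = win32api.GetCurrentProcess()
    # TOKEN_READ is sufficient to query the token's user SID.
    th = win32security.OpenProcessToken(ph, win32con.TOKEN_READ)
    my_sid = win32security.GetTokenInformation(th, win32security.TokenUser)[0]
    raw_data = "Raw\0Data".encode("ascii")

    win32evtlogutil.ReportEvent(
        logType,
        2,
        strings=["The message text for event 2", "Another insert"],
        data=raw_data,
        sid=my_sid,
    )
    win32evtlogutil.ReportEvent(
        logType,
        1,
        eventType=win32evtlog.EVENTLOG_WARNING_TYPE,
        strings=["A warning", "An even more dire warning"],
        data=raw_data,
        sid=my_sid,
    )
    win32evtlogutil.ReportEvent(
        logType,
        1,
        eventType=win32evtlog.EVENTLOG_INFORMATION_TYPE,
        strings=["An info", "Too much info"],
        data=raw_data,
        sid=my_sid,
    )
    print("Successfully wrote 3 records to the log")


def test():
    """Command-line driver: optionally write three test events, then read the log back.

    Options are parsed from sys.argv (see usage()). Returns None on success
    or after printing help, and 1 on a usage error (unknown option or stray
    positional argument), so the caller can use it as an exit status.
    """
    # check if running on Windows NT, if not, display notice and terminate
    # (GetVersion() has its high bit set on non-NT platforms).
    if win32api.GetVersion() & 0x80000000:
        print("This sample only runs on NT")
        return

    import getopt
    import sys

    try:
        opts, args = getopt.getopt(sys.argv[1:], "rwh?c:t:v")
    except getopt.GetoptError as err:
        # An unknown option or a missing option value is a usage error, not a traceback.
        print(err)
        usage()
        return 1
    if args:
        print("Invalid args")
        usage()
        return 1

    computer = None
    do_read = do_write = 1
    logType = "Application"
    verbose = 0

    for opt, val in opts:
        if opt == "-t":
            logType = val
        elif opt == "-c":
            computer = val
        elif opt in ("-h", "-?"):
            usage()
            return
        elif opt == "-r":
            do_read = 0
        elif opt == "-w":
            do_write = 0
        elif opt == "-v":
            verbose += 1

    if do_write:
        _write_test_records(logType)

    if do_read:
        ReadLog(computer, logType, verbose > 0)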
-
-
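if __name__ == "__main__":
    # Propagate test()'s return value (1 on usage errors, else None) as the exit status.
    sys.exit(test())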