是否有API可以遠程讀取Windows計算機的審計配置？

Question

我需要知道，每個子類別，它是否會審覈成功，失敗，兩者，或沒有。這些信息可通過AuditEnumerateSubCategories在本地獲得，但似乎沒有辦法遠程訪問這些相同的信息。以下是我需要收集的信息的一個例子。

我可以通過WMI獲得這個嗎？或者，如果沒有，通過其他方式，假設我有適當的（管理員）憑據到目標機器？

再一次，爲了澄清，這不是我需要閱讀的事件日誌，它是日誌記錄配置。

<security_state_change>AUDIT_SUCCESS</security_state_change> 
    <security_system_extension>AUDIT_NONE</security_system_extension> 
    <system_integrity>AUDIT_SUCCESS_FAILURE</system_integrity> 
    <ipsec_driver>AUDIT_NONE</ipsec_driver> 
    <other_system_events>AUDIT_SUCCESS_FAILURE</other_system_events> 
    <logon>AUDIT_SUCCESS</logon> 
    <logoff>AUDIT_SUCCESS</logoff> 
    <account_lockout>AUDIT_SUCCESS</account_lockout> 
    <ipsec_main_mode>AUDIT_NONE</ipsec_main_mode> 
    <ipsec_quick_mode>AUDIT_NONE</ipsec_quick_mode> 
    <ipsec_extended_mode>AUDIT_NONE</ipsec_extended_mode> 
    <special_logon>AUDIT_SUCCESS</special_logon> 
    <other_logon_logoff_events>AUDIT_NONE</other_logon_logoff_events> 
    <file_system>AUDIT_NONE</file_system> 
    <registry>AUDIT_NONE</registry> 
    <kernel_object>AUDIT_NONE</kernel_object> 
    <sam>AUDIT_NONE</sam> 
    <certification_services>AUDIT_NONE</certification_services> 
    <application_generated>AUDIT_NONE</application_generated> 
    <handle_manipulation>AUDIT_NONE</handle_manipulation> 
    <file_share>AUDIT_NONE</file_share> 
    <filtering_platform_packet_drop>AUDIT_NONE</filtering_platform_packet_drop> 
    <filtering_platform_connection>AUDIT_NONE</filtering_platform_connection> 
    <other_object_access_events>AUDIT_NONE</other_object_access_events> 
    <sensitive_privilege_use>AUDIT_NONE</sensitive_privilege_use> 
    <non_sensitive_privlege_use>AUDIT_NONE</non_sensitive_privlege_use> 
    <other_privlege_use_events>AUDIT_NONE</other_privlege_use_events> 
    <process_creation>AUDIT_NONE</process_creation> 
    <process_termination>AUDIT_NONE</process_termination> 
    <dpapi_activity>AUDIT_NONE</dpapi_activity> 
    <rpc_events>AUDIT_NONE</rpc_events> 
    <audit_policy_change>AUDIT_SUCCESS</audit_policy_change> 
    <authentication_policy_change>AUDIT_SUCCESS</authentication_policy_change> 
    <authorization_policy_change>AUDIT_NONE</authorization_policy_change> 
    <mpssvc_rule_level_policy_change>AUDIT_NONE</mpssvc_rule_level_policy_change> 
    <filtering_platform_policy_change>AUDIT_NONE</filtering_platform_policy_change> 
    <other_policy_change_events>AUDIT_NONE</other_policy_change_events> 
    <user_account_management>AUDIT_SUCCESS</user_account_management> 
    <computer_account_management>AUDIT_NONE</computer_account_management> 
    <security_group_management>AUDIT_SUCCESS</security_group_management> 
    <distribution_group_management>AUDIT_NONE</distribution_group_management> 
    <application_group_management>AUDIT_NONE</application_group_management> 
    <other_account_management_events>AUDIT_NONE</other_account_management_events> 
    <directory_service_access>AUDIT_NONE</directory_service_access> 
    <directory_service_changes>AUDIT_NONE</directory_service_changes> 
    <directory_service_replication>AUDIT_NONE</directory_service_replication> 
    <detailed_directory_service_replication>AUDIT_NONE</detailed_directory_service_replication> 
    <credential_validation>AUDIT_NONE</credential_validation> 
    <kerberos_ticket_events>AUDIT_NONE</kerberos_ticket_events> 
    <other_account_logon_events>AUDIT_NONE</other_account_logon_events> 

Answer 1

爲你尋找到一些建議是：

的RSOP_AuditPolicy WMI類 - 它提供了訪問相關的審覈各類事件的設置。一個警告，這可能不是一個問題，它只是在Windows XP和更高版本上才支持。

LSA Policy Functions - 一組Windows API函數，允許您在本地或遠程計算機上查詢策略信息，包括審計。 LsaQueryInformationPolicy函數將是有趣的。

Audit Policy Functions - 它們只適用於Windows Vista及更高版本。有關更多信息，請參閱此代碼項目article。