[python-win32] Access Denied on Eventlogs - possible solution(s)

Steven Manross steven at manross.net
Fri Sep 17 20:25:05 EDT 2021


Howdy.

I replied offline to the author earlier in my day about what might be the problem he is running into (I was in digest mode until today and couldn't just reply to the thread - apologies), but played around with this script a little today and seem to have something that can pass credentials to a call for eventlogs and wanted to share with the list (now that I had a working sample).

Based on the API that was available for running searches on remote computers, I had to output the data into XML and did not parse the XML (a task which I leave to the original author of this thread -- using something like lxml).

However, hopefully this helps the original author see how he might be able to inject credentials into their script to get what they need.

It is worthy of note that the original poster's script worked fine on my test systems (with Remote Scripting UAC disabled), which might suggest that there's a problem with how the remote server is configured and maybe "Allowing Remote Scripts to Bypass UAC" is the solution to their whole problem...  See here:

    https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/user-account-control-and-remote-restriction

Kudos to the pywin32 maintainers and the members of this list for their input.  I hope this minor script helps someone.

# -------------------------------
# tested using python 3.6.3 on W10x64 with domain admin credentials tested in the script

import win32evtlog # requires pywin32 pre-installed
import time

user = "someuser" # your windows username
domain = "SOMEDOMAIN" # your windows domain name (or possibly computername)
passwd = "reallysecurepassword" # your unencrypted password
server = 'IP_OR_FQDN' # name of the target computer to get event logs

try:
    logtype = 'System' # 'Application' # 'Security'
    sess_handle = win32evtlog.EvtOpenSession(Login=(server, user, domain, passwd, win32evtlog.EvtRpcLoginAuthDefault),
                                    Timeout=0,
                                    Flags=0)

    query_flags = win32evtlog.EvtQueryReverseDirection | win32evtlog.EvtQueryChannelPath

    # while I get "*" (all the logs), this thread seems to suggest you could limit it..  however, their syntax didn't work for me
    # https://stackoverflow.com/questions/29827769/get-an-event-object-from-win32evtlog-evtquery-results
    log_handle = win32evtlog.EvtQuery(logtype, query_flags, "*", sess_handle)

    x = 0
    count = 10   # get x events per query
    events = win32evtlog.EvtNext(ResultSet=log_handle, Count=count, Timeout=0, Flags=0)
    while events:
        for event in events:
            x += 1
            print(f'b4 render: {x} --> {event}')
            print(f'Event Data: {win32evtlog.EvtRender(event, Flags=win32evtlog.EvtRenderEventXml)}')

        # fetch the next batch; EvtNext returns an empty sequence when the result set is exhausted
        events = win32evtlog.EvtNext(ResultSet=log_handle, Count=count, Timeout=0, Flags=0)
        time.sleep(5)

except Exception as e:
    print(f"Excepted with: {e}")


####################
# minor excerpt of output:
b4 render: 240 --> <PyEVT_HANDLE:22>
Event Data: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/><EventID Qualifiers='16384'>7036</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8080000000000000</Keywords><TimeCreated SystemTime='2021-09-16T21:02:15.383021500Z'/><EventRecordID>296223</EventRecordID><Correlation/><Execution ProcessID='688' ThreadID='3724'/><Channel>System</Channel><Computer>somecomuter.somewhere.com</Computer><Security/></System><EventData><Data Name='param1'>WMI Performance Adapter</Data><Data Name='param2'>stopped</Data><Binary>77006D006900410070005300720076002F0031000000</Binary></EventData></Event>
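A parser for the rendered event XML, added here as an example that is not part of Steven's message (he leaves parsing to the original poster); it uses only the standard library instead of lxml, and the sample event is a constructed, trimmed copy of the 7036 event shown in the output above.

```python
import xml.etree.ElementTree as ET

# Namespace on every <Event> produced by EvtRenderEventXml
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample, shaped like the 7036 event in the output above (trimmed)
SAMPLE_EVENT_XML = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Service Control Manager'/>"
    "<EventID Qualifiers='16384'>7036</EventID><Level>4</Level>"
    "<TimeCreated SystemTime='2021-09-16T21:02:15.383021500Z'/>"
    "<EventRecordID>296223</EventRecordID><Channel>System</Channel>"
    "<Computer>somecomuter.somewhere.com</Computer></System>"
    "<EventData><Data Name='param1'>WMI Performance Adapter</Data>"
    "<Data Name='param2'>stopped</Data>"
    "<Binary>77006D006900410070005300720076002F0031000000</Binary>"
    "</EventData></Event>"
)

def parse_event_xml(xml_text):
    """Flatten one rendered event into a dict a script can filter or log."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    text = lambda name: system.findtext("e:" + name, namespaces=NS)
    event = {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(text("EventID")),
        "level": int(text("Level")),
        "time_created": system.find("e:TimeCreated", NS).get("SystemTime"),
        "record_id": int(text("EventRecordID")),
        "channel": text("Channel"),
        "computer": text("Computer"),
        "data": {},
        "binary": b"",
    }
    event_data = root.find("e:EventData", NS)
    if event_data is not None:  # some events carry <UserData> instead
        for i, d in enumerate(event_data.findall("e:Data", NS)):
            event["data"][d.get("Name") or f"arg{i}"] = d.text or ""
        blob = event_data.findtext("e:Binary", namespaces=NS)
        if blob:
            event["binary"] = bytes.fromhex(blob)
    return event

def binary_as_text(raw):
    """Event 7036 stores the service's short name as UTF-16LE; fall back to hex."""
    try:
        return raw.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return raw.hex()
```

Feed each string returned by EvtRender in the loop above to parse_event_xml; for the sample, the Binary field decodes to the service short name "wmiApSrv/1".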

