[python-win32] pywintypes.error: (5, 'OpenEventLogW', 'Access is denied.') - GOAL - ACCESS to windows event log from remote host
Ruggero Paolo Basile
RuggeroPaolo.Basile at ora-0.it
Fri Sep 17 05:58:27 EDT 2021
Hello everyone.
I am insisting on two Python modules for Windows event collection; I still don't have a satisfactory result.
With the solution eventlog_0.py (the win32evtlog module of the pypiwin32 library) I can connect to the RPC service, but only on a local PC,
get readable parsing of the events and then forward it to the SOC; I have to insist on remote login.
* While learning about the topic and exchanging emails with the WIN32 API community, they wrote to me about the possibility
of launching a script on a remote computer to authorize sharing of the event log also for guest users; then
the strategy would be WMI with an admin connection, modification of the parameters useful for the log dump,
and a connection with win32 for parsing the event log.
As for the solution using WMI, I encountered the reverse problem: connecting to the remote host
happens correctly (after entering the registrations), and with an SQL query I log in
to Win32_NTLogEvent, but I don't know the schema of the db and I have not found a snippet that gives readable results.
I had believed in the use of win32; theoretically, and from what they tell me in the community, it is necessary first
to authenticate with the win32security.LogonUser() module and then invoke the RPC service, which I did, but it didn't
give results. The win32evtlog library apparently does not have a method for posting the
article when establishing the connection.
I spent less time on WMI because I found little fiction about managing the eventlog with Python.
eventlog_0.py
#python C:\python\5_Forensic_Basic\eventlog.py
# Windows Event Log Viewer
# FB - 201012116
import getopt
import win32evtlog  # requires pywin32 pre-installed

server = 'localhost'  # name of the target computer to get event logs
try:
    logtype = 'System'  # 'Application' # 'Security'
    hand = win32evtlog.OpenEventLog(server, logtype)
    flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
    total = win32evtlog.GetNumberOfEventLogRecords(hand)
    while True:
        print("test")
        events = win32evtlog.ReadEventLog(hand, flags, 0)
        if events:
            for event in events:
                print('Event Category:', event.EventCategory)
                print('Time Generated:', event.TimeGenerated)
                print('Source Name:', event.SourceName)
                print('Event ID:', event.EventID)
                print('Event Type:', event.EventType)
                data = event.StringInserts
                if data:
                    print('Event Data:')
                    for msg in data:
                        print(msg)
                print()
        else:
            break  # ReadEventLog returns an empty list once the log is exhausted
    win32evtlog.CloseEventLog(hand)
except Exception as err:
    print("Exception")
    print(str(err))

if __name__ == "__main__":
    try:
        print("start")
    except getopt.GetoptError as err:
        print(str(err))
# ModuleNotFoundError: No module named 'win32evtlog'
# pip install pypiwin32
# Server RPC non disponibile.  (Windows error text: the RPC server is unavailable.)
login_eventlog.py
import getpass
import pdb
import win32security
import win32evtlog  # requires pywin32 pre-installed

domain = input("Domain: ")
username = input("Username: ")
password = getpass.getpass("Password: ")
server = input("Server: ")  # name of the target computer to get event logs

def simple_logon():
    try:
        hUser = win32security.LogonUser(
            username,
            domain,
            password,
            win32security.LOGON32_LOGON_NETWORK,
            win32security.LOGON32_PROVIDER_DEFAULT
        )
    except win32security.error:
        print("Failed")
        return None
    else:
        print("Succeeded")
        # The token is only returned here; nothing impersonates it, so the
        # OpenEventLog call below still runs in the caller's own security context.
        return hUser

if __name__ == "__main__":
    simple_logon()
    try:
        logtype = 'System'  # 'Application' # 'Security'
        hand = win32evtlog.OpenEventLog(server, logtype)
        flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
        total = win32evtlog.GetNumberOfEventLogRecords(hand)
        pdb.set_trace()
        while True:
            print("test")
            events = win32evtlog.ReadEventLog(hand, flags, 0)
            if events:
                for event in events:
                    print('Event Category:', event.EventCategory)
                    print('Time Generated:', event.TimeGenerated)
                    print('Source Name:', event.SourceName)
                    print('Event ID:', event.EventID)
                    print('Event Type:', event.EventType)
                    data = event.StringInserts
                    if data:
                        print('Event Data:')
                        for msg in data:
                            print(msg)
                    print()
            else:
                break  # ReadEventLog returns an empty list once the log is exhausted
        win32evtlog.CloseEventLog(hand)
    except Exception as err:
        print("Exception")
        print(str(err))
    #print (logonUser("/\norazero\norazero"))
wmi_2.py
import wmi
from socket import getfqdn

ip = '192.168.1.10'
username = ''  # placeholder: account on the remote host (blank in the posted script)
password = ''  # placeholder
try:
    print("Establishing connection to %s" % ip)
    conn = wmi.WMI(ip, user=username, password=password)
    print("Connection established")
    print(conn)
    if False:
        print("list processes")
        # list processes
        for process in conn.Win32_Process():
            print("ID: {0}\nHandleCount: {1}\nProcessName: {2}\n".format(
                process.ProcessId, process.HandleCount, process.Name
            ))
    if False:
        for s in conn.Win32_Service(StartMode="Auto", State="Running"):
            print(s.State, s.StartMode, s.Name, s.DisplayName)
            # filter service names
            if 'Update' in s.Name:
                print(s.State, s.StartMode, s.Name, s.DisplayName)
    if False:
        wmi_obj = wmi.WMI('.')  # Initialize WMI object and query.
        wmi_query = "SELECT * FROM Win32_NTLogEvent WHERE Logfile='System' AND EventType=1"
        query_result = wmi_obj.query(wmi_query)  # Query WMI object
        print(query_result)
    #for group in conn.Win32_Group():
    for group in conn.Win32_Group():
        print(group.Caption)
        # loop
        #for user in group.associators(wmi_result_class="Win32_UserAccount"):
        #    print(" [+]", user.Caption)
except wmi.x_wmi:
    print("Your Username and Password of " + getfqdn(ip) + " are wrong.")
Ruggero Paolo Basile
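As an added example (not code from this thread or the wmi project), here is a parser for the Win32_NTLogEvent records that the WQL query in wmi_2.py returns, shaped for forwarding to a SOC; the record and connection objects are constructed stand-ins for what wmi.WMI().query() yields, and the property names are the documented Win32_NTLogEvent ones.

```python
from datetime import datetime, timedelta, timezone
from types import SimpleNamespace

# Documented Win32_NTLogEvent.EventType codes; ALLOWED_LOGS guards the WQL string.
EVENT_TYPE_NAMES = {1: "Error", 2: "Warning", 3: "Information",
                    4: "Audit Success", 5: "Audit Failure"}
ALLOWED_LOGS = {"System", "Application", "Security"}

def cim_to_datetime(cim):
    """CIM_DATETIME '20210916155137.000000+120' = local time + UTC offset in minutes."""
    base = datetime.strptime(cim[:21], "%Y%m%d%H%M%S.%f")
    minutes = int(cim[22:]) * (1 if cim[21] == "+" else -1)
    return base.replace(tzinfo=timezone(timedelta(minutes=minutes)))

def normalize_event(ev):
    """Flatten one Win32_NTLogEvent instance into a plain dict for forwarding."""
    return {
        "logfile": ev.Logfile,
        "record": ev.RecordNumber,
        "computer": ev.ComputerName,
        "source": ev.SourceName,
        "event_id": ev.EventCode,  # lower 16 bits of EventIdentifier: the familiar event ID
        "type": EVENT_TYPE_NAMES.get(ev.EventType, str(ev.EventType)),
        "time_utc": cim_to_datetime(ev.TimeGenerated).astimezone(timezone.utc).isoformat(),
        "user": ev.User,
        "message": (ev.Message or "").strip(),
        "inserts": list(ev.InsertionStrings or ()),
    }

def fetch_events(conn, logfile="System", event_type=1):
    """Run the thread's WQL over a wmi.WMI-style connection; only whitelisted log
    names and an int type reach the query string, so input cannot rewrite the WQL."""
    if logfile not in ALLOWED_LOGS:
        raise ValueError("unknown logfile: %r" % (logfile,))
    wql = ("SELECT * FROM Win32_NTLogEvent WHERE Logfile='%s' AND EventType=%d"
           % (logfile, int(event_type)))
    return [normalize_event(ev) for ev in conn.query(wql)]

# Constructed stand-ins (not real data): a record shaped like what wmi returns and
# a connection whose query() hands it back, so the parser runs without Windows.
SAMPLE_EVENT = SimpleNamespace(
    Logfile="System", RecordNumber=4711, ComputerName="HOST01", SourceName="Service Control Manager",
    EventCode=7034, EventType=1, TimeGenerated="20210916155137.000000+120", User=None,
    Message="The Foo service terminated unexpectedly.\r\n", InsertionStrings=("Foo", "1"))
class FakeConn:
    def __init__(self, rows): self.rows, self.last_wql = rows, None
    def query(self, wql):
        self.last_wql = wql
        return self.rows
```

Call `fetch_events(FakeConn([SAMPLE_EVENT]), "System", 1)` to see the normalized record; on a Windows host the same function accepts a real `wmi.WMI(ip, user=..., password=...)` connection in place of `FakeConn`.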
________________________________
From: python-win32 <python-win32-bounces+ruggeropaolo.basile=ora-0.it at python.org> on behalf of Ruggero Paolo Basile <RuggeroPaolo.Basile at ora-0.it>
Sent: Thursday 16 September 2021 15:51:37
To: Mark Hammond; python-win32 at python.org
Subject: Re: [python-win32] pywintypes.error: (5, 'OpenEventLogW', 'Access is denied.')
OK well, I didn't try the experiment because I won't modify the
other host; I only have to connect to a remote host in the local LAN,
but I can't find any parameter to connect to a host with win32security.LogonUser().
Greetings
Ruggero Paolo Basile
________________________________
From: Mark Hammond <mhammond at skippinet.com.au>
Sent: Thursday 16 September 2021 11:30:34
To: Ruggero Paolo Basile; python-win32 at python.org
Subject: Re: [python-win32] pywintypes.error: (5, 'OpenEventLogW', 'Access is denied.')
On 16/09/2021 7:17 pm, Ruggero Paolo Basile wrote:
> OK , let's explain the case
>
>
> My goal is to read the event log of the remote windows machine. I have
> experienced the *wmi library,* the wmi problem is that I have to create
> parsers, I have not found any code. On the remote machine I have no
> authentication problems as I connect to the local network.
If you have a username and password that works on the *server*, you may
be able to use win32security.LogonUser().
You still haven't answered:
> Tim also suggested a specific experiment you should try - did you try
> it? What happened?
It's likely you will be prompted for a username and password here. If
you have a username/password that works, win32security.LogonUser() is
likely to work with the same username/password.
Mark
-------------- next part --------------
A non-text attachment was scrubbed...
Name: login_eventlog.py
Type: text/x-python
Size: 1739 bytes
Desc: login_eventlog.py
URL: <https://mail.python.org/pipermail/python-win32/attachments/20210917/d8ed3ff8/attachment-0003.py>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: eventlog_0.py
Type: text/x-python
Size: 1479 bytes
Desc: eventlog_0.py
URL: <https://mail.python.org/pipermail/python-win32/attachments/20210917/d8ed3ff8/attachment-0004.py>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wmi_2.py
Type: text/x-python
Size: 1493 bytes
Desc: wmi_2.py
URL: <https://mail.python.org/pipermail/python-win32/attachments/20210917/d8ed3ff8/attachment-0005.py>