![](/img/trans.png)
[英]Read remote server event log to get AD user logon and logoff events and save it to SQL
[英]Get notified from logon and logoff
我必須開發一個程序,它在本地PC上作為服務運行,為服務器提供幾個用戶狀態。 一開始我必須檢測用戶登錄和注銷 。
我的想法是使用ManagementEventWatcher
類並查詢Win32_LogonSession
,以便在發生更改時收到通知。
我的第一個測試運行良好,這是代碼部分(這將作為服務的線程執行) :
private readonly static WqlEventQuery qLgi = new WqlEventQuery("__InstanceCreationEvent", new TimeSpan(0, 0, 1), "TargetInstance ISA \"Win32_LogonSession\"");
public EventWatcherUser() {
}
public void DoWork() {
ManagementEventWatcher eLgiWatcher = new ManagementEventWatcher(EventWatcherUser.qLgi);
eLgiWatcher.EventArrived += new EventArrivedEventHandler(HandleEvent);
eLgiWatcher.Start();
}
private void HandleEvent(object sender, EventArrivedEventArgs e)
{
ManagementBaseObject f = (ManagementBaseObject)e.NewEvent["TargetInstance"];
using (StreamWriter fs = new StreamWriter("C:\\status.log", true))
{
fs.WriteLine(f.Properties["LogonId"].Value);
}
}
但我有一些理解問題,我不確定這是否是解決該任務的常用方法。
如果我查詢Win32_LogonSession
我會得到幾條與同一用戶相關聯的記錄。 例如,我得到這個ID 7580798和7580829,如果我查詢
ASSOCIATORS OF {Win32_LogonSession.LogonId = X} WHERE ResultClass = Win32_UserAccount
我獲得了不同ID的相同記錄。 (Win32_UserAccount.Domain = “PC-名稱”,名稱= “用戶1”)
為什么有多個與同一用戶的登錄會話? 獲取當前用戶簽名的常用方法是什么? 或者更好的方法是如何通過用戶登錄正確收到通知?
我以為我可以用__InstanceDeletionEvent
以相同的方式來確定用戶是否注銷。 但我想如果事件被提出,那么在此之后我無法查詢Win32_UserAccount
的用戶名。 我是正確的?
我是在正確的方向還是有更好的方法? 如果你可以幫助我,那真是太棒了!
編輯 WTSRegisterSessionNotification類是否正確? 我不知道是否可能,因為在服務中我沒有窗口處理程序。
由於您使用的是服務,因此可以直接獲取會話更改事件。
您可以注冊自己以接收SERVICE_CONTROL_SESSIONCHANGE
事件。 特別是,您需要查找WTS_SESSION_LOGON
和WTS_SESSION_LOGOFF
原因。
有關MSDN文檔的詳細信息和鏈接,請查看我昨天寫的這個答案 。
在C#中,它更容易,因為ServiceBase已經包裝了服務控制例程並將事件公開為可OnSessionChange
方法。 請參閱ServiceBase的MSDN文檔 ,並且不要忘記將CanHandleSessionChangeEvent
屬性設置為true以啟用此方法的執行。
當框架調用OnSessionChange
覆蓋時,您得到的是SessionChangeDescription結構,其中包含原因(注銷,登錄,...)和可用於獲取信息的會話ID,例如,用戶登錄/注銷信息(請參閱我的熱門答案鏈接詳情)
編輯:示例代碼
public class SimpleService : ServiceBase {
...
public SimpleService()
{
CanPauseAndContinue = true;
CanHandleSessionChangeEvent = true;
ServiceName = "SimpleService";
}
protected override void OnSessionChange(SessionChangeDescription changeDescription)
{
EventLog.WriteEntry("SimpleService.OnSessionChange", DateTime.Now.ToLongTimeString() +
" - Session change notice received: " +
changeDescription.Reason.ToString() + " Session ID: " +
changeDescription.SessionId.ToString());
switch (changeDescription.Reason)
{
case SessionChangeReason.SessionLogon:
EventLog.WriteEntry("SimpleService.OnSessionChange: Logon");
break;
case SessionChangeReason.SessionLogoff:
EventLog.WriteEntry("SimpleService.OnSessionChange Logoff");
break;
...
}
您可以使用作為Windows一部分的系統事件通知服務技術。 它具有ISensLogon2接口 ,可提供登錄/注銷事件(以及其他事件,如遠程會話連接)。
這是一段代碼(示例控制台應用程序),演示了如何執行此操作。 您可以使用來自另一台計算機的遠程桌面會話對其進行測試,例如,這將觸發SessionDisconnect,SessionReconnect事件。
此代碼應支持從XP到Windows 8的所有Windows版本。
添加對名為COM + 1.0 Admin Type Library (即COMAdmin)的COM組件的引用。
注意務必將嵌入互操作類型設置為'False',否則將出現以下錯誤:“無法嵌入Interop類型'COMAdminCatalogClass'。請改用相應的接口。”
與互聯網上有關在.NET中使用此技術的其他文章相反,它不引用Sens.dll,因為它在Windows 8上似乎不存在(我不知道為什么)。 然而,該技術似乎得到支持,並且SENS服務確實安裝並在Windows 8上正常運行,因此您只需手動聲明接口和guids(如本示例中所示),或引用在早期版本的Windows上創建的互操作程序集(它應該工作正常,因為guids和各種接口沒有改變)。
class Program
{
static SensEvents SensEvents { get; set; }
static void Main(string[] args)
{
SensEvents = new SensEvents();
SensEvents.LogonEvent += OnSensLogonEvent;
Console.WriteLine("Waiting for events. Press [ENTER] to stop.");
Console.ReadLine();
}
static void OnSensLogonEvent(object sender, SensLogonEventArgs e)
{
Console.WriteLine("Type:" + e.Type + ", UserName:" + e.UserName + ", SessionId:" + e.SessionId);
}
}
public sealed class SensEvents
{
private static readonly Guid SENSGUID_EVENTCLASS_LOGON2 = new Guid("d5978650-5b9f-11d1-8dd2-00aa004abd5e");
private Sink _sink;
public event EventHandler<SensLogonEventArgs> LogonEvent;
public SensEvents()
{
_sink = new Sink(this);
COMAdminCatalogClass catalog = new COMAdminCatalogClass(); // need a reference to COMAdmin
// we just need a transient subscription, for the lifetime of our application
ICatalogCollection subscriptions = (ICatalogCollection)catalog.GetCollection("TransientSubscriptions");
ICatalogObject subscription = (ICatalogObject)subscriptions.Add();
subscription.set_Value("EventCLSID", SENSGUID_EVENTCLASS_LOGON2.ToString("B"));
subscription.set_Value("SubscriberInterface", _sink);
// NOTE: we don't specify a method name, so all methods may be called
subscriptions.SaveChanges();
}
private void OnLogonEvent(SensLogonEventType type, string bstrUserName, uint dwSessionId)
{
EventHandler<SensLogonEventArgs> handler = LogonEvent;
if (handler != null)
{
handler(this, new SensLogonEventArgs(type, bstrUserName, dwSessionId));
}
}
private class Sink : ISensLogon2
{
private SensEvents _events;
public Sink(SensEvents events)
{
_events = events;
}
public void Logon(string bstrUserName, uint dwSessionId)
{
_events.OnLogonEvent(SensLogonEventType.Logon, bstrUserName, dwSessionId);
}
public void Logoff(string bstrUserName, uint dwSessionId)
{
_events.OnLogonEvent(SensLogonEventType.Logoff, bstrUserName, dwSessionId);
}
public void SessionDisconnect(string bstrUserName, uint dwSessionId)
{
_events.OnLogonEvent(SensLogonEventType.SessionDisconnect, bstrUserName, dwSessionId);
}
public void SessionReconnect(string bstrUserName, uint dwSessionId)
{
_events.OnLogonEvent(SensLogonEventType.SessionReconnect, bstrUserName, dwSessionId);
}
public void PostShell(string bstrUserName, uint dwSessionId)
{
_events.OnLogonEvent(SensLogonEventType.PostShell, bstrUserName, dwSessionId);
}
}
[ComImport, Guid("D597BAB4-5B9F-11D1-8DD2-00AA004ABD5E")]
private interface ISensLogon2
{
void Logon([MarshalAs(UnmanagedType.BStr)] string bstrUserName, uint dwSessionId);
void Logoff([In, MarshalAs(UnmanagedType.BStr)] string bstrUserName, uint dwSessionId);
void SessionDisconnect([In, MarshalAs(UnmanagedType.BStr)] string bstrUserName, uint dwSessionId);
void SessionReconnect([In, MarshalAs(UnmanagedType.BStr)] string bstrUserName, uint dwSessionId);
void PostShell([In, MarshalAs(UnmanagedType.BStr)] string bstrUserName, uint dwSessionId);
}
}
public class SensLogonEventArgs : EventArgs
{
public SensLogonEventArgs(SensLogonEventType type, string userName, uint sessionId)
{
Type = type;
UserName = userName;
SessionId = sessionId;
}
public string UserName { get; private set; }
public uint SessionId { get; private set; }
public SensLogonEventType Type { get; private set; }
}
public enum SensLogonEventType
{
Logon,
Logoff,
SessionDisconnect,
SessionReconnect,
PostShell
}
注意:通過右鍵單擊Visual Studio快捷方式並單擊run as administrator
運行,確保Visual Studio以管理員權限run as administrator
,否則在運行程序時將拋出System.UnauthorizedAccessException
。
這是代碼(所有代碼都駐留在類中;在我的例子中,是繼承ServiceBase
的類)。 如果您還想獲取登錄用戶的用戶名,這將特別有用。
[DllImport("Wtsapi32.dll")]
private static extern bool WTSQuerySessionInformation(IntPtr hServer, int sessionId, WtsInfoClass wtsInfoClass, out IntPtr ppBuffer, out int pBytesReturned);
[DllImport("Wtsapi32.dll")]
private static extern void WTSFreeMemory(IntPtr pointer);
private enum WtsInfoClass
{
WTSUserName = 5,
WTSDomainName = 7,
}
private static string GetUsername(int sessionId, bool prependDomain = true)
{
IntPtr buffer;
int strLen;
string username = "SYSTEM";
if (WTSQuerySessionInformation(IntPtr.Zero, sessionId, WtsInfoClass.WTSUserName, out buffer, out strLen) && strLen > 1)
{
username = Marshal.PtrToStringAnsi(buffer);
WTSFreeMemory(buffer);
if (prependDomain)
{
if (WTSQuerySessionInformation(IntPtr.Zero, sessionId, WtsInfoClass.WTSDomainName, out buffer, out strLen) && strLen > 1)
{
username = Marshal.PtrToStringAnsi(buffer) + "\\" + username;
WTSFreeMemory(buffer);
}
}
}
return username;
}
使用您的類中的上述代碼,您可以簡單地獲取您要覆蓋的方法中的用戶名,如下所示:
protected override void OnSessionChange(SessionChangeDescription changeDescription)
{
string username = GetUsername(changeDescription.SessionId);
//continue with any other thing you wish to do
}
注意:記得添加CanHandleSessionChangeEvent = true;
在從ServiceBase
繼承的類的構造函數中
我使用ServiceBase.OnSessionChange來捕獲不同的用戶事件,然后加載必要的信息。
protected override void OnSessionChange(SessionChangeDescription desc)
{
var user = Session.Get(desc.SessionId);
}
要加載會話信息,我使用WTS_INFO_CLASS 。 請參閱下面的示例:
internal static class NativeMethods
{
public enum WTS_INFO_CLASS
{
WTSInitialProgram,
WTSApplicationName,
WTSWorkingDirectory,
WTSOEMId,
WTSSessionId,
WTSUserName,
WTSWinStationName,
WTSDomainName,
WTSConnectState,
WTSClientBuildNumber,
WTSClientName,
WTSClientDirectory,
WTSClientProductId,
WTSClientHardwareId,
WTSClientAddress,
WTSClientDisplay,
WTSClientProtocolType,
WTSIdleTime,
WTSLogonTime,
WTSIncomingBytes,
WTSOutgoingBytes,
WTSIncomingFrames,
WTSOutgoingFrames,
WTSClientInfo,
WTSSessionInfo
}
[DllImport("Kernel32.dll")]
public static extern uint WTSGetActiveConsoleSessionId();
[DllImport("Wtsapi32.dll")]
public static extern bool WTSQuerySessionInformation(IntPtr hServer, Int32 sessionId, WTS_INFO_CLASS wtsInfoClass, out IntPtr ppBuffer, out Int32 pBytesReturned);
[DllImport("Wtsapi32.dll")]
public static extern void WTSFreeMemory(IntPtr pointer);
}
public static class Status
{
public static Byte Online
{
get { return 0x0; }
}
public static Byte Offline
{
get { return 0x1; }
}
public static Byte SignedIn
{
get { return 0x2; }
}
public static Byte SignedOff
{
get { return 0x3; }
}
}
public static class Session
{
private static readonly Dictionary<Int32, User> User = new Dictionary<Int32, User>();
public static bool Add(Int32 sessionId)
{
IntPtr buffer;
int length;
var name = String.Empty;
var domain = String.Empty;
if (NativeMethods.WTSQuerySessionInformation(IntPtr.Zero, sessionId, NativeMethods.WTS_INFO_CLASS.WTSUserName, out buffer, out length) && length > 1)
{
name = Marshal.PtrToStringAnsi(buffer);
NativeMethods.WTSFreeMemory(buffer);
if (NativeMethods.WTSQuerySessionInformation(IntPtr.Zero, sessionId, NativeMethods.WTS_INFO_CLASS.WTSDomainName, out buffer, out length) && length > 1)
{
domain = Marshal.PtrToStringAnsi(buffer);
NativeMethods.WTSFreeMemory(buffer);
}
}
if (name == null || name.Length <= 0)
{
return false;
}
User.Add(sessionId, new User(name, domain));
return true;
}
public static bool Remove(Int32 sessionId)
{
return User.Remove(sessionId);
}
public static User Get(Int32 sessionId)
{
if (User.ContainsKey(sessionId))
{
return User[sessionId];
}
return Add(sessionId) ? Get(sessionId) : null;
}
public static UInt32 GetActiveConsoleSessionId()
{
return NativeMethods.WTSGetActiveConsoleSessionId();
}
}
public class AvailabilityChangedEventArgs : EventArgs
{
public bool Available { get; set; }
public AvailabilityChangedEventArgs(bool isAvailable)
{
Available = isAvailable;
}
}
public class User
{
private readonly String _name;
private readonly String _domain;
private readonly bool _isDomainUser;
private bool _signedIn;
public static EventHandler<AvailabilityChangedEventArgs> AvailabilityChanged;
public User(String name, String domain)
{
_name = name;
_domain = domain;
if (domain.Equals("EXAMPLE.COM"))
{
_isDomainUser = true;
}
else
{
_isDomainUser = false;
}
}
public String Name
{
get { return _name; }
}
public String Domain
{
get { return _domain; }
}
public bool IsDomainUser
{
get { return _isDomainUser; }
}
public bool IsSignedIn
{
get { return _signedIn; }
set
{
if (_signedIn == value) return;
_signedIn = value;
OnAvailabilityChanged(this, new AvailabilityChangedEventArgs(IsSignedIn));
}
}
protected void OnAvailabilityChanged(object sender, AvailabilityChangedEventArgs e)
{
if (AvailabilityChanged != null)
{
AvailabilityChanged(this, e);
}
}
}
以下代碼使用來自User
的靜態AvailabilityChanged
事件,一旦會話狀態更改,就會觸發該事件。 arg e
包含特定用戶。
public Main()
{
User.AvailabilityChanged += UserAvailabilityChanged;
}
private static void UserAvailabilityChanged(object sender, AvailabilityChangedEventArgs e)
{
var user = sender as User;
if (user == null) return;
System.Diagnostics.Debug.WriteLine(user.IsSignedIn);
}
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.