Saturday, March 31, 2012

Evtsys (actually auditpol and auditusr) Part II

# Powershell V3 CTP2
# Using auditpol on Vista, Win7
# Enables failure and sucess auditing for selected subcategories

"Special Logon",
"Other Logon/Logoff Events",
"Security State Change",
"Filtering Platform Connection",
"Process Creation",
"Audit Policy Change",
"Filtering Platform Policy Change",
"Credential Validation"

foreach ($i in $auditpollist) {auditpol /set /subcategory:"$i" /success:enable /failure:enable}

# Using auditusr on XP, 2003
# Since auditusr requires doesn't globally audit all users...

"System Event",
"Object Access",
"Privilege Use",
"Detailed Tracking",
"Policy Change",
"Account Management",
"Account Logon"

# creates list of all XP users
function netusers {$query = "Win32_UserAccount";$query+= " WHERE LocalAccount='True'";Get-WmiObject $query }
[array]$name_list=foreach ($i in $name_list) {$}

# set success and failure for all users for all categories in $auditusrlist
$name_list | % -process {
foreach ($i in $auditusrlist) {$au_str="$_`:$i";auditusr /is $au_str};
foreach ($i in $auditusrlist) {$au_str="$_`:$i";auditusr /if $au_str};