1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
|
/*++ BUILD Version: 0003 // Increment this if a change has global effects
Copyright (c) 1991-1996 Microsoft Corporation
Module Name:
lmaudit.h
Abstract:
This module defines the API function prototypes and data structures
for the following groups of NT API functions:
NetAudit
Environment:
User Mode - Win32
Notes:
You must include NETCONS.H before this file, since this file depends
on values defined in NETCONS.H.
--*/
#ifndef _LMAUDIT_
#define _LMAUDIT_
#ifdef __cplusplus
extern "C" {
#endif
#ifndef _LMHLOGDEFINED_
#define _LMHLOGDEFINED_
typedef struct _HLOG {
DWORD time;
DWORD last_flags;
DWORD offset;
DWORD rec_offset;
} HLOG, *PHLOG, *LPHLOG;
#define LOGFLAGS_FORWARD 0
#define LOGFLAGS_BACKWARD 0x1
#define LOGFLAGS_SEEK 0x2
#endif
//
// Function Prototypes - Audit
//
NET_API_STATUS NET_API_FUNCTION
NetAuditClear (
IN LPCWSTR server OPTIONAL,
IN LPCWSTR backupfile OPTIONAL,
IN LPCWSTR service OPTIONAL // WARNING: buggy support before LM 2.0C!!
);
NET_API_STATUS NET_API_FUNCTION
NetAuditRead (
IN LPCWSTR server OPTIONAL,
IN LPCWSTR service OPTIONAL, // WARNING: buggy support before LM 2.0C!!
IN LPHLOG auditloghandle,
IN DWORD offset,
IN LPDWORD reserved1 OPTIONAL,
IN DWORD reserved2,
IN DWORD offsetflag,
OUT LPBYTE *bufptr,
IN DWORD prefmaxlen,
OUT LPDWORD bytesread,
OUT LPDWORD totalavailable
);
NET_API_STATUS NET_API_FUNCTION
NetAuditWrite (
IN DWORD type,
IN LPBYTE buf,
IN DWORD numbytes,
IN LPCWSTR service OPTIONAL,
IN LPBYTE reserved OPTIONAL
);
//
// Data Structures - Audit
//
typedef struct _AUDIT_ENTRY {
DWORD ae_len;
DWORD ae_reserved;
DWORD ae_time;
DWORD ae_type;
DWORD ae_data_offset; /* Offset from beginning
address of audit_entry */
DWORD ae_data_size; // byte count of ae_data area (not incl pad).
} AUDIT_ENTRY, *PAUDIT_ENTRY, *LPAUDIT_ENTRY;
// BUGBUG: Temporary to let users ifdef on this struct layout.
#define REVISED_AUDIT_ENTRY_STRUCT
typedef struct _AE_SRVSTATUS {
DWORD ae_sv_status;
} AE_SRVSTATUS, *PAE_SRVSTATUS, *LPAE_SRVSTATUS;
typedef struct _AE_SESSLOGON {
DWORD ae_so_compname;
DWORD ae_so_username;
DWORD ae_so_privilege;
} AE_SESSLOGON, *PAE_SESSLOGON, *LPAE_SESSLOGON;
typedef struct _AE_SESSLOGOFF {
DWORD ae_sf_compname;
DWORD ae_sf_username;
DWORD ae_sf_reason;
} AE_SESSLOGOFF, *PAE_SESSLOGOFF, *LPAE_SESSLOGOFF;
typedef struct _AE_SESSPWERR {
DWORD ae_sp_compname;
DWORD ae_sp_username;
} AE_SESSPWERR, *PAE_SESSPWERR, *LPAE_SESSPWERR;
typedef struct _AE_CONNSTART {
DWORD ae_ct_compname;
DWORD ae_ct_username;
DWORD ae_ct_netname;
DWORD ae_ct_connid;
} AE_CONNSTART, *PAE_CONNSTART, *LPAE_CONNSTART;
typedef struct _AE_CONNSTOP {
DWORD ae_cp_compname;
DWORD ae_cp_username;
DWORD ae_cp_netname;
DWORD ae_cp_connid;
DWORD ae_cp_reason;
} AE_CONNSTOP, *PAE_CONNSTOP, *LPAE_CONNSTOP;
typedef struct _AE_CONNREJ {
DWORD ae_cr_compname;
DWORD ae_cr_username;
DWORD ae_cr_netname;
DWORD ae_cr_reason;
} AE_CONNREJ, *PAE_CONNREJ, *LPAE_CONNREJ;
typedef struct _AE_RESACCESS {
DWORD ae_ra_compname;
DWORD ae_ra_username;
DWORD ae_ra_resname;
DWORD ae_ra_operation;
DWORD ae_ra_returncode;
DWORD ae_ra_restype;
DWORD ae_ra_fileid;
} AE_RESACCESS, *PAE_RESACCESS, *LPAE_RESACCESS;
typedef struct _AE_RESACCESSREJ {
DWORD ae_rr_compname;
DWORD ae_rr_username;
DWORD ae_rr_resname;
DWORD ae_rr_operation;
} AE_RESACCESSREJ, *PAE_RESACCESSREJ, *LPAE_RESACCESSREJ;
typedef struct _AE_CLOSEFILE {
DWORD ae_cf_compname;
DWORD ae_cf_username;
DWORD ae_cf_resname;
DWORD ae_cf_fileid;
DWORD ae_cf_duration;
DWORD ae_cf_reason;
} AE_CLOSEFILE, *PAE_CLOSEFILE, *LPAE_CLOSEFILE;
typedef struct _AE_SERVICESTAT {
DWORD ae_ss_compname;
DWORD ae_ss_username;
DWORD ae_ss_svcname;
DWORD ae_ss_status;
DWORD ae_ss_code;
DWORD ae_ss_text;
DWORD ae_ss_returnval;
} AE_SERVICESTAT, *PAE_SERVICESTAT, *LPAE_SERVICESTAT;
typedef struct _AE_ACLMOD {
DWORD ae_am_compname;
DWORD ae_am_username;
DWORD ae_am_resname;
DWORD ae_am_action;
DWORD ae_am_datalen;
} AE_ACLMOD, *PAE_ACLMOD, *LPAE_ACLMOD;
typedef struct _AE_UASMOD {
DWORD ae_um_compname;
DWORD ae_um_username;
DWORD ae_um_resname;
DWORD ae_um_rectype;
DWORD ae_um_action;
DWORD ae_um_datalen;
} AE_UASMOD, *PAE_UASMOD, *LPAE_UASMOD;
typedef struct _AE_NETLOGON {
DWORD ae_no_compname;
DWORD ae_no_username;
DWORD ae_no_privilege;
DWORD ae_no_authflags;
} AE_NETLOGON, *PAE_NETLOGON, *LPAE_NETLOGON;
typedef struct _AE_NETLOGOFF {
DWORD ae_nf_compname;
DWORD ae_nf_username;
DWORD ae_nf_reserved1;
DWORD ae_nf_reserved2;
} AE_NETLOGOFF, *PAE_NETLOGOFF, *LPAE_NETLOGOFF;
typedef struct _AE_ACCLIM {
DWORD ae_al_compname;
DWORD ae_al_username;
DWORD ae_al_resname;
DWORD ae_al_limit;
} AE_ACCLIM, *PAE_ACCLIM, *LPAE_ACCLIM;
#define ACTION_LOCKOUT 00
#define ACTION_ADMINUNLOCK 01
typedef struct _AE_LOCKOUT {
DWORD ae_lk_compname; // Ptr to computername of client.
DWORD ae_lk_username; // Ptr to username of client (NULL
// if same as computername).
DWORD ae_lk_action; // Action taken on account:
// 0 means locked out, 1 means not.
DWORD ae_lk_bad_pw_count; // Bad password count at the time
// of lockout.
} AE_LOCKOUT, *PAE_LOCKOUT, *LPAE_LOCKOUT;
typedef struct _AE_GENERIC {
DWORD ae_ge_msgfile;
DWORD ae_ge_msgnum;
DWORD ae_ge_params;
DWORD ae_ge_param1;
DWORD ae_ge_param2;
DWORD ae_ge_param3;
DWORD ae_ge_param4;
DWORD ae_ge_param5;
DWORD ae_ge_param6;
DWORD ae_ge_param7;
DWORD ae_ge_param8;
DWORD ae_ge_param9;
} AE_GENERIC, *PAE_GENERIC, *LPAE_GENERIC;
//
// Special Values and Constants - Audit
//
//
// Audit entry types (field ae_type in audit_entry).
//
#define AE_SRVSTATUS 0
#define AE_SESSLOGON 1
#define AE_SESSLOGOFF 2
#define AE_SESSPWERR 3
#define AE_CONNSTART 4
#define AE_CONNSTOP 5
#define AE_CONNREJ 6
#define AE_RESACCESS 7
#define AE_RESACCESSREJ 8
#define AE_CLOSEFILE 9
#define AE_SERVICESTAT 11
#define AE_ACLMOD 12
#define AE_UASMOD 13
#define AE_NETLOGON 14
#define AE_NETLOGOFF 15
#define AE_NETLOGDENIED 16
#define AE_ACCLIMITEXCD 17
#define AE_RESACCESS2 18
#define AE_ACLMODFAIL 19
#define AE_LOCKOUT 20
#define AE_GENERIC_TYPE 21
//
// Values for ae_ss_status field of ae_srvstatus.
//
#define AE_SRVSTART 0
#define AE_SRVPAUSED 1
#define AE_SRVCONT 2
#define AE_SRVSTOP 3
//
// Values for ae_so_privilege field of ae_sesslogon.
//
#define AE_GUEST 0
#define AE_USER 1
#define AE_ADMIN 2
//
// Values for various ae_XX_reason fields.
//
#define AE_NORMAL 0
#define AE_USERLIMIT 0
#define AE_GENERAL 0
#define AE_ERROR 1
#define AE_SESSDIS 1
#define AE_BADPW 1
#define AE_AUTODIS 2
#define AE_UNSHARE 2
#define AE_ADMINPRIVREQD 2
#define AE_ADMINDIS 3
#define AE_NOACCESSPERM 3
#define AE_ACCRESTRICT 4
#define AE_NORMAL_CLOSE 0
#define AE_SES_CLOSE 1
#define AE_ADMIN_CLOSE 2
//
// Values for xx_subreason fields.
//
#define AE_LIM_UNKNOWN 0
#define AE_LIM_LOGONHOURS 1
#define AE_LIM_EXPIRED 2
#define AE_LIM_INVAL_WKSTA 3
#define AE_LIM_DISABLED 4
#define AE_LIM_DELETED 5
//
// Values for xx_action fields
//
#define AE_MOD 0
#define AE_DELETE 1
#define AE_ADD 2
//
// Types of UAS record for um_rectype field
//
#define AE_UAS_USER 0
#define AE_UAS_GROUP 1
#define AE_UAS_MODALS 2
//
// Bitmasks for auditing events
//
// The parentheses around the hex constants broke h_to_inc
// and have been purged from the face of the earth.
//
#define SVAUD_SERVICE 0x1
#define SVAUD_GOODSESSLOGON 0x6
#define SVAUD_BADSESSLOGON 0x18
#define SVAUD_SESSLOGON (SVAUD_GOODSESSLOGON | SVAUD_BADSESSLOGON)
#define SVAUD_GOODNETLOGON 0x60
#define SVAUD_BADNETLOGON 0x180
#define SVAUD_NETLOGON (SVAUD_GOODNETLOGON | SVAUD_BADNETLOGON)
#define SVAUD_LOGON (SVAUD_NETLOGON | SVAUD_SESSLOGON)
#define SVAUD_GOODUSE 0x600
#define SVAUD_BADUSE 0x1800
#define SVAUD_USE (SVAUD_GOODUSE | SVAUD_BADUSE)
#define SVAUD_USERLIST 0x2000
#define SVAUD_PERMISSIONS 0x4000
#define SVAUD_RESOURCE 0x8000
#define SVAUD_LOGONLIM 0x00010000
//
// Resource access audit bitmasks.
//
#define AA_AUDIT_ALL 0x0001
#define AA_A_OWNER 0x0004
#define AA_CLOSE 0x0008
#define AA_S_OPEN 0x0010
#define AA_S_WRITE 0x0020
#define AA_S_CREATE 0x0020
#define AA_S_DELETE 0x0040
#define AA_S_ACL 0x0080
#define AA_S_ALL ( AA_S_OPEN | AA_S_WRITE | AA_S_DELETE | AA_S_ACL)
#define AA_F_OPEN 0x0100
#define AA_F_WRITE 0x0200
#define AA_F_CREATE 0x0200
#define AA_F_DELETE 0x0400
#define AA_F_ACL 0x0800
#define AA_F_ALL ( AA_F_OPEN | AA_F_WRITE | AA_F_DELETE | AA_F_ACL)
// Pinball-specific
#define AA_A_OPEN 0x1000
#define AA_A_WRITE 0x2000
#define AA_A_CREATE 0x2000
#define AA_A_DELETE 0x4000
#define AA_A_ACL 0x8000
#define AA_A_ALL ( AA_F_OPEN | AA_F_WRITE | AA_F_DELETE | AA_F_ACL)
#ifdef __cplusplus
}
#endif
#endif // _LMAUDIT_
|
