Вход и выход из системы удаленной машины.

vadipok
Дата: 19.10.2014 20:34:09
Добрый вечер, коллеги!

Помогите куда копать дальше.
Необходимо из машины в локальной сети извлечь информацию о входе и выходе из системы пользователя.
Для этого использую Win32_LogonSession.
Не устраивает то, что этот класс хранит данные только во время работы, после выключения он стирается.
Может есть какие-то журналы в системе по истории входа и выхода?
Или более информативные классы.
Гугление не помогает.

Кусок программы С++:
+
    hres = pLoc->ConnectServer(
        _bstr_t(L"\\\\178.207.130.146\\root\\cimv2"),
        NULL,                              // User name
        NULL,                              // User password
        NULL,                              // Locale             
        NULL,                              // Security flags
        NULL,                              // Authority        
        NULL,                              // Context object 
        &pSvc                              // IWbemServices proxy
        );
    
    if (FAILED(hres))
    {
        cout << "Could not connect. Error code = 0x" << hex << hres << endl;
        pLoc->Release();     
        CoUninitialize();
        return 1;                // Program has failed.
    }
    
    // Step 6: --------------------------------------------------
    // Set security levels on a WMI connection ------------------

    hres = CoSetProxyBlanket(
       pSvc,                           // Indicates the proxy to set
       RPC_C_AUTHN_DEFAULT,            // RPC_C_AUTHN_xxx
       RPC_C_AUTHZ_DEFAULT,            // RPC_C_AUTHZ_xxx
       COLE_DEFAULT_PRINCIPAL,         // Server principal name 
       RPC_C_AUTHN_LEVEL_PKT_PRIVACY,  // RPC_C_AUTHN_LEVEL_xxx 
       RPC_C_IMP_LEVEL_IMPERSONATE,    // RPC_C_IMP_LEVEL_xxx
       NULL,                           // client identity
       EOAC_NONE                       // proxy capabilities 
    );

    if (FAILED(hres))
    {
        cout << "Could not set proxy blanket. Error code = 0x" << hex << hres << endl;
        pSvc->Release();
        pLoc->Release();     
        CoUninitialize();
        return 1;               // Program has failed.
    }

    // Step 7: --------------------------------------------------
    // Use the IWbemServices pointer to make requests of WMI ----
    IEnumWbemClassObject* pEnumerator = NULL;
    IWbemClassObject *pclsObj = NULL;
    ULONG uReturn = 0;


    // Cleanup
    //pEnumerator->Release();


	//++++++++++++++++++++++++++++++++++++++++
	cout << "++++++++++++++++++++++++++++++++" << endl;

    hres = pSvc->ExecQuery(
        bstr_t("WQL"), 
		bstr_t("SELECT * from Win32_LogonSession"),
        WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY, 
        NULL,
        &pEnumerator);
    
    if (FAILED(hres))
    {
        cout << "Query for operating system name failed." << " Error code = 0x" << hex << hres << endl;
        pSvc->Release();
        pLoc->Release();
        CoUninitialize();
        return 1;               // Program has failed.
    }

    // Step 8: -------------------------------------------------
    // Secure the enumerator proxy
    hres = CoSetProxyBlanket(
        pEnumerator,                    // Indicates the proxy to set
        RPC_C_AUTHN_DEFAULT,            // RPC_C_AUTHN_xxx
        RPC_C_AUTHZ_DEFAULT,            // RPC_C_AUTHZ_xxx
        COLE_DEFAULT_PRINCIPAL,         // Server principal name 
        RPC_C_AUTHN_LEVEL_PKT_PRIVACY,  // RPC_C_AUTHN_LEVEL_xxx 
        RPC_C_IMP_LEVEL_IMPERSONATE,    // RPC_C_IMP_LEVEL_xxx
        NULL,                           // client identity
        EOAC_NONE                       // proxy capabilities 
        );

    if (FAILED(hres))
    {
        cout << "Could not set proxy blanket on enumerator. Error code = 0x" << hex << hres << endl;
        pEnumerator->Release();
        pSvc->Release();
        pLoc->Release();     
        CoUninitialize();
        return 1;               // Program has failed.
    }

    // Step 9: -------------------------------------------------
    // Get the data from the query in step 7 -------------------
	
    pclsObj = NULL;
    uReturn = 0;

	//pEnumerator->;

    while (pEnumerator)
    {
        HRESULT hr = pEnumerator->Next(WBEM_INFINITE, 1, &pclsObj, &uReturn);

        if(0 == uReturn)
        {
            break;
        }


		/*
		[Provider("CIMWin32")]class Win32_LogonSession : Win32_Session
		{
		  string   AuthenticationPackage;
		  string   Caption;
		  string   Description;
		  datetime InstallDate;
		  string   LogonId;
		  uint32   LogonType;
		  string   Name;
		  datetime StartTime;
		  string   Status;
		};
		*/

        VARIANT vtProp1;
		VARIANT vtProp2;
		VARIANT vtProp3;
		VARIANT vtProp4;
		VARIANT vtProp5;
		VARIANT vtProp6;
		VARIANT vtProp7;
		VARIANT vtProp8;
		VARIANT vtProp9;

		wcout << " ####################### " << endl;
		wcout << " ####################### " << endl;

		hr = pclsObj->Get(L"AuthenticationPackage", 0, &vtProp1, 0, 0);
		wcout << " AuthenticationPackage: " << vtProp1.bstrVal << endl;
		VariantClear(&vtProp1);

		hr = pclsObj->Get(L"Caption", 0, &vtProp2, 0, 0);
		wcout << " Caption: " << vtProp2.cVal << endl;
		VariantClear(&vtProp2);

		hr = pclsObj->Get(L"Description", 0, &vtProp3, 0, 0);
		wcout << " Description: " << vtProp3.cVal << endl;
		VariantClear(&vtProp3);

		hr = pclsObj->Get(L"InstallDate", 0, &vtProp4, 0, 0);
		wcout << " InstallDate: " << vtProp4.uintVal << endl;
		VariantClear(&vtProp4);

		hr = pclsObj->Get(L"LogonId", 0, &vtProp5, 0, 0);
		wcout << " LogonId: " << vtProp5.uintVal << endl;
		VariantClear(&vtProp5);

		hr = pclsObj->Get(L"LogonType", 0, &vtProp6, 0, 0);
		wcout << " LogonType: " << vtProp6.iVal << endl;
		VariantClear(&vtProp6);

		hr = pclsObj->Get(L"Name", 0, &vtProp7, 0, 0);
		wcout << " Name: " << vtProp7.cVal << endl;
		VariantClear(&vtProp7);

		hr = pclsObj->Get(L"StartTime", 0, &vtProp8, 0, 0);
		wcout << " StartTime: " << _wtoi64(vtProp8.bstrVal) << endl;
		VariantClear(&vtProp8);

		hr = pclsObj->Get(L"Status", 0, &vtProp9, 0, 0);
		wcout << " Status: " << vtProp9.iVal << endl;
		VariantClear(&vtProp9);
		
        pclsObj->Release();
        pclsObj = NULL;
    }



    if( pclsObj )
    {
        pclsObj->Release();
    }


	
    // Cleanup
    pEnumerator->Release();


Вывод:
+
++++++++++++++++++++++++++++++++
 #######################
 #######################
 AuthenticationPackage: NTLM
 Caption: &#9568;
 Description: &#9568;
 InstallDate: 3435973836
 LogonId: 1528868
 LogonType: 0
 Name: &#9568;
 StartTime: 20141019160054
 Status: -13108
 #######################
 #######################
 AuthenticationPackage: Negotiate
 Caption: &#9568;
 Description: &#9568;
 InstallDate: 3435973836
 LogonId: 1528868
 LogonType: 5
 Name: &#9568;
 StartTime: 20141019160054
 Status: -13108
 #######################
 #######################
 AuthenticationPackage: Negotiate
 Caption: &#9568;
 Description: &#9568;
 InstallDate: 3435973836
 LogonId: 1528868
 LogonType: 5
 Name: &#9568;
 StartTime: 20141019160054
 Status: -13108
 #######################
 #######################
 AuthenticationPackage: NTLM
 Caption: &#9568;
 Description: &#9568;
 InstallDate: 3435973836
 LogonId: 1528868
 LogonType: 2
 Name: &#9568;
 StartTime: 20141019160055
 Status: -13108
 #######################
 #######################
 AuthenticationPackage: NTLM
 Caption: &#9568;
 Description: &#9568;
 InstallDate: 3435973836
 LogonId: 1535524
 LogonType: 3
 Name: &#9568;
 StartTime: 20141019160202
 Status: -13108