} // closes a definition that begins before this excerpt (its header is not visible here)

// ---- WMI process-lifecycle monitor (fragment) ----
// Subscribes to intrinsic __InstanceOperationEvent notifications for
// Win32_Process on the local host and prints one record per process creation
// or termination. Needs PHP's Windows-only COM extension (COM, Variant,
// VT_BSTR). win_time() is a helper defined outside this excerpt — presumably
// it converts a WMI datetime string; confirm against its definition.
// NOTE(review): the while/switch opened below are not closed within this
// excerpt; their closing braces lie outside the page.
$strComputer = "."; // "." = the local machine
$wmi = new COM("winmgmts:\\\\" . $strComputer . "\\root\\cimv2");
// "Within .1" asks the WMI provider to poll for process changes every 0.1 s;
// NextEvent below blocks until a matching event is available.
$wmiEvent = $wmi->ExecNotificationQuery("SELECT * FROM __InstanceOperationEvent " . " Within .1 WHERE TargetInstance ISA 'Win32_Process'", "WQL");
// Win32_Process::GetOwner writes to its out-parameters, so they are passed as
// COM BSTR Variants rather than plain PHP strings.
$get_user = new Variant("", VT_BSTR);
$get_domain = new Variant("", VT_BSTR);
echo "Monitoring Processes ...\n";
while (true) {
    $evt = $wmiEvent->NextEvent;
    switch ($evt->Path_->Class) {
        case "__InstanceCreationEvent":
            // This first GetOwner call fills only $get_user; the lookup is
            // repeated below with both out-params, so this call effectively
            // serves only to obtain the return code.
            $error = $evt->TargetInstance->GetOwner($get_user);
            // Loose != against a COM return value; prefer a strict comparison
            // once the returned type (int vs. Variant) has been confirmed.
            if ($error != 0) {
                echo "Could not get Owner Info - Error: " . $error;
            } else {
                $evtCreated = win_time($evt->TargetInstance->CreationDate);
                $evt->TargetInstance->GetOwner($get_user, $get_domain);
                echo "New Process Created : " . $evtCreated . "\n";
                echo "New Process Name : " . $evt->TargetInstance->Name . "\n";
                echo "Process Owner : " . $get_domain . "\\" . $get_user;
                echo "\n" . "New Process Path : " . $evt->TargetInstance->ExecutablePath . "\n";
                echo "New Process ID : " . $evt->TargetInstance->ProcessId . "\n";
                echo "Parent Process ID : " . $evt->TargetInstance->ParentProcessId . "\n";
                echo "New Process Priority : " . $evt->TargetInstance->Priority . "\n";
                break;
            }
            // BUG(review): the break above sits inside the else-branch, so when
            // GetOwner fails control falls through into the deletion case and a
            // spurious "Process Terminated" record is printed for a process that
            // was just created. The break belongs after the if/else.
        case "__InstanceDeletionEvent":
            echo "Process Terminated : " . $evt->TargetInstance->ProcessId . "\n";
            echo "Process Name : " . $evt->TargetInstance->Name . "\n";
            break;
            // Unreachable: placed after the break, this separator never prints.
            echo "-------------------------------------\n";
// ---- (fragment) Tail of a Win32_ComputerSystem inventory loop ----
// The foreach over the WMI result set, and the $strInitialLoadInfo,
// $strOEMLogoBitmap, $strOEMStringArray, $strPowerManagementCapabilities and
// $strRoles helpers referenced below, are assigned before this excerpt begins.
$strSupportContactDescription = array($objItem->SupportContactDescription);
$strSystemStartupOptions = array($objItem->SystemStartupOptions);
// Flatten the WMI instance into a plain associative array so the whole
// collection can be dumped/serialised as $return_data.
// NOTE(review): AdminPasswordStatus, KeyboardPasswordStatus,
// PowerOnPasswordStatus, UserName and Domain describe the host's security
// posture and logged-on user — treat this output as confidential inventory data.
$return_data['asset'] = array(
    "AdminPasswordStatus" => $objItem->AdminPasswordStatus,
    "AutomaticManagedPagefile" => $objItem->AutomaticManagedPagefile,
    "AutomaticResetBootOption" => $objItem->AutomaticResetBootOption,
    "AutomaticResetCapability" => $objItem->AutomaticResetCapability,
    "BootOptionOnLimit" => $objItem->BootOptionOnLimit,
    "BootOptionOnWatchDog" => $objItem->BootOptionOnWatchDog,
    "BootROMSupported" => $objItem->BootROMSupported,
    "BootupState" => $objItem->BootupState,
    "Caption" => $objItem->Caption,
    "ChassisBootupState" => $objItem->ChassisBootupState,
    "CreationClassName" => $objItem->CreationClassName,
    "CurrentTimeZone" => $objItem->CurrentTimeZone,
    "DaylightInEffect" => $objItem->DaylightInEffect,
    "Description" => $objItem->Description,
    "DNSHostName" => $objItem->DNSHostName,
    "Domain" => $objItem->Domain,
    "DomainRole" => $objItem->DomainRole,
    "EnableDaylightSavingsTime" => $objItem->EnableDaylightSavingsTime,
    "FrontPanelResetStatus" => $objItem->FrontPanelResetStatus,
    "InfraredSupported" => $objItem->InfraredSupported,
    "InitialLoadInfo" => $strInitialLoadInfo,
    "KeyboardPasswordStatus" => $objItem->KeyboardPasswordStatus,
    "LastLoadInfo" => $objItem->LastLoadInfo,
    "Manufacturer" => $objItem->Manufacturer,
    "Model" => $objItem->Model,
    "Name" => $objItem->Name,
    "NameFormat" => $objItem->NameFormat,
    "NetworkServerModeEnabled" => $objItem->NetworkServerModeEnabled,
    "NumberOfLogicalProcessors" => $objItem->NumberOfLogicalProcessors,
    "NumberOfProcessors" => $objItem->NumberOfProcessors,
    "OEMLogoBitmap" => $strOEMLogoBitmap,
    "OEMStringArray" => $strOEMStringArray,
    "PartOfDomain" => $objItem->PartOfDomain,
    "PauseAfterReset" => $objItem->PauseAfterReset,
    "PCSystemType" => $objItem->PCSystemType,
    "PowerManagementCapabilities" => $strPowerManagementCapabilities,
    "PowerManagementSupported" => $objItem->PowerManagementSupported,
    "PowerOnPasswordStatus" => $objItem->PowerOnPasswordStatus,
    "PowerState" => $objItem->PowerState,
    "PowerSupplyState" => $objItem->PowerSupplyState,
    "PrimaryOwnerContact" => $objItem->PrimaryOwnerContact,
    "PrimaryOwnerName" => $objItem->PrimaryOwnerName,
    "ResetCapability" => $objItem->ResetCapability,
    "ResetCount" => $objItem->ResetCount,
    "ResetLimit" => $objItem->ResetLimit,
    "Roles" => $strRoles,
    "Status" => $objItem->Status,
    "SupportContactDescription" => $strSupportContactDescription,
    "SystemStartupDelay" => $objItem->SystemStartupDelay,
    "SystemStartupOptions" => $strSystemStartupOptions,
    "SystemStartupSetting" => $objItem->SystemStartupSetting,
    "SystemType" => $objItem->SystemType,
    "ThermalState" => $objItem->ThermalState,
    "TotalPhysicalMemory" => $objItem->TotalPhysicalMemory,
    "UserName" => $objItem->UserName,
    "WakeUpType" => $objItem->WakeUpType,
    "Workgroup" => $objItem->Workgroup);
} // closes the loop over Win32_ComputerSystem instances (opened before this excerpt)

// ---- Pull Event Log Data
$return_data['events'] = array();
$x = 0; // index of the event currently being flattened
// NOTE(review): $colItems is assigned here but never read — the loop below
// iterates instancesof() instead — so this ExecQuery is a second, unused full
// scan of every event log.
$colItems = $objWMIService->ExecQuery("SELECT * FROM Win32_NTLogEvent");
// $objects_array (WMI property name => "string" | "time" | "array") must be
// defined before this point; it is not part of this excerpt.
foreach ($objWMIService->instancesof("Win32_NTLogEvent") as $objItem) {
    $return_data['events'][$x] = array();
    foreach ($objects_array as $disp_obj => $disp_type) {
        if ($disp_type == "string") {
            $return_data['events'][$x][$disp_obj] = trim($objItem->{$disp_obj});
        } else {
            if ($disp_type == "time") {
                // win_time() is defined outside this excerpt.
                $return_data['events'][$x][$disp_obj] = win_time($objItem->{$disp_obj});
            } else {
                if ($disp_type == "array") {
                    // Guards the foreach against a null property. The loose
                    // != NULL also skips "" and 0 — presumably harmless for an
                    // array-valued WMI property, but confirm.
                    if ($objItem->{$disp_obj} != NULL) {
                        $return_data['events'][$x][$disp_obj] = array();
                        // Copy the COM collection element-by-element into a PHP list.
                        foreach ($objItem->{$disp_obj} as $string) {
                            $return_data['events'][$x][$disp_obj][] = $string;
                        }
                    }
                }
            }
        }
    }
    $x++;
}
// Dumps the complete asset + event structure to standard output.
print_r($return_data);
// ---- (fragment) Batched SQLite load of Win32_NTLogEvent rows ----
// $colItems (the WMI result set), $snorm (event column => lookup-table name),
// $batchsize and $dbh (presumably a PDO handle — it is only used via ->exec)
// are initialised before this excerpt; the two trailing braces close scopes
// opened there.
//
// SECURITY(review): every statement below is assembled by string concatenation
// from WMI event fields (Category, ComputerName, EventCode, LogFile, Message,
// SourceName, Type). Event-log text is influenced by untrusted parties — a
// failed-logon event, for example, embeds whatever account name was submitted —
// so this is a SQL-injection sink into the collector's own database. Only
// Message has single quotes stripped; the lookup-table inserts get no escaping
// at all. The fix is $dbh->prepare(...) with bound parameters, not more
// str_replace. Return values of $dbh->exec() are also never checked; with
// PDO, set ERRMODE_EXCEPTION so a failed batch is not silently lost.
$x = 0;     // rows accumulated in the current batch
$total = 0; // rows flushed so far
$query = "BEGIN TRANSACTION; ";
foreach ($colItems as $objItem) {
    // Lookup tables: one INSERT OR IGNORE per normalised column, buffered in a
    // dynamically named variable ($norm_query_<table>). Variable variables
    // defeat static analysis; a keyed array would do the same job readably.
    foreach ($snorm as $key => $value) {
        if ($x == 0) {
            ${"norm_query_" . $value} = "BEGIN TRANSACTION;";
        }
        ${"norm_query_" . $value} .= "\r\n\t\t\t\t\tINSERT OR IGNORE INTO " . $value . " (" . $key . ") VALUES ('" . $objItem->{$key} . "'); ";
        // Flush this table's buffer once the batch is full ($x only advances
        // in the outer loop, so this fires for every table of the same row).
        if ($x >= $batchsize) {
            ${"norm_query_" . $value} .= " COMMIT;";
            $dbh->exec(${"norm_query_" . $value});
            ${"norm_query_" . $value} = "BEGIN TRANSACTION;";
        }
    }
    // Fact row; the sub-SELECTs resolve the lookup keys inserted above.
    // NOTE(review): the Users sub-SELECT compares against the literal '******'
    // rather than the event's user, so every row resolves to the same UserID
    // (or NULL). Confirm whether this is a placeholder left in the source.
    $query .= "INSERT INTO Events (CategoryID, ComputerName, EventCodeID, LogfileID, Message, RecordNumber, SourceNameID, TimeWritten, TypeID, UserID) VALUES\r\n\t\t\t\t\t\t(\r\n\t\t\t\t\t\t\t(\r\n\t\t\t\t\t\t\t\tSELECT\r\n\t\t\t\t\t\t\t\t\tpkID\r\n\t\t\t\t\t\t\t\tFROM\r\n\t\t\t\t\t\t\t\t\tCategories\r\n\t\t\t\t\t\t\t\tWHERE\r\n\t\t\t\t\t\t\t\t\tCategory = '" . $objItem->Category . "'\r\n\t\t\t\t\t\t\t),\r\n\t\t\t\t\t\t\t'" . $objItem->ComputerName . "',\r\n\t\t\t\t\t\t\t(\r\n\t\t\t\t\t\t\t\tSELECT\r\n\t\t\t\t\t\t\t\t\tpkID\r\n\t\t\t\t\t\t\t\tFROM\r\n\t\t\t\t\t\t\t\t\tEventCodes\r\n\t\t\t\t\t\t\t\tWHERE\r\n\t\t\t\t\t\t\t\t\tEventCode = '" . $objItem->EventCode . "'\r\n\t\t\t\t\t\t\t),\r\n\t\t\t\t\t\t\t(\r\n\t\t\t\t\t\t\t\tSELECT\r\n\t\t\t\t\t\t\t\t\tpkID\r\n\t\t\t\t\t\t\t\tFROM\r\n\t\t\t\t\t\t\t\t\tLogfiles\r\n\t\t\t\t\t\t\t\tWHERE\r\n\t\t\t\t\t\t\t\t\tLogfile = '" . $objItem->LogFile . "'\r\n\t\t\t\t\t\t\t),\r\n\t\t\t\t\t\t\t'" . str_replace(array("'"), "", $objItem->Message) . "',\r\n\t\t\t\t\t\t\t'" . $objItem->RecordNumber . "',\r\n\t\t\t\t\t\t\t(\r\n\t\t\t\t\t\t\t\tSELECT\r\n\t\t\t\t\t\t\t\t\tpkID\r\n\t\t\t\t\t\t\t\tFROM\r\n\t\t\t\t\t\t\t\t\tSourceNames\r\n\t\t\t\t\t\t\t\tWHERE\r\n\t\t\t\t\t\t\t\t\tSourceName = '" . $objItem->SourceName . "'\r\n\t\t\t\t\t\t\t),\r\n\t\t\t\t\t\t\t'" . win_time($objItem->TimeWritten) .
        "',\r\n\t\t\t\t\t\t\t(\r\n\t\t\t\t\t\t\t\tSELECT\r\n\t\t\t\t\t\t\t\t\tpkID\r\n\t\t\t\t\t\t\t\tFROM\r\n\t\t\t\t\t\t\t\t\tTypes\r\n\t\t\t\t\t\t\t\tWHERE\r\n\t\t\t\t\t\t\t\t\tType = '" . $objItem->Type . "'\r\n\t\t\t\t\t\t\t),\r\n\t\t\t\t\t\t\t(\r\n\t\t\t\t\t\t\t\tSELECT\r\n\t\t\t\t\t\t\t\t\tpkID\r\n\t\t\t\t\t\t\t\tFROM\r\n\t\t\t\t\t\t\t\t\tUsers\r\n\t\t\t\t\t\t\t\tWHERE\r\n\t\t\t\t\t\t\t\t\tUser = '******'\r\n\t\t\t\t\t\t\t)\r\n\t\t\t\t\t\t); ";
    // Commit the fact-row batch once it reaches $batchsize rows.
    if ($x < $batchsize) {
        $x++;
    } else {
        $total += $x;
        $x = 0;
        $dbh->exec($query . " COMMIT;");
        $query = "\r\n\t\t\t\t\t\tBEGIN TRANSACTION; ";
    }
}
// Flush whatever remains in each lookup-table buffer and in the fact-row batch
// after the last row. NOTE(review): $total is not updated with the final
// partial batch here, so it under-counts unless the caller adds $x.
foreach ($snorm as $key => $value) {
    $dbh->exec(${"norm_query_" . $value} . " COMMIT;");
}
$dbh->exec($query . " COMMIT;");
} // closes a scope opened before this excerpt
} // closes a scope opened before this excerpt
// ---- (fragment) Second variant of the batched event loader ----
// Schema here uses eventLog / source / User / InsertionString lookup tables.
// $colItems, $x, $total, $batchsize, $query and $dbh are initialised before
// this excerpt; the final brace closes a scope opened there.
//
// SECURITY(review): same string-built SQL as the other loader. User and the
// joined InsertionStrings get '→'' doubling, but ComputerName, RecordNumber,
// EventIdentifier, EventCode, EventType, Category, LogFile and SourceName are
// concatenated raw, and the User lookup insert is not escaped at all. Event
// text is attacker-influenceable, so use prepared statements with bound
// parameters rather than hand escaping. $dbh->exec() results are unchecked.
$norm_query = "BEGIN TRANSACTION; ";
foreach ($colItems as $objItem) {
    // NOTE(review): $objItem->User is inserted unescaped here, unlike the
    // InsertionStrings value a few lines down.
    $norm_query .= "\r\n\t\t\t\tINSERT OR IGNORE INTO User (User) VALUES ('" . $objItem->User . "');";
    $norm_query .= "\r\n\t\t\t\tINSERT OR IGNORE INTO InsertionString (InsertionString) VALUES ('";
    // Collect the (iterable or null) InsertionStrings property into a PHP list.
    $insertionStrings = array();
    if ($objItem->InsertionStrings != NULL) { // loose != NULL guards the foreach against null
        foreach ($objItem->InsertionStrings as $oiv) {
            $insertionStrings[] = $oiv;
        }
    }
    // All insertion strings are stored as one text column joined by "|@|";
    // the same expression is recomputed below as the lookup key so that the
    // stored and searched values match exactly.
    $norm_query .= trim(str_replace("'", "''", implode("|@|", $insertionStrings))) . "'); ";
    // Early flush of the lookup inserts when the batch is full. The `.=`
    // inside exec() mutates $norm_query before it is reset on the next line;
    // the else-branch below will then commit an empty transaction, which is
    // harmless but wasteful.
    if ($x >= $batchsize) {
        $dbh->exec($norm_query .= " COMMIT;");
        $norm_query = "BEGIN TRANSACTION;";
    }
    // Fact row; the sub-SELECTs resolve lookup ids inserted above.
    // NOTE(review): the User sub-SELECT compares against the literal '******'
    // instead of $objItem->User, so the UserID column will not reflect the
    // event's user. Confirm whether this is a placeholder left in the source.
    $query .= "\r\n\t\t\t\tINSERT INTO Events (ComputerName, RecordNumber, TimeWritten, eventLogID, sourceID, EventIdentifier, EventCode, Type, Category, UserID, InsertionStringID) VALUES\r\n\t\t\t\t\t(\r\n\t\t\t\t\t\t'" . $objItem->ComputerName . "',\r\n\t\t\t\t\t\t'" . $objItem->RecordNumber . "',\r\n\t\t\t\t\t\t'" . win_time($objItem->TimeWritten) . "',\r\n\t\t\t\t\t\t(\r\n\t\t\t\t\t\t\tSELECT\r\n\t\t\t\t\t\t\t\teventlogID\r\n\t\t\t\t\t\t\tFROM eventLog\r\n\t\t\t\t\t\t\tWHERE\r\n\t\t\t\t\t\t\t\teventLog = '" . $objItem->LogFile . "'\r\n\t\t\t\t\t\t),\r\n\t\t\t\t\t\t(\r\n\t\t\t\t\t\t\tSELECT\r\n\t\t\t\t\t\t\t\tsourceID\r\n\t\t\t\t\t\t\tFROM source\r\n\t\t\t\t\t\t\tWHERE\r\n\t\t\t\t\t\t\t\tsource = '" . $objItem->SourceName . "'\r\n\t\t\t\t\t\t),\r\n\t\t\t\t\t\t'" . $objItem->EventIdentifier . "',\r\n\t\t\t\t\t\t'" . $objItem->EventCode . "',\r\n\t\t\t\t\t\t'" . $objItem->EventType . "',\r\n\t\t\t\t\t\t'" . $objItem->Category . "',\r\n\t\t\t\t\t\t(\r\n\t\t\t\t\t\t\tSELECT\r\n\t\t\t\t\t\t\t\tUserID\r\n\t\t\t\t\t\t\tFROM User\r\n\t\t\t\t\t\t\tWHERE\r\n\t\t\t\t\t\t\t\tUser = '******'\r\n\t\t\t\t\t\t),\r\n\t\t\t\t\t\t(\r\n\t\t\t\t\t\t\tSELECT\r\n\t\t\t\t\t\t\t\tInsertionStringID\r\n\t\t\t\t\t\t\tFROM InsertionString\r\n\t\t\t\t\t\t\tWHERE\r\n\t\t\t\t\t\t\t\tInsertionString = '" . trim(str_replace("'", "''", implode("|@|", $insertionStrings))) .
        "'\r\n\t\t\t\t\t\t)\r\n\t\t\t\t\t);";
    // Commit both buffers once the batch reaches $batchsize rows.
    if ($x < $batchsize) {
        $x++;
    } else {
        $total += $x;
        $x = 0;
        $dbh->exec($norm_query . " COMMIT;");
        $dbh->exec($query . " COMMIT;");
        $query = "BEGIN TRANSACTION;";
        $norm_query = "BEGIN TRANSACTION;";
    }
}
// Flush the final partial batch and count its rows.
$dbh->exec($norm_query . " COMMIT;");
$dbh->exec($query . " COMMIT;");
$total += $x;
} // closes a scope opened before this excerpt
// Echo "Year: " . $objItem->Year . "\n";
// };
// ---- Query Event Logs
// Need a stored placeholder so we can pick up where we left off:
// ("Win32_NTLogEvent where logfile='security' and RecordNumber >'12345'")
// This would be best after a reboot or the exe exiting and running again
//
// ---- (fragment) Dump every Win32_NTLogEvent as a quoted, comma-separated line ----
// $objWMIService and win_time() are set up outside this excerpt.
// NOTE(review): the header literal contains "\r\n" sequences, so the column
// list is printed across three physical lines rather than as one CSV header.
print "Category, CategoryString, ComputerName, EventCode,\r\n EventIdentifier, EventType, Logfile, Message, RecordNumber,\r\n SourceName, TimeGenerated, TimeWritten, Type, User, InsertionStrings" . "\n";
// WMI property name => how to render it ("string" | "time" | "array").
$objects_array = array(
    "Category" => "string",
    "CategoryString" => "string",
    "ComputerName" => "string",
    "EventCode" => "string",
    "EventIdentifier" => "string",
    "EventType" => "string",
    "Logfile" => "string",
    "Message" => "string",
    "RecordNumber" => "string",
    "SourceName" => "string",
    "TimeGenerated" => "time",
    "TimeWritten" => "time",
    "Type" => "string",
    "User" => "string",
    "InsertionStrings" => "array");
// Alternative result set; unused here because the loop below iterates
// instancesof() instead, so this is an extra full scan of all event logs.
$colItems = $objWMIService->ExecQuery("SELECT * FROM Win32_NTLogEvent"); //This query can also be used
foreach ($objWMIService->instancesof("Win32_NTLogEvent") as $objItem) {
    $line = "";
    // SECURITY(review): values are wrapped in double quotes but embedded
    // quotes, commas and newlines (common in Message, which carries text
    // from untrusted sources) are not escaped, so rows can be malformed or
    // misparsed downstream. fputcsv() to php://output would handle quoting.
    foreach ($objects_array as $disp_obj => $disp_type) {
        if ($disp_type == "string") {
            $line .= "\"" . trim($objItem->{$disp_obj}) . "\",";
        } else {
            if ($disp_type == "time") {
                $line .= "\"" . win_time($objItem->{$disp_obj}) . "\",";
            } else {
                if ($disp_type == "array") {
                    $line .= "\"";
                    // No null guard here (unlike the sibling loader): a null
                    // InsertionStrings makes this foreach emit a warning.
                    foreach ($objItem->{$disp_obj} as $string) {
                        $line .= $string . ",";
                    }
                    // Strips the trailing "," — but when the collection is
                    // empty nothing was appended and this strips the opening
                    // quote instead, leaving an unbalanced field.
                    $line = substr($line, 0, -1) . "\",";
                }
            }
        }
    }
    // Drop the final field separator and emit the row.
    print substr($line, 0, -1) . "\n";
}