}
// Watch process creation/deletion on the local machine ("." = this host) through
// WMI's COM interface. The moniker is winmgmts:\\<host>\root\cimv2.
$strComputer = ".";
$wmi = new COM(sprintf('winmgmts:\\\\%s\\root\\cimv2', $strComputer));
// Subscribe to every __InstanceOperationEvent whose target is a Win32_Process;
// WITHIN .1 is the WQL polling interval in seconds.
$wmiEvent = $wmi->ExecNotificationQuery(
    "SELECT * FROM __InstanceOperationEvent  Within .1 WHERE TargetInstance ISA 'Win32_Process'",
    "WQL"
);
// Out-parameters for GetOwner(): BSTR variants COM can write back into.
$get_user = new Variant("", VT_BSTR);
$get_domain = new Variant("", VT_BSTR);
echo "Monitoring Processes ...\n";
while (true) {
    $evt = $wmiEvent->NextEvent;
    switch ($evt->Path_->Class) {
        case "__InstanceCreationEvent":
            $error = $evt->TargetInstance->GetOwner($get_user);
            if ($error != 0) {
                echo "Could not get Owner Info - Error: " . $error;
            } else {
                $evtCreated = win_time($evt->TargetInstance->CreationDate);
                $evt->TargetInstance->GetOwner($get_user, $get_domain);
                echo "New Process Created  : " . $evtCreated . "\n";
                echo "New Process Name     : " . $evt->TargetInstance->Name . "\n";
                echo "Process Owner        : " . $get_domain . "\\" . $get_user;
                echo "\n" . "New Process Path     : " . $evt->TargetInstance->ExecutablePath . "\n";
                echo "New Process ID       : " . $evt->TargetInstance->ProcessId . "\n";
                echo "Parent Process ID    : " . $evt->TargetInstance->ParentProcessId . "\n";
                echo "New Process Priority : " . $evt->TargetInstance->Priority . "\n";
                break;
            }
        case "__InstanceDeletionEvent":
            echo "Process Terminated   : " . $evt->TargetInstance->ProcessId . "\n";
            echo "Process Name         : " . $evt->TargetInstance->Name . "\n";
            break;
            echo "-------------------------------------\n";
    $strSupportContactDescription = array($objItem->SupportContactDescription);
    $strSystemStartupOptions = array($objItem->SystemStartupOptions);
    $return_data['asset'] = array("AdminPasswordStatus" => $objItem->AdminPasswordStatus, "AutomaticManagedPagefile" => $objItem->AutomaticManagedPagefile, "AutomaticResetBootOption" => $objItem->AutomaticResetBootOption, "AutomaticResetCapability" => $objItem->AutomaticResetCapability, "BootOptionOnLimit" => $objItem->BootOptionOnLimit, "BootOptionOnWatchDog" => $objItem->BootOptionOnWatchDog, "BootROMSupported" => $objItem->BootROMSupported, "BootupState" => $objItem->BootupState, "Caption" => $objItem->Caption, "ChassisBootupState" => $objItem->ChassisBootupState, "CreationClassName" => $objItem->CreationClassName, "CurrentTimeZone" => $objItem->CurrentTimeZone, "DaylightInEffect" => $objItem->DaylightInEffect, "Description" => $objItem->Description, "DNSHostName" => $objItem->DNSHostName, "Domain" => $objItem->Domain, "DomainRole" => $objItem->DomainRole, "EnableDaylightSavingsTime" => $objItem->EnableDaylightSavingsTime, "FrontPanelResetStatus" => $objItem->FrontPanelResetStatus, "InfraredSupported" => $objItem->InfraredSupported, "InitialLoadInfo" => $strInitialLoadInfo, "KeyboardPasswordStatus" => $objItem->KeyboardPasswordStatus, "LastLoadInfo" => $objItem->LastLoadInfo, "Manufacturer" => $objItem->Manufacturer, "Model" => $objItem->Model, "Name" => $objItem->Name, "NameFormat" => $objItem->NameFormat, "NetworkServerModeEnabled" => $objItem->NetworkServerModeEnabled, "NumberOfLogicalProcessors" => $objItem->NumberOfLogicalProcessors, "NumberOfProcessors" => $objItem->NumberOfProcessors, "OEMLogoBitmap" => $strOEMLogoBitmap, "OEMStringArray" => $strOEMStringArray, "PartOfDomain" => $objItem->PartOfDomain, "PauseAfterReset" => $objItem->PauseAfterReset, "PCSystemType" => $objItem->PCSystemType, "PowerManagementCapabilities" => $strPowerManagementCapabilities, "PowerManagementSupported" => $objItem->PowerManagementSupported, "PowerOnPasswordStatus" => $objItem->PowerOnPasswordStatus, "PowerState" => $objItem->PowerState, "PowerSupplyState" => 
$objItem->PowerSupplyState, "PrimaryOwnerContact" => $objItem->PrimaryOwnerContact, "PrimaryOwnerName" => $objItem->PrimaryOwnerName, "ResetCapability" => $objItem->ResetCapability, "ResetCount" => $objItem->ResetCount, "ResetLimit" => $objItem->ResetLimit, "Roles" => $strRoles, "Status" => $objItem->Status, "SupportContactDescription" => $strSupportContactDescription, "SystemStartupDelay" => $objItem->SystemStartupDelay, "SystemStartupOptions" => $strSystemStartupOptions, "SystemStartupSetting" => $objItem->SystemStartupSetting, "SystemType" => $objItem->SystemType, "ThermalState" => $objItem->ThermalState, "TotalPhysicalMemory" => $objItem->TotalPhysicalMemory, "UserName" => $objItem->UserName, "WakeUpType" => $objItem->WakeUpType, "Workgroup" => $objItem->Workgroup);
}
// ---- Pull Event Log Data
// One entry per Win32_NTLogEvent instance, shaped by $objects_array
// (property name => "string" | "time" | "array"); any other type is left out.
$return_data['events'] = array();
$x = 0;
$colItems = $objWMIService->ExecQuery("SELECT * FROM Win32_NTLogEvent");
foreach ($objWMIService->instancesof("Win32_NTLogEvent") as $objItem) {
    // Build the row in place so a partially read record is still visible.
    $row = &$return_data['events'][$x];
    $row = array();
    foreach ($objects_array as $disp_obj => $disp_type) {
        if ($disp_type == "string") {
            $row[$disp_obj] = trim($objItem->{$disp_obj});
        } elseif ($disp_type == "time") {
            $row[$disp_obj] = win_time($objItem->{$disp_obj});
        } elseif ($disp_type == "array" && $objItem->{$disp_obj} != NULL) {
            // A NULL collection leaves the key absent rather than set to an empty array.
            $row[$disp_obj] = array();
            foreach ($objItem->{$disp_obj} as $string) {
                $row[$disp_obj][] = $string;
            }
        }
    }
    unset($row);
    $x++;
}
print_r($return_data);
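         $x = 0;
         $total = 0;
         // SQLite string-literal escape. Every value below comes from a Win32_NTLogEvent
         // record, i.e. text chosen by whatever process wrote the event, so it is never
         // spliced into SQL raw. Doubling the quote is the minimal fix that does not
         // depend on what $dbh is; if it is PDO, prepare()/execute() with bound values
         // is the better one. $colItems, $snorm, $batchsize and $dbh come from the
         // enclosing scope.
         $esc = function ($v) {
             return str_replace("'", "''", (string) $v);
         };
         // Correlated lookup of a normalised row's pkID, laid out exactly as before.
         $lookup = function ($table, $column, $v) use ($esc) {
             return "(\r\n\t\t\t\t\t\t\t\tSELECT\r\n\t\t\t\t\t\t\t\t\tpkID\r\n\t\t\t\t\t\t\t\tFROM\r\n\t\t\t\t\t\t\t\t\t" . $table
                 . "\r\n\t\t\t\t\t\t\t\tWHERE\r\n\t\t\t\t\t\t\t\t\t" . $column . " = '" . $esc($v) . "'\r\n\t\t\t\t\t\t\t)";
         };
         $query = "BEGIN TRANSACTION; ";
         // Open every per-table INSERT OR IGNORE batch up front so the final flush
         // cannot read an undefined variable when $colItems is empty. $snorm maps a
         // column name to the table it is normalised into; both are configuration,
         // not event data, and are used unescaped as identifiers.
         foreach ($snorm as $key => $value) {
             ${"norm_query_" . $value} = "BEGIN TRANSACTION;";
         }
         foreach ($colItems as $objItem) {
             foreach ($snorm as $key => $value) {
                 ${"norm_query_" . $value} .= "\r\n\t\t\t\t\tINSERT OR IGNORE INTO " . $value . " (" . $key . ") VALUES ('" . $esc($objItem->{$key}) . "'); ";
                 if ($x >= $batchsize) {
                     // Lookup rows are committed before the Events batch that references them.
                     $dbh->exec(${"norm_query_" . $value} . " COMMIT;");
                     ${"norm_query_" . $value} = "BEGIN TRANSACTION;";
                 }
             }
             $query .= "INSERT INTO Events (CategoryID, ComputerName, EventCodeID, LogfileID, Message, RecordNumber, SourceNameID, TimeWritten, TypeID, UserID) VALUES\r\n\t\t\t\t\t\t(\r\n\t\t\t\t\t\t\t"
                 . $lookup("Categories", "Category", $objItem->Category) . ",\r\n\t\t\t\t\t\t\t'"
                 . $esc($objItem->ComputerName) . "',\r\n\t\t\t\t\t\t\t"
                 . $lookup("EventCodes", "EventCode", $objItem->EventCode) . ",\r\n\t\t\t\t\t\t\t"
                 . $lookup("Logfiles", "Logfile", $objItem->LogFile) . ",\r\n\t\t\t\t\t\t\t'"
                 // Message is escaped instead of having its apostrophes stripped, so the stored text is intact.
                 . $esc($objItem->Message) . "',\r\n\t\t\t\t\t\t\t'"
                 . $esc($objItem->RecordNumber) . "',\r\n\t\t\t\t\t\t\t"
                 . $lookup("SourceNames", "SourceName", $objItem->SourceName) . ",\r\n\t\t\t\t\t\t\t'"
                 . $esc(win_time($objItem->TimeWritten)) . "',\r\n\t\t\t\t\t\t\t"
                 . $lookup("Types", "Type", $objItem->Type) . ",\r\n\t\t\t\t\t\t\t"
                 // Literal kept from the original; presumably a redacted field - confirm against the full source.
                 . $lookup("Users", "User", "******") . "\r\n\t\t\t\t\t\t); ";
             if ($x < $batchsize) {
                 $x++;
             } else {
                 $total += $x;
                 $x = 0;
                 $dbh->exec($query . " COMMIT;");
                 $query = "\r\n\t\t\t\t\t\tBEGIN TRANSACTION; ";
             }
         }
         // Flush the partial last batch of every lookup table, then the events that reference them.
         foreach ($snorm as $key => $value) {
             $dbh->exec(${"norm_query_" . $value} . " COMMIT;");
         }
         $dbh->exec($query . " COMMIT;");
         // Count the final partial batch too; the full batches were added above.
         $total += $x;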
     }
 }
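     // SQLite string-literal escape for every value taken from the event record.
     // User, ComputerName, LogFile, SourceName, Category and the rest are text chosen
     // by whatever process wrote the event; only InsertionStrings was escaped before,
     // so a crafted event could break out of the literal and run its own SQL. Quote
     // doubling is the minimal fix that does not assume what $dbh is; with PDO,
     // prepare()/execute() with bound values would be preferable. $x, $total, $query,
     // $batchsize, $dbh and $colItems come from the enclosing scope.
     $esc = function ($v) {
         return str_replace("'", "''", (string) $v);
     };
     // Correlated lookup of a normalised row's id, emitted exactly as before.
     $lookup = function ($idColumn, $table, $column, $v) use ($esc) {
         return "(\r\n\t\t\t\t\t\t\tSELECT\r\n\t\t\t\t\t\t\t\t" . $idColumn . "\r\n\t\t\t\t\t\t\tFROM " . $table
             . "\r\n\t\t\t\t\t\t\tWHERE\r\n\t\t\t\t\t\t\t\t" . $column . " = '" . $esc($v) . "'\r\n\t\t\t\t\t\t)";
     };
     $norm_query = "BEGIN TRANSACTION; ";
     foreach ($colItems as $objItem) {
         // InsertionStrings is NULL (not an empty collection) when the event has none.
         $insertionStrings = array();
         if ($objItem->InsertionStrings != NULL) {
             foreach ($objItem->InsertionStrings as $oiv) {
                 $insertionStrings[] = $oiv;
             }
         }
         // One joined, trimmed key: the same text goes into the lookup table and into
         // the Events subselect, so the row inserted here is the one found below.
         $insertionKey = trim(implode("|@|", $insertionStrings));
         $norm_query .= "\r\n\t\t\t\tINSERT OR IGNORE INTO User (User) VALUES ('" . $esc($objItem->User) . "');";
         $norm_query .= "\r\n\t\t\t\tINSERT OR IGNORE INTO InsertionString (InsertionString) VALUES ('" . $esc($insertionKey) . "'); ";
         // The per-row early flush of $norm_query that used to sit here was redundant:
         // the batch flush below always commits the lookup rows before the Events rows.
         $query .= "\r\n\t\t\t\tINSERT INTO Events (ComputerName, RecordNumber, TimeWritten, eventLogID, sourceID, EventIdentifier, EventCode, Type, Category, UserID, InsertionStringID) VALUES\r\n\t\t\t\t\t(\r\n\t\t\t\t\t\t'"
             . $esc($objItem->ComputerName) . "',\r\n\t\t\t\t\t\t'"
             . $esc($objItem->RecordNumber) . "',\r\n\t\t\t\t\t\t'"
             . $esc(win_time($objItem->TimeWritten)) . "',\r\n\t\t\t\t\t\t"
             . $lookup("eventlogID", "eventLog", "eventLog", $objItem->LogFile) . ",\r\n\t\t\t\t\t\t"
             . $lookup("sourceID", "source", "source", $objItem->SourceName) . ",\r\n\t\t\t\t\t\t'"
             . $esc($objItem->EventIdentifier) . "',\r\n\t\t\t\t\t\t'"
             . $esc($objItem->EventCode) . "',\r\n\t\t\t\t\t\t'"
             . $esc($objItem->EventType) . "',\r\n\t\t\t\t\t\t'"
             . $esc($objItem->Category) . "',\r\n\t\t\t\t\t\t"
             // Literal kept from the original; presumably a redacted field - confirm against the full source.
             . $lookup("UserID", "User", "User", "******") . ",\r\n\t\t\t\t\t\t"
             . $lookup("InsertionStringID", "InsertionString", "InsertionString", $insertionKey) . "\r\n\t\t\t\t\t);";
         if ($x < $batchsize) {
             $x++;
         } else {
             $total += $x;
             $x = 0;
             // Lookup rows go first so the subselects in the Events batch resolve.
             $dbh->exec($norm_query . " COMMIT;");
             $dbh->exec($query . " COMMIT;");
             $query = "BEGIN TRANSACTION;";
             $norm_query = "BEGIN TRANSACTION;";
         }
     }
     $dbh->exec($norm_query . " COMMIT;");
     $dbh->exec($query . " COMMIT;");
     $total += $x;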
 }
//    Echo "Year: " . $objItem->Year . "\n";
//  };
// ---- Query Event Logs
// Need a stored placeholder so we can pick up where we left off:
// ("Win32_NTLogEvent where logfile='security' and RecordNumber >'12345'")
// This would be best after a reboot or the exe exiting and running again
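// Column headings, then one quoted, comma-separated line per Win32_NTLogEvent record.
print "Category, CategoryString, ComputerName, EventCode,\r\n         EventIdentifier, EventType, Logfile, Message, RecordNumber,\r\n         SourceName, TimeGenerated, TimeWritten, Type, User, InsertionStrings" . "\n";
// Property name => how it is rendered: "string" (trimmed), "time" (through win_time)
// or "array" (elements joined with commas).
$objects_array = array("Category" => "string", "CategoryString" => "string", "ComputerName" => "string", "EventCode" => "string", "EventIdentifier" => "string", "EventType" => "string", "Logfile" => "string", "Message" => "string", "RecordNumber" => "string", "SourceName" => "string", "TimeGenerated" => "time", "TimeWritten" => "time", "Type" => "string", "User" => "string", "InsertionStrings" => "array");
$colItems = $objWMIService->ExecQuery("SELECT * FROM Win32_NTLogEvent");
// This query can also be used
foreach ($objWMIService->instancesof("Win32_NTLogEvent") as $objItem) {
    $fields = array();
    foreach ($objects_array as $disp_obj => $disp_type) {
        $raw = $objItem->{$disp_obj};
        if ($disp_type == "string") {
            $value = trim($raw);
        } elseif ($disp_type == "time") {
            $value = win_time($raw);
        } elseif ($disp_type == "array") {
            // A missing collection is NULL, not empty: iterating it warns, and the old
            // code then chopped the opening quote off the field instead of a comma.
            $parts = array();
            if ($raw != NULL) {
                foreach ($raw as $string) {
                    $parts[] = $string;
                }
            }
            $value = implode(",", $parts);
        } else {
            continue;   // unknown type: omitted from the line, as before
        }
        // Message, SourceName, InsertionStrings etc. are chosen by whatever wrote the
        // event; double embedded quotes so one cannot end the field early and forge
        // extra columns for whatever parses this output (CSV-style escaping).
        $fields[] = "\"" . str_replace("\"", "\"\"", (string) $value) . "\"";
    }
    print implode(",", $fields) . "\n";
}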