Monitor when UAC occurs

I am looking for a solution to capture User Account Control prompts occurring on client machines. I want to develop a PowerShell script and deploy it in an environment with Active Directory 2008 and Windows 10 clients. Currently the end users have full local administrator rights. I need a report to check how often they really need to elevate their privileges.

Regards, 山猫

To see when a UAC prompt is shown, you can enable UAC auditing on the device with a registry key or a Group Policy setting, as covered here:

Uac Auditing is done by changing windows policy (Local\Group). The policy in interest is found at: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy

Audit Privilege Use will give you information about elevated usage using the UAC consent.exe dialog box in the System Event log. The Event IDs created by this: 4648 and 4624.

Audit Process Tracking will give you information about processes and their creation/termination. Event Id created by this: 4688. Also, look at event id 4696 to see when a new token (user-logon handle) was assigned to process. Using all these events, you can get a clear picture of the timeline for every process that requested an elevated rights with UAC dialog.

Once that is done, you can audit these events from a PowerShell script by looking for Windows events with the appropriate IDs, like this:

# 4624 and 4648 are written to the Security log (reading it requires an elevated session)
$UACEvents = Get-WinEvent -LogName Security | Where-Object Id -in 4648, 4624

Then you just bake that into whatever process you like.

Event information

Id     Event
4624   A new account was logged in
4648   A logon was attempted using explicit credentials
4696   A primary token was assigned to process
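The following script is an added example, not part of the answer above. It builds the report the question asks for from the 4688 (process creation) events that the Audit Process Tracking / Process Creation policy produces: each 4688 event carries a TokenElevationType field, and the value %%1937 (Type 2) means the process was started with a full administrator token obtained through a UAC consent or credential prompt, which is exactly "the user really needed to elevate". It assumes the audit policy is already enabled, that it runs in an elevated session on the client (the Security log is not readable otherwise), and that the ParentProcessName field is present (Windows 10 and later; it is simply empty on older systems). The $Days parameter and the CSV file name are choices made for this example.

```powershell
# Added example: count real UAC elevations per user from Security event 4688.
# Assumes "Audit Process Creation" auditing is enabled and the script runs elevated.
param(
    [int]$Days = 7   # look back this many days
)

$since = (Get-Date).AddDays(-$Days)

# TokenElevationType values carried by event 4688:
#   %%1936 = Type 1: full token without UAC (built-in Administrator, or UAC disabled)
#   %%1937 = Type 2: full token granted because the user elevated through a UAC prompt
#   %%1938 = Type 3: limited (filtered) token, i.e. a normal non-elevated process
$elevatedViaUac = '%%1937'

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['TokenElevationType'] -eq $elevatedViaUac) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Process = $data['NewProcessName']
            Parent  = $data['ParentProcessName']   # empty on systems that do not log it
        }
    }
}

# Report 1: how often each user elevated in the period
$rows | Group-Object User | Sort-Object Count -Descending |
    Select-Object @{ n = 'User'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Report 2: which programs were elevated most (what the users actually need admin rights for)
$rows | Group-Object Process | Sort-Object Count -Descending |
    Select-Object -First 10 @{ n = 'Process'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Export the raw rows so the per-client files can be merged centrally
$rows | Export-Csv -Path "$env:COMPUTERNAME-uac-elevations.csv" -NoTypeInformation
```

Using 4688 with TokenElevationType rather than 4624/4648 alone avoids counting every interactive logon as an elevation: a standard logon also creates 4624 events, whereas a Type 2 token on 4688 only appears when the UAC dialog was actually answered. Run it with `-Days 30` for a longer baseline, and note that a user who only ever produces Type 3 (limited) tokens is a candidate for losing local administrator rights without losing anything they use.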