Get username of an accessed file

Posted on 2024-12-11 15:43:08

I would like to get the username of an accessed file (add, delete, rename, ...).
Actually I use FileSystemWatcher to monitor the file access, and I have activated object access on a directory to get user information via event logs. This solution is not perfect, because there are a lot of file events and the event log messages are not so detailed. There is just one event ID for write data. It is used for add file, rename, move, ... every write data. Additionally, I had to crosscheck that the event log message matches the FileSystemWatcher event. I would prefer to handle this better. So I spent a lot of time googling, reading, ... I know there is another post on Stack Overflow

Get username of opened file

but I think there should be a possible solution because Windows Events can get the username.

By reading a few pages I discovered that there should be a possible solution using netapi32.dll. The example code on
http://vbcity.com/forums/t/133307.aspx?PageIndex=2
doesn't work for me. I was unable to get the fileid, so I changed the code to

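// Requires: using System.IO; using System.Threading;
// WinAPI is the poster's own P/Invoke wrapper class (not shown in the post).
private ulong GetFileIdFromPath(string filePath)
{
    WinAPI.BY_HANDLE_FILE_INFORMATION objectFileInfo = new WinAPI.BY_HANDLE_FILE_INFORMATION();

    Thread.Sleep(200);

    FileInfo fi = new FileInfo(filePath);

    // using releases the file handle even if the call below throws.
    using (FileStream fs = fi.Open(FileMode.Open, FileAccess.Read, FileShare.Read))
    {
        WinAPI.GetFileInformationByHandle(fs.Handle, out objectFileInfo);
    }

    // Combine the two 32-bit halves into the 64-bit file index.
    ulong fileIndex = ((ulong)objectFileInfo.FileIndexHigh << 32) + (ulong)objectFileInfo.FileIndexLow;

    return fileIndex;
}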

With this code I'm able to get the fileid, but with the fileid and the example code I'm unable to get the username.

Comments (1)

叹沉浮 2024-12-18 15:43:08

From my last program (2 weeks ago): I was asked to audit changes in files (also the user name).

The solution was to use FileSystemWatcher and, after an event, go to the Windows Event Log and, by XPath search, find which user made the action.

// Requires: using System; using System.Text; using System.Diagnostics.Eventing.Reader;
// EventUnit is the answerer's own class (Message, User, File); it is not shown in the post.
public static EventUnit DisplayEventAndLogInformation(string fileToSearch, DateTime actionTime)
{
    StringBuilder sb = new StringBuilder();
    const string queryString = @"<QueryList>
  <Query Id=""0"" Path=""Security"">
    <Select Path=""Security"">*</Select>
  </Query>
</QueryList>";
    EventLogQuery eventsQuery = new EventLogQuery("Security", PathType.LogName, queryString);
    eventsQuery.ReverseDirection = true; // newest events first
    EventUnit e = new EventUnit();
    bool isStop = false;
    using (EventLogReader logReader = new EventLogReader(eventsQuery))
    {
        for (EventRecord eventInstance = logReader.ReadEvent(); null != eventInstance; eventInstance = logReader.ReadEvent())
        {
            foreach (var property in eventInstance.Properties)
            {
                // Match when a property mentions the file and the event was logged in the same second.
                if (property.Value != null
                    && property.Value.ToString().ToLower().Contains(fileToSearch.ToLower())
                    && actionTime.ToString("d/M/yyyy HH:mm:ss") == eventInstance.TimeCreated.Value.ToString("d/M/yyyy HH:mm:ss"))
                {
                    // Dump every property of the matching event into the message.
                    foreach (var p in eventInstance.Properties) sb.AppendLine(Convert.ToString(p.Value));
                    e.Message = sb.ToString();
                    e.User = (eventInstance.Properties.Count > 1) ? eventInstance.Properties[1].Value.ToString() : "n/a";
                    e.File = fileToSearch;
                    isStop = true;
                    break;
                }
            }
            if (isStop) break;
        }
    }
    return e;
}
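A narrower form of the lookup in the answer above, added here as an example and not part of the original post: instead of reading the whole Security log and matching strings, it asks the log only for file-access audit events in a short window around the FileSystemWatcher time and reads the user and path by field name. It assumes Windows Vista/Server 2008 or later, where file object access is logged as event ID 4663, and that `filePath` is the full local path as it appears in the event; `FileAccessRecord`, `SecurityLogLookup` and `FindAccess` are hypothetical names.

```csharp
using System;
using System.Diagnostics.Eventing.Reader;
using System.Globalization;

public sealed class FileAccessRecord            // hypothetical result type
{
    public string User, File, Process;
    public DateTime? Time;
}

public static class SecurityLogLookup           // hypothetical helper
{
    // EventData fields of event 4663, selected by name instead of by index.
    static readonly EventLogPropertySelector Fields = new EventLogPropertySelector(new[]
    {
        "Event/EventData/Data[@Name='SubjectDomainName']",
        "Event/EventData/Data[@Name='SubjectUserName']",
        "Event/EventData/Data[@Name='ObjectName']",
        "Event/EventData/Data[@Name='ProcessName']"
    });

    // Newest 4663 event for filePath within +/- toleranceSeconds of actionTime, or null.
    public static FileAccessRecord FindAccess(string filePath, DateTime actionTime, int toleranceSeconds = 2)
    {
        const string stamp = "yyyy-MM-dd'T'HH:mm:ss.fff'Z'";
        DateTime utc = actionTime.ToUniversalTime();    // SystemTime is stored in UTC
        string xpath = string.Format(CultureInfo.InvariantCulture,
            "*[System[(EventID=4663) and TimeCreated[@SystemTime>='{0}' and @SystemTime<='{1}']]]",
            utc.AddSeconds(-toleranceSeconds).ToString(stamp, CultureInfo.InvariantCulture),
            utc.AddSeconds(toleranceSeconds).ToString(stamp, CultureInfo.InvariantCulture));

        // Reading the Security log requires an elevated or suitably privileged account.
        var query = new EventLogQuery("Security", PathType.LogName, xpath) { ReverseDirection = true };
        using (var reader = new EventLogReader(query))
        {
            for (EventRecord rec = reader.ReadEvent(); rec != null; rec = reader.ReadEvent())
            using (rec)
            {
                var v = ((EventLogRecord)rec).GetPropertyValues(Fields);
                // The path is compared in code, so it never has to be quoted inside the XPath.
                if (!string.Equals(v[2] as string, filePath, StringComparison.OrdinalIgnoreCase))
                    continue;
                return new FileAccessRecord { User = v[0] + "\\" + v[1], File = (string)v[2],
                                              Process = v[3] as string, Time = rec.TimeCreated };
            }
        }
        return null;    // no matching audit event in the window
    }
}
```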