Ticket #1058: events.au3

;4624
;4672
;4647
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Version=beta
#AutoIt3Wrapper_icon=pebkac.ico
#AutoIt3Wrapper_Change2CUI=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
;Irongeek's sloppy code for the PEBKAC Attack on the Windows Security Event Log, http://irongeek.com
#include <EventLog.au3>
#include <String.au3>
#include <array.au3>
_Main()

Func _Main()
    Local $hEventLog

ConsoleWrite ("Irongeek's PEBKAC Attack on the Windows Security Event Log ver .1" & @CRLF)
; Get log to work on
if $CmdLine[0] > 0 then
    $box=$CmdLine[1]
    ConsoleWrite ("Working on " & $box & "..." & @CRLF)
else
    $box=""
endif
$hEventLog = _EventLog__Open( $box, "System")
;$hEventLog = _EventLog__OpenBackup("", "c:\WINDOWS\system32\config\security")
$x=_EventLog__Count ($hEventLog)
;Iterate through log
MsgBox(1,"test",$x)
For $i=0 To $x
    $aEvent = _EventLog__Read($hEventLog)
    ;if $aEvent[6] = "4624" then
        for $j=0 to 14
        ConsoleWrite($j & ":   " & $aEvent[$j] & @CRLF )
        next
        ;msgbox(0,"",$aEvent[13] & @CRLF )
        ;$gooduser=GrabUsername ($aEvent[13])
        ;ConsoleWrite ("Successful  Login (" & $aEvent[1] & "): " & $gooduser & @CRLF)
    ;endif
next
_EventLog__Close($hEventLog)

EndFunc   ;==>_Main

Func GrabUsername($eventdescription)
    $aArray =_StringBetween($eventdescription,"User Name:", @cr)
    If IsArray($aArray) Then
        return StringStripWS($aArray[0], 1)
    EndIf
EndFunc