Log Viewer, behind the scenes

The log viewer in Parental Controls reads the publicly available system logs and turns them into the data you see in the control panel.  The logs are brought in from a few places: the System log, the Application log and the Parental Controls log itself.  These logs are processed in various ways to produce the information shown in the viewer.

I am not documenting the event numbers for the parental control log itself in this post, since this information was posted up on my blog previously.

The web, IM, email, media, system clock change, account change and settings change logs all correspond one to one with the log entries.  One entry in the log file ends up as one entry in the log viewer.

The Applications Run log is generated by reading the application log and matching start PIDs with end PIDs to find how long each app ran.  These results are then cached so that the game events can use them to get the durations for their sessions.  It uses the events SE_AUDITID_ETW_PROCESS_CREATED and SE_AUDITID_ETW_PROCESS_EXIT to do the matching.

The game log uses the Parental Controls game event, which records the PID the game ran as.  This PID is then looked up in the cached list of application runs to find how long the game ran.  Because PIDs are reused, the system looks for a run with the right PID whose start is close to the time the game started.
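The two steps above (pairing process-create and process-exit entries by PID, then resolving a game event's PID against the cached runs by proximity in time) can be shown together. The following is an added example written for this post, not Parental Controls code: the event identifiers named above are represented as string constants rather than their real numeric values, the event records and their `image` field are assumed, and the sample log entries are constructed. The time-proximity check is what keeps a reused PID from being matched to the wrong run.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Event identifiers from the post; string placeholders stand in for the real values.
SE_AUDITID_ETW_PROCESS_CREATED = "PROCESS_CREATED"
SE_AUDITID_ETW_PROCESS_EXIT = "PROCESS_EXIT"


@dataclass
class AppEvent:
    """One application-log entry (assumed shape; image name is a hypothetical field)."""
    time: datetime
    event_id: str
    pid: int
    image: str


@dataclass
class AppRun:
    """A create/exit pair; end is None if no matching exit was seen."""
    pid: int
    image: str
    start: datetime
    end: Optional[datetime]


def build_app_runs(events: List[AppEvent]) -> List[AppRun]:
    """Pair each PROCESS_CREATED with the next PROCESS_EXIT for the same PID.

    Windows reuses PIDs, so a create is only open until the first later exit with
    that PID; a later create with the same PID starts a fresh run.  A create that
    never sees an exit is kept with end=None (still running or log rolled over).
    """
    open_runs = {}
    runs = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id == SE_AUDITID_ETW_PROCESS_CREATED:
            if ev.pid in open_runs:  # earlier run with this PID never got an exit
                runs.append(open_runs.pop(ev.pid))
            open_runs[ev.pid] = AppRun(ev.pid, ev.image, ev.time, None)
        elif ev.event_id == SE_AUDITID_ETW_PROCESS_EXIT:
            run = open_runs.pop(ev.pid, None)
            if run is None:
                continue  # exit with no create in the window; nothing to pair
            run.end = ev.time
            runs.append(run)
    runs.extend(open_runs.values())
    return sorted(runs, key=lambda r: r.start)


def find_game_run(runs: List[AppRun], game_pid: int, game_start: datetime,
                  tolerance: timedelta = timedelta(seconds=30)) -> Optional[AppRun]:
    """Resolve a game event (PID + time) to the cached run with that PID whose
    start is closest to the game event time, within the tolerance."""
    candidates = [r for r in runs
                  if r.pid == game_pid and abs(r.start - game_start) <= tolerance]
    if not candidates:
        return None
    return min(candidates, key=lambda r: abs(r.start - game_start))


# Constructed sample log: PID 1234 is used first by a game and later reused by notepad;
# PID 999 never exits.
_D = datetime(2024, 1, 1)
SAMPLE_EVENTS = [
    AppEvent(_D.replace(hour=9), SE_AUDITID_ETW_PROCESS_CREATED, 999, "background.exe"),
    AppEvent(_D.replace(hour=10), SE_AUDITID_ETW_PROCESS_CREATED, 1234, "game.exe"),
    AppEvent(_D.replace(hour=10, minute=45), SE_AUDITID_ETW_PROCESS_EXIT, 1234, "game.exe"),
    AppEvent(_D.replace(hour=12), SE_AUDITID_ETW_PROCESS_CREATED, 1234, "notepad.exe"),
    AppEvent(_D.replace(hour=12, minute=5), SE_AUDITID_ETW_PROCESS_EXIT, 1234, "notepad.exe"),
]


def lookup_game(game_pid: int, game_time_iso: str):
    """Convenience wrapper over the sample log: returns (image, minutes) or None."""
    runs = build_app_runs(SAMPLE_EVENTS)
    run = find_game_run(runs, game_pid, datetime.fromisoformat(game_time_iso))
    if run is None:
        return None
    minutes = None if run.end is None else int((run.end - run.start).total_seconds() // 60)
    return (run.image, minutes)


if __name__ == "__main__":
    for r in build_app_runs(SAMPLE_EVENTS):
        print(r)
    print(lookup_game(1234, "2024-01-01T10:00:05"))  # game.exe, 45 minutes
    print(lookup_game(1234, "2024-01-01T12:00:01"))  # notepad.exe, the reused PID
```

A game event at 10:00:05 for PID 1234 resolves to the 45-minute game run, while one at 12:00:01 for the same PID resolves to the later notepad run; a game event with no run within the tolerance window yields no match rather than the wrong one.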

Logon times are generated from the system logs by matching the logon events with the logoff events.  Logon events carry a LOGONID, which appears in both events, so it is used to make sure the right logon and logoff are paired and the times come out right.  This also handles overlapping logons (runas counts as a logon event).  This uses the events SE_AUDITID_ETW_BEGIN_LOGOFF, SE_AUDITID_ETW_LOGOFF and SE_AUDITID_ETW_SUCCESSFUL_LOGON.  It uses two logoff events because Windows generates one of them in some cases and the other in the rest.
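The LOGONID pairing described above, as an added example rather than the Parental Controls implementation: event identifiers are string placeholders for the ones named in the post, the event record shape is assumed, and the sample entries are constructed. The sample includes an overlapping runas session and a session that emits both logoff events, which is where pairing by LOGONID instead of by event order matters.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Event identifiers from the post; string placeholders stand in for the real values.
SE_AUDITID_ETW_SUCCESSFUL_LOGON = "SUCCESSFUL_LOGON"
SE_AUDITID_ETW_BEGIN_LOGOFF = "BEGIN_LOGOFF"
SE_AUDITID_ETW_LOGOFF = "LOGOFF"
# Either event ends a session; whichever arrives first for a LOGONID closes it.
LOGOFF_EVENTS = {SE_AUDITID_ETW_BEGIN_LOGOFF, SE_AUDITID_ETW_LOGOFF}


@dataclass
class LogonEvent:
    """One system-log entry (assumed shape)."""
    time: datetime
    event_id: str
    logon_id: str
    user: str


@dataclass
class LogonSession:
    """A logon paired with its logoff; end is None while the session is still open."""
    logon_id: str
    user: str
    start: datetime
    end: Optional[datetime]


def build_sessions(events: List[LogonEvent]) -> List[LogonSession]:
    """Pair SUCCESSFUL_LOGON with the first BEGIN_LOGOFF or LOGOFF carrying the
    same LOGONID.  Overlapping sessions (runas) are kept apart because each has
    its own LOGONID; a second logoff event for an already-closed session is dropped."""
    open_sessions = {}
    sessions = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id == SE_AUDITID_ETW_SUCCESSFUL_LOGON:
            open_sessions[ev.logon_id] = LogonSession(ev.logon_id, ev.user, ev.time, None)
        elif ev.event_id in LOGOFF_EVENTS:
            session = open_sessions.pop(ev.logon_id, None)
            if session is None:
                continue  # duplicate logoff, or logon happened before the log window
            session.end = ev.time
            sessions.append(session)
    sessions.extend(open_sessions.values())  # still logged on
    return sorted(sessions, key=lambda s: s.start)


# Constructed sample: alice logs on for the day, bob runs something via runas while she
# is logged on (and gets both logoff events), carol logs on and never logs off.
_D = datetime(2024, 1, 1)
SAMPLE_EVENTS = [
    LogonEvent(_D.replace(hour=8), SE_AUDITID_ETW_SUCCESSFUL_LOGON, "0x3e7", "alice"),
    LogonEvent(_D.replace(hour=8, minute=30), SE_AUDITID_ETW_SUCCESSFUL_LOGON, "0x4a1", "bob"),
    LogonEvent(_D.replace(hour=8, minute=45), SE_AUDITID_ETW_BEGIN_LOGOFF, "0x4a1", "bob"),
    LogonEvent(_D.replace(hour=8, minute=45, second=1), SE_AUDITID_ETW_LOGOFF, "0x4a1", "bob"),
    LogonEvent(_D.replace(hour=9), SE_AUDITID_ETW_SUCCESSFUL_LOGON, "0x5b2", "carol"),
    LogonEvent(_D.replace(hour=17), SE_AUDITID_ETW_LOGOFF, "0x3e7", "alice"),
]


def session_minutes(user: str) -> List[Optional[int]]:
    """Durations in minutes of the sample sessions for a user; None if still open."""
    result = []
    for s in build_sessions(SAMPLE_EVENTS):
        if s.user == user:
            result.append(None if s.end is None else
                          int((s.end - s.start).total_seconds() // 60))
    return result


if __name__ == "__main__":
    for s in build_sessions(SAMPLE_EVENTS):
        print(s)
```

Pairing by event order alone would close alice's 08:00 logon with bob's 08:45 logoff; pairing by LOGONID gives alice a nine-hour session, bob a fifteen-minute one, and carol an open session.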

Failed logon attempts are filtered to display the correct output.  Windows generates a failed logon attempt every time someone opens the control panel and looks at the user list, and every time someone opens the Parental Controls panel and views the hub page.  This is because the way to check for a blank password is to try to log on with a blank password.  So the logs are filtered to separate the failed logons generated by the various control panels from real failed logon attempts.  This problem should be addressed in the next version of Windows by adding an API specifically to find out whether a password is blank.  The logon failures are logged into the system log with the log id SE_AUDITID_ETW_LOGON_FAILURE.

The account change entries are not transformed, but logs of the types SE_AUDITID_ETW_USER_CREATED, SE_AUDITID_ETW_USER_DELETED, SE_AUDITID_ETW_USER_DELETED and SE_AUDITID_ETW_LOCAL_GROUP_REM are processed to find which users were added or deleted, as well as which users were added to the Administrators group.