I have created an agent to read Windows events using WMI. I am using the agent for the last 3 years to collect events. It is used in a SIEM product. The query looks like
SELECT * FROM Win32_NTLogEvent where LogFile = 'System' or logFile='Active Directory Web Services'
I am able to get the events properly. But now I want to read AppLocker events 'Microsoft-Windows-AppLocker/EXE and DLL' (Application and Security Logs -> Microsoft -> Windows -> AppLocker -> Exe And DLL).
I tried the below query but it returns zero records though I have 40+ records in it. I can see the records in Event Viewer.
SELECT * FROM Win32_NTLogEvent where LogFile = 'Microsoft-Windows-AppLocker/EXE and DLL'
I have tried with "wbemtest" but get no records and no error.
I am not sure if this can be achieved in any other way using WMI. I know PowerShell has a cmdlet through which I am able to read 'Microsoft-Windows-AppLocker/EXE and DLL' events. But I want to read it using WMI.
Any pointers will be highly appreciated.
Thanks in advance to all viewers.
To review the AppLocker log in Event Viewer: open Event Viewer. In the console tree under Application and Services Logs\Microsoft\Windows, click AppLocker.
Open the Group Policy Management Console (GPMC). Locate the GPO that contains the AppLocker policy to modify, right-click the GPO, and then click Edit. In the console tree, double-click Application Control Policies, double-click AppLocker, and then click the rule collection that you want to create the rule for.
It seems that the WMI query parses the registry location HKLM\SYSTEM\CurrentControlSet\Services\EventLog for available event logs (see MSDN Forum post).
Check the list you find there against the result of the query Select * FROM Win32_NTEventLogFile.
To add a logfile for WMI operations, add a new key under the above registry location with the name of the log ('Microsoft-Windows-AppLocker/EXE and DLL' in your case). Now it should return that log with your WMI query.
Depending on the PowerShell version, you could use the "Get-WinEvent" command to simplify what you're doing.
https://msdn.microsoft.com/en-us/powershell/reference/5.0/microsoft.powershell.diagnostics/get-winevent
Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL"
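As an added example (not code from the question or either answer), a PowerShell script that compares the WMI-visible log list from Win32_NTEventLogFile with the subkeys of the EventLog service key, optionally registers the AppLocker channel there as the first answer describes, and then queries the channel both with Win32_NTLogEvent and with Get-WinEvent. The $Register switch, the parameter names and the .NET registry calls are my choices; the registry write needs an elevated prompt.

```powershell
# Added example: check whether a channel is visible to WMI, optionally register
# it under the EventLog service key (the approach the first answer describes),
# then query it the legacy way and the Get-WinEvent way for comparison.
param(
    [string]$LogName = 'Microsoft-Windows-AppLocker/EXE and DLL',
    [switch]$Register   # only write to the registry when explicitly asked
)

$eventLogKey = 'SYSTEM\CurrentControlSet\Services\EventLog'

# 1. Which logs does WMI know about? Win32_NTEventLogFile.LogfileName is what a
#    Win32_NTLogEvent "LogFile = '...'" filter is matched against.
$wmiLogs = Get-CimInstance -Query 'SELECT LogfileName FROM Win32_NTEventLogFile' |
           Select-Object -ExpandProperty LogfileName
Write-Host "WMI-visible logs: $($wmiLogs -join ', ')"

# 2. Compare with the subkeys of the EventLog service key. .NET is used directly
#    because the log name contains '/', which the PowerShell registry provider
#    would treat as a path separator; the Win32 registry only separates on '\'.
$base = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($eventLogKey, $Register.IsPresent)
$registryLogs = $base.GetSubKeyNames()
$missingFromRegistry = $registryLogs -notcontains $LogName
Write-Host "'$LogName' present under HKLM\$eventLogKey : $(-not $missingFromRegistry)"

if ($missingFromRegistry -and $Register) {
    # This is a change to Event Log service configuration on a monitored host,
    # so emit a warning line that the SIEM agent's own log will capture.
    $null = $base.CreateSubKey($LogName)
    Write-Warning "Created HKLM\$eventLogKey\$LogName (assumed: WMI picks it up as the answer states)"
}
$base.Close()

# 3. Legacy WMI path, the query from the question. A zero count with no error is
#    exactly the symptom described when the channel is not registered.
$wql = "SELECT * FROM Win32_NTLogEvent WHERE LogFile = '$LogName'"
$viaWmi = @(Get-CimInstance -Query $wql -ErrorAction SilentlyContinue)
Write-Host "Win32_NTLogEvent returned $($viaWmi.Count) record(s)"

# 4. Modern path from the second answer: reads the channel without any registry
#    change. Ids 8004 (blocked) and 8003 (audit mode, would have been blocked)
#    are the events a SIEM rule for AppLocker usually keys on.
$viaWinEvent = @(Get-WinEvent -LogName $LogName -ErrorAction SilentlyContinue)
Write-Host "Get-WinEvent returned $($viaWinEvent.Count) record(s)"
$viaWinEvent | Select-Object -First 5 TimeCreated, Id, LevelDisplayName, Message
```

Run it once without -Register to see whether the channel is missing from both lists, and compare the two record counts before deciding whether the registry change is worth making on a production host.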