
Remote Authentication Error: Access Denied

Open Supermec0 opened this issue 6 years ago • 7 comments

Hi there -

This code is not working on remote computers. I'm running it on my computer trying to access a remote server's Events Log, and I keep getting "Access Denied." Very randomly it'll connect just fine and return the correct result. On the server, my connection attempts are seen with very random username/password combinations; an example is shown below. What is wrong here, and why do I keep on getting the message to reinstall the winevt library? I followed the instructions to reinstall, yet I'm still getting the same thing.

###################

1st Attempt logged on server:

The state of a transaction has changed.

Subject:
  Security ID: SYSTEM
  Account Name: (Removed for security reasons, but it logged correct computer name)
  Account Domain: (Removed, but logged correct domain name)
  Logon ID: 0x3E7

Transaction Information:
  RM Transaction ID: {52758235-f5c5-11e8-811b-005056881f92}
  New State: 48
  Resource Manager: {dd00c1d6-e775-11e3-a98a-cbd2b538aa0c}

2nd Attempt:

An account failed to log on.

Subject:
  Security ID: NULL SID
  Account Name: -
  Account Domain: -
  Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name: rberos V1.
  Account Domain: (Removed, but logged correct domain name)

Failure Information:
  Failure Reason: Unknown user name or bad password.
  Status: 0xC000006D
  Sub Status: 0xC0000064

##################

From my compiler:

inquiry = EventLog.Query("ForwardedEvents","*",username="given", password="given", server="IP_address")

##################

Output on my compiler:

WARNING:winevt:Looks like you didn't successfully compile your own out-of-line pyd. Falling back to in-ine mode. This is going to be less efficient and it's recommended you compile your own. To fix this, do the following:

  1. Check this page and install the correct compiler for your version of python: https://blogs.msdn.microsoft.com/pythonengineering/2016/04/11/unable-to-find-vcvarsall-bat/
  2. Re-install winevt (pip install -U winevt)

ERROR:EventLog.Query:Access is denied. <Query path=ForwardedEvents query=*>

Supermec0 avatar Dec 05 '18 03:12 Supermec0

whoa.. yeah something definitely got into a strange state. how reproducible is this? i.e.: is it reliably happening each time?

So it looks like you're using this over domain auth, do you get the same error when not using domain authentication?

What are the operating system versions for those communicating systems?

bannsec avatar Dec 05 '18 04:12 bannsec

Yes, it’s reproducible; as I said, it works very randomly.

Whether I enter the domain name or not, it’s the same thing that keeps happening.

My compiler is on Windows 10, remote server is Server 16, windows.


Supermec0 avatar Dec 05 '18 04:12 Supermec0

any update on this? Thanks!

Supermec0 avatar Dec 17 '18 18:12 Supermec0

Sorry, haven't had a chance to look at this yet.


bannsec avatar Dec 18 '18 12:12 bannsec

My solution was as follows: Just reinstall your package in your IDE of choice (mine is PyCharm).

Regards,
joerg

ramzahn avatar Feb 19 '19 11:02 ramzahn

Any update on this issue? I'm seeing the same from Windows 10 to Windows Server 2008 R2. Sometimes it works, but most times I get an Access denied msg. Tried uninstalling and reinstalling with no change; still the same intermittent results.

jduncan8142 avatar Apr 02 '19 19:04 jduncan8142

Hi! I join the author of this question. I run the script on Windows 7 x64, target remote server Windows 2008 R2 x64, and I have the same error:

#################################

This notification is also annoying, but other functions work with it locally.

WARNING: winevt: pyv. Falling back to in-ine mode. Compile your own. To fix this, do the following:

  1. Check this page and install the correct compiler for your version of python: https://blogs.msdn.microsoft.com/pythonengineering/2016/04/11/unable-to-find-vcvarsall-bat/
  2. Re-install winevt (pip install -U winevt)

ERROR: EventLog.Query: Access Denied.
Traceback (most recent call last):
  File "D:/Programs/Projects/parsers/get_eventlog_v2.py", line 14, in
    for event in query:
  File "D:\Programs\Python\Python37\lib\site-packages\winevt\EventLog\Query.py", line 68, in next
    if not evtapi.EvtNext(self.handle, 1, evt_array, 60, 0, ret):
  File "D:\Programs\Python\Python37\lib\site-packages\winevt\EventLog\Query.py", line 101, in handle
    return self.__handle
AttributeError: 'Query' object has no attribute '_Query__handle'

#################################

Thank you for your feedback

DemetriusStorm avatar May 22 '19 06:05 DemetriusStorm