TestimoX

API Reference

Class

RegistryAuditPolicyDb

Namespace ComputerX.Audit
Assembly ComputerX
Modifiers static

Reads/writes the raw audit policy registry database (HKLM\SECURITY\Policy\PolAdtEv) and converts to/from subcategory settings.

Inheritance

  • Object
  • RegistryAuditPolicyDb

Methods

public static AuditPolicyDbBackupResult Backup(AuditPolicyDbBackupOptions options)
Returns: AuditPolicyDbBackupResult

Creates a binary backup of PolAdtEv and optionally emits JSON and .reg files.

Parameters

options ComputerX.Audit.AuditPolicyDbBackupOptions required position: 0

public static List<AuditSubcategorySetting> Decode(Byte[] data, AuditOsLayout layout = Unknown)
Returns: List<AuditSubcategorySetting>

Decodes raw registry DB bytes into subcategory settings using an OS layout map.

Parameters

data System.Byte[] required position: 0
layout ComputerX.Audit.AuditOsLayout = Unknown optional position: 1

public static RegistryDiagnostics DiagnoseAccess(String host)
Returns: RegistryDiagnostics

Performs comprehensive diagnostics on registry access for audit policy.

Parameters

host System.String required position: 0

public static Boolean EncodeAndWrite(String host, IEnumerable<AuditSubcategorySetting> items, out String backupPath, Boolean adjustAcl)
Returns: Boolean

Encodes provided settings back into the DB and writes them, optionally adjusting ACLs temporarily.

Parameters

host System.String required position: 0
items System.Collections.Generic.IEnumerable{ComputerX.Audit.AuditSubcategorySetting} required position: 1
backupPath System.String@ required position: 2
adjustAcl System.Boolean required position: 3

public static RegistryAuditResult TryRead(String host, Boolean adjustAcl = false)
Returns: RegistryAuditResult

Reads the PolAdtEv value from the target host (local or remote).

Parameters

host System.String required position: 0
Target computer; null/empty for local.
adjustAcl System.Boolean = false optional position: 1
When true, temporarily grants Administrators read access to HKLM\SECURITY\Policy to overcome ACL blocks, then reverts. Use only as a last resort. If cleanup fails, HKLM\SECURITY permissions could remain too broad.

public static Boolean TryWrite(String host, Byte[] data)
Returns: Boolean

Writes the PolAdtEv value to the target host.

Parameters

host System.String required position: 0
data System.Byte[] required position: 1