daem0nc0re/PrivFu

SeAuditPrivilegePoC - The parameter is incorrect

Closed this issue · 4 comments

I think the PInvoke signature for AuthzRegisterSecurityEventSource is not correct. I get an error "Code 0x00000057 : The parameter is incorrect."
I have SeAuditPrivilege enabled for my user.

Thanks for reporting.
I will check next week as I am busy this week.

Did you execute the PoC with administrative privilege?
On the first execution, the PoC requires administrative privilege to install a new event source.
The reason for that error may be that the event source is not installed.

Yeah, I am executing with admin, I also tried SYSTEM. The event source is successfully installed.
Running on Win10 21H2

I tried it on Win11 and Win10 1903 but failed to reproduce your issue.
It seems that my P/Invoke signature is not wrong compared with the Microsoft documentation.
Please let me know if you know how to reproduce the issue.

OK, I did some more investigating. It turns out the event log source must be on an NTFS partition, instead of the HGFS VMware shared folder I was trying to execute from. Works fine copied to C:\