CVEWRITEEVENT
#requires -RunAsAdministrator
<#
.SYNOPSIS
Write a test CveEventWrite event and/or search the Application log for such events.
.DESCRIPTION
Calls the Win32 CveEventWrite API (imported from advapi32.dll) to emit an event under
the Microsoft-Windows-Audit-CVE provider, then queries the Application event log for
events from that provider. With -SearchOnly no event is written, only the search runs.
.PARAMETER CveId
CVE identifier recorded in the event (e.g. "CVE-2020-0601").
.PARAMETER AdditionalDetails
Free-text details stored alongside the CVE identifier.
.PARAMETER SearchOnly
Skip the write step and only list existing CVE events.
.EXAMPLE
.\Test-CveEventWrite.ps1 -CveId "CVE-2020-0601" -AdditionalDetails "Test event from PowerShell"
.EXAMPLE
.\Test-CveEventWrite.ps1 -SearchOnly
#>
[CmdletBinding()]
param(
    [Parameter()]
    [string]$CveId = "CVE-2020-0601",

    [Parameter()]
    [string]$AdditionalDetails = "Test event generated by PowerShell script",

    [Parameter()]
    [switch]$SearchOnly
)
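# P/Invoke wrapper for advapi32!CveEventWrite.
# Add-Type fails when a type of the same name already exists in the session (for
# example when this script is run twice from one console), so the wrapper is only
# compiled if it is not loaded yet.
if (-not ('CveEventWriter' -as [type])) {
    Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public class CveEventWriter {
    // Returns a Win32 error code; 0 (ERROR_SUCCESS) means the event was written.
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern int CveEventWrite(
        string cveId,
        string additionalDetails
    );

    public const int ERROR_SUCCESS = 0;
    public const int ERROR_INVALID_PARAMETER = 87;
}
"@
}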
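function Write-CveEvent {
    <#
    .SYNOPSIS
    Emit one Audit-CVE event through advapi32!CveEventWrite.
    .DESCRIPTION
    Passes both strings straight to the API; nothing is validated here, so an
    unusable value is reported through the API's own error code (the 87 branch
    below presumably covers an empty CveId - not verified).
    .PARAMETER CveId
    CVE identifier passed as the first API argument.
    .PARAMETER AdditionalDetails
    Free-text details passed as the second API argument.
    .OUTPUTS
    [bool] $true when the API returned ERROR_SUCCESS (0), otherwise $false.
    Failures are printed on the host and never thrown to the caller.
    #>
    param(
        [string]$CveId,
        [string]$AdditionalDetails
    )

    Write-Host "`n[*] Writing CVE event..." -ForegroundColor Cyan
    Write-Host " CVE ID: $CveId" -ForegroundColor Yellow
    Write-Host " Details: $AdditionalDetails" -ForegroundColor Yellow

    try {
        $result = [CveEventWriter]::CveEventWrite($CveId, $AdditionalDetails)
    } catch {
        Write-Host "`n[-] Exception occurred: $_" -ForegroundColor Red
        return $false
    }

    if ($result -eq [CveEventWriter]::ERROR_SUCCESS) {
        Write-Host "`n[+] Successfully wrote CVE event!" -ForegroundColor Green
        Write-Host " Event logged to: Application Event Log" -ForegroundColor Green
        Write-Host " Provider: Microsoft-Windows-Audit-CVE" -ForegroundColor Green
        return $true
    }

    Write-Host "`n[-] Failed to write CVE event. Error code: $result" -ForegroundColor Red
    # Keep the two codes the script already named; for any other code use the
    # system's own text for that Win32 error instead of a bare "Unknown error".
    $description = switch ($result) {
        87      { 'ERROR_INVALID_PARAMETER' }
        234     { 'ERROR_MORE_DATA - Event size too large' }
        default { (New-Object System.ComponentModel.Win32Exception([int]$result)).Message }
    }
    Write-Host " $description" -ForegroundColor Red
    return $false
}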
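function Search-CveEvents {
    <#
    .SYNOPSIS
    Print Audit-CVE events found in the Application event log.
    .DESCRIPTION
    Queries Get-WinEvent for the 'Microsoft-Windows-Audit-CVE' provider and, if that
    returns nothing, for 'Audit-CVE'. For each event the creation time, event ID,
    level and message are printed, plus the first CVE-nnnn-n... token in the message.
    .PARAMETER CveIdFilter
    Wildcard pattern compared (-like) with the CVE ID extracted from each message.
    The default "*" keeps every event. With any other pattern, events whose message
    contains no CVE token are dropped as well.
    .PARAMETER MaxEvents
    Maximum number of events requested from the log; applied before CveIdFilter.
    .OUTPUTS
    None. Results are written to the host.
    #>
    param(
        [string]$CveIdFilter = "*",
        [int]$MaxEvents = 100
    )

    Write-Host "`n[*] Searching for CVE events in Application log..." -ForegroundColor Cyan
    # Provider GUID: 85a62a0d-7e17-485f-9d4f-749a287193a6
    # Source names: Microsoft-Windows-Audit-CVE or Audit-CVE
    $providerNames = @('Microsoft-Windows-Audit-CVE', 'Audit-CVE')
    $cvePattern = "(CVE-\d{4}-\d+)"

    try {
        # Wrapped in @() so .Count is valid for zero, one or many results.
        $events = @()
        foreach ($providerName in $providerNames) {
            $events = @(Get-WinEvent -FilterHashtable @{
                LogName = 'Application'
                ProviderName = $providerName
            } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)
            if ($events.Count -gt 0) { break }
        }

        # Bug fix: the filter parameter was accepted but never applied before.
        if ($CveIdFilter -ne "*") {
            $events = @($events | Where-Object {
                ($_.Message -match $cvePattern) -and ($matches[1] -like $CveIdFilter)
            })
        }

        if ($events.Count -gt 0) {
            Write-Host "[+] Found $($events.Count) CVE event(s)" -ForegroundColor Green
            # $entry rather than $event: $Event is a PowerShell automatic variable.
            foreach ($entry in $events) {
                Write-Host "`n----------------------------------------" -ForegroundColor Gray
                Write-Host "Time Created: $($entry.TimeCreated)" -ForegroundColor White
                Write-Host "Event ID: $($entry.Id)" -ForegroundColor White
                Write-Host "Level: $($entry.LevelDisplayName)" -ForegroundColor White
                Write-Host "Message: $($entry.Message)" -ForegroundColor White
                if ($entry.Message -match $cvePattern) {
                    Write-Host "CVE ID: $($matches[1])" -ForegroundColor Yellow
                }
            }
        } else {
            Write-Host "[-] No CVE events found in Application log" -ForegroundColor Yellow
            Write-Host " This could mean:" -ForegroundColor Gray
            Write-Host " - No CVE events have been logged yet" -ForegroundColor Gray
            Write-Host " - Events may have been cleared" -ForegroundColor Gray
            Write-Host " - Insufficient permissions to read events" -ForegroundColor Gray
            if ($CveIdFilter -ne "*") {
                Write-Host " - No event matched the filter '$CveIdFilter'" -ForegroundColor Gray
            }
        }
    } catch {
        Write-Host "[-] Error searching for events: $_" -ForegroundColor Red
    }
}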
function Find-CveEventWriteDlls {
    <#
    .SYNOPSIS
    Report where advapi32.dll (the library the P/Invoke declaration imports
    CveEventWrite from) is present under System32 and SysWOW64, then print the
    provider details used by this script.
    .NOTES
    This is a file-presence check only: the DLL is never opened and the export
    is not verified.
    .OUTPUTS
    None. Everything is written to the host.
    #>
    Write-Host "`n[*] Searching for DLLs containing CveEventWrite..." -ForegroundColor Cyan

    $candidateDirs = 'System32', 'SysWOW64' | ForEach-Object { Join-Path $env:SystemRoot $_ }
    $foundDlls = @()
    foreach ($dir in $candidateDirs) {
        if (-not (Test-Path $dir)) { continue }
        Write-Host " Searching: $dir" -ForegroundColor Gray
        # advapi32.dll is the module named in the DllImport attribute.
        $candidate = Join-Path $dir "advapi32.dll"
        if (Test-Path $candidate) {
            $foundDlls += $candidate
        }
    }

    if ($foundDlls.Count -gt 0) {
        Write-Host "`n[+] Found DLL(s) with CveEventWrite:" -ForegroundColor Green
        $foundDlls | ForEach-Object { Write-Host " $_" -ForegroundColor Yellow }
    }

    # Provider summary, printed regardless of whether the DLL was located.
    Write-Host "`n[*] CVE Event Provider Information:" -ForegroundColor Cyan
    Write-Host " Provider GUID: 85a62a0d-7e17-485f-9d4f-749a287193a6" -ForegroundColor White
    Write-Host " Provider Name: Microsoft-Windows-Audit-CVE" -ForegroundColor White
    Write-Host " Event Log: Application" -ForegroundColor White
    Write-Host " DLL: advapi32.dll" -ForegroundColor White
}
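# Main execution
Write-Host "========================================" -ForegroundColor Cyan
Write-Host " CVE Event Write Test Script" -ForegroundColor Cyan
Write-Host "========================================" -ForegroundColor Cyan

# Report where advapi32.dll lives and which provider the events land under.
Find-CveEventWriteDlls

# Write an event unless -SearchOnly was given. Write-CveEvent returns a [bool];
# capture it so the value does not leak into the script's pipeline output.
$written = $false
if (-not $SearchOnly) {
    $written = Write-CveEvent -CveId $CveId -AdditionalDetails $AdditionalDetails
    if ($written) {
        # Pause before querying; presumably lets the new event become visible to
        # Get-WinEvent - TODO confirm it is needed. Skipped when nothing was written.
        Start-Sleep -Seconds 2
    }
}

# In search-only mode with no explicit -CveId, list every CVE event rather than
# narrowing to the default ID; otherwise look for the ID that was just written.
$searchFilter = if ($SearchOnly -and -not $PSBoundParameters.ContainsKey('CveId')) { '*' } else { $CveId }
Search-CveEvents -CveIdFilter $searchFilter

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "[*] Script completed" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan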