Get username from AMT audit logs


I'm getting the event logs from a vPro processor in a Java application, as an array of bytes, with this:

EventRecordBytes = WsmanUtils.getBase64Bytes(eventRecords[index].toString());

I can get a lot of data, such as the audit event ID, etc. For example:

// combine the AuditAppID and EventID bytes to get auditEventEnum
auditEventEnum = EventRecordBytes[1] * 1000;
auditEventEnum += EventRecordBytes[3];

Do you know an easy way to get the user that tries to perform a KVM session?



What AMT version are you working with? You should be able to get the user name for any event that is recorded via the audit log:

One of the following structures appears in each audit log record.


HTTP Digest user details

typedef struct _HTTPDigestInitiatorType {
    uint8 Username_length;
    uint8 Username[];
} HTTPDigestInitiatorType;


Hello Gael.

I'm working with all versions... it's a large machine park. Since 4....

Almost all are 7.

Do you have some code explaining the conversion that I must perform?

Thanks in advance

You might want to take a look at the Open Developer's Toolkit.  Ylian has added a wsman javascript stack.  You can download the source code and see if you can get an idea of how to use it.

Perfect, I'll check it and post here as soon as I find the answer.

Thank you very much

Hi Gael.

What I have from the Open Dev Toolkit does not help a lot, because it has not implemented what I want to do, that is, get the username or SID from events. Mainly, I want to get the user that performs (or tries to perform) a KVM session.

So far, what I get is:

When we get an event of type kerberosSIDInitiatorType while reading the audit log, we get this event, for example:

converting to a byte array we get:
[0, 18, 0, 8, 1, -40, 31, 0, 0, 24, 1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, -40, 98, 106, 65, -32, 21, -122, -43, -3, 40, 102, 78, 81, -43, -112, 98, 0, 13, 49, 48, 46, 53, 48, 46, 49, 50, 53, 46, 49, 48, 48, 0]

In the attached image you can see in detail what each piece of information is.

The doubt is how to convert item 4 (InitiatorData), which has the user SID, domain size and domain?

The other information can be extracted normally. We are using Java.

For more information:

typedef struct _KerberosSIDInitiatorType {
    uint32 UserInDomain;
    uint8 Domain_length;
    uint8 Domain[];
} KerberosSIDInitiatorType;

Field - Description
UserInDomain - SID number of the user
Domain_length - Length of domain (up to 255)
Domain - Kerberos domain (up to 255 bytes long)



Attachment: amt.png (image/png, 20.86 KB)

We solved the problem here. Follow the solution; feel free to contact me if you have doubts:

If Initiator Type == 1, then we have the user's AD SID; using this SID we can retrieve all user info from AD.

We are using the Intel® WS-Management Java Client Library here as the base for development.

Take a look at the picture in the post above. We will have to use this information:

typedef struct _KerberosSIDInitiatorType {
    uint32 UserInDomain;
    uint8 Domain_length;
    uint8 Domain[];
} KerberosSIDInitiatorType;

The SID is composed of Domain[] + UserInDomain.

In Java, we need some libraries to get the user from AD. You can see part of our code here:

byte bytesUser[] = HandleBytesUtil.getDataArrayByEventRecordBytes(5, 4, EventRecordBytes); // UserInDomain: 4 bytes at offset 5
int domainLength = EventRecordBytes[9] & 0xFF; // Domain_length (unsigned, up to 255)
byte kerberosDomainBytes[] = HandleBytesUtil.getDataArrayByEventRecordBytes(10, domainLength, EventRecordBytes); // Domain[]
timestampOffset = domainLength + 10; // the 4-byte timestamp follows the domain bytes
usuarioEvent = HandleBytesUtil.getUserKerberos(bytesUser, kerberosDomainBytes);

Here is the class that manipulates SID related data:

import java.nio.ByteBuffer;
import java.util.Arrays;
import java.util.Calendar;
import java.util.TimeZone;

import com.sun.jna.platform.win32.Advapi32Util;
import com.sun.jna.platform.win32.Advapi32Util.Account;
import com.sun.jna.platform.win32.WinNT;
import com.sun.jna.platform.win32.WinNT.PSID;

public class HandleBytesUtil {

    /**
     * @param idx index of the first byte of the data
     * @param length length in bytes of the data
     * @param eventRecordBytes byte array with all the information
     * @return the bytes that represent the data
     */
    public static byte[] getDataArrayByEventRecordBytes(int idx, int length, byte eventRecordBytes[]) {
        byte byteArray[] = new byte[length];
        for (int i = 0; i < byteArray.length; i++) {
            byteArray[i] = eventRecordBytes[idx++];
        }
        return byteArray;
    }

    /**
     * Combine both arrays of bytes to get the SID of the user
     * @param bytesUser the 4 UserInDomain bytes
     * @param kerberosDomainBytes the Domain[] bytes
     * @return domain\\user
     */
    public static String getUserKerberos(byte[] bytesUser, byte[] kerberosDomainBytes) {
        try {
            // combine the bytes of the user with the bytes of the Kerberos domain to convert to a SID
            // using com.sun.jna.*
            byte domainUserBytes[] = Arrays.copyOf(kerberosDomainBytes, kerberosDomainBytes.length + bytesUser.length);
            int i = kerberosDomainBytes.length;
            for (byte b : bytesUser) {
                domainUserBytes[i++] = b;
            }
            PSID sid = new WinNT.PSID(domainUserBytes);
            Account ac = Advapi32Util.getAccountBySid(sid);
            return ac.fqn;
        } catch (Exception e) {
            // LogCreator is the poster's own logging helper (not shown in the thread)
            LogCreator.doWriteTxt("Erro obtendo SID do usuario");
            return "NA";
        }
    }

    /**
     * Convert the timestamp bytes to a Calendar in UTC
     * @param byteArrayTime 4 bytes (32 bits)
     * @return Calendar
     */
    public static Calendar getTimestampToCalendar(byte[] byteArrayTime) {
        // the timestamp is a big-endian 32-bit count of seconds, in UTC
        ByteBuffer timeBuffer = ByteBuffer.wrap(byteArrayTime);
        long timeInUTC = timeBuffer.getInt() & 0xFFFFFFFFL;
        // the audit log returns time in UTC; convert to local time if you need it.
        // multiply by 1000 because the value returned is in seconds
        Calendar calendar = Calendar.getInstance(TimeZone.getTimeZone("UTC"));
        calendar.setTimeInMillis(timeInUTC * 1000);
        return calendar;
    }
}

Hope that this will be useful for someone.
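As an added example (not code from this thread or from the Intel libraries), here is a stand-alone Java parser that walks the record posted above, builds the SID from Domain[] + UserInDomain exactly as the solution does, and renders it as an "S-1-5-..." string so the account can be looked up by SID (for example over LDAP) without JNA. The field names after the timestamp (MCLocationType, NetAddress) are assumed from the AMT SDK record layout and are not stated in this thread.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
// Stand-alone parser for one AMT audit record whose initiator is a KerberosSIDInitiatorType.
public class AuditRecordParser {
    // Sample record copied from the byte array posted earlier in this thread (AuditAppID 18, EventID 8).
    static final byte[] SAMPLE = {0, 18, 0, 8, 1, -40, 31, 0, 0, 24, 1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0,
        -40, 98, 106, 65, -32, 21, -122, -43, -3, 40, 102, 78, 81, -43, -112, 98,
        0, 13, 49, 48, 46, 53, 48, 46, 49, 50, 53, 46, 49, 48, 48, 0};
    public static void main(String[] args) {
        ByteBuffer buf = ByteBuffer.wrap(SAMPLE);            // header fields are big-endian
        int auditAppId = buf.getShort() & 0xFFFF;
        int eventId = buf.getShort() & 0xFFFF;
        int initiatorType = buf.get() & 0xFF;
        if (initiatorType != 1) {                            // only the Kerberos SID initiator is handled here
            throw new IllegalArgumentException("InitiatorType " + initiatorType + " not handled");
        }
        byte[] rid = new byte[4];
        buf.get(rid);                                        // UserInDomain, kept in wire (little-endian) order
        byte[] domain = new byte[buf.get() & 0xFF];          // Domain_length, then Domain[] (binary domain SID)
        buf.get(domain);
        // SID = Domain[] + UserInDomain: the same concatenation the solution above passes to JNA
        byte[] sid = ByteBuffer.allocate(domain.length + 4).put(domain).put(rid).array();
        long timestamp = buf.getInt() & 0xFFFFFFFFL;         // seconds since the epoch, UTC
        buf.get();                                           // assumed: MCLocationType (SDK layout), skipped
        byte[] addr = new byte[buf.get() & 0xFF];            // assumed: NetAddress_length, then NetAddress[]
        buf.get(addr);
        System.out.println("auditEventEnum = " + (auditAppId * 1000 + eventId));
        System.out.println("initiator SID  = " + sidToString(sid));
        System.out.println("time (UTC)     = " + Instant.ofEpochSecond(timestamp));
        System.out.println("console        = " + new String(addr, StandardCharsets.US_ASCII));
    }
    // Renders a binary SID as S-R-A-sub1-...-subN: revision, sub-authority count, 48-bit big-endian
    // identifier authority, then little-endian 32-bit sub-authorities. A length that does not match
    // the declared count is rejected instead of being read past the end of the buffer.
    static String sidToString(byte[] sid) {
        ByteBuffer b = ByteBuffer.wrap(sid).order(ByteOrder.LITTLE_ENDIAN);
        int revision = b.get() & 0xFF;
        int count = b.get() & 0xFF;
        if (sid.length != 8 + 4 * count) {
            throw new IllegalArgumentException("SID length " + sid.length + " does not fit " + count + " sub-authorities");
        }
        long authority = 0;
        for (int i = 0; i < 6; i++) authority = (authority << 8) | (b.get() & 0xFF);
        StringBuilder sb = new StringBuilder("S-").append(revision).append('-').append(authority);
        for (int i = 0; i < count; i++) sb.append('-').append(b.getInt() & 0xFFFFFFFFL);
        return sb.toString();
    }
}
```

The domain bytes in the sample already declare five sub-authorities but carry only four, which is why the record is only complete once the 4-byte UserInDomain (the RID) is appended.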

Thank you so much for providing your solution.  This would make a great blog.  Would you consider blogging this on IDZ?  I could blog it, but I'd rather you got the credit for it.


Hello Gael.

I'm writing a post and will send as soon as I finish. :-)



Thanks Juliano!   Your blog has been published and will be tweeted via @intelswblog  as well as my twitter account.
