Get username from AMT audit logs

Get username from AMT audit logs


Im getting the event logs from a vPro processor from a Java Application, inside an array of bytes, with this:

EventRecordBytes = WsmanUtils.getBase64Bytes(eventRecords[index].toString());

I can get many data, such as audit evt id, etc, for example:

// combine the AuditAppID and EventID bytes to get auditEventEnum

auditEventEnum = EventRecordBytes[1] * 1000;

auditEventEnum += EventRecordBytes[3];

Do you know an easy way to get the user that try to perform a KVM session?


Juliano Marcos Martins
12 帖子 / 0 全新

What AMT version are you working with?  You should be able to get the user name for any event that recorded via the audit log:

One of the following structures appears in each audit log record.


HTTP Digest user details

typedef _HTTPDigestInitiatorType


    uint8 Username_length;

    uint8 Username[];

} HTTPDigestInitiatorType;


Follow me on Twitter: @GaelHof Facebook:

Hello Gael.

Im working with all versions... its a large machines park. Since 4....

Almost is 7

Do you have some code explaining the conversion that I must perform?

Tks in advance

Juliano Marcos Martins

You might want to take a look at the Open Developer's Toolkit.  Ylian has added a wsman javascript stack.  You can download the source code and see if you can get an idea of how to use it.

Follow me on Twitter: @GaelHof Facebook:

Perfect, Ill check it and post here as soon as I find the asnwer.

Thank you very much

Juliano Marcos Martins

Hi Gael.

What I have from Open Dev Toolkit does not help a lot, because it have not implemented what I want to do, that is get the username or SID from events, mainly, I want to get the user that perform (or try to) a KVM session.

So far, what I get is:

when we get a event type kerberosSIDInitiatorType when reading audit log, we get this event for example:


converting to an byte array we get:
[0, 18, 0, 8, 1, -40, 31, 0, 0, 24, 1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, -40, 98, 106, 65, -32, 21, -122, -43, -3, 40, 102, 78, 81, -43, -112, 98, 0, 13, 49, 48, 46, 53, 48, 46, 49, 50, 53, 46, 49, 48, 48, 0]

In the atached image you can see in details what is each information.

The doubt is how to convert the iten 4 (InitiatorData), that have the user SID, Domain size and Domain)?

the other information can be extracted normally. We are using Java.

For more information:

typedef _KerberosSIDInitiatorType

uint32 UserInDomain;
uint8 Domain_length;
uint8 Domain[];
} KerberosSIDInitiatorType;

Field Description
UserInDomain - SID number of the user
Domain_length - Length of domain ( up to 255)
Domain - Kerberos domain ( up to 255 bytes long)



下载 amt.png20.86 KB
Juliano Marcos Martins

We solve the problem here. Follow the solution, feel fre to contact me if you have doubts:

If Initiator Type == 1, so, we have the user from AD SID, using this SID we can retrieve all user info from AD.

We are using the Intel® WS-Management Java Client Library here as the base for development.

Take a look in the picture from the post above. We will have to use this information:

typedef _KerberosSIDInitiatorType
uint32 UserInDomain;
uint8 Domain_length;
uint8 Domain[];
} KerberosSIDInitiatorType;

The SID is the composition from Domain[] + UserInDomain

In Java, we need some Libraries to get the user from AD. You can see the part of our code here:

byte bytesUser[] = HandleBytesUtil.getDataArrayByEventRecordBytes(5, 4, EventRecordBytes);
int domainLength = EventRecordBytes[9];
byte kerberosDomainBytes[] = HandleBytesUtil.getDataArrayByEventRecordBytes(10,domainLength, EventRecordBytes);
timestampOffset = domainLength + 10;
usuarioEvent = HandleBytesUtil.getUserKerberos(bytesUser, kerberosDomainBytes);

Here is the class that manipulates SID related data:

import java.nio.ByteBuffer;
import java.util.Arrays;
import java.util.Calendar;


import com.sun.jna.platform.win32.Advapi32Util;
import com.sun.jna.platform.win32.WinNT;
import com.sun.jna.platform.win32.Advapi32Util.Account;
import com.sun.jna.platform.win32.WinNT.PSID;

public class HandleBytesUtil {

* @param idx index
* @param length length of bytes the data
* @param eventRecordBytes byteArray with all informations
* @return the bytes that represent the data
public static byte[] getDataArrayByEventRecordBytes(int idx,int length,byte eventRecordBytes[]){
byte byteArray[] = new byte[length];
for(int i = 0;i < byteArray.length; i++) {
byteArray[i] = eventRecordBytes[idx++];
return byteArray;

* Combine both arrays of bytes to get SID of User
* @param bytesUser
* @param kerberosDomainBytes
* @return domain\\user
public static String getUserKerberos(byte[] bytesUser, byte[] kerberosDomainBytes) {

//combine the bytes of the user with bytes of the domainKerberos to convert to SID
//using con.sun.jna.*
byte domainUserBytes[] = new byte[kerberosDomainBytes.length + bytesUser.length];
domainUserBytes = Arrays.copyOf(kerberosDomainBytes, domainUserBytes.length);

int i = kerberosDomainBytes.length;
for(byte b : bytesUser){
domainUserBytes[i]= b;

PSID sid = new WinNT.PSID(domainUserBytes);
Account ac = Advapi32Util.getAccountBySid(sid);
return ac.fqn;
}catch (Exception e) {
LogCreator.doWriteTxt("Erro obtendo SID do usuario");
return "NA";

* convert the timestamp bytes to calendar in UTC
* @param byteArray of 4 positions 32 bits
* @return Calendar
public static Calendar getTimestampToCalendar(byte[] byteArrayTime){
// convert the timestamp bytes to timeInUTC
ByteBuffer timeBuffer = ByteBuffer.wrap(byteArrayTime);
timeBuffer = ByteBuffer.allocate(byteArrayTime.length);
Calendar calendar = Calendar.getInstance();

for(int i = 0; i < byteArrayTime.length ;i++){
long timeInUTC = timeBuffer.getInt();
// convert timeInUTC to Java dateTime format. Note that
// Audit log return time in UTC time. You may want to
// convert to local time
// multiply by 1000 ... the time returned is second
calendar.setTimeInMillis((timeInUTC) * 1000);

return calendar;


Hope that this will be usefull for someone.

Juliano Marcos Martins

Thank you so much for providing your solution.  This would make a great blog.  Would you consider blogging this on IDZ?  I could blog it, but I'd rather you got the credit for it.


Follow me on Twitter: @GaelHof Facebook:

Hello Gael.

I'm writing a post and will send as soon as I finish. :-)


Juliano Marcos Martins


Follow me on Twitter: @GaelHof Facebook:
Juliano Marcos Martins

Thanks Juliano!   Your blog has been published and will be tweeted via @intelswblog  as well as my twitter account.

Follow me on Twitter: @GaelHof Facebook: