```powershell
function Get-LoggedCode {
    # read all raw events
    $logInfo = @{ ProviderName = "Microsoft-Windows-PowerShell"; Id = 4104 }
    Get-WinEvent -FilterHashtable $logInfo |
        # take each raw set of data...
        ForEach-Object {
            # create a new object and extract the interesting
            # parts from the raw data to compose a "cooked"
            # object with useful data
            [PSCustomObject]@{
                # when this was logged
                Time = $_.TimeCreated
                # script code that was logged
                Code = $_.Properties[2].Value
                # if code was split into multiple log entries,
                # determine current and total part
                PartCurrent = $_.Properties[0].Value
                PartTotal   = $_.Properties[1].Value
                # if total part is 1, code is not fragmented
                IsMultiPart = $_.Properties[1].Value -ne 1
                # path of script file (this is empty for interactive
                # commands)
                Path = $_.Properties[4].Value
                # log level
                # without Script Block Logging enabled, only blocks that
                # PowerShell itself deems suspicious are logged, at level "Warning";
                # with it enabled, every block is logged at level "Verbose"
                Level = $_.LevelDisplayName
                # user who executed the code (SID)
                User = $_.UserId
            }
        }
}
```
```text
Time : 25.05.2018 10:57:36
Code : function Get-LoggedCode {
           # read all raw events
           $logInfo = @{ ProviderName = "Microsoft-Windows-PowerShell"; Id = 4104 }
           Get-WinEvent -FilterHashtable $logInfo |
               # take each raw set of data...
               ForEach-Object {
                   # create a new object and extract the interesting
                   # parts from the raw data to compose a "cooked"
                   # object with useful data:
                   [PSCustomObject]@{
                       # when this was logged:
                       Time = $_.TimeCreated
                       # script code that was logged:
                       Code = $_.Properties[2].Value
                       # if code was split into multiple log entries,
                       # determine current and total part:
                       PartCurrent = $_.Properties[0].Value
                       PartTotal   = $_.Properties[1].Value
                       # if total part is 1, code is not fragmented:
                       IsMultiPart = $_.Properties[1].Value -ne 1
                       # path of script file (this is empty for interactive
                       # commands)
                       Path = $_.Properties[4].Value
                       # log level
                       # by default, only level "Warning" will be logged:
                       Level = $_.LevelDisplayName
                       # user who executed the code (SID)
                       User = $_.UserId
                   }
               }
       }
```
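The output above already shows the first pitfall: the very function that reads the log is itself logged, and anything longer than a few kilobytes arrives as several 4104 events that share one ScriptBlockId (Properties[3]). The following function, an added example that is not part of the original article, groups fragments by that id, sorts them by part number, joins them back into one script block and runs a regex over the result. The function name, the default event count and the pattern of suspicious keywords are choices made for this example.

```powershell
# Added example: reassemble script blocks that PowerShell split across several
# 4104 events and flag the ones matching a regex.
# Properties[0] = part number, [1] = part count, [2] = code, [3] = ScriptBlockId, [4] = path
function Get-ReassembledScriptBlock {
    param(
        # only look at the newest events; raise this on busy hosts
        [int]$MaxEvents = 2000,
        # pattern chosen for this example; -match is case-insensitive by default
        [string]$Pattern = 'FromBase64String|Invoke-Expression|\bIEX\b|DownloadString'
    )
    $filter = @{ ProviderName = 'Microsoft-Windows-PowerShell'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        # all fragments of one script block share the same ScriptBlockId
        Group-Object { $_.Properties[3].Value } |
        ForEach-Object {
            # order the fragments by part number before joining them
            $parts = @($_.Group | Sort-Object { [int]$_.Properties[0].Value })
            $total = [int]$parts[0].Properties[1].Value
            $code  = -join ($parts | ForEach-Object { $_.Properties[2].Value })
            [PSCustomObject]@{
                Time          = $parts[0].TimeCreated
                ScriptBlockId = $_.Name
                Parts         = $parts.Count
                # false when -MaxEvents cut off some fragments of this block
                Complete      = ($parts.Count -eq $total)
                Path          = $parts[0].Properties[4].Value
                Suspicious    = ($code -match $Pattern)
                Code          = $code
            }
        }
}

# usage: show only reassembled blocks that match the pattern
Get-ReassembledScriptBlock |
    Where-Object Suspicious |
    Select-Object Time, Path, Parts, Complete, Code
```

Expect the first hit to be this function itself: its pattern string contains the keywords it searches for, and defining the function is logged as a script block. The Complete column matters when you page through the log with -MaxEvents, because the window can end in the middle of a multi-part block.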
Note that this is only an example. With the same approach you can query the log for any event ID you are interested in. For example, this lists the four most recently installed updates:
```text
PS> . 'C:\Users\tobwe\Documents\PowerShell\Untitled5.ps1' <# script is not saved yet #>
Installation Successful: Windows successfully installed the following update: Definitionsupdate für Windows Defender Antivirus – KB2267602 (Definition 1.269.69.0)
Installation Successful: Windows successfully installed the following update: 9WZDNCRFJ1XX-FITBIT.FITBIT
Installation Successful: Windows successfully installed the following update: Definitionsupdate für Windows Defender Antivirus – KB2267602 (Definition 1.269.28.0)
Installation Successful: Windows successfully installed the following update: 9WZDNCRFHVQM-MICROSOFT.WINDOWSCOMMUNICATIONSAPPS
```
```powershell
# event 19 of the Windows Update client carries the "Installation Successful:
# Windows successfully installed the following update: ..." message shown above
$filter = @{ ProviderName = "Microsoft-Windows-WindowsUpdateClient"; Id = 19 }

Get-WinEvent -FilterHashtable $filter |
    ForEach-Object {
        # create a ReplacementStrings array
        # this array holds the information that is inserted
        # into the event message template text
        $ReplacementStrings = $_.Properties | ForEach-Object { $_.Value }

        # return a new object with the required information
        [PSCustomObject]@{
            Time = $_.TimeCreated
            # index 0 contains the name of the update
            Name = $ReplacementStrings[0]
            User = $_.UserId.Value
        }
    }
```
This code returns a clean list of the installed updates:
Time Name
---- ----
25.05.2018 09:00:20 Definitionsupdate für Windows Defender Antivirus – KB2267602 (Definition 1....
25.05.2018 07:59:44 9WZDNCRFJ1XX-FITBIT.FITBIT
24.05.2018 11:04:15 Definitionsupdate für Windows Defender Antivirus – KB2267602 (Definition 1....
24.05.2018 08:36:26 9WZDNCRFHVQM-MICROSOFT.WINDOWSCOMMUNICATIONSAPPS
24.05.2018 08:34:30 9N4WGH0Z6VHQ-Microsoft.HEVCVideoExtension
24.05.2018 08:34:24 9WZDNCRFJ2QK-ZDFGemeinntzigeAnstaltdes.ZDFmediathek
23.05.2018 11:57:42 Definitionsupdate für Windows Defender Antivirus – KB2267602 (Definition 1....
23.05.2018 07:37:11 9WZDNCRFHVQM-MICROSOFT.WINDOWSCOMMUNICATIONSAPPS
23.05.2018 07:36:57 9WZDNCRFJ3PT-MICROSOFT.ZUNEMUSIC
23.05.2018 04:01:11 Definitionsupdate für Windows Defender Antivirus – KB2267602 (Definition 1....
22.05.2018 12:26:55 Definitionsupdate für Windows Defender Antivirus – KB2267602 (Definition 1....
22.05.2018 08:34:28 9NBLGGH5FV99-Microsoft.MSPaint
22.05.2018 08:33:25 9WZDNCRFJ364-MICROSOFT.SKYPEAPP
25.04.2018 07:48:41 An account was successfully logged on....
25.04.2018 07:48:40 An account was successfully logged on....
24.04.2018 18:18:17 An account was successfully logged on....
...
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
This result is hard to work with. If you want to automate anything on the basis of this text, you have to parse it.
There is a much simpler way: the message you see is only a text template into which Windows inserts the relevant values as "replacement strings". They are part of the event data that Get-EventLog receives, in the ReplacementStrings array, and which array element holds which value is fixed for a given event ID (Get-WinEvent exposes the same values as the Properties array; Get-EventLog only exists in Windows PowerShell and was removed from PowerShell 6 and later). The layout can change when Microsoft publishes a new version of an event, so check one event's message, or its XML, before relying on an index.
Once you have determined which piece of information lives in which array element, extracting what you need is easy:
```powershell
Get-EventLog -LogName Security -InstanceId 4624 |
    ForEach-Object {
        # translate the raw data into a new object
        [PSCustomObject]@{
            Time = $_.TimeGenerated
            # index 6 is the target domain, index 5 the target user name
            User = "{0}\{1}" -f $_.ReplacementStrings[6], $_.ReplacementStrings[5]
            # index 8 is the logon type (2 = interactive, 3 = network, ...)
            LogonType = $_.ReplacementStrings[8]
            # index 10 is the authentication package (Negotiate, NTLM, Kerberos)
            AuthPackage = $_.ReplacementStrings[10]
            # index 17 is the process that requested the logon
            Path = $_.ReplacementStrings[17]
        }
    }
```
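Positional indexes are fragile: the 4624 event has grown new fields over the years, and a script written against one index layout silently reads the wrong column on another Windows version. The following function, an added example that is not part of the original article, reads 4624 with Get-WinEvent (which also works in PowerShell 7), takes the fields by their EventData names from the event's XML instead of by position, and then uses the parsed objects to list remote logons by account, logon type and source address. The function name and the event count are choices made for this example; reading the Security log requires an elevated shell.

```powershell
# Added example: parse 4624 by field name from the event XML and
# summarize remote logons. The logon-type table follows the values
# documented by Microsoft for this event.
$logonTypes = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function Get-LogonEvent {
    param([int]$MaxEvents = 500)
    $filter = @{ LogName = 'Security'; Id = 4624 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # every EventData/Data element carries a Name attribute;
            # build a name -> value lookup so no index is needed
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $type = [int]$data['LogonType']
            [PSCustomObject]@{
                Time        = $_.TimeCreated
                User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType   = $type
                LogonKind   = $(if ($logonTypes.ContainsKey($type)) { $logonTypes[$type] } else { "Unknown($type)" })
                AuthPackage = $data['AuthenticationPackageName']
                Source      = $data['IpAddress']
                Workstation = $data['WorkstationName']
                Process     = $data['ProcessName']
            }
        }
}

# usage: network (3) and RDP (10) logons that did not originate on this machine,
# counted per account, logon kind and source address
Get-LogonEvent |
    Where-Object { $_.LogonType -in 3, 10 -and $_.Source -notin '-', '127.0.0.1', '::1' } |
    Group-Object User, LogonKind, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Because the lookup is by name, the same code reads the ReplacementStrings-style values regardless of how many fields a given Windows build appends to the event; a field that does not exist on an older system simply comes back empty instead of shifting every later column.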