我想解析Windows事件日誌以列出已在設備上卸載的每個軟件以及由誰。如何獲取在Windows上卸載應用程序的用戶的用戶名?
這裏是我想出了到現在爲止:
- 匹配的事件1040(applciation卸載):
PowerShell -ExecutionPolicy ByPass -Command "Get-WinEvent -FilterHashTable @{logname=’application’; id=1040; StartTime=(get-date).AddDays(-1)} | select timecreated, level, id, message, ProviderName, User | Export-Csv -Append C:\BCM\eventerr.csv -notype"
- 獲得 「用戶」,在給定的事件:
Get-WinEvent -MaxEvents 10 | foreach {
$sid = $_.userid;
if($sid -eq $null) { return; }
$objSID = New-Object System.Security.Principal.SecurityIdentifier($sid);
$objUser = $objSID.Translate([System.Security.Principal.NTAccount]);
Write-Host $objUser.Value;
}
但它首先outputing錯誤:
Error: Attempted to perform an unauthorized operation.. At line:1 char:1 + Get-WinEvent -MaxEvents 10 | foreach { + ~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Get-WinEvent], Exception + FullyQualifiedErrorId : LogInfoUnavailable,Microsoft.PowerShell.Commands.GetWinEventCommand
然後輸出2個的用戶列表...
編輯:下面是無用的,因爲我自從意識到第二個命令行沒有(總是)輸出正確的結果...
我試圖將這些結合起來:
PowerShell -ExecutionPolicy ByPass -Command "Get-WinEvent -MaxEvents 10 -FilterHashTable @{logname=’application’; id=1040; StartTime=(get-date).AddDays(-1)} | select timecreated, level, id, message, ProviderName, User | foreach {$sid = $_.userid; if($sid -eq $null) { return; } $objSID = New-Object System.Security.Principal.SecurityIdentifier($sid); $objUser = $objSID.Translate([System.Security.Principal.NTAccount]); Write-Host $objUser.Value;}| Export-Csv -Append C:\BCM\eventerr.csv -notype"
但我得到這個錯誤在PowerShell窗口:
At line:1 char:325 + ... rityIdentifier(); AD\user = S-1-5-21-935981524-3360503449-101602611-2988 ... + ~ An expression was expected after '('. + CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException + FullyQualifiedErrorId : ExpectedExpression
有人可以幫我解決這個問題嗎?提前:)
一點毛病丟失後分號'if($ sid -eq $ null){return; }', – BenH
您是否刪除了評論sodawillow?我不太習慣PowerShell,爲什麼如果它在一個文件中調試更容易? – druid
其實我意識到第二個命令行只是部分工作: Get-WinEvent:無法檢索有關安全日誌的信息。錯誤:嘗試執行未經授權的操作 .. 在行:1 char:1 + Get-WinEvent -MaxEvents 10 | foreach {~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo:NotSpecified:(:) [Get-WinEvent] LogInfoUnavailable,Microsoft.PowerShell.Commands.GetWinEventCommand 然後它輸出一個2個用戶的列表... – druid