1. 首頁
  2. 問答
  3. 如何獲取在Windows上卸載應用程序的用戶的用戶名?

如何獲取在Windows上卸載應用程序的用戶的用戶名?

2017-03-08 52 views
0

我想解析Windows事件日誌以列出已在設備上卸載的每個軟件以及由誰。如何獲取在Windows上卸載應用程序的用戶的用戶名?

這裏是我想出了到現在爲止:

  • 匹配的事件1040(applciation卸載):
PowerShell -ExecutionPolicy ByPass -Command "Get-WinEvent -FilterHashTable @{logname=’application’; id=1040; StartTime=(get-date).AddDays(-1)} | select timecreated, level, id, message, ProviderName, User | Export-Csv -Append C:\BCM\eventerr.csv -notype"
  • 獲得 「用戶」,在給定的事件:
Get-WinEvent -MaxEvents 10 | foreach { 
     $sid = $_.userid; 
     if($sid -eq $null) { return; } 
     $objSID = New-Object System.Security.Principal.SecurityIdentifier($sid); 
     $objUser = $objSID.Translate([System.Security.Principal.NTAccount]); 
     Write-Host $objUser.Value; 
    }

但它首先outputing錯誤:

Error: Attempted to perform an unauthorized operation.. At line:1 char:1 + Get-WinEvent -MaxEvents 10 | foreach { + ~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Get-WinEvent], Exception + FullyQualifiedErrorId : LogInfoUnavailable,Microsoft.PowerShell.Commands.GetWinEvent‌​Command

然後輸出2個的用戶列表...

編輯:下面是無用的,因爲我自從意識到第二個命令行沒有(總是)輸出正確的結果...

我試圖將這些結合起來:

PowerShell -ExecutionPolicy ByPass -Command "Get-WinEvent -MaxEvents 10 -FilterHashTable @{logname=’application’; id=1040; StartTime=(get-date).AddDays(-1)} | select timecreated, level, id, message, ProviderName, User | foreach {$sid = $_.userid; if($sid -eq $null) { return; } $objSID = New-Object System.Security.Principal.SecurityIdentifier($sid); $objUser = $objSID.Translate([System.Security.Principal.NTAccount]); Write-Host $objUser.Value;}| Export-Csv -Append C:\BCM\eventerr.csv -notype"

但我得到這個錯誤在PowerShell窗口:

At line:1 char:325 + ... rityIdentifier(); AD\user = S-1-5-21-935981524-3360503449-101602611-2988 ... + ~ An expression was expected after '('. + CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException + FullyQualifiedErrorId : ExpectedExpression

有人可以幫我解決這個問題嗎?提前:)

來源

2017-03-08 druid

+0

一點毛病丟失後分號'if($ sid -eq $ null){return; }', – BenH

+0

您是否刪除了評論sodawillow?我不太習慣PowerShell,爲什麼如果它在一個文件中調試更容易? – druid

+0

其實我意識到第二個命令行只是部分工作: Get-WinEvent:無法檢索有關安全日誌的信息。錯誤:嘗試執行未經授權的操作 .. 在行:1 char:1 + Get-WinEvent -MaxEvents 10 | foreach {~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo:NotSpecified:(:) [Get-WinEvent] LogInfoUnavailable,Microsoft.PowerShell.Commands.GetWinEventCommand 然後它輸出一個2個用戶的列表... – druid

回答

0

這裏

感謝你的兩個功能結合使用:

Get-WinEvent -FilterHashTable @{logname='application'; id=1040; StartTime=(get-date).AddDays(-10)} | % { 
    $objSID = New-Object System.Security.Principal.SecurityIdentifier ($_.userid) 
    $objUser = $objSID.Translate([System.Security.Principal.NTAccount]) 
    [pscustomobject]@{ 
     User = $objUser.Value 
     timecreated = $_.timecreated 
     level = $_.level 
     id = $_.id 
     message = $_.message 
     ProviderName = $_.ProviderName 
    } 
} | Export-Csv -Append C:\BCM\eventerr.csv -notype

這裏,它是一個非常長的oneliner:

PowerShell -ExecutionPolicy ByPass -Command "Get-WinEvent -FilterHashTable @{logname='application'; id=1040; StartTime=(get-date).AddDays(-10)} | % {$objSID = New-Object System.Security.Principal.SecurityIdentifier ($_.userid); $objUser = $objSID.Translate([System.Security.Principal.NTAccount]);[pscustomobject]@{User = $objUser.Value;timecreated = $_.timecreated;level = $_.level;id = $_.id;message = $_.message;ProviderName = $_.ProviderName}} | Export-Csv -Append C:\BCM\eventerr.csv -notype"

來源

2017-03-08 22:00:52 BenH

+0

謝謝,但它不適用於我的結局。如果我使用你的第一個命令它會輸出: New-Object:找不到構造函數。無法爲類型System.Security.Principal.SecurityIdentifier找到適當的構造函數。 在線:2 char:15 + ... $ objSID = New-Object System.Security.Principal.SecurityIdentifier(... + ~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo:ObjectNotFound:(:) [New -object],PSArgumentException + FullyQualifiedErrorId:CannotFindAppropriateCtor,Microsoft.PowerShell.Commands.NewObjectCommand – druid

+0

其中第二個輸出: =:術語'='不被識別爲cmdlet,函數,腳本文件的名稱,或可操作的程序檢查名稱的拼寫,或者如果包含路徑,請驗證路徑是否正確,然後再試。 在行:1 char:176 + ... ct System.Security.Principal.SecurityIdentifier( .userid); = .Transl ... +〜 + CategoryInfo:ObjectNotFound:(=:String)[],CommandNotFoundException + FullyQualifiedErrorId:CommandNotFoundException – druid

+0

@druid System.Security.Principal.SecurityIdentifier自.NET 2.0開始出現。你在運行什麼操作系統和版本的PowerShell? – BenH

相關問題

 相關問題