2017-03-08 83 views
0

I want to parse the Windows event log to list every piece of software that has been uninstalled on the machine, and by whom. How do I get the username of the user who uninstalled an application on Windows?

Here is what I have come up with so far:

  • Matching event 1040 (application uninstall):

    PowerShell -ExecutionPolicy ByPass -Command "Get-WinEvent -FilterHashTable @{logname='application'; id=1040; StartTime=(get-date).AddDays(-1)} | select timecreated, level, id, message, ProviderName, User | Export-Csv -Append C:\BCM\eventerr.csv -notype"
  • Getting the "User" for a given event:

    Get-WinEvent -MaxEvents 10 | foreach {
        $sid = $_.userid;
        if($sid -eq $null) { return; }
        $objSID = New-Object System.Security.Principal.SecurityIdentifier($sid);
        $objUser = $objSID.Translate([System.Security.Principal.NTAccount]);
        Write-Host $objUser.Value;
    }

But it first outputs an error:

Error: Attempted to perform an unauthorized operation.. At line:1 char:1 + Get-WinEvent -MaxEvents 10 | foreach { + ~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Get-WinEvent], Exception + FullyQualifiedErrorId : LogInfoUnavailable,Microsoft.PowerShell.Commands.GetWinEventCommand

and then it outputs a list of 2 users...

EDIT: the following is useless, since I have since realized that the second command line does not (always) output the correct result...

I tried to combine the two:

    PowerShell -ExecutionPolicy ByPass -Command "Get-WinEvent -MaxEvents 10 -FilterHashTable @{logname='application'; id=1040; StartTime=(get-date).AddDays(-1)} | select timecreated, level, id, message, ProviderName, User | foreach {$sid = $_.userid; if($sid -eq $null) { return; } $objSID = New-Object System.Security.Principal.SecurityIdentifier($sid); $objUser = $objSID.Translate([System.Security.Principal.NTAccount]); Write-Host $objUser.Value;}| Export-Csv -Append C:\BCM\eventerr.csv -notype"

But I get this error in the PowerShell window:

At line:1 char:325 + ... rityIdentifier(); AD\user = S-1-5-21-935981524-3360503449-101602611-2988 ... + ~ An expression was expected after '('. + CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException + FullyQualifiedErrorId : ExpectedExpression

Can someone help me fix this? Thanks in advance :)

+0

Small bug: missing semicolon after 'if($sid -eq $null) { return; }'. – BenH

+0

Did you delete your comment, sodawillow? I'm not very used to PowerShell; why would it be easier to debug if it were in a file? – druid

+0

Actually I realized the second command line only partially works: Get-WinEvent: Could not retrieve information about the Security log. Error: Attempted to perform an unauthorized operation.. At line:1 char:1 + Get-WinEvent -MaxEvents 10 | foreach { + ~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo: NotSpecified: (:) [Get-WinEvent] LogInfoUnavailable,Microsoft.PowerShell.Commands.GetWinEventCommand, and then it outputs a list of 2 users... – druid

Answer

0

Here, combining your two functions:

    Get-WinEvent -FilterHashTable @{logname='application'; id=1040; StartTime=(get-date).AddDays(-10)} | % {
        # Skip records that carry no UserId; New-Object cannot find a constructor for a $null argument
        if ($_.userid -eq $null) { return }
        $objSID = New-Object System.Security.Principal.SecurityIdentifier ($_.userid)
        $objUser = $objSID.Translate([System.Security.Principal.NTAccount])
        [pscustomobject]@{
            User         = $objUser.Value
            timecreated  = $_.timecreated
            level        = $_.level
            id           = $_.id
            message      = $_.message
            ProviderName = $_.ProviderName
        }
    } | Export-Csv -Append C:\BCM\eventerr.csv -notype

And here it is as a very long one-liner:

    PowerShell -ExecutionPolicy ByPass -Command "Get-WinEvent -FilterHashTable @{logname='application'; id=1040; StartTime=(get-date).AddDays(-10)} | % {if($_.userid -eq $null){return}; $objSID = New-Object System.Security.Principal.SecurityIdentifier ($_.userid); $objUser = $objSID.Translate([System.Security.Principal.NTAccount]);[pscustomobject]@{User = $objUser.Value;timecreated = $_.timecreated;level = $_.level;id = $_.id;message = $_.message;ProviderName = $_.ProviderName}} | Export-Csv -Append C:\BCM\eventerr.csv -notype"
+0

Thanks, but it doesn't work on my end. If I use your first command it outputs: New-Object: Cannot find constructor. Cannot find an appropriate constructor for type System.Security.Principal.SecurityIdentifier. At line:2 char:15 + ... $objSID = New-Object System.Security.Principal.SecurityIdentifier(... + ~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo: ObjectNotFound: (:) [New-Object], PSArgumentException + FullyQualifiedErrorId: CannotFindAppropriateCtor,Microsoft.PowerShell.Commands.NewObjectCommand – druid

+0

And the second one outputs: =: The term '=' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At line:1 char:176 + ... ct System.Security.Principal.SecurityIdentifier( .userid); = .Transl ... + ~ + CategoryInfo: ObjectNotFound: (=:String) [], CommandNotFoundException + FullyQualifiedErrorId: CommandNotFoundException – druid

+0

@druid System.Security.Principal.SecurityIdentifier has existed since .NET 2.0. What OS and PowerShell version are you running? – BenH
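The three failures reported in this thread have three distinct causes, and a script that avoids all of them is a better starting point than the one-liner. First, `Get-WinEvent -MaxEvents 10` with no `-LogName` or filter enumerates every log on the box, including the Security log, which a non-elevated caller may not read; that is the "Attempted to perform an unauthorized operation" error, and filtering on the Application log alone avoids it. Second, `select timecreated, ..., User` drops `UserId` (there is no `User` property on the record), so the `foreach` after it only ever sees `$null`. Third, when the `-Command "..."` string is typed at a PowerShell prompt rather than cmd, the outer shell expands `$sid` and `$objSID` inside the double quotes before the inner PowerShell sees them, which is exactly what `SecurityIdentifier()` and `= .Transl` in the quoted errors show. The script below is an added example, not code from the question or the answer; the output path and the `-Days` window are placeholders, and it assumes only that the caller can read the Application log. Beyond the answer's code it handles records with no `UserId`, SIDs of deleted accounts (which would otherwise throw `IdentityNotMappedException` and abort the pipeline), and the case where no events match. Two caveats for anyone using this as an audit trail: `UserId` is the account that ran the installer, so software removed by a deployment agent or a scheduled task will show up as SYSTEM rather than a person; and MsiInstaller event 1040 marks the start of any installer transaction (install, repair or removal), so if only removals are wanted, event 1034 ("Windows Installer removed the product") is the narrower filter.

```powershell
# Added example (not from the original question or answer): list Windows Installer
# events from the Application log together with the account that triggered them.
# Assumptions: the caller can read the Application log (no Security log access is
# needed); $OutFile and $Days are placeholder values.
param(
    [int]$Days = 10,
    [string]$OutFile = 'C:\BCM\eventerr.csv'
)

# Resolve a SID to DOMAIN\user. Returns $null for records without a UserId and the
# raw SID string when the account no longer exists, instead of throwing and
# aborting the whole pipeline (which is what the answer's code does on $null).
function Resolve-EventUser {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    if ($null -eq $Sid) { return $null }
    try {
        return $Sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $Sid.Value
    }
}

# Query only the Application log so no Security log read is attempted. Event 1040
# is the ID the question used; the ProviderName filter keeps other providers that
# reuse ID 1040 out of the result. Use 1034 here to see removals only.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    Id           = 1040
    StartTime    = (Get-Date).AddDays(-$Days)
}

# -ErrorAction SilentlyContinue: Get-WinEvent emits an error, not an empty result,
# when nothing matches; for a scheduled export that should not be a failure.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$events | ForEach-Object {
    [pscustomobject]@{
        TimeCreated  = $_.TimeCreated
        Level        = $_.LevelDisplayName
        Id           = $_.Id
        User         = Resolve-EventUser -Sid $_.UserId
        Sid          = if ($_.UserId) { $_.UserId.Value } else { '' }
        ProviderName = $_.ProviderName
        # Flatten multi-line installer messages so one event stays one CSV row
        Message      = ($_.Message -replace '\r?\n', ' ')
    }
} | Export-Csv -Path $OutFile -NoTypeInformation -Append
```

Save it as a .ps1 and run it with `powershell -ExecutionPolicy Bypass -File .\Export-InstallerEvents.ps1 -Days 10` (file name is a placeholder). Running it with `-File` rather than `-Command` sidesteps the quoting problem entirely, which is the point sodawillow's deleted comment about "putting it in a file" was presumably making. Keeping the raw SID in its own column is deliberate: if an account is deleted later, the CSV still identifies who acted.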
