I want to parse the Windows event logs to list every piece of software that has been uninstalled on a device, and by whom. How can I get the username of the user who uninstalled an application on Windows?
Here is what I have come up with so far:
- Matching event 1040 (application uninstalled):
PowerShell -ExecutionPolicy ByPass -Command "Get-WinEvent -FilterHashTable @{logname='application'; id=1040; StartTime=(get-date).AddDays(-1)} | select timecreated, level, id, message, ProviderName, User | Export-Csv -Append C:\BCM\eventerr.csv -notype"
- Getting the "user" for a given event:
Get-WinEvent -MaxEvents 10 | foreach {
$sid = $_.UserId;                      # SID of the account that logged the event (may be empty)
if($sid -eq $null) { return; }         # inside ForEach-Object, return skips to the next event
$objSID = New-Object System.Security.Principal.SecurityIdentifier($sid);
$objUser = $objSID.Translate([System.Security.Principal.NTAccount]);  # SID -> DOMAIN\user
Write-Host $objUser.Value;
}
But it first outputs an error:
Error: Attempted to perform an unauthorized operation.. At line:1 char:1 + Get-WinEvent -MaxEvents 10 | foreach { + ~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Get-WinEvent], Exception + FullyQualifiedErrorId : LogInfoUnavailable,Microsoft.PowerShell.Commands.GetWinEventCommand
and then outputs a list of 2 users...
Edit: the following is useless, because I have since realised that the second command line does not (always) output the correct result...
I tried to combine the two:
PowerShell -ExecutionPolicy ByPass -Command "Get-WinEvent -MaxEvents 10 -FilterHashTable @{logname='application'; id=1040; StartTime=(get-date).AddDays(-1)} | select timecreated, level, id, message, ProviderName, User | foreach {$sid = $_.userid; if($sid -eq $null) { return; } $objSID = New-Object System.Security.Principal.SecurityIdentifier($sid); $objUser = $objSID.Translate([System.Security.Principal.NTAccount]); Write-Host $objUser.Value;}| Export-Csv -Append C:\BCM\eventerr.csv -notype"
but I get this error in the PowerShell window:
At line:1 char:325 + ... rityIdentifier(); AD\user = S-1-5-21-935981524-3360503449-101602611-2988 ... + ~ An expression was expected after '('. + CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException + FullyQualifiedErrorId : ExpectedExpression
Can someone help me fix this? Thanks in advance :)
Small bug: missing semicolon after 'if($sid -eq $null){return; }' – BenH
Did you delete your comment, sodawillow? I'm not very used to PowerShell; why is it easier to debug if it is in a file? – druid
Actually I realised the second command line only partly works: Get-WinEvent : Could not retrieve information about the Security log. Error: Attempted to perform an unauthorized operation.. At line:1 char:1 + Get-WinEvent -MaxEvents 10 | foreach { + ~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Get-WinEvent] LogInfoUnavailable,Microsoft.PowerShell.Commands.GetWinEventCommand and then it outputs a list of 2 users... – druid
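The script below is an added example, not code from the question or its comments: it queries only the Application log (a bare Get-WinEvent walks every log and fails on the Security log without elevation), resolves each event's UserId SID to an account, and emits objects rather than Write-Host output, which never reaches Export-Csv. It assumes the MsiInstaller event carries a UserId; the event ID list defaults to 1040 as used in the question (1034 is the MsiInstaller "removed the product" event), and the output path is the one from the question.

```powershell
# Added example: list uninstall-related MsiInstaller events with the account that raised them.
# Assumptions: Application log is readable; event IDs and output path are parameters.
param(
    [int[]]$EventId = @(1040),           # 1040 as in the question; 1034 = MsiInstaller "removed the product"
    [int]$Days = 1,
    [string]$OutFile = 'C:\BCM\eventerr.csv'
)

# Cache SID -> account lookups: Translate() is slow and throws for SIDs that no longer map
# to an account (deleted local user, unreachable domain).
$sidCache = @{}
function Resolve-Sid([System.Security.Principal.SecurityIdentifier]$Sid) {
    if ($null -eq $Sid) { return $null }
    if (-not $sidCache.ContainsKey($Sid.Value)) {
        try {
            $sidCache[$Sid.Value] = $Sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $sidCache[$Sid.Value] = $Sid.Value   # keep the raw SID so the row is not lost
        }
    }
    return $sidCache[$Sid.Value]
}

# Restrict the query to the Application log and the MsiInstaller provider. Enumerating all logs
# (Get-WinEvent with no -LogName/-FilterHashtable) touches the Security log, which needs
# elevation and produces "Attempted to perform an unauthorized operation".
$filter = @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    Id           = $EventId
    StartTime    = (Get-Date).AddDays(-$Days)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Emit an object per event; Write-Host writes to the console only and sends nothing
        # down the pipeline, which is why the combined one-liner wrote an empty CSV.
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Id          = $_.Id
            User        = Resolve-Sid $_.UserId
            Message     = ($_.Message -split "`r?`n")[0]   # first line: transaction path / product
        }
    } |
    Export-Csv -Path $OutFile -NoTypeInformation -Append
```

Run it from a PowerShell prompt as a .ps1 file rather than inside a double-quoted -Command string: the parser error at char 325 in the question comes from $sid and $objSID being expanded by the outer double-quoted string before PowerShell ever parses the script block.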