How to read Applications and Services Logs via WMI?

Question
I can get all event log messages via WMI in powershell like
Get-WmiObject -query "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security'"
To enumerate all event logs I use
Get-WmiObject win32_nteventlogfile
FileSize LogfileName Name NumberOfRecords
-------- ----------- ---- ---------------
26218496 Application C:\WINDOWS\System32\Winevt\Logs\Application.evtx 75510
69632 HardwareEvents C:\WINDOWS\System32\Winevt\Logs\HardwareEvents.evtx 0
69632 Internet Explorer C:\WINDOWS\System32\Winevt\Logs\Internet Explorer.evtx 0
69632 Key Management Service C:\WINDOWS\System32\Winevt\Logs\Key Management Service.evtx 0
69632 OAlerts C:\WINDOWS\System32\Winevt\Logs\OAlerts.evtx 39
69632 Parameters C:\WINDOWS\System32\Winevt\Logs\Parameters.evtx 0
12652544 Security C:\WINDOWS\System32\Winevt\Logs\Security.evtx 18840
69632 State C:\WINDOWS\System32\Winevt\Logs\State.evtx 0
8458240 System C:\WINDOWS\System32\Winevt\Logs\System.evtx 15108
69632 Windows Azure C:\WINDOWS\System32\Winevt\Logs\Windows Azure.evtx 0
2166784 Windows PowerShell C:\WINDOWS\System32\Winevt\Logs\Windows PowerShell.evtx 1656
So far I have found no way to parse all the other logs showing up under Applications and Services Logs.
With Powershell I can get the log files via
Get-WinEvent -ListLog *
LogMode MaximumSizeInBytes RecordCount LogName
------- ------------------ ----------- -------
Circular 15728640 1656 Windows PowerShell
Circular 1052672 0 Windows Azure
Circular 20971520 15123 System
Circular 20971520 19404 Security
Circular 1052672 39 OAlerts
Circular 20971520 0 Key Management Service
Circular 1052672 0 Internet Explorer
Circular 20971520 0 HardwareEvents
Circular 26214400 75525 Application
Circular 1052672 0 WitnessClientAdmin
Circular 1052672 Windows Networking Vpn Plugin Platform/OperationalVerbose
Circular 1052672 Windows Networking Vpn Plugin Platform/Operational
Circular 1052672 0 SMSApi
Circular 1052672 66 Setup
Circular 1052672 0 OpenSSH/Operational
Circular 1052672 0 OpenSSH/Admin
Circular 1052672 Network Isolation Operational
Circular 1052672 0 Microsoft-WS-Licensing/Admin
Circular 1052672 0 Microsoft-WindowsPhone-Connectivity-WiFiConnSvc-Channel
Circular 1052672 0 Microsoft-Windows-WWAN-SVC-Events/Operational
But when I try to read other log files, I get nothing. When I try to read e.g. the Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant file I get nothing back:
Get-WmiObject -query "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant'"
The log file has a different name
Directory of C:\Windows\System32\winevt\Logs
12/26/2019 07:55 PM 69,632 Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx
In the event viewer the name is displayed as
What would be the correct log file name I need to enter to the WMI query to read the events?
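As an added example, not code from the original question: the same channel read with Get-WinEvent, the API that sees every channel that Get-WinEvent -ListLog reports, rather than Win32_NTLogEvent, which is backed by the classic event log API and only knows logs registered under HKLM\SYSTEM\CurrentControlSet\Services\EventLog. It also derives the .evtx file name from the channel name using the '/' to '%4' substitution visible in the directory listing above. The channel name and the Logs directory are taken from the question; the rest assumes a default Windows install.

```powershell
# Added example (not from the original question). Reads an "Applications and
# Services Logs" channel with Get-WinEvent and shows the channel-name to .evtx
# mapping. Channel name and log directory come from the question; the rest is
# an assumption about a default Windows install.
$channel = 'Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant'

# On disk the '/' in a channel name is stored as '%4', as the question's
# directory listing shows, so the file path can be derived from the name.
$logDir   = Join-Path $env:SystemRoot 'System32\winevt\Logs'
$evtxPath = Join-Path $logDir (($channel -replace '/', '%4') + '.evtx')

# Channel configuration: type (Operational vs Analytical/Debug), whether it is
# enabled, record count and the file Windows itself reports for it.
$cfg = Get-WinEvent -ListLog $channel -ErrorAction Stop
$cfg | Select-Object LogName, LogType, IsEnabled, RecordCount, LogFilePath

# Newest 20 events from the live channel. Analytical and Debug channels can only
# be read forwards, so -Oldest is required for those; Operational ones do not need it.
$readArgs = @{ LogName = $channel; MaxEvents = 20; ErrorAction = 'SilentlyContinue' }
if ("$($cfg.LogType)" -in 'Analytical', 'Debug') { $readArgs['Oldest'] = $true }
Get-WinEvent @readArgs | Select-Object TimeCreated, Id, LevelDisplayName, Message

# The same read straight from the file, which is how a copied .evtx is triaged offline.
if (Test-Path -LiteralPath $evtxPath) {
    Get-WinEvent -Path $evtxPath -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}

# Channels that Win32_NTEventLogFile does not report at all, i.e. the ones that
# only exist under "Applications and Services Logs", limited to those holding events.
$classicLogs = (Get-CimInstance Win32_NTEventLogFile).LogfileName
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.LogName -notin $classicLogs -and $_.RecordCount -gt 0 } |
    Sort-Object RecordCount -Descending |
    Select-Object LogName, LogType, RecordCount -First 15
```

The blank RecordCount cells in the -ListLog table above are Analytical channels that are disabled by default; they hold no records until enabled, and reading them without -Oldest fails, which is why the script checks LogType before querying.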
Answer 1
Score: 2
Better late than never I guess.
Create the following key in registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Program-Compatibility-Assistant/Analytic
No values required, just the key.
You should then be able to run a query like this
select * from Win32_NTLogEvent where logfile = 'Microsoft-Windows-Program-Compatibility-Assistant/Analytic'
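The answer's workaround as an added PowerShell example (not the answerer's code): it creates the key, checks the channel state, and then runs the answer's WQL through Get-CimInstance, since Get-WmiObject is not available in PowerShell 7. The channel name is the one in the answer. One detail the answer does not mention and that matters here: PowerShell's registry provider treats '/' as a path separator, so New-Item would create two nested keys instead of one key whose name contains a slash; the .NET RegistryKey API splits only on '\' and is used instead. Whether the Event Log service picks the key up without a restart is not stated in the answer and is not assumed here.

```powershell
# Added example, not code from the original answer: apply the answer's registry
# workaround from PowerShell and verify it with a CIM query. Must run elevated,
# because the key lives under HKLM\SYSTEM.
$channel       = 'Microsoft-Windows-Program-Compatibility-Assistant/Analytic'   # name from the answer
$eventLogSubKey = 'SYSTEM\CurrentControlSet\Services\EventLog'

# Use the .NET registry API rather than New-Item: the PowerShell registry provider
# treats '/' as a path separator, so New-Item would create
# "...\Microsoft-Windows-Program-Compatibility-Assistant\Analytic" (two keys)
# instead of one key with '/' in its name. RegistryKey.CreateSubKey splits only
# on '\', so the slash is kept literally.
$root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($eventLogSubKey, $true)
if (-not $root) { throw "Cannot open HKLM\$eventLogSubKey for writing; run elevated." }

if ($root.GetSubKeyNames() -contains $channel) {
    Write-Host "Key already present: HKLM\$eventLogSubKey\$channel"
}
else {
    $root.CreateSubKey($channel).Close()   # no values needed, per the answer
    Write-Host "Created HKLM\$eventLogSubKey\$channel"
}
$root.Close()

# Before trusting an empty query result, confirm the channel exists and is enabled:
# Analytical channels are disabled by default and hold no records until turned on.
$cfg = Get-WinEvent -ListLog $channel -ErrorAction Stop
'{0}: type={1} enabled={2} records={3}' -f $cfg.LogName, $cfg.LogType, $cfg.IsEnabled, $cfg.RecordCount

# Same WQL as the answer, via the CIM cmdlets. The channel name goes into a WQL
# string literal; '/' needs no escaping there.
$wql = "SELECT * FROM Win32_NTLogEvent WHERE Logfile = '$channel'"
Get-CimInstance -Query $wql -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, EventCode, SourceName, Message -First 10

# Cleanup when done, so the host is not left with an unexplained EventLog subkey.
# Uncomment to remove the key created above:
# [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($eventLogSubKey, $true).DeleteSubKey($channel)
```

A new subkey under Services\EventLog is how a classic log is registered with the Event Log service, and it is exactly the kind of change endpoint monitoring flags; on a production host make the change deliberately, record it, and remove the key once the events have been collected.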