我可以在 powershell 中通过 WMI 获取所有事件日志消息,例如
Get-WmiObject -query "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security'"
枚举我使用的所有事件日志
Get-WmiObject win32_nteventlogfile
FileSize LogfileName Name NumberOfRecords
-------- ----------- ---- ---------------
26218496 Application C:\WINDOWS\System32\Winevt\Logs\Application.evtx 75510
69632 HardwareEvents C:\WINDOWS\System32\Winevt\Logs\HardwareEvents.evtx 0
69632 Internet Explorer C:\WINDOWS\System32\Winevt\Logs\Internet Explorer.evtx 0
69632 Key Management Service C:\WINDOWS\System32\Winevt\Logs\Key Management Service.evtx 0
69632 OAlerts C:\WINDOWS\System32\Winevt\Logs\OAlerts.evtx 39
69632 Parameters C:\WINDOWS\System32\Winevt\Logs\Parameters.evtx 0
12652544 Security C:\WINDOWS\System32\Winevt\Logs\Security.evtx 18840
69632 State C:\WINDOWS\System32\Winevt\Logs\State.evtx 0
8458240 System C:\WINDOWS\System32\Winevt\Logs\System.evtx 15108
69632 Windows Azure C:\WINDOWS\System32\Winevt\Logs\Windows Azure.evtx 0
2166784 Windows PowerShell C:\WINDOWS\System32\Winevt\Logs\Windows PowerShell.evtx 1656
到目前为止,还没有找到一种方法来解析显示在应用程序和服务日志下的所有其他日志
使用 Powershell 我可以通过
获取日志文件Get-WinEvent -ListLog *
LogMode MaximumSizeInBytes RecordCount LogName
------- ------------------ ----------- -------
Circular 15728640 1656 Windows PowerShell
Circular 1052672 0 Windows Azure
Circular 20971520 15123 System
Circular 20971520 19404 Security
Circular 1052672 39 OAlerts
Circular 20971520 0 Key Management Service
Circular 1052672 0 Internet Explorer
Circular 20971520 0 HardwareEvents
Circular 26214400 75525 Application
Circular 1052672 0 WitnessClientAdmin
Circular 1052672 Windows Networking Vpn Plugin Platform/OperationalVerbose
Circular 1052672 Windows Networking Vpn Plugin Platform/Operational
Circular 1052672 0 SMSApi
Circular 1052672 66 Setup
Circular 1052672 0 OpenSSH/Operational
Circular 1052672 0 OpenSSH/Admin
Circular 1052672 Network Isolation Operational
Circular 1052672 0 Microsoft-WS-Licensing/Admin
Circular 1052672 0 Microsoft-WindowsPhone-Connectivity-WiFiConnSvc-Channel
Circular 1052672 0 Microsoft-Windows-WWAN-SVC-Events/Operational
但是当我尝试读取其他日志文件时,却一无所获。当我尝试阅读时Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant 文件我什么也没得到:
Get-WmiObject -query "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant'"
日志文件有不同的名字
Directory of C:\Windows\System32\winevt\Logs
12/26/2019 07:55 PM 69,632 Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx
在事件查看器中名称显示为
我需要输入 WMI 查询以读取事件的正确日志文件名是什么?
最佳答案
我想迟到总比不到好。
在注册表中创建以下键值:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Program-Compatibility-Assistant/Analytic
不需要值,只需键。 然后您应该能够像这样运行查询
select * from Win32_NTLogEvent where logfile = 'Microsoft-Windows-Program-Compatibility-Assistant/Analytic'
关于powershell - 如何通过 WMI 读取应用程序和服务日志?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/59616483/