How to get PowerShell > Get-WinEvent > Security > Message > Access Mask matching 0x1 or 0x4



How do I get security ID 4663 where the message contains 0x1 | 0x4 | etc.?

I have tried different code. I just want to get about 5 codes logged to CSV. I can export to CSV, and I can pull only the 4663 IDs, but I cannot filter on the message access mask; it's text in the Message field. Does anyone have any ideas? This is the code I have built so far:-

$Results = foreach ($server in "server-name")
{
    # Get-EventLog returns EventLogEntry objects; ReplacementStrings holds the event data fields in template order
    Get-EventLog -ComputerName $server -LogName Security -Before 4/10/2013 -InstanceId 4663 -ErrorAction SilentlyContinue | % {
        New-Object psobject -Property @{
            Index          = $_.Index
            TimeGenerated  = $_.TimeGenerated
            "Account Name" = $_.ReplacementStrings[1]
            "Object Type"  = $_.ReplacementStrings[5]
            "Object Name"  = $_.ReplacementStrings[6]
        }
    }
}
$Results

This gets the records

#$Results = foreach($server in "file-server")
#{
#    Get-WinEvent -ComputerName $Server -logname security -MaxEvents 10 -ErrorAction SilentlyContinue | where {$_.id -eq "4663"} | select Timecreated, ID, Message | Write-Host

The results should be

Account Name: Object Name: WHERE the record is one of the following access masks: "0x0", "0x1",

So, let's dig into the Windows event message.

Every message has a template. You can look at the templates like so

(Get-WinEvent -ListProvider * -ErrorAction Ignore).Events |
select Id, Version, Template |
Format-List

We can dig down to find the event we are looking for, also like so

(Get-WinEvent -ListProvider * -ErrorAction Ignore).Events |
Where-Object {$_.Id -eq 4663} |
select Id, Version, Template |
Format-List

We can see that two versions of the template are used in Windows. We can also see what the proper names are.

Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
<data name="SubjectUserSid" inType="win:SID" outType="xs:string"/>
<data name="SubjectUserName" inType="win:UnicodeString" outType="xs:string"/>
<data name="SubjectDomainName" inType="win:UnicodeString" outType="xs:string"/>
<data name="SubjectLogonId" inType="win:HexInt64" outType="win:HexInt64"/>
<data name="ObjectServer" inType="win:UnicodeString" outType="xs:string"/>
<data name="ObjectType" inType="win:UnicodeString" outType="xs:string"/>
<data name="ObjectName" inType="win:UnicodeString" outType="xs:string"/>
<data name="HandleId" inType="win:Pointer" outType="win:HexInt64"/>
<data name="AccessList" inType="win:UnicodeString" outType="xs:string"/>
<data name="AccessMask" inType="win:HexInt32" outType="win:HexInt32"/>
<data name="ProcessId" inType="win:Pointer" outType="win:HexInt64"/>
<data name="ProcessName" inType="win:UnicodeString" outType="xs:string"/>
<data name="ResourceAttributes" inType="win:UnicodeString" outType="xs:string"/>
</template>

In the post we want to get the Access Mask. We can see it in the template

<data name="AccessMask" inType="win:HexInt32" outType="win:HexInt32"/>

So we will get all events matching the ID 4663 that we want, and limit the output to 10

Get-WinEvent -logname security -FilterXPath "*[System[EventID=4663]]" -MaxEvents 10

We will convert the output to XML and parse it until we get to those settings, then create a PSObject to store all of them. Then we will add each PSObject to an ArrayList.

$ArrayList = New-Object System.Collections.ArrayList
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4663]]" -MaxEvents 10 | % {
    $XML = [xml]$_.ToXml()
    $PsObject = New-Object psobject
    # each <Data Name="..."> element becomes a property named after the template field
    $XML.Event.EventData.Data | % {
        $PsObject | Add-Member -MemberType NoteProperty -Name $_.Name -Value $_."#text"
    }
    $ArrayList.Add($PsObject) | Out-Null
}
$ArrayList | Select AccessMask

We select only AccessMask from the ArrayList, which is nice.
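As an added example (not part of this answer), the AccessMask test can also be pushed into the query itself with -FilterXPath, so only the 4663 records with the wanted mask come back from the log, and the parsed fields can be written straight to CSV, which is what the question asks for. It assumes the local Security log is readable (run elevated); the output path is a placeholder. The XPath compares the exact text of the Data element, so a combined mask such as 0x5 would not match '0x1'.

```powershell
# Added example, not code from the original answer.
# Server-side filter: EventID 4663 whose AccessMask element is exactly 0x1 or 0x4.
$XPath = "*[System[EventID=4663] and EventData[Data[@Name='AccessMask']='0x1' or Data[@Name='AccessMask']='0x4']]"

Get-WinEvent -LogName Security -FilterXPath $XPath -MaxEvents 10 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $XML = [xml]$_.ToXml()
        # Turn the <Data Name="..."> elements into a hashtable keyed by template field name
        $Data = @{}
        foreach ($d in $XML.Event.EventData.Data) { $Data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Id          = $_.Id
            AccountName = $Data['SubjectUserName']
            ObjectType  = $Data['ObjectType']
            ObjectName  = $Data['ObjectName']
            AccessMask  = $Data['AccessMask']
            ProcessName = $Data['ProcessName']
        }
    } |
    Export-Csv -Path .\ObjectAccess-4663.csv -NoTypeInformation   # placeholder output path
```

Filtering in the XPath rather than in Where-Object matters on a busy file server: the log service only hands back the matching records instead of every 4663 event, which is the difference between a query that returns in seconds and one that walks the whole Security log.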

In closing, I have written a function for this.

function Parse-WindowsEvents() {
    param(
        [Parameter(Position=0, ValueFromPipeline)]
        [object[]]$Events
    )
    process {
        $ArrayList = New-Object System.Collections.ArrayList
        $Events | % {
            $EventObj = $_
            $EventObjFullName = $_.GetType().FullName
            if ($EventObjFullName -like "System.Diagnostics.EventLogEntry") {
                # Get-EventLog entry: re-read it through Get-WinEvent so ToXml() is available
                $EventObj = Get-WinEvent -LogName Security -FilterXPath "*[System[EventRecordID=$($_.get_Index())]]"
            } elseif ($EventObjFullName -like "System.Diagnostics.Eventing.Reader.EventLogRecord") {
                # already a Get-WinEvent record; nothing to do
            } else {
                throw "Not An Event System.Diagnostics.Eventing.Reader.EventLogRecord or System.Diagnostics.EventLogEntry"
            }
            # copy the record's own properties onto a fresh object
            $PsObject = New-Object psobject
            $EventObj.psobject.properties | % {
                $PsObject | Add-Member -MemberType NoteProperty -Name $_.Name -Value $_.Value
            }
            # parse the EventData fields out of the XML into a second object
            $XML = [xml]$EventObj.ToXml()
            $PsObject2 = New-Object psobject
            $XML.Event.EventData.Data | % {
                $PsObject2 | Add-Member -MemberType NoteProperty -Name $_.Name -Value $_."#text"
            }
            $PsObject | Add-Member -MemberType NoteProperty -Name ParsedMessage -Value $PsObject2
            $ArrayList.Add($PsObject) | Out-Null
        }
        return $ArrayList
    }
}

Usage example

Get-EventLog -LogName Security | select -first 3 | Parse-WindowsEvents | select id, recordid -ExpandProperty parsedmessage | fl

Get-WinEvent -LogName Security | Parse-WindowsEvents

The function will add a new property to the object called ParsedMessage

Get-WinEvent -LogName Security | where {($_.Id -eq '4663') -and ($_.Message -match '0x0' -or $_.Message -match '0x1' -or $_.Message -match '0x4' -or $_.Message -match '0x20' -or $_.Message -match '0x40' -or $_.Message -match '0x10000')}

Is this what you are looking for?
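As an added example (not code from either answer), here is a bitwise test for the access mask. AccessMask is a bitmask, so a substring test such as -match '0x1' also matches 0x10000 (DELETE) and 0x100 (WriteAttributes), while a -band test matches only the wanted bits and also catches combined masks such as 0x5 (0x1 | 0x4). The rights table is the standard file and directory access-right set; the three sample records are constructed here so the functions run without access to a Security log.

```powershell
# Added example, not code from the original answers.
# Standard file/directory access-right bits as they appear in the 4663 AccessMask.
$FileAccessRights = [ordered]@{
    0x1      = 'ReadData/ListDirectory'
    0x2      = 'WriteData/AddFile'
    0x4      = 'AppendData/AddSubdirectory'
    0x8      = 'ReadEA'
    0x10     = 'WriteEA'
    0x20     = 'Execute/Traverse'
    0x40     = 'DeleteChild'
    0x80     = 'ReadAttributes'
    0x100    = 'WriteAttributes'
    0x10000  = 'DELETE'
    0x20000  = 'READ_CONTROL'
    0x40000  = 'WRITE_DAC'
    0x80000  = 'WRITE_OWNER'
    0x100000 = 'SYNCHRONIZE'
}

function ConvertTo-AccessRightNames {
    # Expand the hex text logged in the event (e.g. '0x10000') into right names
    param([Parameter(Mandatory)][string]$AccessMask)
    $mask = [Convert]::ToInt64($AccessMask, 16)   # Convert accepts the 0x prefix for base 16
    foreach ($entry in $FileAccessRights.GetEnumerator()) {
        if (($mask -band $entry.Key) -ne 0) { $entry.Value }
    }
}

function Test-AccessMask {
    # True when any of the wanted bits is set in the record's mask
    param([Parameter(Mandatory)][string]$AccessMask, [Parameter(Mandatory)][long[]]$Wanted)
    $mask = [Convert]::ToInt64($AccessMask, 16)
    foreach ($bit in $Wanted) { if (($mask -band $bit) -ne 0) { return $true } }
    return $false
}

# Constructed sample records standing in for parsed 4663 events
$Sample = @(
    [pscustomobject]@{ SubjectUserName = 'alice'; ObjectName = 'C:\Share\a.txt'; AccessMask = '0x1' }
    [pscustomobject]@{ SubjectUserName = 'bob';   ObjectName = 'C:\Share\b.txt'; AccessMask = '0x10000' }
    [pscustomobject]@{ SubjectUserName = 'carol'; ObjectName = 'C:\Share\c.txt'; AccessMask = '0x5' }
)

"Substring match (keeps bob's DELETE because '0x10000' contains '0x1', misses carol's 0x5):"
$Sample | Where-Object { $_.AccessMask -match '0x1' -or $_.AccessMask -match '0x4' } |
    Select-Object SubjectUserName, AccessMask

"Bitwise match (keeps alice and carol, drops bob):"
$Sample | Where-Object { Test-AccessMask $_.AccessMask -Wanted 0x1, 0x4 } |
    Select-Object SubjectUserName, AccessMask,
        @{ n = 'Rights'; e = { (ConvertTo-AccessRightNames $_.AccessMask) -join ', ' } }
```

To run this on live records, pipe the objects produced by the XML-parsing pipeline in the first answer through Where-Object { Test-AccessMask $_.AccessMask -Wanted 0x1, 0x4 } before Export-Csv. With Get-EventLog entries the same value is $_.ReplacementStrings[9], since AccessMask is the tenth Data element in the 4663 template shown above.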
