我正在尝试做的事情:使用 get-winevent (ID: 4624) 使用 Powershell 获取用户登录统计信息。如果您知道更好的方法,我不反对其他建议。我已经让它工作了,但它的格式不是我需要的。这是我拥有的 Powershell 代码(我是 Powershell 新手,但有些东西类似于 PHP,我很熟悉):
$LogonIDs = "4624"
$computers = get-content "c:\computers.txt"
foreach($pc in $computers) {
if(test-connection $pc -count 1 -quiet) {
write-host "Acquiring information for $pc"
foreach ($item in $LogonIDs) {
(Get-WinEvent -computername $pc -max 2000 -FilterHashtable @{Logname='security';Id=$item} `
| Select TimeCreated,Message `
| fl * `
| findstr /G:c:\search.lst) `
-replace "^[\s]+","" `
-replace "[\s]+"," " `
| out-file -append "c:\scripts\winevent\$LogonIDs.txt"
}
}
else {
write-host "Couldn't ping $pc"
}
}
search.lst 有以下信息:
TimeCreated
Account Name:
Logon Type:
Logon GUID:
Logon Type:
Process Name:
该脚本将导出如下内容:
TimeCreated : 5/2/2013 7:19:39 AM
Account Name: COMPUTERNAME$
Logon Type: 2
Account Name: [USERNAME]
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Name: C:\Windows\System32\winlogon.exe
TimeCreated : 5/2/2013 7:19:39 AM
Account Name: COMPUTERNAME$
Logon Type: 2
Account Name: [USERNAME]
Logon GUID: {AKEJ38DJ-3K45-3LKD-3LKD-DKEJ3787DJJ3}
Process Name: C:\Windows\System32\winlogon.exe
TimeCreated : 5/2/2013 6:50:42 AM
Account Name: -
Logon Type: 3
Account Name: COMPUTERNAME$
Logon GUID: {K458D890-3KJ8-DK3J-DK39-3LDJK23LD909}
Process Name: -
TimeCreated : 5/2/2013 6:27:22 AM
Account Name: COMPUTERNAME$
Logon Type: 5
Account Name: SYSTEM
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Name: C:\Windows\System32\services.exe
这个脚本导出了所有很棒的东西,但是我在使用 Powershell 格式化和解析不需要的信息方面很糟糕。我可以使用 PHP 格式化我需要的所有内容,但是如果有人可以帮助我使用 Powershell 清除特定信息,那就太好了。
1) Explode at TimeCreated to create array
2) If Logon Type = 2, proceed, else skip to next value;
3) If Process Name contains winlogon.exe, proceed, else skip to next value;
4) If GUID = {00000000-0000-0000-0000-000000000000}, skip to next value;
5) If GUID != {00000000-0000-0000-0000-000000000000}, Account Name[0] = computername, Account Name[1] = Username, build new array with this information
这是我用来执行此操作的 PHP:
$file = "4624.txt";
$file_explode = explode("TimeCreated",$file);
while(list($k,$v) = each($file_explode)) {
$account_name = "";
$time = "";
if(preg_match("/Logon Type\:[\s]+2/msU",$v)) {
if(preg_match("/winlogon\.exe/msU",$v)) {
if(strstr($v,"{00000000-0000-0000-0000-000000000000}")) {
continue;
}
else {
preg_match("/[\s]+\:[\s]+(.*)$/msU",$v,$time);
preg_match_all("/Account Name\:[\s]+(.*)$/msU",$v,$account_name);
$new_arr[] = array(
"time" => $time[1],
"computer_name" => $account_name[1][0],
"user" => $account_name[1][1]
);
}
}
}
}
我不能使用那个 PHP(我刚刚发现)的原因是我不能将 4624.txt 发布到我的 Web 服务器,因为它包含 PII(个人身份信息)。如果有人可以帮助我,我将永远欠你的债;]
-亚当