我有一个接受以下输入的脚本
“发件人 IP=10.10.10.10”
它应该返回最后登录的用户。
首先,它会尝试检测操作系统
其次,它将尝试检测用户配置文件
最后,它会尝试将 Security Identifier 转换为用户帐户,即 DOMAIN\username
这是代码的相关部分
$Sender_IP = $my_hash.Get_Item("sender-ip")
try
{
<#Gather information on the computer corresponding to $Sender_IP#>
$Win32OS = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Sender_IP -ErrorAction Stop
}
catch [Exception]
{
$userId = "Unknown/CannotDetectOS "
return $output = "userId=" + $userId
}
try
{
$Win32User = Get-WmiObject -Class Win32_UserProfile -ComputerName $Sender_IP -ErrorAction Stop
}
catch [Exception]
{
$userId = "Unknown/CannotDetectUserProfile "
return $output+= "userId=" + $userId
}
$Win32User = $Win32User | Sort-Object -Property LastUseTime -Descending
$LastUser = $Win32User | Select-Object -First 1
try
{
$UserSID = New-Object System.Security.Principal.SecurityIdentifier($LastUser.SID)
$userId = $UserSID.Translate([System.Security.Principal.NTAccount])
}
catch [Exception]
{
$userId = "Unknown/CannotDetectUserSID "
return $output = "userId=" + $userId
}
$userId = $userId.Value
if ($userId -ne $NULL){
$output = "userId=" + $userId
}
elseif ($userID -eq $NULL)
{
$userId = "Unknown/UserID"
$output = "userId=" + $userId
}
$output.replace("\","/")
据我了解,需要打开 WMI 服务才能检测 Windows 操作系统,即
$Win32OS = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Sender_IP -ErrorAction Stop
和 Windows 用户配置文件,即
$Win32User = Get-WmiObject -Class Win32_UserProfile -ComputerName $Sender_IP -ErrorAction Stop
但是需要开启什么服务才能正确翻译Security Identifier,即
$Win32User = $Win32User | Sort-Object -Property LastUseTime -Descending
$LastUser = $Win32User | Select-Object -First 1
try
{
$UserSID = New-Object System.Security.Principal.SecurityIdentifier($LastUser.SID)
$userId = $UserSID.Translate([System.Security.Principal.NTAccount])
}
catch [Exception]
{
$userId = "Unknown/CannotDetectUserSID "
return $output = "userId=" + $userId
}
一周我将使用“sender-ip=10.10.10.10”运行脚本并获取实际用户,下周脚本抛出“CannotDetectUserProfile”,下周脚本抛出“CannotDetectOS”等
需要开启什么服务,可以通过powershell远程实现吗?