I want to analyse the event log of a particular Windows application (Windows 7 Enterprise, 64-bit).
I need one specific event, which was written to the log a few seconds ago.
Here is my VBScript code; it produces completely wrong results (the wrong number of events):
strComputer = "." ' This computer
' Retrieving Specific Events from an Event Log
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\" & strComputer & "\root\cimv2")
Const CONVERT_TO_LOCAL_TIME = True
Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
dtmStartDate.SetVarDate dateadd("s", -10, now()) ' CONVERT_TO_LOCAL_TIME
dtmEndDate.SetVarDate now() ' CONVERT_TO_LOCAL_TIME
dim var_wql
var_wql = "SELECT * FROM Win32_NTLogEvent WHERE Logfile = '< ... >' AND SourceName = '< ... >' AND EventCode = '< ... >' AND (TimeWritten >= '" & dtmStartDate & "') AND (TimeWritten < '" & dtmEndDate & "')"
Set colLoggedEvents = objWMIService.ExecQuery(var_wql)
...
The row count (anzahl = colLoggedEvents.count) must be 0 or 1; anything else is impossible.
What is wrong with the WQL statement? I want to look at the last few seconds (counting back from now).
Thanks.
Tommy
Answer 0 (score: 0)
Syntax error. If I change the objWMIService line to this, it works for me.
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" & strComputer & "\root\cimv2")
Updated to fetch all event-log entries created in the last 10 seconds and write them to a log file.
On Error Resume Next ' suppresses runtime errors, e.g. a missing %SystemDrive%\Temp folder
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\.\root\cimv2")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set WshShell = WScript.CreateObject("WScript.Shell")
strSystemDrive = WshShell.ExpandEnvironmentStrings("%SystemDrive%")
Const CONVERT_TO_LOCAL_TIME = True
' SWbemDateTime converts a VBScript date into the DMTF datetime string WQL expects
Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
dtmStartDate.SetVarDate dateadd("s", -10, now()) ' CONVERT_TO_LOCAL_TIME
dtmEndDate.SetVarDate now() ' CONVERT_TO_LOCAL_TIME
' Window is [start, end): everything written in the last 10 seconds
var_wql = "SELECT * FROM Win32_NTLogEvent WHERE (TimeWritten >= '" & dtmStartDate & "') AND (TimeWritten < '" & dtmEndDate & "')"
Set LogFile = objFSO.CreateTextFile(strSystemDrive & "\Temp\EvtLog.txt", True)
Set colLoggedEvents = objWMIService.ExecQuery(var_wql)
For Each objEvent in colLoggedEvents
    ' Reset the accumulators per event, otherwise Data and InsertionStrings
    ' of earlier records are repeated in every later record
    strData = ""
    strInsert = ""
    LogFile.WriteLine "Computer Name : " & objEvent.ComputerName
    LogFile.WriteLine "Logfile : " & objEvent.Logfile
    LogFile.WriteLine "Type : " & objEvent.Type
    LogFile.WriteLine "User : " & objEvent.User
    LogFile.WriteLine "Category : " & objEvent.Category
    LogFile.WriteLine "Category String : " & objEvent.CategoryString
    ' Data is a byte array when present, Null otherwise
    If IsArray(objEvent.Data) Then
        For i = 0 To UBound(objEvent.Data)
            strData = strData & objEvent.Data(i) & ","
        Next
        LogFile.WriteLine "Data : " & strData
    Else
        LogFile.WriteLine "Data : " & objEvent.Data
    End If
    LogFile.WriteLine "Event Code : " & objEvent.EventCode
    LogFile.WriteLine "Event Identifier : " & objEvent.EventIdentifier
    LogFile.WriteLine "Message : " & objEvent.Message
    LogFile.WriteLine "Record Number : " & objEvent.RecordNumber
    LogFile.WriteLine "Source Name : " & objEvent.SourceName
    LogFile.WriteLine "Time Generated : " & objEvent.TimeGenerated
    LogFile.WriteLine "Time Written : " & objEvent.TimeWritten
    ' InsertionStrings is a string array when present, Null otherwise
    If IsArray(objEvent.InsertionStrings) Then
        For i = 0 To UBound(objEvent.InsertionStrings)
            strInsert = strInsert & objEvent.InsertionStrings(i) & ","
        Next
        LogFile.WriteLine "Insertion Strings: " & strInsert
    Else
        LogFile.WriteLine "Insertion Strings: " & objEvent.InsertionStrings
    End If
    LogFile.WriteLine "----------------------------------------------------------------------------------------------------------"
Next
LogFile.Close
Sample output (not every field is populated for every event):
----------------------------------------------------------------------------------------------------------
Computer Name : Randy-PC
Logfile : Application
Type : Information
User :
Category : 0
Category String :
Data :
Event Code : 9019
Event Identifier : 1073750843
Message : The Desktop Window Manager was unable to start because the desktop composition setting is disabled
Record Number : 37395
Source Name : Desktop Window Manager
Time Generated : 20160903031728.000000-000
Time Written : 20160903031728.000000-000
Insertion Strings:
----------------------------------------------------------------------------------------------------------
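An added example (my own code, not the question's or the answer's) covering the two points the thread turns on: building the [start, end) window as DMTF CIM_DATETIME strings, which is what SWbemDateTime.SetVarDate hands to the WQL string in both scripts, and checking a returned TimeWritten such as the 20160903031728.000000-000 in the sample output against that window. It is written in Python so it runs offline without WMI: no WMI call is made, the record is copied from the sample output as constructed test data, and the allow-list for Logfile/SourceName values, the function names and the integer EventCode literal are my assumptions, not anything stated on the page.

```python
import re
from datetime import datetime, timedelta, timezone

# DMTF CIM_DATETIME: yyyymmddHHMMSS.mmmmmm+UUU, UUU = UTC offset in minutes.
DMTF_RE = re.compile(
    r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})\.(\d{6})([+-])(\d{3})$"
)
# Assumed allow-list: values spliced into a WQL literal must match this, so no
# quoting rules are needed and no quote characters can reach the query string.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")

# Record taken from the answer's sample output (constructed test data).
SAMPLE_TIME_WRITTEN = "20160903031728.000000-000"


def to_dmtf(dt):
    """Format an offset-aware datetime as a DMTF string (what SetVarDate produces)."""
    if dt.tzinfo is None or dt.utcoffset() is None:
        raise ValueError("datetime must be timezone-aware")
    offset_min = int(dt.utcoffset().total_seconds() // 60)
    sign = "+" if offset_min >= 0 else "-"
    return "%s.%06d%s%03d" % (
        dt.strftime("%Y%m%d%H%M%S"), dt.microsecond, sign, abs(offset_min)
    )


def from_dmtf(text):
    """Parse a DMTF string (e.g. TimeWritten) into an offset-aware datetime."""
    m = DMTF_RE.match(text)
    if not m:
        raise ValueError("not a DMTF datetime: %r" % text)
    y, mo, d, h, mi, s, us, sign, off = m.groups()
    minutes = int(off) if sign == "+" else -int(off)
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), int(us),
                    tzinfo=timezone(timedelta(minutes=minutes)))


def is_safe_name(value):
    """True when value may be placed inside a WQL single-quoted literal as-is."""
    return bool(SAFE_NAME_RE.match(value))


def build_query(logfile, source, event_code, start, end):
    """WQL for events of one source written in [start, end).

    EventCode is a uint16 in Win32_NTLogEvent, so it is emitted as an
    integer literal; the two names are checked against the allow-list
    instead of being concatenated unchecked as in the scripts above.
    """
    for name in (logfile, source):
        if not is_safe_name(name):
            raise ValueError("unsafe value for WQL literal: %r" % name)
    if start >= end:
        raise ValueError("empty time window")
    return (
        "SELECT * FROM Win32_NTLogEvent "
        "WHERE Logfile = '%s' AND SourceName = '%s' AND EventCode = %d "
        "AND TimeWritten >= '%s' AND TimeWritten < '%s'"
        % (logfile, source, int(event_code), to_dmtf(start), to_dmtf(end))
    )


def in_window(time_written, start, end):
    """True when a record's TimeWritten falls inside [start, end).

    Comparing parsed, offset-aware datetimes rather than raw strings means a
    record reported with offset -000 and a window built from local time
    (a different offset) still compare as instants, not as text.
    """
    return start <= from_dmtf(time_written) < end


if __name__ == "__main__":
    now = datetime.now(timezone.utc).astimezone()  # local time, offset-aware
    print(build_query("Application", "Desktop Window Manager", 9019,
                      now - timedelta(seconds=10), now))
    print(in_window(SAMPLE_TIME_WRITTEN, now - timedelta(seconds=10), now))
```

Running the block prints the query for the last 10 seconds in the same shape as the answer's var_wql, with the window rendered in the local UTC offset; the sample record from 2016 is of course outside that window, so the second line prints False.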