I am trying to parse the Windows event logs to list all software that has been uninstalled on the device and which logged-in user did it.
This is what I have come up with so far:
PowerShell -ExecutionPolicy ByPass -Command "Get-WinEvent -FilterHashTable @{logname='application'; id=1040; StartTime=(get-date).AddDays(-1)} | select timecreated, level, id, message, ProviderName, User | Export-Csv -Append C:\BCM\eventerr.csv -notype"

Get-WinEvent -MaxEvents 10 | foreach {
    $sid = $_.userid;
    if($sid -eq $null) { return; }
    $objSID = New-Object System.Security.Principal.SecurityIdentifier($sid);
    $objUser = $objSID.Translate([System.Security.Principal.NTAccount]);
    Write-Host $objUser.Value;
}
But it first outputs an error:

Get-WinEvent : Attempted to perform an unauthorized operation.
At line:1 char:1
+ Get-WinEvent -MaxEvents 10 | foreach {
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], Exception
    + FullyQualifiedErrorId : LogInfoUnavailable,Microsoft.PowerShell.Commands.GetWinEventCommand

and then it outputs a list containing 2 users...

EDIT: the following is of no use, because I realized that the second command line does not (always?) output the correct results...

I tried to combine these:
PowerShell -ExecutionPolicy ByPass -Command "Get-WinEvent -MaxEvents 10 -FilterHashTable @{logname='application'; id=1040; StartTime=(get-date).AddDays(-1)} | select timecreated, level, id, message, ProviderName, User | foreach {$sid = $_.userid; if($sid -eq $null) { return; } $objSID = New-Object System.Security.Principal.SecurityIdentifier($sid); $objUser = $objSID.Translate([System.Security.Principal.NTAccount]); Write-Host $objUser.Value;}| Export-Csv -Append C:\BCM\eventerr.csv -notype"

but I get this error in the PowerShell window:

At line:1 char:325
+ ... rityIdentifier(); AD\user = S-1-5-21-935981524-3360503449-101602611-2988 ...
+                                 ~
An expression was expected after '('.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ExpectedExpression

Can someone help me solve this?
Thanks in advance :)
Answer 0 (score: 1)
Here are the two functions combined:
Get-WinEvent -FilterHashTable @{logname='application'; id=1040; StartTime=(get-date).AddDays(-10)} | ? {$_.userid} | % {
    $objSID = New-Object System.Security.Principal.SecurityIdentifier ($_.userid)
    $objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
    [pscustomobject]@{
        User         = $objUser.Value
        timecreated  = $_.timecreated
        level        = $_.level
        id           = $_.id
        message      = $_.message
        ProviderName = $_.ProviderName
    }
} | Export-Csv -Append C:\BCM\eventerr.csv -notype
And here it is as a very long one-liner (EDIT: added a Where-Object filter to drop the log entries that have no user ID to resolve, which were producing the error messages):

PowerShell -ExecutionPolicy ByPass -Command "Get-WinEvent -FilterHashTable @{logname='application'; id=1040; StartTime=(get-date).AddDays(-10)} | ? {$_.userid} | % {$objSID = New-Object System.Security.Principal.SecurityIdentifier ($_.userid); $objUser = $objSID.Translate( [System.Security.Principal.NTAccount]);[pscustomobject]@{User = $objUser.Value;timecreated = $_.timecreated;level = $_.level;id = $_.id;message = $_.message;ProviderName = $_.ProviderName}} | Export-Csv -Append C:\BCM\eventerr.csv -notype"
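The same query as a script file, written as an added example for this thread (it is not the asker's or the answerer's code). It keeps the thread's log name, event ID 1040 and CSV path, but is structured to avoid both errors quoted in the question: it always passes a log name so Get-WinEvent never walks logs the caller is not allowed to open, and it is launched with -File rather than -Command, so the $_ and $objSID references are never expanded by an outer PowerShell session before the inner one parses them. It also catches the IdentityNotMappedException that Translate() throws for SIDs of deleted or foreign-machine accounts, and records the raw SID instead of dying mid-export. The parameter names, the SID cache and the Resolve-EventUser helper are this example's own; which event IDs actually mark an uninstall on your systems is an assumption you must verify against your installer's events.

```powershell
# Added example for this thread, not code from the question or the answer above.
# Save as Get-UninstallEvents.ps1 and run it with:
#   powershell.exe -ExecutionPolicy Bypass -File .\Get-UninstallEvents.ps1 -Days 10 -OutFile C:\BCM\eventerr.csv
# -File avoids the "ExpectedExpression" parser error: a -Command string typed inside an
# existing PowerShell session has $_, $objSID etc. expanded by the outer session first.
[CmdletBinding()]
param(
    [int]$Days = 1,
    [int[]]$EventId = 1040,            # ID used in the thread; assumption: adjust to your installer's removal events
    [string]$LogName = 'Application',
    [string]$OutFile = 'C:\BCM\eventerr.csv'
)

# Cache SID -> account lookups; a busy log repeats the same few SIDs thousands of times.
$sidCache = @{}

function Resolve-EventUser {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    if ($null -eq $Sid) { return '<no user id in event>' }
    $key = $Sid.Value
    if (-not $sidCache.ContainsKey($key)) {
        try {
            # Translate() throws IdentityNotMappedException for deleted accounts, local accounts
            # of another machine, or when no domain controller is reachable; keep the raw SID then.
            $sidCache[$key] = $Sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $sidCache[$key] = $key
        }
    }
    return $sidCache[$key]
}

# Always pass a log name: Get-WinEvent with no filter enumerates every log on the box,
# including Security and other logs a non-elevated user cannot open, which is the
# "LogInfoUnavailable / Attempted to perform an unauthorized operation" error in the question.
$filter = @{
    LogName   = $LogName
    Id        = $EventId
    StartTime = (Get-Date).AddDays(-$Days)
}

try {
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
} catch [Exception] {
    # An empty result is reported as a terminating error, not as an empty list.
    if ($_.Exception.Message -match 'No events were found') { $events = @() } else { throw }
}

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        TimeCreated  = $e.TimeCreated
        Level        = $e.LevelDisplayName
        Id           = $e.Id
        ProviderName = $e.ProviderName
        # UserId is the SID of the token the event was logged under: the interactive user who
        # ran the uninstall, or SYSTEM when a service or management agent did it. It is not
        # a record of who was logged on to the machine at the time.
        UserSid      = if ($e.UserId) { $e.UserId.Value } else { '' }
        User         = Resolve-EventUser -Sid $e.UserId
        Message      = ($e.Message -replace '\r?\n', ' ')   # keep one CSV row per event
    }
}

$rows | Export-Csv -Path $OutFile -Append -NoTypeInformation -Encoding UTF8
Write-Host ("{0} event(s) written to {1}" -f @($rows).Count, $OutFile)
```

Keeping the UserSid column next to the resolved name is deliberate: when a SID no longer resolves (account deleted after the uninstall, or a local account on a reimaged machine), the CSV still carries the identifier you can match against old AD or local SAM exports, which the thread's Write-Host version would have lost.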