以下是我尝试用于从Windows事件日志文件中提取信息的代码之一:
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate,(Security)}!\\" & "." & "\root\cimv2")
Set colEvents = objWMIService.ExecQuery ("Select * from Win32_NTLogEvent where LogFile='Application'")
WScript.Echo "Application Log Count:" & colEvents.count
Set colEvents = objWMIService.ExecQuery ("Select * from Win32_NTLogEvent where LogFile='System'")
WScript.Echo "System Log Count:" & colEvents.count
Set colEvents = objWMIService.ExecQuery ("Select * from Win32_NTLogEvent where LogFile='Security'")
WScript.Echo "Security Log Count:" & colEvents.count
我的问题是,这只能访问“应用程序”和“系统”日志文件,而不能访问“安全”日志文件。即使我使用这组代码:
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Security)}!\\" & "." & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery("Select * from Win32_NTEventLogFile")
For Each objLogFile in colLogFiles
Wscript.Echo objLogFile.name
Next
Output:
C:\Windows\System32\Winevt\Logs\Application.evtx
C:\Windows\System32\Winevt\Logs\HardwareEvents.evtx
C:\Windows\System32\Winevt\Logs\Internet Explorer.evtx
C:\Windows\System32\Winevt\Logs\Key Management Service.evtx
C:\Windows\System32\Winevt\Logs\Lenovo-Customer Feedback.evtx
C:\Windows\System32\Winevt\Logs\OAlerts.evtx
C:\Windows\System32\Winevt\Logs\PreEmptive.evtx
C:\Windows\System32\Winevt\Logs\Reason.evtx
C:\Windows\System32\Winevt\Logs\System.evtx
C:\Windows\System32\Winevt\Logs\Windows PowerShell.evtx
仍未包含安全文件。我正在使用Windows 10机器。我已尝试使用WMI的所有其他代码但仍无法访问安全日志文件。我的安全事件可通过事件查看器获得,并有数千条记录。