Get-Winevent Filterhashtable格式错误

时间:2018-01-23 09:06:59

标签: powershell

当我尝试运行此脚本时:

$Filename = ""U:\logfile_analysis\raw_data\SavedSecurity.evtx""
$EventIDsLogon.ToString() = "4624"
$EventIDsLogoff.ToString() = "4647"
$EventIDsLogonFailure.ToString() = "4625"
$EventIDsLockScreen.ToString() = "4800"
$EventIDsUnlockScreen.ToString() = "4801"
$EventIDstemp = $EventIDsLogon, $EventIDsLogoff, $EventIDsLogonFailure, $EventIDsLockScreen, $EventIDsUnlockScreen -join ","
$EventIDsSummary = $EventIDstemp.Trim()
#Write-Host $EventIDsSummary
Write-Host "Get-WinEvent -FilterHashtable @{Path='$Filename'; ID=$EventIDsSummary}"
pause
Get-WinEvent -FilterHashtable @{Path='$Filename'; ID=$EventIDsSummary}

并查看

的输出
Write-host "Get-WinEvent -FilterHashtable @{Path='$Filename'; ID=$EventIDsSummary}"

输出是:

Get-WinEvent -FilterHashtable @{Path='U:\logfile_analysis\raw_data\SavedSecurity.evtx'; ID=4624,4647,4625,4800,4801}

当我将Write-Host的输出复制到PowerShell控制台时,它可以工作:

PS> Get-WinEvent -FilterHashtable @{Path='U:\logfile_analysis\raw_data\SavedSecurity.evtx'; ID=4624,4647,4625,4800,4801}


    ProviderName: Microsoft-Windows-Security-Auditing

    TimeCreated                     Id LevelDisplayName Message
    -----------                     -- ---------------- -------
    04.12.2017 13:56:56           4624 Informationen    Ein Konto wurde erfolgreich angemeldet...
    04.12.2017 13:56:56           4647 Informationen    Benutzerinitiierte Abmeldung:...
    04.12.2017 13:56:48           4801 Informationen    Die Arbeitsstation wurde entsperrt...
    04.12.2017 13:56:48           4624 Informationen    Ein Konto wurde erfolgreich angemeldet...
    04.12.2017 13:56:48           4624 Informationen    Ein Konto wurde erfolgreich angemeldet...
******** truncated ****

但是:

Get-WinEvent -FilterHashtable @{Path='$Filename'; ID=$EventIDsSummary}

没用。

错误消息是:

  

Get-WinEvent:找不到路径'U:\ logfile_analysis \ $ Filename',因为它不存在。

我尝试在""添加@{Path="$Filename"...。 我尝试在''添加@Path="$Filename"...。 我试图操纵$Filename variable and add“”, the variable $ Filename`看起来像

$Filename = '"U:\logfile_analysis\raw_data\SavedSecurity.evtx"'
$Filename = ""U:\logfile_analysis\raw_data\SavedSecurity.evtx""
$Filename = "'U:\logfile_analysis\raw_data\SavedSecurity.evtx'"

没有成功。

深入了解问题,@Path='$Filename' 路径必须在两个“”之内,如何添加脚本工作的那些?

1 个答案:

答案 0 :(得分:0)

感谢您的提示@ / lo%c3%afc-michel和@ ansgar-wiechers。我想我用以下代码解决了这个问题:

$Filename="c:\temp"
$EventIDsLogon="4624"
$EventIDsLogoff="4647"
$EventIDsLogonFailure="4625"
$EventIDsLockScreen="4800"
$EventIDsUnlockScreen="4801"
$EventIDstemp=@($EventIDsLogon,$EventIDsLogoff,$EventIDsLogonFailure,$EventIDsLockScreen, $EventIDsUnlockScreen) 
echo $Filename
echo $EventIDstemp
Get-WinEvent -FilterHashtable @{Path=$Filename; ID=$EventIDstemp}