我是Windows Management Instrumentation(WMI)的初学者。我正在使用C ++在WMI上从Windows日志文件收集数据(“在此程序中访问安全日志”)。我能够使用WMI程序读取并显示日志文件中的内容,以及Stack Overflow用户提到的有价值的更正。非常感谢您的帮助。
此外,我试图将数据保存到文件中。由于无法直接将其转换为XML文件,因此我使用下面给出的程序将bstr(数据类型由“ vtProp.bstrVal”返回)转换为字符串,然后将其保存到文本文件中。我的意图是将日志文件中的信息显示为用户界面中的表格。如果是XML文件,那会容易得多。那么,有什么方法可以使用Windows查询或其他方式将内容导出到XML文件吗?
我作为“ pclsObj-> Get()”函数的参数传递的属性是Message,以便在控制台或文件中显示Message标记下的所有详细信息。我想询问的第二件事是关于这些属性。查看XML文件(从evtx文件保存)后,我发现了类似的标签,例如Data,Tasks等。但是,当我尝试显示它们时,抛出异常,提示访问文件有问题。
程序:
#define _WIN32_DCOM
#include <iostream>
using namespace std;
#include <comdef.h>
#include <Wbemidl.h>
#include<string>
#include<fstream>
#pragma comment(lib, "wbemuuid.lib")
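// Entry point: connects to the local WMI ROOT\CIMV2 namespace, queries the
// Security event log (Win32_NTLogEvent) and writes each record's Message
// property to the console and to "log.txt" in the current directory.
// Returns 0 on success, 1 on any COM/WMI failure (after releasing what was
// acquired so far).
//
// NOTE(review): reading the Security log through Win32_NTLogEvent normally
// requires the caller to run with administrative rights / the security
// privilege; an access-denied HRESULT from ExecQuery or Next is the usual
// symptom when that is missing — confirm against the actual error code.
int main()//(int argc, char **argv)
{
    HRESULT hres;

    // Step 1: Initialize COM.
    hres = CoInitializeEx(0, COINIT_MULTITHREADED);
    if (FAILED(hres))
    {
        cout << "Failed to initialize COM library. Error code = 0x"
             << hex << hres << endl;
        return 1; // Program has failed.
    }
    cout << "Initilized the COM" << endl;

    // Step 2: Set general COM security levels.
    hres = CoInitializeSecurity(
        NULL,
        -1,                          // COM authentication
        NULL,                        // Authentication services
        NULL,                        // Reserved
        RPC_C_AUTHN_LEVEL_DEFAULT,   // Default authentication
        RPC_C_IMP_LEVEL_IMPERSONATE, // Default Impersonation
        NULL,                        // Authentication info
        EOAC_NONE,                   // Additional capabilities
        NULL                         // Reserved
    );
    if (FAILED(hres))
    {
        cout << "Failed to initialize security. Error code = 0x"
             << hex << hres << endl;
        CoUninitialize();
        return 1; // Program has failed.
    }

    // Step 3: Obtain the initial locator to WMI.
    IWbemLocator *pLoc = NULL;
    hres = CoCreateInstance(
        CLSID_WbemLocator,
        0,
        CLSCTX_INPROC_SERVER,
        IID_IWbemLocator, (LPVOID *)&pLoc);
    if (FAILED(hres))
    {
        cout << "Failed to create IWbemLocator object."
             << " Err code = 0x"
             << hex << hres << endl;
        CoUninitialize();
        return 1; // Program has failed.
    }

    // Step 4: Connect to WMI through IWbemLocator::ConnectServer.
    // Connect to the root\cimv2 namespace as the current user and obtain
    // the IWbemServices proxy pSvc used for all further calls.
    IWbemServices *pSvc = NULL;
    hres = pLoc->ConnectServer(
        _bstr_t(L"ROOT\\CIMV2"), // Object path of WMI namespace
        NULL,                    // User name. NULL = current user
        NULL,                    // User password. NULL = current
        0,                       // Locale. NULL indicates current
        NULL,                    // Security flags.
        0,                       // Authority (for example, Kerberos)
        0,                       // Context object
        &pSvc                    // pointer to IWbemServices proxy
    );
    if (FAILED(hres))
    {
        cout << "Could not connect. Error code = 0x"
             << hex << hres << endl;
        pLoc->Release();
        CoUninitialize();
        return 1; // Program has failed.
    }
    cout << "Connected to ROOT\\CIMV2 WMI namespace" << endl;
    cout << "Connected to WMI" << endl;

    // Step 5: Set security levels on the proxy so WMI can impersonate the
    // caller when it reads the event log.
    hres = CoSetProxyBlanket(
        pSvc,                        // Indicates the proxy to set
        RPC_C_AUTHN_WINNT,           // RPC_C_AUTHN_xxx
        RPC_C_AUTHZ_NONE,            // RPC_C_AUTHZ_xxx
        NULL,                        // Server principal name
        RPC_C_AUTHN_LEVEL_CALL,      // RPC_C_AUTHN_LEVEL_xxx
        RPC_C_IMP_LEVEL_IMPERSONATE, // RPC_C_IMP_LEVEL_xxx
        NULL,                        // client identity
        EOAC_NONE                    // proxy capabilities
    );
    if (FAILED(hres))
    {
        cout << "Could not set proxy blanket. Error code = 0x"
             << hex << hres << endl;
        pSvc->Release();
        pLoc->Release();
        CoUninitialize();
        return 1; // Program has failed.
    }
    cout << "Security level set on wmi connection" << endl;

    // Step 6: Run the WQL query for all records of the Security log.
    IEnumWbemClassObject* pEnumerator = NULL;
    hres = pSvc->ExecQuery(
        bstr_t("WQL"),
        bstr_t("SELECT * FROM Win32_NTLogEvent Where (Logfile = 'Security')"),
        WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY,
        NULL,
        &pEnumerator);
    if (FAILED(hres))
    {
        cout << "Query for Security log events failed."
             << " Error code = 0x"
             << hex << hres << endl;
        pSvc->Release();
        pLoc->Release();
        CoUninitialize();
        return 1; // Program has failed.
    }
    cout << "data is obtained from the operating system" << endl;

    // Step 7: Walk the enumerator and dump the Message property of each event.
    IWbemClassObject *pclsObj = NULL;
    ULONG uReturn = 0;
    ofstream ofs("log.txt");
    while (pEnumerator)
    {
        HRESULT hr = pEnumerator->Next(WBEM_INFINITE, 1, &pclsObj, &uReturn);
        if (FAILED(hr))
        {
            // With WBEM_FLAG_RETURN_IMMEDIATELY, errors such as access denied
            // surface here rather than from ExecQuery.
            cout << "Enumerating events failed. Error code = 0x"
                 << hex << hr << endl;
            break;
        }
        if (0 == uReturn)
        {
            break; // End of the result set.
        }

        VARIANT vtProp;
        VariantInit(&vtProp);
        hr = pclsObj->Get(L"Message", 0, &vtProp, 0, 0);

        // bstrVal is only meaningful when the VARIANT actually holds a BSTR.
        // A property that is absent or NULL for this event (vt == VT_NULL, or
        // Get failing) leaves bstrVal unusable, and dereferencing it is the
        // access violation at address 0 reported for this program.
        if (SUCCEEDED(hr) && vtProp.vt == VT_BSTR && vtProp.bstrVal != NULL)
        {
            wcout << " Message : " << vtProp.bstrVal << endl;
            // _bstr_t's char* conversion narrows through the ANSI code page;
            // characters outside it are not preserved in the text file.
            _bstr_t b = vtProp.bstrVal;
            ofs << " Message : " << (char*)b << endl;
        }
        else
        {
            wcout << " Message : <none>" << endl;
            ofs << " Message : <none>" << endl;
        }

        VariantClear(&vtProp);
        pclsObj->Release();
        pclsObj = NULL;
    }
    ofs.close();

    // Cleanup
    pSvc->Release();
    pLoc->Release();
    pEnumerator->Release();
    CoUninitialize();
    cin.get();
    return 0; // Program successfully completed.
}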
当我尝试访问该标记下的信息时,程序会引发以下异常:
Exception thrown at 0x0F831D73 (ucrtbased.dll) in test_project.exe:
0xC0000005: Access violation reading location 0x00000000.
请帮我解决上述问题,因为我真的很难弄清楚WMI程序。
谢谢