Question

我不确定有什么区别。它们看起来都像主键。一个人与另一个人有什么不同吗？微软docs对该字段的解释很少。

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">


<EventID>20</EventID> 

<Version>0</Version> 

<Level>4</Level> 

<Task>116</Task> 

<Opcode>0</Opcode> 

<Keywords>0x800000000000000</Keywords> 

<TimeCreated SystemTime="2015-12-27T04:56:25.280553800Z" /> 

<EventRecordID>7178</EventRecordID> 

<Correlation /> 

<Execution ProcessID="7992" ThreadID="1376" /> 

<Channel>Microsoft-Windows-Audio/PlaybackManager</Channel> 

<Computer>John-Desktop</Computer> 

<Security UserID="S-1-5-21-2026109775-3903604127-447048412-1001" /> 

</System>

Answer 1

EventRecordID 是该特定事件日志中事件的索引号。

例如，写入事件日志的第一个事件将具有1作为EventRecordID，然后下一个事件将具有2，依此类推

EventID 用于标识不同类型的事件。

以下是事件ID及其含义的一些示例：

Event ID    Meaning

528         A user successfully logged on to a computer
529         The logon attempt was made with an unknown user name or bad password
530         The user account tried to log on outside of the allowed time
531         A logon attempt was made using a disabled account
532         A logon attempt was made using an expired account

在Windows事件日志中，Windows EventId和EventRecordID有什么区别

1 个答案: