当我使用不带 where 子句的 WMI 查询时,它可以返回一些结果。但是,当我加上 where 子句时,它不返回任何结果。例如,我的事件日志中有事件代码为 4798 的记录,但是 WMI 查询没有返回它。
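{ Queries Win32_NTLogEvent over WMI for a fixed set of audit event codes and
  passes every matching record to Proc.

  domain, user, password - target host and credentials handed to
                           SWbemLocator.ConnectServer.
  Proc                   - callback invoked once per returned event with a
                           TEventLog filled from the WMI object.

  Errors from CreateOleObject, the fallback ConnectServer call, ExecQuery and
  Proc propagate to the caller; errors while reading a single property are
  ignored and leave that field empty. }
procedure GetLogEvents(domain, user, password: string; Proc: TEventLogResultProc);
const
  wbemFlagForwardOnly = $00000020;
var
  FSWbemLocator : OLEVariant;
  FWMIService   : OLEVariant;
  FWbemObjectSet: OLEVariant;
  FWbemObject   : OLEVariant;
  oEnum         : IEnumvariant;
  iValue        : LongWord;
  Res           : TEventLog;
begin
  FSWbemLocator := CreateOleObject('WbemScripting.SWbemLocator');

  // The event codes selected below are Security-log audit events. WMI only
  // returns Security-log records when SeSecurityPrivilege is enabled on the
  // connection; without it the provider leaves those records out, so a query
  // that filters on these codes comes back empty while an unfiltered query
  // still returns events from the other logs. Enabling the privilege here does
  // not grant it: the connecting account must already hold the
  // "Manage auditing and security log" right.
  FSWbemLocator.Security_.Privileges.AddAsString('SeSecurityPrivilege', True);

  try
    FWMIService := FSWbemLocator.ConnectServer(domain, 'root\CIMV2', user, password);
  except
    // NOTE(review): any failure of the remote connection (bad credentials,
    // unreachable host, access denied) silently switches to the local machine
    // under the caller's own identity. The events reported afterwards belong
    // to localhost, not to `domain`; callers that need to tell the two apart
    // have to check Res.ComputerName. Kept as in the original to preserve
    // behaviour.
    FWMIService := FSWbemLocator.ConnectServer('localhost', 'root\CIMV2', '', '');
  end;

  // Forward-only enumeration: results are streamed and cannot be rewound.
  FWbemObjectSet := FWMIService.ExecQuery(
    'SELECT Category,'+
    ' ComputerName,'+
    ' EventCode,'+
    ' Message,'+
    ' RecordNumber,'+
    ' EventType,'+
    ' TimeGenerated,'+
    ' TimeWritten,'+
    ' User,'+
    ' Type,'+
    ' EventIdentifier,'+
    ' SourceName FROM Win32_NTLogEvent '+
    ' Where EventCode="4798" or EventCode="5140" or EventCode="5142" '+
    ' or EventCode="5143" or EventCode="5144" or ' +
    ' EventCode="4663" or EventCode="4659" or EventCode="4656" or EventCode="4907" '+
    ' or EventCode="4660" or EventCode="4670"', 'WQL', wbemFlagForwardOnly);

  oEnum := IUnknown(FWbemObjectSet._NewEnum) as IEnumVariant;
  while oEnum.Next(1, FWbemObject, iValue) = 0 do
  begin
    // Start every record from a clean slate. The per-field reads below swallow
    // conversion errors, so without this reset a field that fails to convert
    // would keep the value of the previous event and be reported as if it
    // belonged to this one.
    Finalize(Res);
    FillChar(Res, SizeOf(Res), 0);

    // Each property is read on its own so that one property that cannot be
    // converted does not discard the rest of the record.
    try Res.Category := String(FWbemObject.Category); except end;
    try Res.ComputerName := String(FWbemObject.ComputerName); except end;
    try Res.sMessage := String(FWbemObject.Message); except end;
    try Res.RecordNumber := Integer(FWbemObject.RecordNumber); except end;
    try Res.EventCode := Integer(FWbemObject.EventCode); except end;
    try Res.EventType := String(FWbemObject.EventType); except end;
    try Res.TimeGenerated := String(FWbemObject.TimeGenerated); except end;
    try Res.TimeWritten := String(FWbemObject.TimeWritten); except end;
    try Res.SourceName := String(FWbemObject.SourceName); except end;
    try Res.User := String(FWbemObject.User); except end;
    try Res.sType := String(FWbemObject.Type); except end;
    try Res.EventIdentifier := String(FWbemObject.EventIdentifier); except end;

    Proc(Res);
    // Drop the COM reference before the enumerator hands out the next object.
    FWbemObject := Unassigned;
  end;
end;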