Warning: file_get_contents(/data/phpspider/zhask/data//catemap/2/powershell/13.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
Powershell 如何通过WMI读取应用程序和服务日志?_Powershell_Wmi - Fatal编程技术网
Fatal编程技术网
  • powershell/
  • Powershell 如何通过WMI读取应用程序和服务日志?

Powershell 如何通过WMI读取应用程序和服务日志?

powershell

Powershell 如何通过WMI读取应用程序和服务日志?,powershell,wmi,Powershell,Wmi,我可以通过powershell中的WMI获取所有事件日志消息,如 Get-WmiObject -query "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security'" 要枚举我使用的所有事件日志 Get-WmiObject win32_nteventlogfile FileSize LogfileName Name

我可以通过powershell中的WMI获取所有事件日志消息,如

Get-WmiObject -query "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security'"
要枚举我使用的所有事件日志

Get-WmiObject win32_nteventlogfile
FileSize LogfileName            Name                                                        NumberOfRecords
-------- -----------            ----                                                        ---------------
26218496 Application            C:\WINDOWS\System32\Winevt\Logs\Application.evtx                      75510
   69632 HardwareEvents         C:\WINDOWS\System32\Winevt\Logs\HardwareEvents.evtx                       0
   69632 Internet Explorer      C:\WINDOWS\System32\Winevt\Logs\Internet Explorer.evtx                    0
   69632 Key Management Service C:\WINDOWS\System32\Winevt\Logs\Key Management Service.evtx               0
   69632 OAlerts                C:\WINDOWS\System32\Winevt\Logs\OAlerts.evtx                             39
   69632 Parameters             C:\WINDOWS\System32\Winevt\Logs\Parameters.evtx                           0
12652544 Security               C:\WINDOWS\System32\Winevt\Logs\Security.evtx                         18840
   69632 State                  C:\WINDOWS\System32\Winevt\Logs\State.evtx                                0
 8458240 System                 C:\WINDOWS\System32\Winevt\Logs\System.evtx                           15108
   69632 Windows Azure          C:\WINDOWS\System32\Winevt\Logs\Windows Azure.evtx                        0
 2166784 Windows PowerShell     C:\WINDOWS\System32\Winevt\Logs\Windows PowerShell.evtx                1656
到目前为止,还没有找到解析应用程序和服务日志下显示的所有其他日志的方法

使用Powershell,我可以通过

Get-WinEvent -ListLog *

LogMode   MaximumSizeInBytes RecordCount LogName
-------   ------------------ ----------- -------
Circular            15728640        1656 Windows PowerShell
Circular             1052672           0 Windows Azure
Circular            20971520       15123 System
Circular            20971520       19404 Security
Circular             1052672          39 OAlerts
Circular            20971520           0 Key Management Service
Circular             1052672           0 Internet Explorer
Circular            20971520           0 HardwareEvents
Circular            26214400       75525 Application
Circular             1052672           0 WitnessClientAdmin
Circular             1052672             Windows Networking Vpn Plugin Platform/OperationalVerbose
Circular             1052672             Windows Networking Vpn Plugin Platform/Operational
Circular             1052672           0 SMSApi
Circular             1052672          66 Setup
Circular             1052672           0 OpenSSH/Operational
Circular             1052672           0 OpenSSH/Admin
Circular             1052672             Network Isolation Operational
Circular             1052672           0 Microsoft-WS-Licensing/Admin
Circular             1052672           0 Microsoft-WindowsPhone-Connectivity-WiFiConnSvc-Channel
Circular             1052672           0 Microsoft-Windows-WWAN-SVC-Events/Operational
但是当我尝试读取其他日志文件时,我什么也得不到。当我尝试阅读例如Microsoft Windows应用程序体验/程序兼容性助手文件时,我没有得到任何回复:

Get-WmiObject -query "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant'"
日志文件具有不同的名称

 Directory of C:\Windows\System32\winevt\Logs

12/26/2019  07:55 PM            69,632 Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx
在事件查看器中,名称显示为

我需要输入到WMI查询以读取事件的正确日志文件名是什么?

我想晚做总比不做好

在注册表中创建以下项:

HKEY\u LOCAL\u MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft Windows程序兼容性助手/analysis

不需要值,只需要键。 然后,您应该能够运行这样的查询

select * from Win32_NTLogEvent where logfile = 'Microsoft-Windows-Program-Compatibility-Assistant/Analytic'
我已经创建了密钥计算机\HKEY\U LOCAL\U MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft Windows程序兼容性助手/分析,但查询仍然返回0命中数日志文件是否实际包含数据?你能告诉我它到底记录了什么吗?我无法在我的环境中测试它,因为日志文件对我来说是空的。