如何获取Powershell>；获取WinEvent>；安全性>；信息>；匹配0x1或0x4的访问掩码

如何获取消息为0x1 | 0x4 |等的安全ID 4663

我尝试了不同的代码，我只想将大约5个代码记录到CSV，我可以导出到CSV，我只能提取4663个ID，但我无法在消息访问掩码上进行过滤，该掩码是消息字段中的文本，任何人都有任何想法，以下是我迄今为止构建的代码：-

$Results = foreach($server in "server-name")
{
    Get-WinEvent -ComputerName $Server -logname security -MaxEvents 10 -ErrorAction SilentlyContinue | where {$_.id -eq "4663"} | select Timecreated, ID, Message | Get-EventLog "Security" -before 4/10/2013 -InstanceId 4663 | % {
    New-Object psobject -Property @{
        Index = $_.Index
        TimeGenerated = $_.TimeGenerated
        "Account Name" = $_.ReplacementStrings[1]
        "Object Type" = $_.ReplacementStrings[5]
        "Object Name" = $_.ReplacementStrings[6]
    }
} | Write-Host

这是记录

#$Results = foreach($server in "file-server")
#{
#    Get-WinEvent -ComputerName $Server -logname security -MaxEvents 10 -ErrorAction SilentlyContinue | where {$_.id -eq "4663"} | select #Timecreated, ID, Message | Write-Host

结果应该是

帐户名称：对象名称：其中记录是访问掩码之一：“0x0”、“0x1”、“0x2”、“0x4”、“0x20”、“0x40”、“0x10000”

---

这就是您要查找的吗？

因此，让我们更深入地了解窗口事件消息

每条消息都有一个模板。您可以像这样查看模板

(Get-WinEvent -ListProvider * -ErrorAction Ignore).Events |
    select Id, Version, Template |
    Format-List

我们可以深入挖掘，找到我们正在寻找的活动，也可以像

(Get-WinEvent -ListProvider * -ErrorAction Ignore).Events |
        Where-Object {$_.Id -eq 4663} |
        select Id, Version, Template |
        Format-List

我们可以看到windows中使用了两个版本的模板。我们还可以看到专有名称是什么

Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
             <data name="SubjectUserSid" inType="win:SID" outType="xs:string"/>
             <data name="SubjectUserName" inType="win:UnicodeString" outType="xs:string"/>
             <data name="SubjectDomainName" inType="win:UnicodeString" outType="xs:string"/>
             <data name="SubjectLogonId" inType="win:HexInt64" outType="win:HexInt64"/>
             <data name="ObjectServer" inType="win:UnicodeString" outType="xs:string"/>
             <data name="ObjectType" inType="win:UnicodeString" outType="xs:string"/>
             <data name="ObjectName" inType="win:UnicodeString" outType="xs:string"/>
             <data name="HandleId" inType="win:Pointer" outType="win:HexInt64"/>
             <data name="AccessList" inType="win:UnicodeString" outType="xs:string"/>
             <data name="AccessMask" inType="win:HexInt32" outType="win:HexInt32"/>
             <data name="ProcessId" inType="win:Pointer" outType="win:HexInt64"/>
             <data name="ProcessName" inType="win:UnicodeString" outType="xs:string"/>
             <data name="ResourceAttributes" inType="win:UnicodeString" outType="xs:string"/>
           </template>

我们将把输出转换成XML并向下解析以获得这些设置，然后创建一个PSObject来存储所有这些设置。然后我们将每个PSObject添加到ArrayList中

$ArrayList = New-Object System.Collections.ArrayList
Get-WinEvent -logname security -FilterXPath "*[System[EventID=4663]]" -MaxEvents 10 | %{
    $XML = [xml]$_.toXml()
    $PsObject =  New-Object psobject
    $XML.Event.EventData.Data | %{
        $PsObject | Add-Member -MemberType NoteProperty -Name $_.Name -Value $_."#text"
    }
    $ArrayList.add($PsObject) | out-null
}

$ArrayList | Select AccessMask

我们在arraylist上只选择了AccessMask，这很好

最后我写了一个函数

function Parse-WindowsEvents(){
    param(
        [Parameter(Position=1, ValueFromPipeline)]
        [object[]]$Events
    )
    process{
        $ArrayList = New-Object System.Collections.ArrayList
        $Events  | %{
            $EventObj = $_
            $EventObjFullName = $_.GetType().FullName
            if($EventObjFullName -like "System.Diagnostics.EventLogEntry"){   
                $EventObj = Get-WinEvent -LogName security -FilterXPath "*[System[EventRecordID=$($_.get_Index())]]"
            }elseif($EventObjFullName -like "System.Diagnostics.Eventing.Reader.EventLogRecord"){

            }else{
                throw "Not An Event System.Diagnostics.Eventing.Reader.EventLogRecord or System.Diagnostics.EventLogEntry"
            }
            $PsObject =  New-Object psobject
            $EventObj.psobject.properties | %{
                $PsObject | Add-Member -MemberType NoteProperty -Name $_.Name -Value $_.Value
            }
            $XML = [xml]$EventObj.toXml()
            $PsObject2 = New-Object psobject
            $XML.Event.EventData.Data | %{
                $PsObject2 | Add-Member -MemberType NoteProperty -Name $_.Name -Value $_."#text"
            }
            $PsObject | Add-Member -MemberType NoteProperty -Name ParsedMessage -Value $PsObject2
            $ArrayList.add($PsObject) | out-null
        }
        return $ArrayList
    }
}

示例用法

Get-EventLog -LogName Security | select -first 3 | Parse-WindowsEvents | select id, recordid -ExpandProperty parsedmessage | fl

或

---

该函数将向名为ParsedMessage的对象添加一个新属性

Im无法100%确定您想要实现什么。就像你在试图解析信息一样？这是惊人的ArcSet，这是一个很好的解释，这将进入我的Evernote笔记。这是一种享受。祝您度过愉快的一天。@DavidArmstrong我在底部添加了一个可重用的函数感谢ArcSet，它看起来不错，但我就是受不了这些错误，这是我放在行中调用该函数的内容：get winevent-ComputerName$ComputerName-logname security |-FilterXPath“*[System[EventID=4663]”-MaxEvents 5显然我错了。以下是我所拥有的：获取WinEvent-ComputerName$ComputerName-logname安全性-FilterXPath“*[System[EventID=4663]]”-MaxEvents 5 |其中{（$.Message-match'\b0x0\b'-或$.Message-match'\b0x1\b'-或$.Message-match'\b0x4\b'-或$.Message-match'\b0x20\b'-或$.Message-match'\X1000\b'}}@DavidArmstrong

Get WinEvent-ComputerName$ComputerName-logname security-FilterXPath“*[System[EventID=4663]]”-MaxEvents 5 | Parse WindowsEvents |？{@（“0x10000”、“0x40”、“0x20”、“0x4”、“0x1”、“0x0”）-包含$.\ParsedMessage.AccessMask}

使用我的帖子中的函数，将函数粘贴到这条线上方，为延迟弧集提供策略，这很有效，只是花了我一点时间过滤掉我需要的字段，真是太感谢你了。这太棒了。我的筛选：$AccessMask=$PsObject |选择字符串模式“Access Mask.*？”-AllMatches | foreach{$\.matches.value}$AccessMask=$AccessMask-replace“（\t）{2}|”，“$AccountName=$PsObject |选择字符串模式“帐户名”。\n”-AllMatches | foreach{$\.matches.value}$AccountName=$AccountName-replace“（\t）{2}”我在我需要的4个文件上使用了这个过滤器，这样我就可以看到谁最后访问了一个文件。非常感谢ArcSetThanks Leon花时间分享您的专业知识，这太棒了，最后我使用了ArcSet的代码，因为我更容易添加所需的其他信息。祝你度过愉快的一天。我只是想让你投票支持Leon，因为我使用了你的过滤和ArcSet的代码来检索和过滤数据。

$ArrayList = New-Object System.Collections.ArrayList
Get-WinEvent -logname security -FilterXPath "*[System[EventID=4663]]" -MaxEvents 10 | %{
    $XML = [xml]$_.toXml()
    $PsObject =  New-Object psobject
    $XML.Event.EventData.Data | %{
        $PsObject | Add-Member -MemberType NoteProperty -Name $_.Name -Value $_."#text"
    }
    $ArrayList.add($PsObject) | out-null
}

$ArrayList | Select AccessMask

function Parse-WindowsEvents(){
    param(
        [Parameter(Position=1, ValueFromPipeline)]
        [object[]]$Events
    )
    process{
        $ArrayList = New-Object System.Collections.ArrayList
        $Events  | %{
            $EventObj = $_
            $EventObjFullName = $_.GetType().FullName
            if($EventObjFullName -like "System.Diagnostics.EventLogEntry"){   
                $EventObj = Get-WinEvent -LogName security -FilterXPath "*[System[EventRecordID=$($_.get_Index())]]"
            }elseif($EventObjFullName -like "System.Diagnostics.Eventing.Reader.EventLogRecord"){

            }else{
                throw "Not An Event System.Diagnostics.Eventing.Reader.EventLogRecord or System.Diagnostics.EventLogEntry"
            }
            $PsObject =  New-Object psobject
            $EventObj.psobject.properties | %{
                $PsObject | Add-Member -MemberType NoteProperty -Name $_.Name -Value $_.Value
            }
            $XML = [xml]$EventObj.toXml()
            $PsObject2 = New-Object psobject
            $XML.Event.EventData.Data | %{
                $PsObject2 | Add-Member -MemberType NoteProperty -Name $_.Name -Value $_."#text"
            }
            $PsObject | Add-Member -MemberType NoteProperty -Name ParsedMessage -Value $PsObject2
            $ArrayList.add($PsObject) | out-null
        }
        return $ArrayList
    }
}

Get-EventLog -LogName Security | select -first 3 | Parse-WindowsEvents | select id, recordid -ExpandProperty parsedmessage | fl

get-winevent -logName security | parse-winevents