WMI Tasks: Event Logs

WMI tasks for event logs obtain event data from the event logs and perform operations such as backing up or clearing log files. For other examples, see the TechNet ScriptCenter at https://www.microsoft.com/technet

The script examples shown in this topic obtain data only from the local computer. For more information about how to use scripts to obtain data from remote computers, see Connecting to WMI on a Remote Computer.

The following procedure describes how to run a script.

To run a script

  1. Copy the code and save it in a file with a .vbs extension, such as filename.vbs. Ensure that your text editor does not add a .txt extension to the file.
  2. Open a command prompt window and navigate to the directory where you saved the file.
  3. Type cscript filename.vbs at the command prompt.
  4. If you cannot access the event log, check whether you are running from an elevated command prompt. Some event logs, such as the Security event log, may be protected by User Account Control (UAC).

Note

By default, cscript displays the output of a script in the command prompt window. Because WMI scripts can produce large amounts of output, you might want to redirect the output to a file. Type cscript filename.vbs > outfile.txt at the command prompt to redirect the output of the filename.vbs script to outfile.txt.

The following table lists script examples that can be used to obtain various types of data from the local computer.

How do I...        WMI classes or methods

...retrieve information about the Security event log? Include the Security privilege when connecting to the Win32_NTEventlogFile class. For more information, see Executing Privileged Operations Using VBScript.
VB
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" & _
        strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile " _
        & "Where LogFileName='Security'")
For Each objLogFile in colLogFiles
    ' Number of records currently in the log and its configured maximum size (bytes)
    Wscript.Echo objLogFile.NumberOfRecords
    Wscript.Echo "Maximum Size: " & objLogFile.MaxFileSize
Next
PowerShell
$strComputer = "."
$colLogFiles = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $strComputer | Where-Object {$_.LogFileName -eq 'security'}
foreach ($objLogFile in $colLogFiles) 
{ 
    "Record Number: " + $objLogFile.NumberOfRecords
    "Maximum Size: " + $objLogFile.MaxFileSize
}
...back up an event log?

Use the Win32_NTEventlogFile class and the BackupEventLog method. You may need to include the Backup privilege when connecting to WMI. For more information, see Executing Privileged Operations Using VBScript.

VB
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Backup)}!\\" & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery ("Select * from Win32_NTEventLogFile " & "Where LogFileName='Application'")
For Each objLogfile in colLogFiles
    ' BackupEventLog returns 0 on success; the target file must not already exist
    errBackupLog = objLogFile.BackupEventLog("c:\scripts\application.evt")
    If errBackupLog = 0 Then
        WScript.Echo "File saved as c:\scripts\application.evt"
    Else
        WScript.Echo "Backup failed, return code " & errBackupLog
    End If
Next

PowerShell
$strComputer = "."
$colLogFiles = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $strComputer | Where-Object {$_.LogFileName -eq 'Application'}

foreach ($objLogFile in $colLogFiles)
{
    [void]$objLogFile.BackupEventlog("c:\scripts\application.evt")
    "File saved as c:\scripts\application.evt"
}

...back up an event log more than once?

Before using the BackupEventLog method of the Win32_NTEventlogFile class, make sure the backup file has a unique name. The operating system does not allow an existing backup file to be overwritten; you must move or rename the backup file before running the script again. You may need to include the Backup privilege when connecting to WMI. For more information, see Executing Privileged Operations Using VBScript.

VB
dtmThisDay = Day(Date)
dtmThisMonth = Month(Date)
dtmThisYear = Year(Date)
strBackupName = dtmThisYear & "_" & dtmThisMonth & "_" & dtmThisDay
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Backup)}!\\" & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery ("Select * from Win32_NTEventLogFile " & "Where LogFileName='Application'")
For Each objLogfile in colLogFiles
    objLogFile.BackupEventLog("c:\scripts\" & strBackupName & "_application.evt")
    objLogFile.ClearEventLog()
    WScript.Echo "File saved: " & strBackupName & "_application.evt"
Next

PowerShell
$CurDate = Get-Date
$strBackupName = $CurDate.Year.ToString() + "_" + $CurDate.Month.ToString() + "_" + $CurDate.Day.ToString()

$strComputer = "."
$colLogFiles = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $strComputer | Where-Object {$_.LogFileName -eq 'Application'}
foreach ($objLogFile in $colLogFiles)
{
    # Date-stamped file name; the trailing backslash after c:\scripts is required
    $BackupFile = $objLogFile.BackupEventlog("c:\scripts\" + $strBackupName + "_application.evt")
    "File saved: c:\scripts\" + $strBackupName + "_application.evt"
}

...determine the number of records in an event log?

Use the Win32_NTEventlogFile class and check the value of the NumberOfRecords property.

VB
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery ("Select * from Win32_NTEventLogFile " & "Where LogFileName='System'")
For Each objLogFile in colLogFiles
    Wscript.Echo objLogFile.NumberOfRecords
Next

PowerShell
$strComputer = "."
$colLogFiles = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $strComputer | Where-Object {$_.LogFileName -eq 'System'}

foreach ($objLogFile in $colLogFiles)
{
    $objLogFile.NumberOfRecords
}

...clear my event log?

Use the Win32_NTEventlogFile class and the ClearEventLog method.

VB
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Backup, Security)}!\\" & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery ("Select * from Win32_NTEventLogFile " & "Where LogFileName='Application'")
For Each objLogfile in colLogFiles
    objLogFile.ClearEventLog()
    WScript.Echo "Cleared application event log file"
Next

PowerShell
$strComputer = "."
# Filter on the Application log so the script matches the VB version and its message
$colLogFiles = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $strComputer | Where-Object {$_.LogFileName -eq 'Application'}

foreach ($objLogFile in $colLogFiles)
{
    [void]$objLogFile.ClearEventlog()
    "Cleared application event log file"
}
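The "back up more than once" and "clear my event log" tasks above are usually done together, so here they are combined in an added example (not the page's own code): it refuses to overwrite an existing archive, since the operating system will not, checks the ReturnValue of BackupEventLog (0 is success) and clears the log only if the backup succeeded. The archive folder C:\scripts, the log name and running elevated are assumptions; the Backup and Security privileges are requested with -EnableAllPrivileges.

```powershell
# Added example (not from the page): back up a log to a timestamped .evt file,
# verify the call succeeded, and only then clear the log.
# Assumptions: C:\scripts exists and is writable; the session is elevated so the
# Backup and Security privileges can be enabled (-EnableAllPrivileges).
function Backup-AndClearEventLog {
    param(
        [string]$LogName = 'Application',     # LogFileName as Win32_NTEventLogFile reports it
        [string]$ArchiveDir = 'C:\scripts',   # assumed destination folder
        [string]$ComputerName = '.'
    )
    $stamp   = (Get-Date).ToString('yyyy_MM_dd_HHmmss')
    $archive = Join-Path $ArchiveDir ("{0}_{1}.evt" -f $stamp, $LogName.ToLower())

    # BackupEventLog fails if the target already exists, so refuse early.
    if (Test-Path -LiteralPath $archive) {
        throw "Archive '$archive' already exists; move or rename it first."
    }

    # WQL filter instead of Where-Object: only the requested log is returned.
    $logFile = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $ComputerName `
        -EnableAllPrivileges -Filter "LogFileName='$LogName'"
    if (-not $logFile) { throw "No event log named '$LogName' on $ComputerName." }

    # WMI method calls return an object whose ReturnValue is 0 on success.
    $result = $logFile.BackupEventLog($archive)
    if ($result.ReturnValue -ne 0) {
        throw "BackupEventLog failed with return code $($result.ReturnValue); log not cleared."
    }

    $clear = $logFile.ClearEventLog()
    if ($clear.ReturnValue -ne 0) {
        throw "Backup written to '$archive' but ClearEventLog returned $($clear.ReturnValue)."
    }
    "Backed up $LogName to $archive and cleared the log."
}

Backup-AndClearEventLog -LogName 'Application'
```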

...read events from an event log?

Use the Win32_NTLogEvent class.

VB
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent " _
        & "Where Logfile = 'System'")
For Each objEvent in colLoggedEvents
    Wscript.Echo "Category: " & objEvent.Category & VBNewLine _
    & "Computer Name: " & objEvent.ComputerName & VBNewLine _
    & "Event Code: " & objEvent.EventCode & VBNewLine _
    & "Message: " & objEvent.Message & VBNewLine _
    & "Record Number: " & objEvent.RecordNumber & VBNewLine _
    & "Source Name: " & objEvent.SourceName & VBNewLine _
    & "Time Written: " & objEvent.TimeWritten & VBNewLine _
    & "Event Type: " & objEvent.Type & VBNewLine _
    & "User: " & objEvent.User
Next

PowerShell
$strComputer = "."
$colLoggedEvents = Get-WmiObject -Class Win32_NTLogEvent -ComputerName $strComputer | Where-Object {$_.LogFile -eq 'System'}

foreach ($objEvent in $colLoggedEvents)
{
    "Category: " + $objEvent.Category
    "Computer Name: " + $objEvent.ComputerName
    "Event Code: " + $objEvent.EventCode
    "Message: " + $objEvent.Message
    "Record Number: " + $objEvent.RecordNumber
    "Source Name: " + $objEvent.SourceName
    "Time Written: " + $objEvent.TimeWritten
    "Event Type: " + $objEvent.Type
    "User: " + $objEvent.User
}
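An added example (not the page's own code) that builds on the Win32_NTLogEvent entry above: it filters on the WMI side with a WQL WHERE clause instead of piping every event through Where-Object, converts the DMTF-format TimeWritten string with System.Management.ManagementDateTimeConverter, and looks for the records a defender checks after ClearEventLog has been used, Security event 1102 and System event 104 (the standard Windows IDs written when those logs are cleared). The time window and computer name are parameters; the Security privilege is requested with -EnableAllPrivileges.

```powershell
# Added example (not from the page): read only the events of interest from
# Win32_NTLogEvent. Win32_NTLogEvent stores TimeWritten as a DMTF datetime string
# ("yyyymmddHHMMSS.ffffff+UUU"), which WQL compares lexically, so the lower
# bound is built in the same format.
function Get-LogClearEvents {
    param(
        [int]$Hours = 24,             # look-back window
        [string]$ComputerName = '.'
    )
    $since = [Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddHours(-$Hours))

    # 1102 = Security log cleared, 104 = System log cleared (standard Windows event IDs)
    $query = "SELECT * FROM Win32_NTLogEvent WHERE " +
             "((Logfile='Security' AND EventCode=1102) OR (Logfile='System' AND EventCode=104)) " +
             "AND TimeWritten >= '$since'"

    # Reading the Security log needs the Security privilege (first row of the table).
    Get-WmiObject -Query $query -ComputerName $ComputerName -EnableAllPrivileges |
        ForEach-Object {
            [pscustomobject]@{
                Log     = $_.Logfile
                EventId = $_.EventCode
                Time    = [Management.ManagementDateTimeConverter]::ToDateTime($_.TimeWritten)
                User    = $_.User
                Message = ($_.Message -replace '\s+', ' ').Trim()
            }
        }
}

Get-LogClearEvents -Hours 24 | Format-Table -AutoSize
```

An empty result means no clear event was recorded in the window; a non-empty one lists who cleared which log and when, which is the record to keep when a log is backed up and cleared as in the earlier tasks.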

WMI Tasks for Scripts and Applications

WMI C++ Application Examples

TechNet ScriptCenter