如何获取在 windows 上卸载应用程序的用户的用户名?
How to get the user name of the user who uninstalled an application on windows?
我正在尝试解析 windows 事件日志以列出设备上卸载的每个软件以及卸载者。
这是我到目前为止的想法:
- 匹配事件 1040(应用程序卸载):
PowerShell -ExecutionPolicy ByPass -Command "Get-WinEvent -FilterHashTable @{logname=’application’; id=1040; StartTime=(get-date).AddDays(-1)} | select timecreated, level, id, message, ProviderName, User | Export-Csv -Append C:\BCM\eventerr.csv -notype"
- 获取活动中给出的"User":
Get-WinEvent -MaxEvents 10 | foreach {
$sid = $_.userid;
if($sid -eq $null) { return; }
$objSID = New-Object System.Security.Principal.SecurityIdentifier($sid);
$objUser = $objSID.Translate([System.Security.Principal.NTAccount]);
Write-Host $objUser.Value;
}
但它首先输出一个错误:
Error: Attempted to perform an unauthorized operation.. At line:1
char:1 + Get-WinEvent -MaxEvents 10 | foreach { +
~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:)
[Get-WinEvent], Exception + FullyQualifiedErrorId :
LogInfoUnavailable,Microsoft.PowerShell.Commands.GetWinEventCommand
然后它输出一个包含 2 个用户的列表...
编辑:以下是无用的,因为我意识到第二个命令行不会(总是?)输出正确的结果...
我试着像这样组合这些:
PowerShell -ExecutionPolicy ByPass -Command "Get-WinEvent -MaxEvents 10 -FilterHashTable @{logname=’application’; id=1040; StartTime=(get-date).AddDays(-1)} | select timecreated, level, id, message, ProviderName, User | foreach {$sid = $_.userid; if($sid -eq $null) { return; } $objSID = New-Object System.Security.Principal.SecurityIdentifier($sid); $objUser = $objSID.Translate([System.Security.Principal.NTAccount]); Write-Host $objUser.Value;}| Export-Csv -Append C:\BCM\eventerr.csv -notype"
但是我在 powershell 中得到这个错误 window:
At line:1 char:325
+ ... rityIdentifier(); AD\user = S-1-5-21-935981524-3360503449-101602611-2988 ...
+ ~ An expression was expected after '('.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ExpectedExpression
有人可以帮我解决这个问题吗?
提前致谢:)
这是你的两个函数的组合:
Get-WinEvent -FilterHashTable @{logname='application'; id=1040; StartTime=(get-date).AddDays(-10)} | ? {$_.userid} | % {
$objSID = New-Object System.Security.Principal.SecurityIdentifier ($_.userid)
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
[pscustomobject]@{
User = $objUser.Value
timecreated = $_.timecreated
level = $_.level
id = $_.id
message = $_.message
ProviderName = $_.ProviderName
}
} | Export-Csv -Append C:\BCM\eventerr.csv -notype
这是一个非常长的单行:
PowerShell -ExecutionPolicy ByPass -Command "Get-WinEvent -FilterHashTable @{logname='application'; id=1040; StartTime=(get-date).AddDays(-10)} | ? {$_.userid} | % {$objSID = New-Object System.Security.Principal.SecurityIdentifier ($_.userid); $objUser = $objSID.Translate( [System.Security.Principal.NTAccount]);[pscustomobject]@{User = $objUser.Value;timecreated = $_.timecreated;level = $_.level;id = $_.id;message = $_.message;ProviderName = $_.ProviderName}} | Export-Csv -Append C:\BCM\eventerr.csv -notype"
编辑:添加了 Where-Object 过滤器以删除日志中没有用户 ID 的条目以解决 A constructor was not found. Cannot find an appropriate constructor for type System.Security.Principal.SecurityIdentifier. 错误消息。
我正在尝试解析 windows 事件日志以列出设备上卸载的每个软件以及卸载者。
这是我到目前为止的想法:
- 匹配事件 1040(应用程序卸载):
PowerShell -ExecutionPolicy ByPass -Command "Get-WinEvent -FilterHashTable @{logname=’application’; id=1040; StartTime=(get-date).AddDays(-1)} | select timecreated, level, id, message, ProviderName, User | Export-Csv -Append C:\BCM\eventerr.csv -notype"
- 获取活动中给出的"User":
Get-WinEvent -MaxEvents 10 | foreach {
$sid = $_.userid;
if($sid -eq $null) { return; }
$objSID = New-Object System.Security.Principal.SecurityIdentifier($sid);
$objUser = $objSID.Translate([System.Security.Principal.NTAccount]);
Write-Host $objUser.Value;
}
但它首先输出一个错误:
Error: Attempted to perform an unauthorized operation.. At line:1 char:1 + Get-WinEvent -MaxEvents 10 | foreach { + ~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Get-WinEvent], Exception + FullyQualifiedErrorId : LogInfoUnavailable,Microsoft.PowerShell.Commands.GetWinEventCommand
然后它输出一个包含 2 个用户的列表...
编辑:以下是无用的,因为我意识到第二个命令行不会(总是?)输出正确的结果...
我试着像这样组合这些:
PowerShell -ExecutionPolicy ByPass -Command "Get-WinEvent -MaxEvents 10 -FilterHashTable @{logname=’application’; id=1040; StartTime=(get-date).AddDays(-1)} | select timecreated, level, id, message, ProviderName, User | foreach {$sid = $_.userid; if($sid -eq $null) { return; } $objSID = New-Object System.Security.Principal.SecurityIdentifier($sid); $objUser = $objSID.Translate([System.Security.Principal.NTAccount]); Write-Host $objUser.Value;}| Export-Csv -Append C:\BCM\eventerr.csv -notype"
但是我在 powershell 中得到这个错误 window:
At line:1 char:325 + ... rityIdentifier(); AD\user = S-1-5-21-935981524-3360503449-101602611-2988 ... + ~ An expression was expected after '('. + CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException + FullyQualifiedErrorId : ExpectedExpression
有人可以帮我解决这个问题吗?
提前致谢:)
这是你的两个函数的组合:
Get-WinEvent -FilterHashTable @{logname='application'; id=1040; StartTime=(get-date).AddDays(-10)} | ? {$_.userid} | % {
$objSID = New-Object System.Security.Principal.SecurityIdentifier ($_.userid)
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
[pscustomobject]@{
User = $objUser.Value
timecreated = $_.timecreated
level = $_.level
id = $_.id
message = $_.message
ProviderName = $_.ProviderName
}
} | Export-Csv -Append C:\BCM\eventerr.csv -notype
这是一个非常长的单行:
PowerShell -ExecutionPolicy ByPass -Command "Get-WinEvent -FilterHashTable @{logname='application'; id=1040; StartTime=(get-date).AddDays(-10)} | ? {$_.userid} | % {$objSID = New-Object System.Security.Principal.SecurityIdentifier ($_.userid); $objUser = $objSID.Translate( [System.Security.Principal.NTAccount]);[pscustomobject]@{User = $objUser.Value;timecreated = $_.timecreated;level = $_.level;id = $_.id;message = $_.message;ProviderName = $_.ProviderName}} | Export-Csv -Append C:\BCM\eventerr.csv -notype"
编辑:添加了 Where-Object 过滤器以删除日志中没有用户 ID 的条目以解决 A constructor was not found. Cannot find an appropriate constructor for type System.Security.Principal.SecurityIdentifier. 错误消息。