How to install Sysmon with a config file on a remote machine
What I want to accomplish:
A program that copies Sysmon to a remote machine and installs it with a given configuration file that captures all events listed in the specification.
I was able to copy all the files successfully. But when I try to run the installer sysmon64.exe on the remote machine, it gives me an error.
PS C:\Users\Administrator> C:\Users\Administrator\Documents\Sysmon.ps1
Error:
System Monitor v12.0 - System activity monitor
Copyright (C) 2014-2020 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com
NotSpecified: (:String) [], RemoteException
+ CategoryInfo : NotSpecified: (:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
+ PSComputerName : 192.168.0.5
Usage:
Install: c:\windows\cpsysmon\Sysmon64.exe -i [<configfile>]
Update configuration: c:\windows\cpsysmon\Sysmon64.exe -c [<configfile>]
Install event manifest: c:\windows\cpsysmon\Sysmon64.exe -m
Print schema: c:\windows\cpsysmon\Sysmon64.exe -s
Uninstall: c:\windows\cpsysmon\Sysmon64.exe -u [force]
-c Update configuration of an installed Sysmon driver or dump the
current configuration if no other argument is provided. Optionally
take a configuration file.
-i Install service and driver. Optionally take a configuration file.
-m Install the event manifest (done on service install as well).
-s Print configuration schema definition of the specified version.
Specify 'all' to dump all schema versions (default is latest).
-u Uninstall service and driver. Adding force causes uninstall to proceed
even when some components are not installed.
The service logs events immediately and the driver installs as a boot-start driver to capture activity from early in the boot that the service will write to the event
log when it starts.
On Vista and higher, events are stored in "Applications and Services Logs/Microsoft/Windows/Sysmon/Operational". On older systems, events are written to the System
event log.
Use the '-? config' command for configuration file documentation.
More examples are available on the Sysinternals website.
Specify -accepteula to automatically accept the EULA on installation, otherwise you will be interactively prompted to accept it.
Neither install nor uninstall requires a reboot.
Script:
# Open a remoting session to the target as the domain administrator
$Session = New-PSSession -ComputerName 192.168.0.5 -Credential "Study\Administrator"
# Push the Sysmon binaries (and config) from the local folder into the remote install directory
Copy-Item "C:\Users\Administrator\Desktop\Sysmon\*.*" -ToSession $Session -Destination C:\Windows\cpsysmon\ -Recurse
# Run the installer remotely; this is the call that produces the usage text and NativeCommandError above
Invoke-Command -Session $Session -ScriptBlock {cmd.exe /C "c:\windows\cpsysmon\Sysmon64.exe" /silent -Wait}
I think you just need to replace
cmd.exe /C "c:\windows\cpsysmon\Sysmon64.exe" /silent -Wait
with
cmd.exe /C "c:\windows\cpsysmon\Sysmon64.exe" -i -n -accepteula
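The question asks for an install that also loads a configuration file, so here is a complete version of the deployment as an added example; it is not the asker's or the answerer's code. It uses the host, credential and paths from the question, and assumes two things not stated on the page: that the config file is called sysmonconfig.xml and ships in the same local folder as Sysmon64.exe, and that the installed service is named Sysmon64 (Sysmon names its service after the executable). It passes -i <configfile> (or -c <configfile> when Sysmon64 is already present, so a re-run only reloads the config), uses Start-Process so the installer's stderr does not surface as a RemoteException in the session, and verifies the service state and the Sysmon event log afterwards.

```powershell
# Added example, not from the original question or answer.
# Assumptions: config file name sysmonconfig.xml; remote service name Sysmon64.
$Target     = '192.168.0.5'
$Credential = Get-Credential -UserName 'Study\Administrator' -Message 'Remote admin credentials'
$LocalSrc   = 'C:\Users\Administrator\Desktop\Sysmon'
$RemoteDir  = 'C:\Windows\cpsysmon'
$ConfigName = 'sysmonconfig.xml'   # assumed file name

$Session = New-PSSession -ComputerName $Target -Credential $Credential

# Create the destination first, then push binaries and config in one copy
Invoke-Command -Session $Session -ScriptBlock {
    param($Dir)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
} -ArgumentList $RemoteDir
Copy-Item -Path "$LocalSrc\*" -Destination $RemoteDir -ToSession $Session -Recurse -Force

$Result = Invoke-Command -Session $Session -ScriptBlock {
    param($Dir, $ConfigName)
    $Exe = Join-Path $Dir 'Sysmon64.exe'
    $Cfg = Join-Path $Dir $ConfigName

    # -i installs service and driver; if Sysmon64 is already installed, -c only reloads the config
    $Installed = Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue
    $Switch    = if ($Installed) { '-c' } else { '-i' }

    # Start-Process keeps the installer's usage/stderr text out of the remoting error stream
    # (the source of the NativeCommandError in the question) and returns a real exit code
    $Proc = Start-Process -FilePath $Exe -ArgumentList @('-accepteula', $Switch, $Cfg) `
                          -Wait -PassThru -NoNewWindow

    # Verify: service running and the operational log reachable (it exists once the manifest is installed)
    $Svc       = Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue
    $LastEvent = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Action    = $Switch
        ExitCode  = $Proc.ExitCode
        Service   = if ($Svc) { $Svc.Status } else { 'missing' }
        LastEvent = if ($LastEvent) { $LastEvent.TimeCreated } else { $null }
    }
} -ArgumentList $RemoteDir, $ConfigName

Remove-PSSession $Session
$Result | Format-List

# Fail loudly so an orchestration job does not report a half-installed sensor as success
if ($Result.ExitCode -ne 0 -or $Result.Service -ne 'Running') {
    throw "Sysmon deployment on $Target did not complete cleanly (exit $($Result.ExitCode), service $($Result.Service))"
}
```

Run it from an elevated PowerShell 5.0 or later session (Copy-Item -ToSession needs 5.0). If you deliberately want the bare install the answer shows, drop the config argument and add -n; either way -accepteula is required, because without it the installer waits for an interactive EULA prompt that can never be answered inside Invoke-Command.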