powershell Get-Winevent -FilterXML

Question

当我运行以下查询时...

C:\>powershell "Get-WinEvent -FilterXML ""<QueryList><Query><Select Path='System'>*[System[(EventID=1074 or EventID=6013) and TimeCreated[@SystemTime&gt;='2015-01-23T05:00:00.000Z' and @SystemTime&lt;='2015-01-27T17:59:59.999Z']]]</Select></Query></QueryList>" ""

...I获取表格格式的输出：

ProviderName: EventLog

TimeCreated                     Id LevelDisplayName Message

-----------   -- ---------------- -------

1/27/2015 12:00:00 PM         6013 Information      The system uptime is 349...

.....

但是当我尝试使用Select-Object时...

C:\>powershell "Get-WinEvent -FilterXML ""<QueryList><Query><Select Path='System'>*[System[(EventID=1074 or EventID=6013) and TimeCreated[@SystemTime&gt;='2015-01-23T05:00:00.000Z' and @SystemTime&lt;='2015-01-27T17:59:59.999Z']]]</Select></Query></QueryList>" | Select-Object TimeCreated""

...I收到以下错误：

'Select-Object' is not recognized as an internal or external command, operable program or batch file.

为什么我会得到这个错误？我在32位的Server2008Standard Edition上运行它，我必须通过正常的命令提示符运行它。

Answer 1

这个问题是一个特殊字符的问题，并从CMD中对它们进行转义。

这个最简单的解决方案是将命令转换为Base64字符串，并使用-EncodedCommand参数运行Powershell。这样就不需要在提示符中出现特殊字符。

来自Powershell帮助：

#To use the -EncodedCommand parameter:
$command = 'dir "c:\program files" '
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
powershell.exe -encodedCommand $encodedCommand

完成上述操作后，它通过CMD运行，没有出现错误。为方便起见，这是要使用的以下Base64字符串：RwBlAHQALQBXAGkAbgBFAHYAZQBuAHQAIAAtAEYAaQBsAHQAZQByAFgATQBMACAAIgA8AFEAdQBlAHIAeQBMAGkAcwB0AD4APABRAHUAZQByAHkAPgA8AFMAZQBsAGUAYwB0ACAAUABhAHQAaAA9ACcAUwB5AHMAdABlAG0AJwA+ACoAWwBTAHkAcwB0AGUAbQBbACgARQB2AGUAbgB0AEkARAA9ADEAMAA3ADQAIABvAHIAIABFAHYAZQBuAHQASQBEAD0ANgAwADEAMwApACAAYQBuAGQAIABUAGkAbQBlAEMAcgBlAGEAdABlAGQAWwBAAFMAeQBzAHQAZQBtAFQAaQBtAGUAJgBnAHQAOwA9ACcAMgAwADEANQAtADAAMQAtADIAMwBUADAANQA6ADAAMAA6ADAAMAAuADAAMAAwAFoAJwAgAGEAbgBkACAAQABTAHkAcwB0AGUAbQBUAGkAbQBlACYAbAB0ADsAPQAnADIAMAAxADUALQAwADEALQAyADcAVAAxADcAOgA1ADkAOgA1ADkALgA5ADkAOQBaACcAXQBdAF0APAAvAFMAZQBsAGUAYwB0AD4APAAvAFEAdQBlAHIAeQA+ADwALwBRAHUAZQByAHkATABpAHMAdAA+ACIAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAFQAaQBtAGUAQwByAGUAYQB0AGUAZAA=