如何记录powershell和任务计划程序发出的所有dns请求？

Question

我要记录dns请求历史记录。因此，我在下面编写了powershell脚本。

$PROC_ID = Get-WinEvent microsoft-windows-dns-client/operational -MaxEvents 1 -FilterXPath "*[System/EventID=3006]" | Select-Object -ExpandProperty processid   
$TIMESTAMP = Get-WinEvent microsoft-windows-dns-client/operational -MaxEvents 1 -FilterXPath "*[System/EventID=3006]" | Select-Object -ExpandProperty timecreated     
$LOG_MSG = Get-WinEvent microsoft-windows-dns-client/operational -MaxEvents 1 -FilterXPath "*[System/EventID=3006]" | Select-Object -ExpandProperty message  

$PROC_NAME = Get-Process -id $PROC_ID | Select-Object -ExpandProperty processname  
$TIMESTAMP_SPLIT = $TIMESTAMP -split " "       
$LOG_DATE = $TIMESTAMP_SPLIT[0]        
$LOG_TIME = $TIMESTAMP_SPLIT[1]       
$LOG_URL = $LOG_MSG -replace '^\S{2}\s([^,]+).+','$1'

$LOG = "$LOG_DATE`t$LOG_TIME`t$PROC_ID`t$PROC_NAME`t$LOG_URL"  
$LOG >> C:\dns.csv

并制定了3006事件发生时运行脚本的任务调度。

C:\>schtasks /query /tn dns_history /fo list /v

Folder:                                 \
HostName:                               LG
TaskName:                               \dns_history
Next Run Time:                          N/A
Status:                                 Ready
Logon Mode:                             Interactive/Background
Last Run Time:                          2017-05-14 오후 4:39:07
Last Result:                            0
Author:                                 lg\Administrator
Task To Run:                        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -file C:\Test\Powershell\dns.ps1
Start In:                               N/A
Comment:                                N/A
Scheduled Task State:                   Enabled
Idle Time:                              Disabled
Power Management:                       Stop On Battery Mode, No Start On Batteries
Run As User:                            LG\administrator
Delete Task If Not Rescheduled:         Disabled
Stop Task If Runs X Hours and X Mins:   72:00:00
Schedule:                               Scheduling data is not available in this format.
Schedule Type:                          When an event occurs
Start Time:                             N/A
Start Date:                             N/A
End Date:                               N/A
Days:                                   N/A
Months:                                 N/A
Repeat: Every:                          N/A
Repeat: Until: Time:                    N/A
Repeat: Until: Duration:                N/A
Repeat: Stop If Still Running:          N/A

这就是结果。

​

​

但并没有记录所有dns请求。

​

​

我的脚本只记录同时发生的dns请求中的最后一个dns请求。是不是任务调度器的限制？如何记录所有dns请求？

​

​

并且在运行restless1987的代码时，出现下面的错误。

Register-WMIEvent : Wrong Class. 
Location D:\test.ps1:9 Character:1
+ Register-WMIEvent -query "Select * From __InstanceCreationEvent within 3 $filter ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Register-WmiEvent], ManagementException
    + FullyQualifiedErrorId : System.Management.ManagementException,Microsoft.PowerShell.Commands.RegisterWmiEventCommand

Answer 1

Taskscheduler在某些情况下可能非常不可靠。

如果您碰巧遇到这种情况，也许您可以注册一个powershell wmi事件观察器，以记录在那里创建的每个实例。

仍然有一些事情要做，但它应该是一个起点。您必须调整过滤器，使其从正确的日志文件中获取事件。

$class = 'Win32_NtEventLog'
$EventCode = 3006
$filter = "Where TargetInstance ISA '$class' and eventcode = '$EventCode'"

$codeblock = {
    $eventargs.newevent.targetinstance #<- should have all info you need
}

Register-WMIEvent -query "Select * From __InstanceCreationEvent within 3 $filter" `
-messageData "DNS event " -sourceIdentifier "New DNS query" -Action $codeblock

While ($true){
    Start-Sleep 5
}