需要在事件日志中对特定U盘进行XPath筛选

Question

每当我拿出win10 BitLocker USB启动盘(TSK)时，我都会尝试让设备关机。我已经启用了DriverFrameworks-UserMode/Operational Logging来生成适当的日志，我想在日志中抓取特定U盘的InstanceID。

如果我执行以下操作，它可以从所有删除的USB中拉出所有2102个事件：

Get-WinEvent -LogName Microsoft-Windows-DriverFrameworks-UserMode/Operational -FilterXPath '*[System[(EventID=2102)]]'

但是，当我尝试筛选一个特定的驱动器时，它就会出错：

Get-WinEvent -LogName Microsoft-Windows-DriverFrameworks-UserMode/Operational -FilterXPath '*[System[(EventID=2102)]] and *[UserData[UMDFHostDeviceRequest[@instanceID="SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN__USB&PROD__SANDISK_3.2GEN1&REV_1.00#0401FCC4C24B5204ED6A023E9446EBDE67DADF08C86BAB77DBE89C8C17C339C#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}"]]]'

无论我是尝试将所有&更改为&，还是更改上面发布的原始up，都会出现以下错误：

Get-WinEvent : No events were found that match the specified selection criteria.
At line:1 char:1
+ Get-WinEvent -LogName Microsoft-Windows-DriverFrameworks-UserMode/Ope ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~      
+ CategoryInfo : ObjectNotFound: (:) [Get-WinEvent], Exception               
+ FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand 

任何帮助都将不胜感激。

2102事件Id 2102常规选项卡(事件查看器)-消息

  Forwarded a finished Pnp or Power operation (27, 23) to the lower driver for device SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN__USB&PROD__SANDISK_3.2GEN1&REV_1.00#0401FCC4C24B5204ED6A023E9446EBDE67DADF08C86BAB77DBE89C8C17C339C#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B} with status 0x0


    Logname: Microsoft-Windows-DriverFrameworks-UserMode/Operational
    Source: DriverFrameworks-UserMode     Logged: [Date]
    Event ID: 2102                        Task Category: Pnp or Power Management to a particular device
    Level: Information                    Keywords: 
    User : LOCAL SERVICE                  Computer: [Computername]
    Op Code: (2)

2102 XML View事件Id 2102详细信息选项卡(事件查看器)- XML视图

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
    <Provider Name="Microsoft-Windows-DriverFrameworks-UserMode" Guid="{2e35aaeb-857f-4beb-a418-2e6c0e54d988}" /> 
    <EventID>2102</EventID> 
    <Version>1</Version> 
    <Level>4</Level> 
    <Task>37</Task> 
    <Opcode>2</Opcode> 
    <Keywords>0x8000000000000000</Keywords> 
    <TimeCreated SystemTime="2020-09-28T22:54:17.6538118Z" /> 
    <EventRecordID>1883</EventRecordID> 
    <Correlation /> 
    <Execution ProcessID="6580" ThreadID="22636" /> 
    <Channel>Microsoft-Windows-DriverFrameworks-UserMode/Operational</Channel> 
    <Computer>Roswell</Computer> 
    <Security UserID="S-1-5-19" /> 
   </System>
- <UserData>
 - <UMDFHostDeviceRequest xmlns="http://www.microsoft.com/DriverFrameworks/UserMode/Event">
     <LifetimeId>{c09c68ed-af3b-4e1a-b2dd-17e74f17dba3}</LifetimeId> 
     <InstanceId>SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN__USB&PROD__SANDISK_3.2GEN1&REV_1.00#0401FCC4C24B5204ED6A023E9446EBDE67DADF08C86BAB77DBE89C8C17C339C#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}</InstanceId> 
     <RequestMajorCode>27</RequestMajorCode> 
     <RequestMinorCode>23</RequestMinorCode> 
     <Argument1>0x0</Argument1> 
     <Argument2>0x0</Argument2> 
     <Argument3>0x0</Argument3> 
     <Argument4>0x0</Argument4> 
     <Status>0</Status> 
    </UMDFHostDeviceRequest>
   </UserData>
  </Event>

Answer 1

尝尝这个

$instance = 'SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN__USB&PROD__SANDISK_3.2GEN1&REV_1.00#0401FCC4C24B5204ED6A023E9446EBDE67DADF08C86BAB77DBE89C8C17C339C#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}'

Get-WinEvent -LogName Microsoft-Windows-DriverFrameworks-UserMode/Operational -FilterXPath "*[System[EventID=2102]] and [UserData[UMDFHostDeviceRequest[@instanceID='$instance']]]"

Answer 2

将@instanceID更改为InstanceId和XML转义实例id字符串为我做了这件事。在您的示例中，命令应如下所示：

Get-WinEvent -LogName Microsoft-Windows-DriverFrameworks-UserMode/Operational -FilterXPath "*[System[(EventID=2102)]] and *[UserData[UMDFHostDeviceRequest[InstanceId='SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN__USB&PROD__SANDISK_3.2GEN1&REV_1.00#0401FCC4C24B5204ED6A023E9446EBDE67DADF08C86BAB77DBE89C8C17C339C#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}']]]"