如何获取匹配0x1或0x4的Powershell > Get-WinEvent > Security > Message > Access Mask

Question

如何获取安全ID 4663，其中消息为0x1|0x4|等。

我已经尝试了不同的代码，我只想将大约5个代码记录到CSV，我可以导出到CSV，我只能提取4663 ID，但我不能过滤消息访问掩码，这是消息字段中的文本，任何人有任何想法，这是我到目前为止建立的代码：

$Results = foreach($server in "server-name")
{
    Get-WinEvent -ComputerName $Server -logname security -MaxEvents 10 -ErrorAction SilentlyContinue | where {$_.id -eq "4663"} | select Timecreated, ID, Message | Get-EventLog "Security" -before 4/10/2013 -InstanceId 4663 | % {
    New-Object psobject -Property @{
        Index = $_.Index
        TimeGenerated = $_.TimeGenerated
        "Account Name" = $_.ReplacementStrings[1]
        "Object Type" = $_.ReplacementStrings[5]
        "Object Name" = $_.ReplacementStrings[6]
    }
} | Write-Host

这将获取记录

#$Results = foreach($server in "file-server")
#{
#    Get-WinEvent -ComputerName $Server -logname security -MaxEvents 10 -ErrorAction SilentlyContinue | where {$_.id -eq "4663"} | select #Timecreated, ID, Message | Write-Host

结果应该是

帐户名:对象名:其中记录为访问掩码之一："0x0"，"0x1"，"0x2"，"0x4"，"0x20"，"0x40"，"0x10000“

Answer 1

因此，让我们更深入地了解窗口事件消息。

每条消息都有一个模板。您可以查看这些模板，如

(Get-WinEvent -ListProvider * -ErrorAction Ignore).Events |
    select Id, Version, Template |
    Format-List

我们可以向下挖掘以找到我们正在寻找的事件，还可以像这样

(Get-WinEvent -ListProvider * -ErrorAction Ignore).Events |
        Where-Object {$_.Id -eq 4663} |
        select Id, Version, Template |
        Format-List

我们可以看到windows中使用的模板有两个版本。我们还可以看到正确的名称是什么。

Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
             <data name="SubjectUserSid" inType="win:SID" outType="xs:string"/>
             <data name="SubjectUserName" inType="win:UnicodeString" outType="xs:string"/>
             <data name="SubjectDomainName" inType="win:UnicodeString" outType="xs:string"/>
             <data name="SubjectLogonId" inType="win:HexInt64" outType="win:HexInt64"/>
             <data name="ObjectServer" inType="win:UnicodeString" outType="xs:string"/>
             <data name="ObjectType" inType="win:UnicodeString" outType="xs:string"/>
             <data name="ObjectName" inType="win:UnicodeString" outType="xs:string"/>
             <data name="HandleId" inType="win:Pointer" outType="win:HexInt64"/>
             <data name="AccessList" inType="win:UnicodeString" outType="xs:string"/>
             <data name="AccessMask" inType="win:HexInt32" outType="win:HexInt32"/>
             <data name="ProcessId" inType="win:Pointer" outType="win:HexInt64"/>
             <data name="ProcessName" inType="win:UnicodeString" outType="xs:string"/>
             <data name="ResourceAttributes" inType="win:UnicodeString" outType="xs:string"/>
           </template>

在帖子中，我们想要获取访问掩码。我们可以在模板中看到

<data name="AccessMask" inType="win:HexInt32" outType="win:HexInt32"/>

因此，我们将获取满足所需ID 4663的所有事件，并将输出限制为10

Get-WinEvent -logname security -FilterXPath "*[System[EventID=4663]]" -MaxEvents 10

我们将把输出转换成可扩展标记语言，并向下解析到这些设置，然后创建一个PSObject来存储所有这些设置。然后，我们将每个PSObject添加到一个ArrayList。

$ArrayList = New-Object System.Collections.ArrayList
Get-WinEvent -logname security -FilterXPath "*[System[EventID=4663]]" -MaxEvents 10 | %{
    $XML = [xml]$_.toXml()
    $PsObject =  New-Object psobject
    $XML.Event.EventData.Data | %{
        $PsObject | Add-Member -MemberType NoteProperty -Name $_.Name -Value $_."#text"
    }
    $ArrayList.add($PsObject) | out-null
}

$ArrayList | Select AccessMask

我们只在数组列表中选择AccessMask，这样就很好了。

在结束语中，我为此编写了一个函数。

function Parse-WindowsEvents(){
    param(
        [Parameter(Position=1, ValueFromPipeline)]
        [object[]]$Events
    )
    process{
        $ArrayList = New-Object System.Collections.ArrayList
        $Events  | %{
            $EventObj = $_
            $EventObjFullName = $_.GetType().FullName
            if($EventObjFullName -like "System.Diagnostics.EventLogEntry"){   
                $EventObj = Get-WinEvent -LogName security -FilterXPath "*[System[EventRecordID=$($_.get_Index())]]"
            }elseif($EventObjFullName -like "System.Diagnostics.Eventing.Reader.EventLogRecord"){

            }else{
                throw "Not An Event System.Diagnostics.Eventing.Reader.EventLogRecord or System.Diagnostics.EventLogEntry"
            }
            $PsObject =  New-Object psobject
            $EventObj.psobject.properties | %{
                $PsObject | Add-Member -MemberType NoteProperty -Name $_.Name -Value $_.Value
            }
            $XML = [xml]$EventObj.toXml()
            $PsObject2 = New-Object psobject
            $XML.Event.EventData.Data | %{
                $PsObject2 | Add-Member -MemberType NoteProperty -Name $_.Name -Value $_."#text"
            }
            $PsObject | Add-Member -MemberType NoteProperty -Name ParsedMessage -Value $PsObject2
            $ArrayList.add($PsObject) | out-null
        }
        return $ArrayList
    }
}

示例用法

Get-EventLog -LogName Security | select -first 3 | Parse-WindowsEvents | select id, recordid -ExpandProperty parsedmessage | fl

或

get-winevent -logName security | parse-winevents

该函数将向名为ParsedMessage的对象添加一个新属性

Answer 2

Get-winEvent -Logname Security | where {($_.Id -eq '4663') -and ($_.Message -match '0x0' -or $_Message -Match '0x1' -or $_.Message -match '0x4' -or $_.Message -match '0x20' -or $_.Message -match '0x40' -or $_.Message -match '0x10000')}

这就是你要找的东西吗？