WMI tasks for event logs obtain event data from the event log and perform operations such as backing up or clearing log files. For other examples, see the TechNet ScriptCenter at https://www.microsoft.com/technet.
The script examples shown in this topic obtain data only from the local computer. For more information about how to use scripts to obtain data from remote computers, see Connecting to WMI on a Remote Computer.
The following procedure describes how to run a script.
To run a script
- Copy the code and save it in a file with a .vbs extension, such as filename.vbs. Ensure that your text editor does not add a .txt extension to the file.
- Open a command prompt window and navigate to the directory where you saved the file.
- Type cscript filename.vbs at the command prompt.
- If you cannot access the event log, check whether you are running from an elevated command prompt. Some event logs, such as the security event log, may be protected by User Access Control (UAC).
Note
By default, cscript displays the output of a script in the command prompt window. Because WMI scripts can produce large amounts of output, you might want to redirect the output to a file. Type cscript filename.vbs > outfile.txt at the command prompt to redirect the output of filename.vbs to outfile.txt.
The following table lists script examples that can be used to obtain various types of data from the local computer.
...retrieve information about the security event log?

When connecting to the Win32_NTEventlogFile class, include the Security privilege. For more information, see Executing Privileged Operations Using VBScript.

VBScript:

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" & _
    strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile " _
    & "Where LogFileName='Security'")
For Each objLogFile in colLogFiles
    Wscript.Echo objLogFile.NumberOfRecords
    Wscript.Echo "Maximum Size: " _
        & objLogfile.MaxFileSize
Next

PowerShell:

$strComputer = "."
$colLogFiles = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $strComputer | Where-Object {$_.LogFileName -eq 'Security'}
foreach ($objLogFile in $colLogFiles)
{
    "Record Number: " + $objLogFile.NumberOfRecords
    "Maximum Size: " + $objLogFile.MaxFileSize
}

...back up an event log?

Use the Win32_NTEventlogFile class and the BackupEventLog method. When connecting to WMI, you may need to include the Backup privilege. For more information, see Executing Privileged Operations Using VBScript.

VBScript:

strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Backup)}!\\" & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery ("Select * from Win32_NTEventLogFile " & "Where LogFileName='Application'")
For Each objLogfile in colLogFiles
    ' BackupEventLog returns 0 on success; the file must not already exist
    errBackupLog = objLogFile.BackupEventLog("c:\scripts\application.evt")
    WScript.Echo "File saved as c:\scripts\application.evt"
Next

PowerShell:

$strComputer = "."
$colLogFiles = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $strComputer | Where-Object {$_.LogFileName -eq 'Application'}
foreach ($objLogFile in $colLogFiles)
{
    [void]$objLogFile.BackupEventlog("c:\scripts\application.evt")
    "File saved as c:\scripts\application.evt"
}

...back up an event log more than once?

Before using Win32_NTEventlogFile and the BackupEventLog method, make sure the backup file has a unique name. The operating system does not allow you to overwrite an existing backup file; you must move or rename the backup file before running the script again. When connecting to WMI, you may need to include the Backup privilege. For more information, see Executing Privileged Operations Using VBScript.

VBScript:

dtmThisDay = Day(Date)
dtmThisMonth = Month(Date)
dtmThisYear = Year(Date)
' Build a date-based file name so each day's backup gets a distinct name
strBackupName = dtmThisYear & "_" & dtmThisMonth & "_" & dtmThisDay
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Backup)}!\\" & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery ("Select * from Win32_NTEventLogFile " & "Where LogFileName='Application'")
For Each objLogfile in colLogFiles
    objLogFile.BackupEventLog("c:\scripts\" & strBackupName & "_application.evt")
    objLogFile.ClearEventLog()
    WScript.Echo "File saved: " & strBackupName & "_application.evt"
Next

PowerShell:

$CurDate = Get-Date
$strBackupName = $CurDate.Year.ToString() + "_" + $CurDate.Month.ToString() + "_" + $CurDate.Day.ToString()
$strComputer = "."
$colLogFiles = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $strComputer | Where-Object {$_.LogFileName -eq 'Application'}
foreach ($objLogFile in $colLogFiles)
{
    $BackupFile = $objLogFile.BackupEventlog("c:\scripts\" + $strBackupName + "_application.evt")
    "File saved: c:\scripts\" + $strBackupName + "_application.evt"
}

...determine the number of records in an event log?

Use the Win32_NTEventlogFile class and check the value of the NumberOfRecords property.

VBScript:

strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery ("Select * from Win32_NTEventLogFile " & "Where LogFileName='System'")
For Each objLogFile in colLogFiles
    Wscript.Echo objLogFile.NumberOfRecords
Next

PowerShell:

$strComputer = "."
$colLogFiles = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $strComputer | Where-Object {$_.LogFileName -eq 'System'}
foreach ($objLogFile in $colLogFiles)
{
    $objLogFile.NumberOfRecords
}

...clear my event logs?

Use the Win32_NTEventlogFile class and the ClearEventLog method.

VBScript:

strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Backup, Security)}!\\" & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery ("Select * from Win32_NTEventLogFile " & "Where LogFileName='Application'")
For Each objLogfile in colLogFiles
    objLogFile.ClearEventLog()
    WScript.Echo "Cleared application event log file"
Next

PowerShell:

$strComputer = "."
$colLogFiles = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $strComputer | Where-Object {$_.LogFileName -eq 'Application'}
foreach ($objLogFile in $colLogFiles)
{
    [void]$objLogFile.ClearEventlog()
    "Cleared application event log file"
}

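The backup tasks and the clear task above leave two gaps a practitioner would want closed: a date-only backup name collides on the second run of the same day (and the operating system refuses to overwrite an existing backup file), and ClearEventLog runs whether or not the backup succeeded. The following PowerShell is an added example, not code from the original page; it assumes a local computer, an existing C:\scripts folder and an elevated prompt, and uses Get-WmiObject -EnableAllPrivileges in place of the (Backup) and (Security) privileges named in the VBScript moniker strings.

```powershell
# Added example (not from the original page): back up a log under a unique
# timestamped name, verify that the backup succeeded, and only then clear it.
# Assumptions: local computer, C:\scripts exists, elevated prompt.
param(
    [string]$LogFileName = 'Application',
    [string]$BackupDir   = 'C:\scripts'
)

# Date AND time in the name: a date-only name collides on the second run
# of the day, and BackupEventLog refuses to overwrite an existing file.
$stamp      = (Get-Date).ToString('yyyy-MM-dd_HHmmss')
$backupPath = Join-Path $BackupDir ("{0}_{1}.evt" -f $stamp, $LogFileName)

if (Test-Path $backupPath) {
    throw "Backup file already exists: $backupPath"
}

# -EnableAllPrivileges is the PowerShell counterpart of the (Backup) and
# (Security) privileges in the VBScript moniker strings on this page.
$log = Get-WmiObject -Class Win32_NTEventLogFile -EnableAllPrivileges |
       Where-Object { $_.LogFileName -eq $LogFileName }

if (-not $log) {
    throw "Event log '$LogFileName' not found"
}

# WMI methods return a result object; ReturnValue 0 means success.
$result = $log.BackupEventLog($backupPath)
if ($result.ReturnValue -ne 0) {
    throw ("BackupEventLog failed with return code {0}; log NOT cleared" -f $result.ReturnValue)
}
"Backup written: $backupPath"

# Clear only after a verified backup, so no records are lost.
$result = $log.ClearEventLog()
if ($result.ReturnValue -ne 0) {
    throw ("ClearEventLog failed with return code {0}" -f $result.ReturnValue)
}
"Cleared event log '$LogFileName'"
```

Run it as .\backup-and-clear.ps1 -LogFileName System to apply the same sequence to another log.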
...read events from an event log?

Use the Win32_NTLogEvent class.

VBScript:

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent " _
    & "Where Logfile = 'System'")
For Each objEvent in colLoggedEvents
    Wscript.Echo "Category: " & objEvent.Category & VBNewLine _
        & "Computer Name: " & objEvent.ComputerName & VBNewLine _
        & "Event Code: " & objEvent.EventCode & VBNewLine _
        & "Message: " & objEvent.Message & VBNewLine _
        & "Record Number: " & objEvent.RecordNumber & VBNewLine _
        & "Source Name: " & objEvent.SourceName & VBNewLine _
        & "Time Written: " & objEvent.TimeWritten & VBNewLine _
        & "Event Type: " & objEvent.Type & VBNewLine _
        & "User: " & objEvent.User
Next

PowerShell:

$strComputer = "."
$colLoggedEvents = Get-WmiObject -Class Win32_NTLogEvent -ComputerName $strComputer | Where-Object {$_.LogFile -eq 'System'}
foreach ($objEvent in $colLoggedEvents)
{
    "Category: " + $objEvent.Category
    "Computer Name: " + $objEvent.ComputerName
    "Event Code: " + $objEvent.EventCode
    "Message: " + $objEvent.Message
    "Record Number: " + $objEvent.RecordNumber
    "Source Name: " + $objEvent.SourceName
    "Time Written: " + $objEvent.TimeWritten
    "Event Type: " + $objEvent.Type
    "User: " + $objEvent.User
}

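As an added example that is not from the original page, the Win32_NTLogEvent query below filters in WQL, so WMI returns only the matching events instead of every record for Where-Object to sift, and handles the TimeWritten value, which WMI exposes as a DMTF datetime string. It lists the events that record a log being cleared (Security event 1102, "The audit log was cleared", and System event 104) from the last 24 hours, and assumes a local computer and an elevated prompt.

```powershell
# Added example (not from the original page): server-side WQL filtering on
# Win32_NTLogEvent, with DMTF datetime conversion in both directions.
# Assumptions: local computer, elevated prompt (the Security log needs it).
param([int]$Hours = 24)

# WQL compares TimeWritten against a DMTF-format datetime string,
# e.g. 20240101120000.000000+000, not against a .NET DateTime.
$since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime(
             (Get-Date).AddHours(-$Hours))

# Security 1102 and System 104 are the records Windows writes when a log
# is cleared; only these rows cross the WMI boundary.
$query = @"
SELECT Logfile, EventCode, RecordNumber, TimeWritten, SourceName, User, Message
FROM Win32_NTLogEvent
WHERE ((Logfile = 'Security' AND EventCode = 1102)
    OR (Logfile = 'System'   AND EventCode = 104))
  AND TimeWritten >= '$since'
"@

$events = Get-WmiObject -Query $query -EnableAllPrivileges

if (-not $events) {
    "No log-clearing events in the last $Hours hours"
    return
}

foreach ($e in $events) {
    # Convert the DMTF timestamp back into a readable DateTime.
    $when = [System.Management.ManagementDateTimeConverter]::ToDateTime($e.TimeWritten)
    [pscustomobject]@{
        Log     = $e.Logfile
        EventId = $e.EventCode
        Record  = $e.RecordNumber
        Time    = $when
        Source  = $e.SourceName
        User    = $e.User
    }
}
```

The same -Query form with a Logfile and TimeWritten clause replaces the Where-Object filter in the page's example whenever the System log is large.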
- WMI Tasks for Scripts and Applications
- WMI C++ Application Examples
- TechNet ScriptCenter