信息来源:邪恶八进制信息安全团队(www.eviloctal.com)
邪恶八进制信息安全团队综合整理。
写入到自定义事件日志
描述
使用 EventCreate.exe 实用程序将事件写入到名为 Scriptsutility 的自定义事件日志。需要 Windows XP 或 Windows Server 2003。
脚本代码
Set WshShell = WScript.CreateObject("WScript.Shell")
strCommand = "eventcreate /T Error /ID 100 /L Scripts /D " & _
Chr(34) & "Test event." & Chr(34)
WshShell.Run strcommand
将事件写入到本地事件日志
描述
将事件写入到本地计算机上的应用程序事件日志。
脚本代码
Const EVENT_SUCCESS = 0
Set objShell = Wscript.CreateObject("Wscript.Shell")
objShell.LogEvent EVENT_SUCCESS, _
"Payroll application successfully installed."
将事件写入到远程事件日志
描述
将事件写入到名为 PrimaryServer 的远程计算机上的应用程序事件日志。
脚本代码
Const EVENT_SUCCESS = 0
Set objShell = Wscript.CreateObject("Wscript.Shell")
objShell.LogEvent EVENT_SUCCESS, _
"Payroll application successfully installed." , \\PrimaryServer
创建事件日志备份的唯一文件名
描述
备份和清除应用程序事件日志,基于当前的日期为每个备份生成一个唯一的文件名。
脚本代码
dtmThisDay = Day(Date)
dtmThisMonth = Month(Date)
dtmThisYear = Year(Date)
strBackupName = dtmThisYear & "_" & dtmThisMonth & "_" & dtmThisDay
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate,(Backup)}!\\" & _
strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
("Select * from Win32_NTEventLogFile where LogFileName='Application'")
For Each objLogfile in colLogFiles
objLogFile.BackupEventLog("c:\scripts\" & strBackupName & _
"_application.evt")
objLogFile.ClearEventLog()
Next
系统事件日志属性
描述
报告当前记录在系统事件日志中的事件的数目。
脚本代码
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
("Select * from Win32_NTEventLogFile where LogFileName='System'")
For Each objLogFile in colLogFiles
Wscript.Echo objLogFile.NumberOfRecords
Next
安全日志属性
描述
检索安全日志的属性。
脚本代码
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate,(Security)}!\\" & _
strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
("Select * from Win32_NTEventLogFile where LogFileName='Security'")
For Each objLogFile in colLogFiles
Wscript.Echo objLogFile.NumberOfRecords
Wscript.Echo "Maximum Size: " & objLogfile.MaxFileSize
Next
从事件日志中检索某一天发生的事件
描述
从所有的事件日志中检索在某个特定的日期发生的所有事件。
脚本代码
Const CONVERT_TO_LOCAL_TIME = True
Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
DateToCheck = CDate("2/18/2002")
dtmStartDate.SetVarDate DateToCheck, CONVERT_TO_LOCAL_TIME
dtmEndDate.SetVarDate DateToCheck + 1, CONVERT_TO_LOCAL_TIME
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where TimeWritten >= '" _
& dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'")
For each objEvent in colEvents
Wscript.Echo "Category: " & objEvent.Category
Wscript.Echo "Computer Name: " & objEvent.ComputerName
Wscript.Echo "Event Code: " & objEvent.EventCode
Wscript.Echo "Message: " & objEvent.Message
Wscript.Echo "Record Number: " & objEvent.RecordNumber
Wscript.Echo "Source Name: " & objEvent.SourceName
Wscript.Echo "Time Written: " & objEvent.TimeWritten
Wscript.Echo "Event Type: " & objEvent.Type
Wscript.Echo "User: " & objEvent.User
Wscript.Echo objEvent.LogFile
Next
从事件日志中检索特定的事件
描述
从系统事件日志中检索所有事件代码为 6008 的事件。
脚本代码
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where Logfile = 'System' and " _
& "EventCode = '6008'")
Wscript.Echo "Improper shutdowns: " & colLoggedEvents.Count
从事件日志中检索所有的事件
描述
从计算机上的所有事件日志中检索所有的事件。注意:这主要是一个演示脚本。它可能会花几个小时或更长时间运行,这取决于事件日志中记录的数量。
脚本代码
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent")
For Each objEvent in colLoggedEvents
Wscript.Echo "Category: " & objEvent.Category
Wscript.Echo "Computer Name: " & objEvent.ComputerName
Wscript.Echo "Event Code: " & objEvent.EventCode
Wscript.Echo "Message: " & objEvent.Message
Wscript.Echo "Record Number: " & objEvent.RecordNumber
Wscript.Echo "Source Name: " & objEvent.SourceName
Wscript.Echo "Time Written: " & objEvent.TimeWritten
Wscript.Echo "Event Type: " & objEvent.Type
Wscript.Echo "User: " & objEvent.User
Next
在查询事件日志中查询“停止”事件
描述
在系统事件日志中查询与“停止“事件(蓝屏)有关的事件。
脚本代码
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where Logfile = 'System'" _
& " and SourceName = 'SaveDump'")
For Each objEvent in colLoggedEvents
Wscript.Echo "Event date: " & objEvent.TimeGenerated
Wscript.Echo "Description: " & objEvent.Message
Next
查询特定的事件日志
描述
从 System 事件日志中检索所有的事件。
脚本代码
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where Logfile = 'Application'")
For Each objEvent in colLoggedEvents
Wscript.Echo "Category: " & objEvent.Category
Wscript.Echo "Computer Name: " & objEvent.ComputerName
Wscript.Echo "Event Code: " & objEvent.EventCode
Wscript.Echo "Message: " & objEvent.Message
Wscript.Echo "Record Number: " & objEvent.RecordNumber
Wscript.Echo "Source Name: " & objEvent.SourceName
Wscript.Echo "Time Written: " & objEvent.TimeWritten
Wscript.Echo "Event Type: " & objEvent.Type
Wscript.Echo "User: " & objEvent.User
Next
分析固定列宽格式的日志
描述
将 NetSetup 日志中的信息提取到单个字段和记录中。
脚本代码
Const ForReading = 1
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile("C:\Windows\Debug\Netsetup.log", _
ForReading)
Do While objTextFile.AtEndOfStream <> True
strLinetoParse = objTextFile.ReadLine
dtmEventDate = Mid(strLinetoParse, 1, 6)
dtmEventTime = Mid(strLinetoParse, 7, 9)
strEventDescription = Mid(strLinetoParse, 16)
Wscript.Echo "Date: " & dtmEventDate
Wscript.Echo "Time: " & dtmEventTime
Wscript.Echo "Description: " & strEventDescription & VbCrLf
Loop
objFSO.Close
分析逗号分隔符格式的值日志
描述
将 DHCP Server 日志中的信息提取到单个字段和记录中。
脚本代码
Const ForReading = 1
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile("C:\Windows\System32\DHCP\" _
& "DhcpSrvLog-Mon.log", ForReading)
Do While objTextFile.AtEndOfStream <> True
If inStr(objtextFile.Readline, ",") Then
arrDHCPRecord = split(objTextFile.Readline, ",")
wscript.echo "Event ID: " & arrDHCPRecord(0)
wscript.echo "Date: " & arrDHCPRecord(1)
wscript.echo "Time: " & arrDHCPRecord(2)
wscript.echo "Description: " & arrDHCPRecord(3)
wscript.echo "IP Address: " & arrDHCPRecord(4)
wscript.echo "Host Name: " & arrDHCPRecord(5)
wscript.echo "MAC Address: " & arrDHCPRecord(6)
Else
objTextFile.Skipline
End If
i = i + 1
Loop
事件日志属性
描述
检索计算机上所有事件日志的属性列表(Security 事件日志除外)。
脚本代码
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objInstalledLogFiles = objWMIService.ExecQuery _
("Select * from Win32_NTEventLogFile")
For each objLogfile in objInstalledLogFiles
Wscript.Echo "Name: " & objLogfile.LogFileName
Wscript.Echo "Maximum Size: " & objLogfile.MaxFileSize
If objLogfile.OverWriteOutdated > 365 Then
Wscript.Echo "Overwrite Outdated Records: Never." & VbCrLf
ElseIf objLogfile.OverWriteOutdated = 0 Then
Wscript.Echo "Overwrite Outdated Records: As needed." & VbCrLf
Else
Wscript.Echo "Overwrite Outdated Records After: " & _
objLogfile.OverWriteOutdated & " days" & VbCrLf
End If
Next
Create a Custom Event Log
描述
Creates a custom event log named Scripts.
脚本代码
Const NO_VALUE = Empty
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.RegWrite "HKLM\System\CurrentControlSet\Services\EventLog\Scripts\", _
NO_VALUE
将先前日期的事件日志事件复制到数据库
描述
从所有的事件日志中检索以前记录的事件,并且将这些记录写入带有 DSN Name EventLogs 的数据库。需要 Windows XP 或 Windows Server 2003。
脚本代码
Set objConn = CreateObject("ADODB.Connection")
Set objRS = CreateObject("ADODB.Recordset")
objConn.Open "DSN=EventLogs;"
objRS.CursorLocation = 3
objRS.Open "SELECT * FROM EventTable" , objConn, 3, 3
Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
DateToCheck = Date - 1
dtmEndDate.SetVarDate Date, True
dtmStartDate.SetVarDate DateToCheck, True
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where TimeWritten >= '" _
& dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'")
For each objEvent in colEvents
objRS.AddNew
objRS("Category") = objEvent.Category
objRS("ComputerName") = objEvent.ComputerName
objRS("EventCode") = objEvent.EventCode
objRS("Message") = objEvent.Message
objRS("RecordNumber") = objEvent.RecordNumber
objRS("SourceName") = objEvent.SourceName
objRS("TimeWritten") = objEvent.TimeWritten
objRS("Type") = objEvent.Type
objRS("User") = objEvent.User
objRS.Update
Next
objRS.Close
objConn.Close
将事件日志事件复制到数据库
描述
从所有的事件日志中检索事件,并且这些事件记录在带有 DSN Name EventLogs 的数据库中。
脚本代码
Set objConn = CreateObject("ADODB.Connection")
Set objRS = CreateObject("ADODB.Recordset")
objConn.Open "DSN=EventLogs;"
objRS.CursorLocation = 3
objRS.Open "SELECT * FROM EventTable" , objConn, 3, 3
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colRetrievedEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent")
For Each objEvent in colRetrievedEvents
objRS.AddNew
objRS("Category") = objEvent.Category
objRS("ComputerName") = objEvent.ComputerName
objRS("EventCode") = objEvent.EventCode
objRS("Message") = objEvent.Message
objRS("RecordNumber") = objEvent.RecordNumber
objRS("SourceName") = objEvent.SourceName
objRS("TimeWritten") = objEvent.TimeWritten
objRS("Type") = objEvent.Type
objRS("User") = objEvent.User
objRS.Update
Next
objRS.Close
objConn.Close
配置事件日志属性
描述
将所有日志的最大大小设置为 250 MB,并使该日志能够改写时间超过 14 天的任何事件。
脚本代码
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate,(Security)}!\\" & _
strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
("Select * from Win32_NTEventLogFile")
For each objLogfile in colLogFiles
strLogFileName = objLogfile.Name
Set wmiSWbemObject = GetObject _
("winmgmts:{impersonationLevel=Impersonate}!\\.\root\cimv2:" _
& "Win32_NTEventlogFile.Name='" & strLogFileName & "'")
wmiSWbemObject.MaxFileSize = 2500000000
wmiSWbemObject.OverwriteOutdated = 14
wmiSWbemObject.Put_
Next
备份和清除大型事件日志
描述
如果事件日志文件的大小大于 20 MB,就将其备份和清除。
脚本代码
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate, (Backup, Security)}!\\" _
& strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
("Select * from Win32_NTEventLogFile")
For each objLogfile in colLogFiles
If objLogFile.FileSize > 100000 Then
strBackupLog = objLogFile.BackupEventLog _
("c:\scripts\" & objLogFile.LogFileName & ".evt")
objLogFile.ClearEventLog()
End If
Next
备份和清除事件日志
描述
备份和清除应用程序事件日志。
脚本代码
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate,(Backup)}!\\" & _
strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
("Select * from Win32_NTEventLogFile where LogFileName='Application'")
For Each objLogfile in colLogFiles
errBackupLog = objLogFile.BackupEventLog("c:\scripts\application.evt")
If errBackupLog <> 0 Then
Wscript.Echo "The Application event log could not be backed up."
Else
objLogFile.ClearEventLog()
End If
Next
异步事件日志查询
描述
使用异步查询检索所有事件日志中的所有事件。这种方法比使用异步查询检索大量事件更快一些。
脚本代码
Const POPUP_DURATION = 10
Const OK_BUTTON = 0
Set objWSHShell = Wscript.CreateObject("Wscript.Shell")
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objSink = WScript.CreateObject("WbemScripting.SWbemSink","SINK_")
objWMIService.InstancesOfAsync objSink, "Win32_NTLogEvent"
Error = objWshShell.Popup("Starting event retrieval", POPUP_DURATION, _
"Event Retrieval", OK_BUTTON)
Sub SINK_OnCompleted(iHResult, objErrorObject, objAsyncContext)
WScript.Echo "Asynchronous operation is done."
End Sub
Sub SINK_OnObjectReady(objEvent, objAsyncContext)
Wscript.Echo "Category: " & objEvent.Category
Wscript.Echo "Computer Name: " & objEvent.ComputerName
Wscript.Echo "Event Code: " & objEvent.EventCode
Wscript.Echo "Message: " & objEvent.Message
Wscript.Echo "Record Number: " & objEvent.RecordNumber
Wscript.Echo "Source Name: " & objEvent.SourceName
Wscript.Echo "Time Written: " & objEvent.TimeWritten
Wscript.Echo "Event Type: " & objEvent.Type
Wscript.Echo "User: " & objEvent.User
End Sub
向事件日志条目添加 WMI 数据
描述
写入包括附加信息(例如用户名和计算机上可用磁盘空间的数量)的事件。
脚本代码
Const EVENT_FAILED = 2
Set objShell = Wscript.CreateObject("Wscript.Shell")
Set objNetwork = Wscript.CreateObject("Wscript.Network")
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colDiskDrives = objWMIService.ExecQuery _
("Select * from win32_perfformatteddata_perfdisk_logicaldisk")
For each objDisk in colDiskDrives
strDriveSpace = objDisk.Name & " " & objDisk.FreeMegabytes _
& VbCrLf
Next
strEventDescription = "Payroll application could not be installed on " _
& objNetwork.UserDomain & "\" & objNetwork.ComputerName _
& " by user " & objNetwork.UserName & _
". Free space on each drive is: " & strDriveSpace
objShell.LogEvent EVENT_FAILED, strEventDescription
向事件日志条目添加一个支持 URL
描述
将一个事件写入包括支持 URL 的应用程序事件日志。需要 Windows XP 或 Windows Server 2003。
脚本代码
Const EVENT_FAILED = 1
Set objShell = Wscript.CreateObject("Wscript.Shell")
objShell.LogEvent EVENT_FAILED, _
"Payroll application could not be installed." _
& "Additional information is available from http://www.fabrikam.com."
