$EventLog = Get-WmiObject Win32_NTEventlogFile -Filter "LogFileName = 'Security'"
$Date = Get-Date -Format yyyyMMdd
$Path = "C:\Users\aamouss\Desktop\SecurityLogs"
$EventLog.BackupEventlog("$Path\$env:COMPUTERNAME`_Security_$Date.evt")
Clear-EventLog -LogName Security
I am running the script above, but I get the error below.

You cannot call a method on a null-valued expression.
At line:6 char:1
+ $EventLog.BackupEventlog("$Path\$env:COMPUTERNAME`_Security_$Date.evt ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
$EventLog is the only thing that could be $null. If I try running the command that initializes $EventLog, I find that it returns nothing...
PS> Get-WmiObject Win32_NTEventlogFile -Filter "LogFileName = 'Security'"
PS>
If I remove the -Filter from that Get-WmiObject command, here are the logs I see as a standard user on a Windows 10 system...
PS> Get-WmiObject Win32_NTEventlogFile
FileSize LogfileName            Name                                                        NumberOfRecords
-------- -----------            ----                                                        ---------------
15798272 Application            C:\WINDOWS\System32\Winevt\Logs\Application.evtx                      27698
   69632 HardwareEvents         C:\WINDOWS\System32\Winevt\Logs\HardwareEvents.evtx                       0
   69632 Internet Explorer      C:\WINDOWS\System32\Winevt\Logs\Internet Explorer.evtx                    0
   69632 Key Management Service C:\WINDOWS\System32\Winevt\Logs\Key Management Service.evtx               0
   69632 Parameters             C:\WINDOWS\System32\Winevt\Logs\Parameters.evtx                           0
   69632 State                  C:\WINDOWS\System32\Winevt\Logs\State.evtx                                0
14749696 System                 C:\WINDOWS\System32\Winevt\Logs\System.evtx                           24168
15732736 Windows PowerShell     C:\WINDOWS\System32\Winevt\Logs\Windows PowerShell.evtx               10470
...and as an elevated user...
PS> Get-WmiObject Win32_NTEventlogFile
FileSize LogfileName            Name                                                        NumberOfRecords
-------- -----------            ----                                                        ---------------
15798272 Application            C:\WINDOWS\System32\Winevt\Logs\Application.evtx                      27698
   69632 HardwareEvents         C:\WINDOWS\System32\Winevt\Logs\HardwareEvents.evtx                       0
   69632 Internet Explorer      C:\WINDOWS\System32\Winevt\Logs\Internet Explorer.evtx                    0
   69632 Key Management Service C:\WINDOWS\System32\Winevt\Logs\Key Management Service.evtx               0
   69632 Parameters             C:\WINDOWS\System32\Winevt\Logs\Parameters.evtx                           0
20975616 Security               C:\WINDOWS\System32\Winevt\Logs\Security.evtx                         29714
   69632 State                  C:\WINDOWS\System32\Winevt\Logs\State.evtx                                0
14749696 System                 C:\WINDOWS\System32\Winevt\Logs\System.evtx                           24170
15732736 Windows PowerShell     C:\WINDOWS\System32\Winevt\Logs\Windows PowerShell.evtx               10477
Note that the Security log is only available when the cmdlet is run elevated. So if I run the original command as an elevated user, I can access the Security log...
PS> Get-WmiObject Win32_NTEventlogFile -Filter "LogFileName = 'Security'"
FileSize LogfileName Name                                          NumberOfRecords
-------- ----------- ----                                          ---------------
20975616 Security    C:\WINDOWS\System32\Winevt\Logs\Security.evtx           29723
From Event Logging Security...

The Security log is designed for use by the system. However, users can read and clear the Security log if they have been granted the SE_SECURITY_NAME privilege (the "manage auditing and security log" user right).
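The failure mode described in the question and the answer (an unelevated session gets no Security log object back from WMI, so the method call lands on $null) can be guarded against explicitly. The following is an added example written for this page, not the asker's script or code from the answer: it checks that the session is elevated, checks that the WMI query returned an object before calling BackupEventlog, checks the method's return value, and clears the live log only after the archive file is confirmed on disk. The backup directory and the Test-IsElevated helper name are assumptions for the example.

```powershell
# Added example (not the asker's script or the answer's code).
# Backs up the Security event log safely: elevation check, null check on the
# WMI object, return-value check, and a clear only after the archive exists.

$Path = 'C:\SecurityLogs'   # assumed backup directory for this example

# Hypothetical helper: true when the current process runs with an
# administrator token (the Security log is only visible to such sessions).
function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsElevated)) {
    throw 'The Security log is only visible to an elevated session; re-run PowerShell as Administrator.'
}

# Unelevated, this query returns nothing at all, which is what produced the
# "InvokeMethodOnNull" error in the question. Guard the result before use.
$EventLog = Get-WmiObject Win32_NTEventlogFile -Filter "LogFileName = 'Security'"
if ($null -eq $EventLog) {
    throw 'Get-WmiObject returned no Security log object; verify the "Manage auditing and security log" (SE_SECURITY_NAME) right.'
}

if (-not (Test-Path $Path)) {
    New-Item -ItemType Directory -Path $Path | Out-Null
}

$Date   = Get-Date -Format yyyyMMdd
$Backup = Join-Path $Path "$($env:COMPUTERNAME)_Security_$Date.evt"

# BackupEventlog returns an object whose ReturnValue is a Win32 status code;
# 0 means success (for example, 183 means the target file already exists).
$result = $EventLog.BackupEventlog($Backup)
if ($result.ReturnValue -ne 0) {
    throw "BackupEventlog failed with return value $($result.ReturnValue)"
}

# Clear the live log only once the archive copy is confirmed to exist, so
# rotation never discards events that were not captured.
if (Test-Path $Backup) {
    Clear-EventLog -LogName Security
    Write-Host "Security log archived to $Backup and cleared."
} else {
    throw "Backup reported success but $Backup was not found; Security log left untouched."
}
```

Running this from a non-elevated prompt stops at the first check with a clear message instead of the null-method error; running it elevated but without the SE_SECURITY_NAME right stops at the second check, which is the condition the Event Logging Security quote above describes.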