使用 Windows 事件檢視器 (Event Viewer) 時,逐一尋找並點擊事件查看詳情往往讓人感到不便。若不想下載其他軟體來匯出日誌,可以考慮使用 PowerShell,以表格形式快速呈現事件數據,這樣的方式對於初步問題排查非常實用且高效。
使用PowerShell Get-WinEvent這個功能,從本機和遠端電腦上的事件記錄檔和事件追蹤記錄檔取得事件。
用管理者權限開啟PowerShell
PS C:\WINDOWS\system32> Get-WinEvent -ListLog * | Format-List -Property LogName
LogName : Windows PowerShell
LogName : System
LogName : Security
LogName : PowerBiosServerLog
LogName : OutLog
LogName : OneApp_IGCC
...
PS C:\WINDOWS\system32> Get-WinEvent -FilterXml '<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select></Query></QueryList>'
ProviderName: Microsoft-Windows-Security-Auditing
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
9/17/2024 8:00:25 PM 4624 Information An account was successfully logged on....
9/17/2024 8:00:25 PM 4624 Information An account was successfully logged on....
9/17/2024 7:52:31 PM 4624 Information An account was successfully logged on....
Get-WinEvent -FilterXml '
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[System[(
EventID=4624
) and
(TimeCreated[timediff(@SystemTime) <= 3600000])]]
</Select>
</Query>
</QueryList>
' |
Select-Object Id, TimeCreated,
@{Name="LogonType"; Expression={$_.Properties[8].Value}},
@{Name="AdditionalInfo"; Expression={$_.Properties[10].Value}}
Output
PS C:\Windows\system32> Get-WinEvent -FilterXml '
>> <QueryList>
>> <Query Id="0" Path="Security">
>> <Select Path="Security">
>> *[System[(
>> EventID=4624
>> ) and
>> (TimeCreated[timediff(@SystemTime) <= 3600000])]]
>> </Select>
>> </Query>
>> </QueryList>
>> ' |
>> Select-Object Id, TimeCreated,
>> @{Name="LogonType"; Expression={$_.Properties[8].Value}},
>> @{Name="AdditionalInfo"; Expression={$_.Properties[10].Value}}
Id TimeCreated LogonType AdditionalInfo
-- ----------- --------- --------------
4624 9/20/2024 11:40:38 AM 10 Negotiate
4624 9/20/2024 11:40:33 AM 2 Negotiate
4624 9/20/2024 11:40:33 AM 2 Negotiate
4624 9/20/2024 11:40:31 AM 3 NTLM
4624 9/20/2024 11:40:31 AM 3 NTLM
4624 9/20/2024 11:38:07 AM 5 Negotiate
4624 9/20/2024 11:34:17 AM 3 Kerberos
4624 9/20/2024 11:29:36 AM 5 Negotiate
4624 9/20/2024 11:23:29 AM 3 NTLM
4624 9/20/2024 11:23:06 AM 5 Negotiate
4624 9/20/2024 11:22:30 AM 3 NTLM
4624 9/20/2024 11:08:06 AM 5 Negotiate
4624 9/20/2024 10:58:48 AM 5 Negotiate
4624 9/20/2024 10:53:05 AM 5 Negotiate
4624 9/20/2024 10:53:00 AM 3 NTLM
4624 9/20/2024 10:51:41 AM 3 NTLM
黑暗執行緒-實用小工具 - 查誰在偷連我的 Windows?
https://blog.darkthread.net/blog/ps-list-logon-events/
iThome鐵人賽
看影片追技術