File system auditing was enabled for a work requirement. Because the Windows Event Viewer is inconvenient for filtering and reviewing the entries, PowerShell is used to filter them instead.
Problems
Main objective
PS C:\Windows\system32> Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4660]]"
ProviderName: Microsoft-Windows-Security-Auditing
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
5/22/2018 10:01:37 AM 4660 Information An object was deleted....
5/22/2018 9:03:11 AM 4660 Information An object was deleted....
PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']]"
ProviderName: Microsoft-Windows-Security-Auditing
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
5/22/2018 10:01:37 AM 4663 Information An attempt was made to access an object....
5/22/2018 9:03:11 AM 4663 Information An attempt was made to access an object....
PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']] and *[EventData[Data[@Name='SubjectUserName']='lxy']]"
ProviderName: Microsoft-Windows-Security-Auditing
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
5/22/2018 9:03:11 AM 4663 Information An attempt was made to access an object....
PS C:\Windows\system32> $AccessMask='0x10000'
PS C:\Windows\system32> $UserName='lxy'
PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='$AccessMask']] and *[EventData[Data[@Name='SubjectUserName']='$UserName']]"
ProviderName: Microsoft-Windows-Security-Auditing
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
5/22/2018 9:03:11 AM 4663 Information An attempt was made to access an object....
PS C:\Users\F2844290> Get-WinEvent -Path 'C:\Users\F2844290\Desktop\SaveSec.evtx' -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']]"
PS C:\Windows\system32> Get-WinEvent -LogName Security -FilterXPath "*[System[TimeCreated[timediff(@SystemTime) < 600000]]]"
ProviderName: Microsoft-Windows-Security-Auditing
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
5/22/2018 4:11:30 PM 4663 Information An attempt was made to access an object....
5/22/2018 4:11:30 PM 4663 Information An attempt was made to access an object....
5/22/2018 4:11:30 PM 4663 Information An attempt was made to access an object....
5/22/2018 4:11:30 PM 4663 Information An attempt was made to access an object....
If the XPath syntax is unclear, refer to the XML tab of the "Filter Current Log" dialog in Event Viewer, which shows the same query form.
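As an added example (not from the original post), the function below combines the Get-WinEvent filters used interactively above (event ID, AccessMask, SubjectUserName, a timediff() window and an optional saved .evtx file) and reads the EventData fields by name instead of relying on the truncated Message column; the function name Get-FileAuditEvents and its parameter names are assumptions of this example.

```powershell
function Get-FileAuditEvents {
    [CmdletBinding()]
    param(
        [string]$LogName = 'Security',
        [string]$Path,          # optional: read a saved .evtx instead of the live log
        [int]$EventId = 4663,
        [string]$AccessMask,    # e.g. '0x10000' for DELETE
        [string]$UserName,      # matched against SubjectUserName
        [int]$LastMinutes       # only events created within the last N minutes
    )

    # Build the XPath from the same clauses used above; timediff() works in milliseconds.
    $clauses = @("*[System[EventID=$EventId]]")
    if ($AccessMask)  { $clauses += "*[EventData[Data[@Name='AccessMask']='$AccessMask']]" }
    if ($UserName)    { $clauses += "*[EventData[Data[@Name='SubjectUserName']='$UserName']]" }
    if ($LastMinutes) { $clauses += "*[System[TimeCreated[timediff(@SystemTime) <= $($LastMinutes * 60000)]]]" }
    $xpath = $clauses -join ' and '

    # -LogName and -Path are separate parameter sets, so choose one via splatting.
    # SilentlyContinue turns "No events were found" into an empty result instead of an error.
    $query = @{ FilterXPath = $xpath; ErrorAction = 'SilentlyContinue' }
    if ($Path) { $query.Path = $Path } else { $query.LogName = $LogName }

    Get-WinEvent @query | ForEach-Object {
        # Pull EventData fields by their Name attribute rather than parsing the Message text.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            User        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            ObjectName  = $data['ObjectName']
            Accesses    = $data['AccessList']   # raw XML keeps the %% placeholder, e.g. %%1537 for DELETE
            AccessMask  = $data['AccessMask']
            ProcessName = $data['ProcessName']
        }
    }
}

# Usage: deletions (AccessMask 0x10000) by user lxy in the last 60 minutes, as an object table
Get-FileAuditEvents -AccessMask '0x10000' -UserName 'lxy' -LastMinutes 60 | Format-Table -AutoSize
```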
# Delete archived Security logs older than 60 days and record each deletion.
# ForEach-Object is used because this block performs actions rather than filtering.
Get-ChildItem E:\FileLog\Archive-Security-* | ForEach-Object {
    if (((Get-Date) - $_.CreationTime).TotalDays -gt 60) {
        Remove-Item $_.FullName -Force
        # $($_.Name) is required: "$_.Name" would expand only $_ and append ".Name" literally
        Write-Output "$(Get-Date -UFormat '%Y/%m/%d')`t$($_.Name)" >> D:\RoMove-Archive-Logs.txt
    }
}
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 5/22/2018 9:03:11 AM
Event ID: 4663
Task Category: File System
Level: Information
Keywords: Audit Success
User: N/A
Computer: IDX-ST-05
Description:
An attempt was made to access an object.
Subject:
Security ID: IDX-ST-05\lxy
Account Name: lxy
Account Domain: IDX-ST-05
Logon ID: 0x2ed3b8
Object:
Object Server: Security
Object Type: File
Object Name: C:\Data\net.txt
Handle ID: 0x444
Process Information:
Process ID: 0x4
Process Name:
Access Request Information:
Accesses: DELETE
Access Mask: 0x10000
Event Xml (element names restored from the 4663 event schema; attribute-only elements such as TimeCreated and Execution did not survive extraction and are omitted):
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4663</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12800</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <EventRecordID>1514</EventRecordID>
    <Channel>Security</Channel>
    <Computer>IDX-ST-05</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1815651738-4066643265-3072818021-1004</Data>
    <Data Name="SubjectUserName">lxy</Data>
    <Data Name="SubjectDomainName">IDX-ST-05</Data>
    <Data Name="SubjectLogonId">0x2ed3b8</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Data\net.txt</Data>
    <Data Name="HandleId">0x444</Data>
    <Data Name="AccessList">%%1537</Data>
    <Data Name="AccessMask">0x10000</Data>
    <Data Name="ProcessId">0x4</Data>
    <Data Name="ProcessName"></Data>
  </EventData>
</Event>
Common file operations and the Accesses / AccessMask values they record in event 4663:
Operation                Accesses                      AccessMask
File Read                ReadData (or ListDirectory)   0x1
File Write               WriteData (or AddFile)        0x2
File Delete              DELETE                        0x10000
File Rename              DELETE                        0x10000
File Copy                ReadData (or ListDirectory)   0x1
File Permissions Change  WRITE_DAC                     0x40000
File Ownership Change    WRITE_OWNER                   0x80000