{"id":33139,"date":"2010-12-16T19:03:10","date_gmt":"2010-12-16T18:03:10","guid":{"rendered":"https:\/\/www.fuhaijun.com\/?p=33139"},"modified":"2024-11-06T11:21:15","modified_gmt":"2024-11-06T03:21:15","slug":"%e9%80%9a%e8%bf%87powershell%e6%93%8d%e4%bd%9c%e4%ba%8b%e4%bb%b6%e6%97%a5%e5%bf%97","status":"publish","type":"post","link":"https:\/\/www.fuhaijun.com\/?p=33139","title":{"rendered":"\u901a\u8fc7PowerShell\u64cd\u4f5c\u4e8b\u4ef6\u65e5\u5fd7"},"content":{"rendered":"

\u7ba1\u7406\u5458\u80fd\u591f\u83b7\u53d6\u4fe1\u606f\u7684\u4e3b\u8981\u6765\u6e90\u662f\u4e8b\u4ef6\u65e5\u5fd7\uff0cPowerShell\u4e2d\u6709\u4e13\u95e8\u7684Get-EventLog cmdlet\u5904\u7406\u4e8b\u4ef6\u65e5\u5fd7\u3002\u4e3a\u4e86\u83b7\u53d6\u5df2\u5b58\u5728\u7684\u4e8b\u4ef6\u65e5\u5fd7\uff0c\u9700\u8981\u4f7f\u7528-list\u53c2\u6570\u4ee5\u8fd4\u56deSystem.Diagnostics.EventLog\u7c7b\u578b\u7684\u5bf9\u8c61\u96c6\u5408\u3002\u83b7\u53d6\u8fd9\u4e9b\u5bf9\u8c61\u540e\u5373\u53ef\u5b9e\u73b0\u4efb\u4f55\u4e0e\u7cfb\u7edf\u65e5\u5fd7\u76f8\u5173\u8054\u7684\u64cd\u4f5c\uff0c\u5982\u4e0b\u6240\u793a\uff1a<\/p>\n

\"image\" <\/p>\n

\u4ece\u4e0b\u4f8b\u7684\u8f93\u51fa\u80fd\u591f\u770b\u5230\u5f53\u524d\u7cfb\u7edf\u4e2d\u5b58\u5728\u7684\u65e5\u5fd7\u6761\u6570\uff1a<\/p>\n

PS C:\\PowerShell\\AppendixB> get-eventlog -list<\/p>\n

Max(K) Retain OverflowAction Entries Name<\/p>\n

—— —— ————– ——- —-<\/p>\n

512 7 OverwriteOlder 486 Application<\/p>\n

512 7 OverwriteOlder 0 Internet Explorer<\/p>\n

512 7 OverwriteOlder 1 Security<\/p>\n

512 7 OverwriteOlder 2,166 System<\/p>\n

15,360 0 OverwriteAsNeeded 2,148 Windows PowerShell<\/p>\n

\u4e00\u3001\u83b7\u53d6\u7279\u5b9a\u7684\u4e8b\u4ef6\u65e5\u5fd7<\/h1>\n

\u9996\u5148\u83b7\u53d6\u5173\u4e8ePowerShell\u7cfb\u7edf\u65e5\u5fd7\u7684\u65e5\u5fd7\u5bf9\u8c61\uff1a<\/p>\n

PS C:\\PowerShell\\AppendixB> $log = get-eventlog -list |<\/p>\n

>> ? { $_.logdisplayname -like "*Pow*" }<\/p>\n

>> <\/p>\n

\u63a5\u4e0b\u6765\u68c0\u67e5\u83b7\u53d6\u7684\u65e5\u5fd7\u662f\u5426\u6b63\u5e38\uff1a<\/p>\n

PS C:\\PowerShell\\AppendixB> $log.LogDisplayName<\/p>\n

Windows PowerShell<\/p>\n

\u968f\u540e\u67e5\u770b\u6700\u8fd1\u53d1\u751f\u76845\u6761\u7cfb\u7edf\u65e5\u5fd7\uff1a<\/p>\n

PS C:\\PowerShell\\AppendixB> get-eventlog $log.LogDisplayName -newest 5<\/p>\n

Index Time EntryType Source InstanceID Message<\/p>\n

—– —- ——— —— ———- ——-<\/p>\n

2148 \u4e5d\u6708 20 10:06 Information PowerShell 400 Engine state is changed fro…<\/p>\n

2147 \u4e5d\u6708 20 10:06 Information PowerShell 600 Provider "Certificate" is S…<\/p>\n

2146 \u4e5d\u6708 20 10:06 Information PowerShell 600 Provider "Variable" is Star…<\/p>\n

2145 \u4e5d\u6708 20 10:06 Information PowerShell 600 Provider "Registry" is Star…<\/p>\n

2144 \u4e5d\u6708 20 10:06 Information PowerShell 600 Provider "Function" is Star…<\/p>\n

\u67e5\u770b\u7cfb\u7edf\u65e5\u5fd7\u6700\u5927\u7684\u5bb9\u91cf\uff1a<\/p>\n

PS C:\\PowerShell\\AppendixB> $log.MaximumKilobytes<\/p>\n

15360<\/p>\n

\u4ece\u4e2d\u80fd\u591f\u770b\u5230\u662f15 MB\uff0c\u7136\u540e\u52a0\u500d\u7cfb\u7edf\u5141\u8bb8\u7684\u6700\u5927\u65e5\u5fd7\u5927\u5c0f\uff1a<\/p>\n

PS C:\\PowerShell\\AppendixB> $log.MaximumKilobytes *= 2<\/p>\n

PS C:\\PowerShell\\AppendixB> $log.MaximumKilobytes<\/p>\n

30720<\/p>\n

\u4e8c\u3001\u5c06\u4e8b\u4ef6\u65e5\u5fd7\u4f5c\u4e3a\u5b9e\u65f6\u5bf9\u8c61<\/h1>\n

EventLog\u5bf9\u8c61\u7684\u4e3b\u8981\u7279\u70b9\u662f\u5176\u5b9e\u65f6\u6027\uff0c\u5373\u4e00\u65e6\u83b7\u53d6\u8fd9\u4e2a\u5bf9\u8c61\uff0c\u5219\u53ef\u4e0d\u65ad\u5730\u68c0\u67e5\u5b83\uff0c\u4ee5\u67e5\u770b\u662f\u5426\u53d1\u751f\u4e86\u65b0\u7684\u4e8b\u4ef6\u3002\u4f8b\u5982\uff0c\u53ef\u4ee5\u67e5\u770b\u4fdd\u5b58\u5728$log\u53d8\u91cf\u4e2d\u7684PowerShell\u65e5\u5fd7\uff1a<\/p>\n

PS C:\\PowerShell\\AppendixB> $log<\/p>\n

Max(K) Retain OverflowAction Entries Name<\/p>\n

—— —— ————– ——- —-<\/p>\n

30,720 0 OverwriteAsNeeded 2,148 Windows PowerShell<\/p>\n

\u80fd\u591f\u770b\u5230\u5f53\u524d\u7684\u65e5\u5fd7\u6761\u6570\u662f2 148\u6761\u3002\u4e0b\u9762\u589e\u52a0\u542f\u52a8\u591a\u4e2aPowerShell\u5b9e\u4f8b\u589e\u52a0\u591a\u6761\u65e5\u5fd7\uff0c\u8fd9\u91cc\u5411PowerShell\u5b9e\u4f8b\u4f20\u9012\u4e86exit\u547d\u4ee4\uff0c\u6bcf\u4e2a\u65b0\u5b9e\u4f8b\u5728\u542f\u52a8\u4e4b\u540e\u7acb\u5373\u9000\u51fa\uff1a<\/p>\n

PS C:\\PowerShell\\AppendixB> powershell exit<\/p>\n

PS C:\\PowerShell\\AppendixB> powershell exit<\/p>\n

PS C:\\PowerShell\\AppendixB> powershell exit<\/p>\n

\u4e0b\u9762\u518d\u6b21\u67e5\u770b$log\u7684\u5c5e\u6027\uff1a<\/p>\n

PS C:\\PowerShell\\AppendixB> $log<\/p>\n

Max(K) Retain OverflowAction Entries Name<\/p>\n

—— —— ————– ——- —-<\/p>\n

30,720 0 OverwriteAsNeeded 2,187 Windows PowerShell<\/p>\n

\u53ef\u4ee5\u770b\u5230\u65e5\u5fd7\u4e2d\u5df2\u7ecf\u6dfb\u52a0\u4e86\u591a\u6761\u65b0\u7eaa\u5f55\u3002\u63a5\u4e0b\u6765\u6e05\u7406\u5df2\u7ecf\u6dfb\u52a0\u7684\u65e5\u5fd7\uff0c\u6267\u884c\u6b64\u64cd\u4f5c\u901a\u8fc7\u5355\u72ec\u542f\u52a8PowerShell\u5b9e\u4f8b\u6e05\u9664\u73b0\u6709PowerShell\u7684\u65e5\u5fd7\uff0c\u547d\u4ee4\u5982\u4e0b\uff1a<\/p>\n

PS C:\\PowerShell\\AppendixB> powershell {<\/p>\n

>> (get-eventlog -list |<\/p>\n

>> ?{$_.LogDisplayName -like "*Pow*"}).Clear()<\/p>\n

>> }<\/p>\n

>> <\/p>\n

\u5176\u4e2d\u7684\u547d\u4ee4\u4f20\u9012\u811a\u672c\u5757\u7ed9\u4e00\u4e2a\u65b0\u7684PowerShell\u8fdb\u7a0b\uff0c\u8fd9\u4e2a\u811a\u672c\u5757\u83b7\u53d6PowerShell EventLog\u5bf9\u8c61\u5e76\u8c03\u7528Clear()\u65b9\u6cd5\u6e05\u9664\u5df2\u6709\u7684\u65e5\u5fd7\uff0c\u5728\u5b50\u8fdb\u7a0b\u7ed3\u675f\u4e4b\u540e\u67e5\u770b\u5f53\u524d\u7684\u65e5\u5fd7\uff1a<\/p>\n

PS C:\\PowerShell\\AppendixB> $log<\/p>\n

Max(K) Retain OverflowAction Entries Name<\/p>\n

—— —— ————– ——- —-<\/p>\n

30,720 0 OverwriteAsNeeded 1 Windows PowerShell<\/p>\n

\u53ef\u4ee5\u770b\u5230PowerShell\u7684\u65e5\u5fd7\u5df2\u7ecf\u88ab\u6e05\u7a7a\u3002<\/p>\n

\u4e09\u3001\u4fdd\u5b58\u4e8b\u4ef6\u65e5\u5fd7<\/h1>\n

\u53ef\u4ee5\u901a\u8fc7PowerShell\u7684Export-Clixml cmdlet\u4fdd\u5b58\u4e8b\u4ef6\u65e5\u5fd7\u4ee5\u4fbf\u4e8e\u540e\u671f\u5904\u7406\uff0c\u5bfc\u51fa\u65e5\u5fd7\u7684\u547d\u4ee4\u5982\u4e0b\u6240\u793a\uff1a<\/p>\n

PS C:\\PowerShell\\AppendixB> $log.Entries | Export-Clixml c:\\log.xml<\/p>\n

\u8fd9\u91cc\u901a\u8fc7\u547d\u4ee4\u5c06\u6570\u636e\u518d\u6b21\u8bfb\u51fa\u65e5\u5fd7\uff1a<\/p>\n

PS C:\\PowerShell\\AppendixB> $date = Import-Clixml C:\\log.xml<\/p>\n

\u4e3a\u4e86\u5bf9\u6bd4\u4ece\u5b9e\u65f6\u5bf9\u8c61\u8bfb\u53d6\u7684\u65e5\u5fd7\uff0c\u4ee5\u53ca\u4ece\u5916\u90e8\u8bfb\u5165\u7684\u65e5\u5fd7\u7684\u4e0d\u540c\uff0c\u4e0b\u9762\u8f93\u51fa\u5b9e\u65bd\u65e5\u5fd7\u7684\u4fe1\u606f\uff1a<\/p>\n

PS C:\\PowerShell\\AppendixB> $log.Entries[0..3] |<\/p>\n

>> ft -auto Index,Time,EventID,Message<\/p>\n

>> <\/p>\n

Index Time EventID Message<\/p>\n

—– —- ——- ——-<\/p>\n

1 403 Engine state is changed from Available to StoppeD- …<\/p>\n

2 600 Provider "WSMan" is StarteD- …<\/p>\n

3 600 Provider "Alias" is StarteD- …<\/p>\n

4 600 Provider "Environment" is StarteD- …<\/p>\n

\u4ece\u5916\u90e8\u518d\u6b21\u8bfb\u5165\u7684\u6570\u636e\u8bb0\u5f55\u5982\u4e0b\uff1a<\/p>\n

PS C:\\> $data[0..3] |<\/p>\n

>> ft -auto Index,Time,EventID,Message<\/p>\n

>> <\/p>\n

Index Time EventID Message<\/p>\n

—– —- ——- ——-<\/p>\n

1 403 Engine state is changed from Available to StoppeD- …<\/p>\n

2 600 Provider "WSMan" is StarteD- …<\/p>\n

3 600 Provider "Alias" is StarteD- …<\/p>\n

4 600 Provider "Environment" is StarteD- …<\/p>\n

\u4e24\u6b21\u8f93\u51fa\u7684\u5185\u5bb9\u6216\u591a\u6216\u5c11\u76f8\u540c\u3002\u5f53\u7136\u8bfb\u5165\u7684\u6570\u636e\u4e0e\u5b9e\u65f6\u5bf9\u8c61\u6709\u6240\u4e0d\u540c\uff0c\u5b83\u4e0d\u518d\u662f\u5b9e\u65f6\u5bf9\u8c61\u3002\u6ca1\u6709\u4efb\u4f55\u65b9\u6cd5\uff0c\u5bf9\u5176\u5c5e\u6027\u7684\u4fee\u6539\u4e5f\u4e0d\u4f1a\u53cd\u4f5c\u7528\u4e8e\u7cfb\u7edf\u3002<\/p>\n

Get-MachinesMissingHotfix.ps1\u811a\u672c\u7684\u4ee3\u7801\u5982\u4e0b\u6240\u793a\uff1a<\/p>\n

get-process | foreach {$processes = @{}} {<\/p>\n

$processes[$_.processname] = $_}<\/p>\n

get-service |<\/p>\n

where {$_.Status -match "running" \u2013and<\/p>\n

$_.ServiceType -eq "Win32OwnProcess" } |<\/p>\n

foreach {<\/p>\n

new-object psobject |<\/p>\n

add-member -pass NoteProperty Name $_.Name |<\/p>\n

add-member -pass NoteProperty PID $processes[$_.Name].Id |<\/p>\n

add-member -pass NoteProperty WS $processes[$_.Name].WS |<\/p>\n

add-member -pass NoteProperty Description $_.DisplayName |<\/p>\n

add-member -pass NoteProperty FileName `<\/p>\n

$processes[$_.Name].MainModule.FileName<\/p>\n

} |<\/p>\n

export-csv -notype .\/service_datA.csv<\/p>\n

 <\/p>\n

\u4f5c\u8005: \u4ed8\u6d77\u519b
\u7248\u6743\uff1a\u672c\u6587\u7248\u6743\u5f52\u4f5c\u8005\u6240\u6709
\u8f6c\u8f7d\uff1a\u6b22\u8fce\u8f6c\u8f7d\uff0c\u4e3a\u4e86\u4fdd\u5b58\u4f5c\u8005\u7684\u521b\u4f5c\u70ed\u60c5\uff0c\u8bf7\u6309\u8981\u6c42\u3010\u8f6c\u8f7d\u3011\uff0c\u8c22\u8c22
\u8981\u6c42\uff1a\u672a\u7ecf\u4f5c\u8005\u540c\u610f\uff0c\u5fc5\u987b\u4fdd\u7559\u6b64\u6bb5\u58f0\u660e\uff1b\u5fc5\u987b\u5728\u6587\u7ae0\u4e2d\u7ed9\u51fa\u539f\u6587\u8fde\u63a5\uff1b\u5426\u5219\u5fc5\u7a76\u6cd5\u5f8b\u8d23\u4efb
\u4e2a\u4eba\u7f51\u7ad9: http:\/\/txj.shell.tor.hu\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

\u7ba1\u7406\u5458\u80fd\u591f\u83b7\u53d6\u4fe1\u606f\u7684\u4e3b\u8981\u6765\u6e90\u662f\u4e8b\u4ef6\u65e5\u5fd7\uff0cPowerShell\u4e2d\u6709\u4e13\u95e8\u7684Get-EventLog cmdlet\u5904 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[43],"tags":[],"class_list":["post-33139","post","type-post","status-publish","format-standard","hentry","category-powershell"],"_links":{"self":[{"href":"https:\/\/www.fuhaijun.com\/index.php?rest_route=\/wp\/v2\/posts\/33139"}],"collection":[{"href":"https:\/\/www.fuhaijun.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fuhaijun.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fuhaijun.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fuhaijun.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=33139"}],"version-history":[{"count":1,"href":"https:\/\/www.fuhaijun.com\/index.php?rest_route=\/wp\/v2\/posts\/33139\/revisions"}],"predecessor-version":[{"id":33780,"href":"https:\/\/www.fuhaijun.com\/index.php?rest_route=\/wp\/v2\/posts\/33139\/revisions\/33780"}],"wp:attachment":[{"href":"https:\/\/www.fuhaijun.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=33139"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fuhaijun.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=33139"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fuhaijun.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=33139"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}