在家庭网络上,台式机已读取笔记本电脑的事件日志,截至 2020-06-30。此后我第一次运行脚本时,
get-eventlog:尝试执行未经授权的操作
在管理员模式下也会发生此行为。
台式机和笔记本电脑都更新了 KB4565503。该更新称其包含大量安全更新。好的,但我需要做什么才能运行脚本?
获取错误.ps1:
Param([parameter(Mandatory=$true)]
[string]$startDate
)
$after = Get-Date -Date $startDate
Write-Host "Getting power data"
$power = get-eventlog -computername geolaptop -log System -instanceid (1,42) -after $after | where-object {$_.Source -eq "Microsoft-Windows-Kernel-Power" -or $_.Source -eq "Microsoft-Windows-Power-Troubleshooter"}
Write-Host "Create power CSV file"
$power | select-object "eventid", "timegenerated" |export-csv power.csv
Write-Host "Getting error data"
$errors = get-eventlog -computername geolaptop -log System -instanceid (17) -after $after
Write-Host "Create errors CSV file"
$errors | select-object "timegenerated" |export-csv errors.csv
Write-Host "Populate MySQL tables"
.\sessions
答案1
继续我的评论:
这实际上不是 PowerShell 问题,而是根据您的错误而产生的环境问题。这可能是由于更新导致的,除非您遇到这种情况,否则我们无法帮助您进行故障排除。类似于从下面的搜索中看到的数据。
你为什么做这个?
$after = Get-Date -Date $startDate
这只是将 StartDate 分配给一个新变量,然后稍后使用该新变量,而不是仅使用原始变量,这使得其中一个或另一个变得多余。
# Refactored code using Get-WinEvent instead
$StartDate = (Get-Date)
'power','error' |
ForEach {
switch ($PSItem)
{
power
{
"Getting $PSItem data"
Get-WinEvent -FilterHashtable @{
LogName = 'System'
Id = 1, 42
StartTime = $StartDate
} |
Select-Object -Property LogName, TimeCreated, Id, Level |
Export-Csv -Path "D:\Temp\$($PSItem)Report.Csv"
}
error
{
"Getting $PSItem data"
Get-WinEvent -FilterHashtable @{
LogName = 'System'
Id = 17
StartTime = $StartDate
} |
Select-Object -Property LogName, TimeCreated, Id, Level |
Export-Csv -Path "D:\Temp\$($PSItem)Report.Csv"
}
default {Write-Warning -Message 'No records which meet the criteria provided.'}
}
}
# Results
<#
Getting power data
Getting error data
#>
'power','error' |
ForEach {
"`nShowing report for System log $PSItem data"
Import-Csv -Path "D:\Temp\$($PSItem)Report.Csv"
}
# Results
<#
Showing report for System log power data
LogName TimeCreated Id Level
------- ----------- -- -----
System 03-Aug-20 13:44:49 1 4
System 03-Aug-20 13:44:42 1 4
System 03-Aug-20 01:53:27 42 4
Showing report for System log error data
System 01-Aug-20 15:13:27 17 4
System 01-Aug-20 15:13:21 17 4
System 01-Aug-20 15:13:20 17 4
#>
这是在做什么?为什么它是你帖子的一部分?你发布的查询与哪个数据集没有关联。
'Populate MySQL tables'
.\sessions
答案2
此处答案之间的主要区别在于使用了Get-WinEvent,这不会导致失败。这要归功于@postanote。以下是我对 postanote 答案的改编。
# Include quoted greatest date (e.g., '2020-06-30') from db as command line parameter
Param([parameter(Mandatory=$true)]
[string]$startDate
)
$after = Get-Date -Date $startDate
# after is now an object
'power','error' |
ForEach {
switch ($PSItem)
{
power
{
"Getting $PSItem data"
# remote computer name is required
Get-WinEvent -ComputerName 'geolaptop' -FilterHashtable @{
LogName = 'System'
Id = 1, 42
StartTime = $after
} |
# restrict properties to only those required
Select-Object -Property Id, TimeCreated |
Export-Csv -Path "$($PSItem).Csv"
}
error
{
"Getting $PSItem data"
# remote computer name is required
Get-WinEvent -ComputerName 'geolaptop' -FilterHashtable @{
LogName = 'System'
Id = 17
StartTime = $after
} |
# restrict properties to only those required
Select-Object -Property TimeCreated |
Export-Csv -Path "$($PSItem).Csv"
}
default {Write-Warning -Message 'No records which meet the criteria provided.'}
}
}
"Populate MySQL tables"
.\sessions