如何确定最近禁用了哪些 Windows 服务？

Question

运行即可访问 Windows 事件日志，它eventvwr记录了与服务控制管理器的交互。在本例中，我们感兴趣的是日志System，来源是Service Control Manager，事件 ID 是7040。

导出为 XML 的示例事件如下：

Log Name:      System
Source:        Service Control Manager
Date:          17/08/2020 14:11:08
Event ID:      7040
Task Category: None
Level:         Information
Keywords:      Classic
User:          SYSTEM
Computer:      asus
Description:
The start type of the Background Intelligent Transfer Service service was changed from demand start to auto start.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="16384">7040</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2020-08-17T13:11:08.7830390Z" />
    <EventRecordID>47575</EventRecordID>
    <Correlation />
    <Execution ProcessID="944" ThreadID="19856" />
    <Channel>System</Channel>
    <Computer>asus</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="param1">Background Intelligent Transfer Service</Data>
    <Data Name="param2">demand start</Data>
    <Data Name="param3">auto start</Data>
    <Data Name="param4">BITS</Data>
  </EventData>
</Event>

要仅导出此处感兴趣的值，即CreationTime和Message，可以使用以下 PowerShell 命令：

Get-WinEvent -FilterHashtable @{logname='system'; id=7040} | Where-Object {$_.message -like "*disabled*"} | select TimeCreated, Message | Out-GridView

如果要分解消息的参数，可以使用以下PowerShell：

$Report = @()
foreach ($e in (Get-WinEvent -FilterHashtable @{logname="system"; id=7040}))
{
   $obj = [PSCustomObject]@{
    Time = $e.TimeCreated
    ServiceDisplayName = ([xml]$e.ToXml()).Event.SelectSingleNode("//*[@Name='param1']")."#text"
    OldState = ([xml]$e.ToXml()).Event.SelectSingleNode("//*[@Name='param2']")."#text"
    NewState = ([xml]$e.ToXml()).Event.SelectSingleNode("//*[@Name='param3']")."#text"
    ServiceName = ([xml]$e.ToXml()).Event.SelectSingleNode("//*[@Name='param4']")."#text"
   }
   $Report += $obj
}
$Report | Out-GridView

Answer 1

运行即可访问 Windows 事件日志，它eventvwr记录了与服务控制管理器的交互。在本例中，我们感兴趣的是日志System，来源是Service Control Manager，事件 ID 是7040。

导出为 XML 的示例事件如下：

Log Name:      System
Source:        Service Control Manager
Date:          17/08/2020 14:11:08
Event ID:      7040
Task Category: None
Level:         Information
Keywords:      Classic
User:          SYSTEM
Computer:      asus
Description:
The start type of the Background Intelligent Transfer Service service was changed from demand start to auto start.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="16384">7040</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2020-08-17T13:11:08.7830390Z" />
    <EventRecordID>47575</EventRecordID>
    <Correlation />
    <Execution ProcessID="944" ThreadID="19856" />
    <Channel>System</Channel>
    <Computer>asus</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="param1">Background Intelligent Transfer Service</Data>
    <Data Name="param2">demand start</Data>
    <Data Name="param3">auto start</Data>
    <Data Name="param4">BITS</Data>
  </EventData>
</Event>

要仅导出此处感兴趣的值，即CreationTime和Message，可以使用以下 PowerShell 命令：

Get-WinEvent -FilterHashtable @{logname='system'; id=7040} | Where-Object {$_.message -like "*disabled*"} | select TimeCreated, Message | Out-GridView

如果要分解消息的参数，可以使用以下PowerShell：

$Report = @()
foreach ($e in (Get-WinEvent -FilterHashtable @{logname="system"; id=7040}))
{
   $obj = [PSCustomObject]@{
    Time = $e.TimeCreated
    ServiceDisplayName = ([xml]$e.ToXml()).Event.SelectSingleNode("//*[@Name='param1']")."#text"
    OldState = ([xml]$e.ToXml()).Event.SelectSingleNode("//*[@Name='param2']")."#text"
    NewState = ([xml]$e.ToXml()).Event.SelectSingleNode("//*[@Name='param3']")."#text"
    ServiceName = ([xml]$e.ToXml()).Event.SelectSingleNode("//*[@Name='param4']")."#text"
   }
   $Report += $obj
}
$Report | Out-GridView

如何确定最近禁用了哪些 Windows 服务？

答案1

相关内容