Windows event IDs for monitoring logon, unlock and startup

I'm trying to query the Windows 11 event log for any use of the computer. I'm starting with the case of someone getting access to the Windows UI, so I tried this query that I found on ServerFault, but the latest event it shows is from 2024-02-28, and I unlocked the machine only a few minutes ago.

<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Kernel-Power'] and (EventID=42)]]</Select>
    <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Kernel-Power'] and (EventID=107)]]</Select>
    <Select Path="System">*[System[Provider[@Name='eventlog'] and (EventID=6006)]]</Select>
    <Select Path="System">*[System[Provider[@Name='eventlog'] and (EventID=6005)]]</Select>
    <Select Path="System">*[System[Provider[@Name='User32'] and (EventID=1074)]]</Select>
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4802)]]</Select>
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4803)]]</Select>
    <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Power-Troubleshooter'] and (EventID=1)]]</Select>
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4800)]]</Select>
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4801)]]</Select>
    <!-- 4767 (account unlocked) is written by Security-Auditing to the Security log, not System -->
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4767)]]</Select>
  </Query>
</QueryList>

Any suggestions for better event IDs, or for what I'm doing wrong?
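The following is an added example, not code from the original post or its ServerFault source. It runs the same kind of XML query through Get-WinEvent, lists the newest matches first, and adds a selector for 4624 logons with LogonType 7 (unlock) and 2 (interactive console logon), which are recorded under the default "Logon" audit subcategory; the lock/unlock pair 4800/4801 is only written when the "Other Logon/Logoff Events" subcategory is enabled, which the final auditpol call checks. The script assumes an elevated PowerShell session (reading the Security log requires it) and the `-MaxEvents` cap of 50 is an arbitrary choice.

```powershell
# Added example: run the event-log query with Get-WinEvent instead of the Event Viewer
# custom-view dialog, newest events first. Requires an elevated session for the Security log.

$query = @'
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Kernel-Power'] and (EventID=42 or EventID=107)]]</Select>
    <Select Path="System">*[System[Provider[@Name='eventlog'] and (EventID=6005 or EventID=6006)]]</Select>
    <Select Path="System">*[System[Provider[@Name='User32'] and (EventID=1074)]]</Select>
    <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Power-Troubleshooter'] and (EventID=1)]]</Select>
    <!-- lock/unlock (4800/4801), screensaver (4802/4803), account unlocked (4767): all Security log -->
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4800 or EventID=4801 or EventID=4802 or EventID=4803 or EventID=4767)]]</Select>
    <!-- added: successful logons of type 7 (unlock) and 2 (interactive), audited by default -->
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4624)]] and *[EventData[Data[@Name='LogonType']='7' or Data[@Name='LogonType']='2']]</Select>
  </Query>
</QueryList>
'@

# -MaxEvents 50 is an arbitrary cap for a quick look; drop it to see everything.
$events = Get-WinEvent -FilterXml $query -MaxEvents 50 |
    Sort-Object TimeCreated -Descending

# Show the first line of each message so the table stays readable.
$events |
    Select-Object TimeCreated, LogName, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# 4800/4801 (workstation locked/unlocked) only appear when this subcategory audits Success.
auditpol /get /subcategory:"Other Logon/Logoff Events"
```

If the auditpol output shows "No Auditing" for that subcategory, the absence of recent 4800/4801 events is a policy setting rather than a query problem; the 4624 LogonType 7 selector will still show the unlock, since the "Logon" subcategory is audited by default on workstations.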
