我刚刚使用以下查询在 Windows 11 上创建了一个自定义视图,获得了这里,我刚刚解锁了我的计算机,但最近的解锁事件来自02-28T06:55。这是怎么回事?
<QueryList>
<Query Id="0" Path="System">
<Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Kernel-Power'] and (EventID=42)]]</Select>
<Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Kernel-Power'] and (EventID=107)]]</Select>
<Select Path="System">*[System[Provider[@Name='eventlog'] and (EventID=6006)]]</Select>
<Select Path="System">*[System[Provider[@Name='eventlog'] and (EventID=6005)]]</Select>
<Select Path="System">*[System[Provider[@Name='User32'] and (EventID=1074)]]</Select>
<Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4802)]]</Select>
<Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4803)]]</Select>
<Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Power-Troubleshooter'] and (EventID=1)]]</Select>
<Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4800)]]</Select>
<Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4801)]]</Select>
</Query>
</QueryList>
答案1
检查日志大小以及日志满后的行为。您可以在事件日志的属性窗口中看到这些设置