{"id":2413,"date":"2025-02-19T12:03:38","date_gmt":"2025-02-19T04:03:38","guid":{"rendered":"https:\/\/airy.cn\/WordPress\/?p=2413"},"modified":"2025-02-20T10:59:09","modified_gmt":"2025-02-20T02:59:09","slug":"%e8%bf%9c%e7%a8%8b%e6%9f%a5%e8%af%a2%e6%9f%90%e4%b8%aa%e8%ae%a1%e7%ae%97%e6%9c%ba%e9%87%8d%e5%90%af-%e5%85%b3%e6%9c%ba%e7%ad%89%e5%8e%9f%e5%9b%a0","status":"publish","type":"post","link":"https:\/\/airy.cn\/WordPress\/?p=2413","title":{"rendered":"\u8fdc\u7a0b\u67e5\u8be2\u67d0\u4e2a\u8ba1\u7b97\u673a\u91cd\u542f\/\u5173\u673a\u7b49\u539f\u56e0"},"content":{"rendered":"\n

\u8fdc\u7a0b\u67e5\u8be2\u67d0\u4e2a\u8ba1\u7b97\u673a\u91cd\u542f\/\u5173\u673a\u7b49\u539f\u56e0\uff1a<\/p>\n\n\n\n


\u65b9\u6cd5\u4e00\uff1a 10\u5929\u5185 wevtutil \u7ba1\u7406\u5458\u8fd0\u884c\uff1a <\/p>\n\n\n\n

wevtutil \/r:SHA1906W0002 \/a:NTLM qe System \u201c\/q:*[System[(EventID=6005 or EventID=6006 or EventID=6008 or EventID=1074 or EventID=41 or EventID=4624 or EventID=4624) and TimeCreated[timediff(@SystemTime) <= 864000000]]]\u201d \/f:text<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n
\u65b9\u6cd5\u4e8c\uff1a \u6700\u8fd110\u6761  Get-WinEvent \u7ba1\u7406\u5458\u8fd0\u884c<\/p>\n\n\n\n
Get-WinEvent -ComputerName \"SHA1906W0002\" -FilterHashtable @{LogName='System'; Id=6005, 6006, 6008, 1074, 41, 4624, 4625} -MaxEvents 10 | Format-Table -AutoSize -Wrap<\/code><\/pre>\n\n\n\n
\n\n\n\n
\u65b9\u6cd5\u4e09\uff1a \u6700\u8fd110\u6761  Get-EventLog  \u7ba1\u7406\u5458\u8fd0\u884c<\/p>\n\n\n\n
#\u8fdc\u7a0b\u5230\u5bf9\u65b9\u7535\u8111 powershell\npsexec.exe \\\\SHALT5CG2310BZ2 -s powershell\n\u6216\u8005\npsexec -i -e -h -s -realtime \\\\SHA1906W0002 powershell\n\u6216\u8005\nEnter-PSSession -ComputerName SHA1906W0002<\/code><\/pre>\n\n\n\n
Get-EventLog -LogName System  | Where-Object { $_.EventID -in (6005, 6006, 6008, 1074, 41, 4624, 4625) } | Select-Object @{Name='EventID';Expression={$_.EventID}}, @{Name='Time';Expression={$_.TimeGenerated}}, @{Name='Message';Expression={$_.Message}} -First 10 | Format-Table -AutoSize -Wrap<\/code><\/pre>\n\n\n\n
Get-EventLog -LogName System | Where-Object { $_.EventID -in (6005, 6006, 6008, 1074, 41, 4624, 4625) } | Select-Object  -First 10 | Format-Table -AutoSize -Wrap<\/code><\/pre>\n\n\n\n
 <\/p>\n\n\n\n
\n\n\n\n
\u5728\u201c\u4e8b\u4ef6 ID\u201d\u5904\u53ef\u4ee5\u8f93\u5165\u7279\u5b9a ID \u6765\u67e5\u627e\u4e0d\u540c\u7c7b\u578b\u7684\u91cd\u542f\u539f\u56e0\uff1a
6005\uff1a\u8868\u793a\u7cfb\u7edf\u542f\u52a8\u3002
6006\uff1a\u8868\u793a\u7cfb\u7edf\u6b63\u5e38\u5173\u673a\u3002
6008\uff1a\u8868\u793a\u610f\u5916\u5173\u673a\u6216\u91cd\u542f\uff0c\u4f8b\u5982\u7cfb\u7edf\u5d29\u6e83\u6216\u505c\u7535\u540e\u6062\u590d\u3002<\/p>\n\n\n\n
\u4e8b\u4ef6 ID \u542b\u4e49\uff1a<\/p>\n\n\n\n
6005\uff1a\u6b63\u5e38\u8fd0\u884c\uff0c\u8868\u793a\u7cfb\u7edf\u5df2\u6b63\u5e38\u542f\u52a8
6006\uff1a\u6b63\u5e38\u5173\u673a\uff0c\u8868\u793a\u7cfb\u7edf\u5df2\u6b63\u786e\u5173\u95ed
6008\uff1a\u7cfb\u7edf\u610f\u5916\u5173\u673a\u3002\u5f02\u5e38\u5173\u673a\uff0c\u901a\u5e38\u662f\u7531\u4e8e\u7cfb\u7edf\u5d29\u6e83\u3001\u7535\u6e90\u4e2d\u65ad\u6216\u786c\u4ef6\u95ee\u9898\u5bfc\u81f4\u7684\u975e\u6b63\u5e38\u5173\u95ed\u3002
1074\uff1a\u7cfb\u7edf\u91cd\u542f\u6216\u5173\u673a\uff0c\u7531\u7528\u6237\u542f\u52a8\u3002\u6b63\u5e38\u5173\u673a\u6216\u91cd\u542f\uff0c\u7531\u7528\u6237\u6216\u7a0b\u5e8f\u8bf7\u6c42\u89e6\u53d1\u3002
41\uff1a\u975e\u6b63\u5e38\u5173\u673a\uff0c\u7cfb\u7edf\u56e0\u786c\u4ef6\u95ee\u9898\u5173\u95ed\u3002(Kernel-Power)
4624\uff1a\u6210\u529f\u767b\u5f55
4625\uff1a\u767b\u5f55\u5931\u8d25<\/p>\n\n\n\n
\u6269\u5c55\uff1a
\u7aef\u53e3\u8017\u5c3d\u3001tcpip\u76f8\u5173\u65e5\u5fd7
4227,4231,4266<\/p>\n\n\n\n
\u5f00\u5173\u673a\u76f8\u5173\u7684\u4e8b\u4ef6ID
12,13,6005,6006,6008,41,1074<\/p>\n\n\n\n
ProviderName:Microsoft-Windows-User Profiles Service
1530,1531,1532<\/p>\n\n\n\n
ProviderName:Windows Error Reporting
1001<\/p>\n\n\n\n
\u6fc0\u6d3b\u76f8\u5173\u7684\u4e8b\u4ef6ID
8197,8198,12288,12289<\/p>\n","protected":false},"excerpt":{"rendered":"
\u8fdc\u7a0b\u67e5\u8be2\u67d0\u4e2a\u8ba1\u7b97\u673a\u91cd\u542f\/\u5173\u673a\u7b49\u539f\u56e0\uff1a \u65b9\u6cd5\u4e00\uff1a 10\u5929\u5185 wevtutil \u7ba1\u7406\u5458\u8fd0\u884c\uff1a \u65b9\u6cd5\u4e8c\uff1a \u6700\u8fd110\u6761 … \u9605\u8bfb\u66f4\u591a<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_kadence_starter_templates_imported_post":false,"footnotes":""},"categories":[2],"tags":[],"class_list":["post-2413","post","type-post","status-publish","format-standard","hentry","category-airy-tech"],"_links":{"self":[{"href":"https:\/\/airy.cn\/WordPress\/index.php?rest_route=\/wp\/v2\/posts\/2413","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/airy.cn\/WordPress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/airy.cn\/WordPress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/airy.cn\/WordPress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/airy.cn\/WordPress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2413"}],"version-history":[{"count":18,"href":"https:\/\/airy.cn\/WordPress\/index.php?rest_route=\/wp\/v2\/posts\/2413\/revisions"}],"predecessor-version":[{"id":2436,"href":"https:\/\/airy.cn\/WordPress\/index.php?rest_route=\/wp\/v2\/posts\/2413\/revisions\/2436"}],"wp:attachment":[{"href":"https:\/\/airy.cn\/WordPress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2413"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/airy.cn\/WordPress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2413"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/airy.cn\/WordPress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2413"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}