Merge pull request 'Linn' (#8) from testL into main
commit
58eb17b849
@ -1,101 +1,107 @@
|
||||
try{
|
||||
New-Item -ItemType "directory" -Path "wineventlog"
|
||||
|
||||
# 尝试创建一个名为 "wineventlog" 的目录
|
||||
try {
|
||||
New-Item -ItemType "directory" -Path "wineventlog"
|
||||
}
|
||||
catch
|
||||
{
|
||||
echo "can't create a new directory"
|
||||
catch {
|
||||
# 如果创建目录失败,输出错误信息
|
||||
echo "can't create a new directory"
|
||||
}
|
||||
|
||||
try{
|
||||
get-eventlog -log Security | export-csv wineventlog/Security.csv
|
||||
# 尝试获取安全日志并导出为 CSV 文件
|
||||
try {
|
||||
get-eventlog -log Security | export-csv wineventlog/Security.csv
|
||||
}
|
||||
catch
|
||||
{
|
||||
echo "Can't retrieve Security Logs"
|
||||
catch {
|
||||
# 如果获取安全日志失败,输出错误信息
|
||||
echo "Can't retrieve Security Logs"
|
||||
}
|
||||
|
||||
try
|
||||
{
|
||||
Get-WinEvent -LogName System | export-csv wineventlog/System.csv
|
||||
# 尝试获取系统日志并导出为 CSV 文件
|
||||
try {
|
||||
Get-WinEvent -LogName System | export-csv wineventlog/System.csv
|
||||
}
|
||||
catch
|
||||
{
|
||||
echo "Can't retrieve System Logs"
|
||||
catch {
|
||||
# 如果获取系统日志失败,输出错误信息
|
||||
echo "Can't retrieve System Logs"
|
||||
}
|
||||
|
||||
try{
|
||||
Get-WinEvent -LogName Application | export-csv wineventlog/Application.csv
|
||||
# 尝试获取应用程序日志并导出为 CSV 文件
|
||||
try {
|
||||
Get-WinEvent -LogName Application | export-csv wineventlog/Application.csv
|
||||
}
|
||||
catch
|
||||
{
|
||||
echo "Can't retrieve Application Logs"
|
||||
catch {
|
||||
# 如果获取应用程序日志失败,输出错误信息
|
||||
echo "Can't retrieve Application Logs"
|
||||
}
|
||||
|
||||
|
||||
try{
|
||||
Get-WinEvent -LogName "Windows PowerShell" | export-csv wineventlog/Windows_PowerShell.csv
|
||||
# 尝试获取 Windows PowerShell 日志并导出为 CSV 文件
|
||||
try {
|
||||
Get-WinEvent -LogName "Windows PowerShell" | export-csv wineventlog/Windows_PowerShell.csv
|
||||
}
|
||||
catch
|
||||
{
|
||||
echo "Can't retrieve Windows PowerShell Logs"
|
||||
catch {
|
||||
# 如果获取 Windows PowerShell 日志失败,输出错误信息
|
||||
echo "Can't retrieve Windows PowerShell Logs"
|
||||
}
|
||||
|
||||
try{
|
||||
Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | export-csv wineventlog/LocalSessionManager.csv
|
||||
# 尝试获取 Microsoft-Windows-TerminalServices-LocalSessionManager/Operational 日志并导出为 CSV 文件
|
||||
try {
|
||||
Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | export-csv wineventlog/LocalSessionManager.csv
|
||||
}
|
||||
catch
|
||||
{
|
||||
echo "Can't retrieve Microsoft-Windows-TerminalServices-LocalSessionManager/Operational Logs"
|
||||
catch {
|
||||
# 如果获取 LocalSessionManager 日志失败,输出错误信息
|
||||
echo "Can't retrieve Microsoft-Windows-TerminalServices-LocalSessionManager/Operational Logs"
|
||||
}
|
||||
|
||||
try{
|
||||
Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" | export-csv wineventlog/Windows_Defender.csv
|
||||
# 尝试获取 Microsoft-Windows-Windows Defender/Operational 日志并导出为 CSV 文件
|
||||
try {
|
||||
Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" | export-csv wineventlog/Windows_Defender.csv
|
||||
}
|
||||
catch
|
||||
{
|
||||
echo "Can't retrieve Microsoft-Windows-Windows Defender/Operational Logs"
|
||||
catch {
|
||||
# 如果获取 Windows Defender 日志失败,输出错误信息
|
||||
echo "Can't retrieve Microsoft-Windows-Windows Defender/Operational Logs"
|
||||
}
|
||||
|
||||
try{
|
||||
Get-WinEvent -LogName Microsoft-Windows-TaskScheduler/Operational | export-csv wineventlog/TaskScheduler.csv
|
||||
# 尝试获取 Microsoft-Windows-TaskScheduler/Operational 日志并导出为 CSV 文件
|
||||
try {
|
||||
Get-WinEvent -LogName Microsoft-Windows-TaskScheduler/Operational | export-csv wineventlog/TaskScheduler.csv
|
||||
}
|
||||
catch
|
||||
{
|
||||
echo "Can't retrieve Microsoft-Windows-TaskScheduler/Operational Logs"
|
||||
catch {
|
||||
# 如果获取 TaskScheduler 日志失败,输出错误信息
|
||||
echo "Can't retrieve Microsoft-Windows-TaskScheduler/Operational Logs"
|
||||
}
|
||||
|
||||
try{
|
||||
Get-WinEvent -LogName Microsoft-Windows-WinRM/Operational | export-csv wineventlog/WinRM.csv
|
||||
# 尝试获取 Microsoft-Windows-WinRM/Operational 日志并导出为 CSV 文件
|
||||
try {
|
||||
Get-WinEvent -LogName Microsoft-Windows-WinRM/Operational | export-csv wineventlog/WinRM.csv
|
||||
}
|
||||
catch
|
||||
{
|
||||
echo "Can't retrieve Microsoft-Windows-WinRM/Operational Logs"
|
||||
catch {
|
||||
# 如果获取 WinRM 日志失败,输出错误信息
|
||||
echo "Can't retrieve Microsoft-Windows-WinRM/Operational Logs"
|
||||
}
|
||||
|
||||
try{
|
||||
Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | export-csv wineventlog/Sysmon.csv
|
||||
# 尝试获取 Microsoft-Windows-Sysmon/Operational 日志并导出为 CSV 文件
|
||||
try {
|
||||
Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | export-csv wineventlog/Sysmon.csv
|
||||
}
|
||||
catch
|
||||
{
|
||||
echo "Can't retrieve Microsoft-Windows-Sysmon/Operational Logs"
|
||||
catch {
|
||||
# 如果获取 Sysmon 日志失败,输出错误信息
|
||||
echo "Can't retrieve Microsoft-Windows-Sysmon/Operational Logs"
|
||||
}
|
||||
|
||||
|
||||
try{
|
||||
Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | export-csv wineventlog/Powershell_Operational.csv
|
||||
# 尝试获取 Microsoft-Windows-PowerShell/Operational 日志并导出为 CSV 文件
|
||||
try {
|
||||
Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | export-csv wineventlog/Powershell_Operational.csv
|
||||
}
|
||||
catch
|
||||
{
|
||||
echo "Can't retrieve Microsoft-Windows-PowerShell/Operational Logs"
|
||||
catch {
|
||||
# 如果获取 PowerShell Operational 日志失败,输出错误信息
|
||||
echo "Can't retrieve Microsoft-Windows-PowerShell/Operational Logs"
|
||||
}
|
||||
|
||||
|
||||
try
|
||||
{
|
||||
Compress-Archive -Path wineventlog -DestinationPath ./logs.zip
|
||||
# 尝试压缩 "wineventlog" 目录为 logs.zip
|
||||
try {
|
||||
Compress-Archive -Path wineventlog -DestinationPath ./logs.zip
|
||||
}
|
||||
catch
|
||||
{
|
||||
echo "couldn't compress the the log folder "
|
||||
catch {
|
||||
# 如果压缩失败,输出错误信息
|
||||
echo "couldn't compress the log folder"
|
||||
}
|
||||
|
||||
@ -1,101 +1,107 @@
|
||||
try{
|
||||
New-Item -ItemType "directory" -Path "wineventlog"
|
||||
|
||||
# 尝试创建一个名为 "wineventlog" 的目录
|
||||
try {
|
||||
New-Item -ItemType "directory" -Path "wineventlog"
|
||||
}
|
||||
catch
|
||||
{
|
||||
echo "can't create a new directory"
|
||||
catch {
|
||||
# 如果创建目录失败,输出错误信息
|
||||
echo "can't create a new directory"
|
||||
}
|
||||
|
||||
try{
|
||||
wevtutil epl Security wineventlog/Security.evtx
|
||||
# 尝试导出安全日志到指定的 EVTX 文件
|
||||
try {
|
||||
wevtutil epl Security wineventlog/Security.evtx
|
||||
}
|
||||
catch
|
||||
{
|
||||
echo "Can't retrieve Security Logs"
|
||||
catch {
|
||||
# 如果导出安全日志失败,输出错误信息
|
||||
echo "Can't retrieve Security Logs"
|
||||
}
|
||||
|
||||
try
|
||||
{
|
||||
wevtutil epl System wineventlog/System.evtx
|
||||
# 尝试导出系统日志到指定的 EVTX 文件
|
||||
try {
|
||||
wevtutil epl System wineventlog/System.evtx
|
||||
}
|
||||
catch
|
||||
{
|
||||
echo "Can't retrieve System Logs"
|
||||
catch {
|
||||
# 如果导出系统日志失败,输出错误信息
|
||||
echo "Can't retrieve System Logs"
|
||||
}
|
||||
|
||||
try{
|
||||
wevtutil epl Application wineventlog/Application.evtx
|
||||
# 尝试导出应用程序日志到指定的 EVTX 文件
|
||||
try {
|
||||
wevtutil epl Application wineventlog/Application.evtx
|
||||
}
|
||||
catch
|
||||
{
|
||||
echo "Can't retrieve Application Logs"
|
||||
catch {
|
||||
# 如果导出应用程序日志失败,输出错误信息
|
||||
echo "Can't retrieve Application Logs"
|
||||
}
|
||||
|
||||
|
||||
try{
|
||||
wevtutil epl "Windows PowerShell" wineventlog/Windows_PowerShell.evtx
|
||||
# 尝试导出 Windows PowerShell 日志到指定的 EVTX 文件
|
||||
try {
|
||||
wevtutil epl "Windows PowerShell" wineventlog/Windows_PowerShell.evtx
|
||||
}
|
||||
catch
|
||||
{
|
||||
echo "Can't retrieve Windows PowerShell Logs"
|
||||
catch {
|
||||
# 如果导出 Windows PowerShell 日志失败,输出错误信息
|
||||
echo "Can't retrieve Windows PowerShell Logs"
|
||||
}
|
||||
|
||||
try{
|
||||
wevtutil epl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" wineventlog/LocalSessionManager.evtx
|
||||
# 尝试导出 Microsoft-Windows-TerminalServices-LocalSessionManager/Operational 日志到指定的 EVTX 文件
|
||||
try {
|
||||
wevtutil epl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" wineventlog/LocalSessionManager.evtx
|
||||
}
|
||||
catch
|
||||
{
|
||||
echo "Can't retrieve Microsoft-Windows-TerminalServices-LocalSessionManager/Operational Logs"
|
||||
catch {
|
||||
# 如果导出 LocalSessionManager 日志失败,输出错误信息
|
||||
echo "Can't retrieve Microsoft-Windows-TerminalServices-LocalSessionManager/Operational Logs"
|
||||
}
|
||||
|
||||
try{
|
||||
wevtutil epl "Microsoft-Windows-Windows Defender/Operational" wineventlog/Windows_Defender.evtx
|
||||
# 尝试导出 Microsoft-Windows-Windows Defender/Operational 日志到指定的 EVTX 文件
|
||||
try {
|
||||
wevtutil epl "Microsoft-Windows-Windows Defender/Operational" wineventlog/Windows_Defender.evtx
|
||||
}
|
||||
catch
|
||||
{
|
||||
echo "Can't retrieve Microsoft-Windows-Windows Defender/Operational Logs"
|
||||
catch {
|
||||
# 如果导出 Windows Defender 日志失败,输出错误信息
|
||||
echo "Can't retrieve Microsoft-Windows-Windows Defender/Operational Logs"
|
||||
}
|
||||
|
||||
try{
|
||||
wevtutil epl Microsoft-Windows-TaskScheduler/Operational wineventlog/TaskScheduler.evtx
|
||||
# 尝试导出 Microsoft-Windows-TaskScheduler/Operational 日志到指定的 EVTX 文件
|
||||
try {
|
||||
wevtutil epl Microsoft-Windows-TaskScheduler/Operational wineventlog/TaskScheduler.evtx
|
||||
}
|
||||
catch
|
||||
{
|
||||
echo "Can't retrieve Microsoft-Windows-TaskScheduler/Operational Logs"
|
||||
catch {
|
||||
# 如果导出 TaskScheduler 日志失败,输出错误信息
|
||||
echo "Can't retrieve Microsoft-Windows-TaskScheduler/Operational Logs"
|
||||
}
|
||||
|
||||
try{
|
||||
wevtutil epl Microsoft-Windows-WinRM/Operational wineventlog/WinRM.evtx
|
||||
# 尝试导出 Microsoft-Windows-WinRM/Operational 日志到指定的 EVTX 文件
|
||||
try {
|
||||
wevtutil epl Microsoft-Windows-WinRM/Operational wineventlog/WinRM.evtx
|
||||
}
|
||||
catch
|
||||
{
|
||||
echo "Can't retrieve Microsoft-Windows-WinRM/Operational Logs"
|
||||
catch {
|
||||
# 如果导出 WinRM 日志失败,输出错误信息
|
||||
echo "Can't retrieve Microsoft-Windows-WinRM/Operational Logs"
|
||||
}
|
||||
|
||||
try{
|
||||
wevtutil epl Microsoft-Windows-Sysmon/Operational wineventlog/Sysmon.evtx
|
||||
# 尝试导出 Microsoft-Windows-Sysmon/Operational 日志到指定的 EVTX 文件
|
||||
try {
|
||||
wevtutil epl Microsoft-Windows-Sysmon/Operational wineventlog/Sysmon.evtx
|
||||
}
|
||||
catch
|
||||
{
|
||||
echo "Can't retrieve Microsoft-Windows-Sysmon/Operational Logs"
|
||||
catch {
|
||||
# 如果导出 Sysmon 日志失败,输出错误信息
|
||||
echo "Can't retrieve Microsoft-Windows-Sysmon/Operational Logs"
|
||||
}
|
||||
|
||||
|
||||
try{
|
||||
wevtutil epl Microsoft-Windows-PowerShell/Operational wineventlog/Powershell_Operational.evtx
|
||||
# 尝试导出 Microsoft-Windows-PowerShell/Operational 日志到指定的 EVTX 文件
|
||||
try {
|
||||
wevtutil epl Microsoft-Windows-PowerShell/Operational wineventlog/Powershell_Operational.evtx
|
||||
}
|
||||
catch
|
||||
{
|
||||
echo "Can't retrieve Microsoft-Windows-PowerShell/Operational Logs"
|
||||
catch {
|
||||
# 如果导出 PowerShell Operational 日志失败,输出错误信息
|
||||
echo "Can't retrieve Microsoft-Windows-PowerShell/Operational Logs"
|
||||
}
|
||||
|
||||
|
||||
try
|
||||
{
|
||||
Compress-Archive -Path wineventlog -DestinationPath ./logs.zip
|
||||
}
|
||||
catch
|
||||
{
|
||||
echo "couldn't compress the the log folder "
|
||||
}
|
||||
# 尝试压缩 "wineventlog" 目录为 logs.zip
|
||||
try {
|
||||
Compress-Archive -Path wineventlog -DestinationPath ./logs.zip
|
||||
}
|
||||
catch {
|
||||
# 如果压缩失败,输出错误信息
|
||||
echo "couldn't compress the log folder"
|
||||
}
|
||||
Loading…
Reference in new issue