我正在尝试让一个旧的 PowerShell 脚本显示以前连接过的 USB 设备的时间。在阅读了一些取证博客(例如 this)之后,我在 this blog 中找到了 this script(杰森·沃克的脚本)。
遗憾的是,它不显示任何时间戳,也不显示有关设备的任何其他有用的详细信息。所以我希望也应该有办法获取这些信息,只是我看不出该如何把它合并进去。
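Function Get-USBHistory {
    <#
    .SYNOPSIS
        Lists the USB storage devices recorded under the USBSTOR registry key of one or more computers.
    .DESCRIPTION
        Opens HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR through the remote registry service and emits one
        object per device instance that carries a FriendlyName value. The registry values read here do not
        include a connection time; only the device name and the instance id (serial) are returned.
    .PARAMETER ComputerName
        One or more computer names; defaults to the local machine. Accepts pipeline input.
    .PARAMETER Ping
        Send a single ICMP echo first and skip computers that do not answer.
    .OUTPUTS
        PSObject with Computer, USBDevice and Serial properties, one per device instance.
    #>
    [CmdletBinding()]
    Param
    (
        [parameter(ValueFromPipeline=$True,ValueFromPipelinebyPropertyName=$True)]
        [alias("CN","Computer")]
        [String[]]$ComputerName=$Env:COMPUTERNAME,
        [Switch]$Ping
    )
    Begin {
        # Remember the caller's preference so End can restore it
        $TempErrorAction = $ErrorActionPreference
        $ErrorActionPreference = "Stop"
        $Hive = "LocalMachine"
        $Key = "SYSTEM\CurrentControlSet\Enum\USBSTOR"
    }
    Process
    {
        $ComputerCounter = 0
        ForEach($Computer in $ComputerName)
        {
            # Per-computer state. The device list used to live outside this loop, so every
            # computer after the first re-emitted the devices of the earlier ones.
            $USBDevices = @()
            $InstanceKeys = @()
            $USBSTORSubKeys1 = @()
            $Reg = $null
            $USBSTORKey = $null
            $ComputerCounter++
            $Computer = $Computer.Trim().ToUpper()
            Write-Progress -Activity "Collecting USB history" -Status "Retrieving USB history from $Computer" -PercentComplete (($ComputerCounter/($ComputerName.Count)*100))
            If($Ping)
            {
                If(-not (Test-Connection -ComputerName $Computer -Count 1 -Quiet))
                {
                    Write-Warning "Ping failed on $Computer"
                    Continue
                }
            }#end if ping
            # Stop so that a failed connection lands in Catch instead of continuing with $null keys
            $ErrorActionPreference = "Stop"
            Try
            {
                $Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($Hive,$Computer)
                $USBSTORKey = $Reg.OpenSubKey($Key)
                If($USBSTORKey -eq $null)
                {
                    Throw "USBSTOR key not found"
                }
                $USBSTORSubKeys1 = $USBSTORKey.GetSubKeyNames()
            }#end try
            Catch
            {
                Write-Warning "There was an error connecting to the registry on $Computer or USBSTOR key not found. Ensure the remote registry service is running on the remote machine."
                If($Reg -ne $null)
                {
                    $Reg.Close()
                }
                # Skip this computer; the original fell through and called Close() on a null key
                Continue
            }#end catch
            # A single unreadable key should not abort the remaining keys or computers
            $ErrorActionPreference = "Continue"
            # Layout is USBSTOR\<Disk&Ven_...>\<instance id>; FriendlyName lives on the instance key.
            # Build one path per instance directly. The original joined the instance names with
            # spaces and split them again, which kept only the first and last instance of a device.
            ForEach($SubKey1 in $USBSTORSubKeys1)
            {
                $Key2 = "$Key\$SubKey1"
                $RegSubKey2 = $Reg.OpenSubKey($Key2)
                If($RegSubKey2 -eq $null)
                {
                    Continue
                }
                ForEach($InstanceName in $RegSubKey2.GetSubKeyNames())
                {
                    $InstanceKeys += "$Key2\$InstanceName"
                }
                $RegSubKey2.Close()
            }#end foreach SubKey1
            ForEach($InstanceKey in $InstanceKeys)
            {
                $USBKey = $Reg.OpenSubKey($InstanceKey)
                If($USBKey -eq $null)
                {
                    Continue
                }
                $USBDevice = $USBKey.GetValue('FriendlyName')
                If($USBDevice)
                {
                    $USBDevices += New-Object -TypeName PSObject -Property @{
                        USBDevice = $USBDevice
                        Computer = $Computer
                        Serial = $InstanceKey.Split("\")[-1]
                    }
                }
                $USBKey.Close()
            }#end foreach instance
            $USBSTORKey.Close()
            $Reg.Close()
            #Display results (only the objects; the original also leaked an array count into the pipeline)
            $USBDevices | Select Computer,USBDevice,Serial
        }#end foreach computer
    }#end process
    End
    {
        #Set error action preference back to original setting
        $ErrorActionPreference = $TempErrorAction
    }
}#end function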
C# 代码:
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;
using Microsoft.Win32;
using Microsoft.Win32.SafeHandles;
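class Program
{
    /// <summary>
    /// Prints every USBSTOR device instance, ordered by the last write time of its
    /// instance key, which this sample uses as the connect time.
    /// </summary>
    /// <param name="args">Unused.</param>
    static void Main(string[] args)
    {
        // ControlSet001 is what the original sample read; CurrentControlSet is the live
        // control set and is what the PowerShell function on this page queries.
        string usbStor = @"SYSTEM\ControlSet001\Enum\USBSTOR";
        using (var keyUsbStor = Registry.LocalMachine.OpenSubKey(usbStor))
        {
            // OpenSubKey returns null (no exception) when the key is missing or not readable;
            // the original dereferenced it unconditionally.
            if (keyUsbStor == null)
            {
                Console.Error.WriteLine("Cannot open HKLM\\{0}", usbStor);
                return;
            }
            // Read eagerly so each key is closed right after use; the original LINQ query
            // opened class and instance keys lazily and never disposed them.
            var usbDevices = new List<KeyValuePair<DateTime, object>>();
            foreach (string className in keyUsbStor.GetSubKeyNames())
            {
                using (var keyUsbClass = keyUsbStor.OpenSubKey(className))
                {
                    if (keyUsbClass == null)
                    {
                        continue;
                    }
                    foreach (string instanceName in keyUsbClass.GetSubKeyNames())
                    {
                        using (var keyInstance = keyUsbClass.OpenSubKey(instanceName))
                        {
                            if (keyInstance == null)
                            {
                                continue;
                            }
                            var keyUsbInstance = new RegistryKeyEx(keyInstance);
                            usbDevices.Add(new KeyValuePair<DateTime, object>(
                                keyUsbInstance.LastWriteTime,
                                keyUsbInstance.Key.GetValue("FriendlyName")));
                        }
                    }
                }
            }
            foreach (var usbDevice in usbDevices.OrderBy(x => x.Key))
            {
                Console.WriteLine("({0}) -- '{1}'", usbDevice.Key, usbDevice.Value);
            }
        }
    }
}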
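/// <summary>
/// Wraps a RegistryKey object and corresponding last write time.
/// </summary>
/// <remarks>
/// .NET doesn't expose the last write time for a registry key
/// in the RegistryKey class, so P/Invoke (RegQueryInfoKey) is required.
/// The wrapper treats the key as owned and closes it in <see cref="Dispose"/>.
/// </remarks>
public class RegistryKeyEx : IDisposable
{
    #region P/Invoke Declarations
    // Only lpftLastWriteTime is read. Every other parameter is a pointer on the native
    // side, so they are declared IntPtr and passed IntPtr.Zero: an int 0 in a pointer slot
    // is only 32 bits wide and is not guaranteed to be zero-extended on x64.
    [DllImport("advapi32.dll", EntryPoint = "RegQueryInfoKey", CallingConvention = CallingConvention.Winapi, SetLastError = true)]
    extern private static int RegQueryInfoKey(
        SafeRegistryHandle hkey,
        IntPtr lpClass,
        IntPtr lpcbClass,
        IntPtr lpReserved,
        IntPtr lpcSubKeys,
        IntPtr lpcbMaxSubKeyLen,
        IntPtr lpcbMaxClassLen,
        IntPtr lpcValues,
        IntPtr lpcbMaxValueNameLen,
        IntPtr lpcbMaxValueLen,
        IntPtr lpcbSecurityDescriptor,
        out long lpftLastWriteTime);
    #endregion

    #region Public Properties
    /// <summary>
    /// Gets the registry key owned by the info object.
    /// </summary>
    public RegistryKey Key { get; private set; }

    /// <summary>
    /// Gets the last write time (local time) of the wrapped key, or DateTime.MinValue
    /// when RegQueryInfoKey failed.
    /// </summary>
    public DateTime LastWriteTime { get; private set; }
    #endregion

    /// <summary>
    /// Creates and initializes a new RegistryKeyEx object from the provided RegistryKey object.
    /// </summary>
    /// <param name="key">RegistryKey component providing a handle to the key.</param>
    /// <exception cref="ArgumentNullException"><paramref name="key"/> is null.</exception>
    public RegistryKeyEx(RegistryKey key)
    {
        // Debug.Assert alone disappears in release builds, and a null key then surfaced
        // as a NullReferenceException on Key.Handle; fail explicitly instead.
        if (key == null)
        {
            throw new ArgumentNullException("key");
        }
        Key = key;
        SetLastWriteTime();
    }

    /// <summary>
    /// Creates and initializes a new RegistryKeyEx object from a registry key path string.
    /// </summary>
    /// <param name="parent">Parent key for the key being loaded.</param>
    /// <param name="keyName">Path to the registry key, relative to <paramref name="parent"/>.</param>
    /// <exception cref="ArgumentNullException"><paramref name="parent"/> is null.</exception>
    /// <exception cref="ArgumentException"><paramref name="keyName"/> cannot be opened under <paramref name="parent"/>.</exception>
    public RegistryKeyEx(RegistryKey parent, string keyName)
        : this(OpenSubKeyOrThrow(parent, keyName))
    { }

    /// <summary>
    /// Closes the wrapped registry key. Closing an already closed key is a no-op.
    /// </summary>
    public void Dispose()
    {
        if (Key != null)
        {
            Key.Close();
        }
    }

    // RegistryKey.OpenSubKey returns null for a missing or unreadable key; turn that into
    // an exception naming the key instead of letting a null Key fail later.
    private static RegistryKey OpenSubKeyOrThrow(RegistryKey parent, string keyName)
    {
        if (parent == null)
        {
            throw new ArgumentNullException("parent");
        }
        RegistryKey key = parent.OpenSubKey(keyName);
        if (key == null)
        {
            throw new ArgumentException("Registry key '" + keyName + "' could not be opened under '" + parent.Name + "'.", "keyName");
        }
        return key;
    }

    /// <summary>
    /// Queries the currently set registry key through P/Invoke for the last write time.
    /// </summary>
    private void SetLastWriteTime()
    {
        Debug.Assert(Key != null, "RegistryKey component must be initialized");
        // An out parameter lets the marshaler pin the FILETIME; no manual GCHandle needed.
        long lastWriteTime;
        int status = RegQueryInfoKey(
            Key.Handle,
            IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero,
            IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero,
            out lastWriteTime);
        // 0 is ERROR_SUCCESS. FILETIME is UTC; FromFileTime converts to local time as before.
        LastWriteTime = status == 0 ? DateTime.FromFileTime(lastWriteTime) : DateTime.MinValue;
    }
}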
(抱歉,我无法正确突出显示 PSH 代码。)
我如何使用它来改进脚本?
更新时间:2017-11-06
按照 @iRon 的建议,我尝试使用 RegEdit 直接访问注册表路径 HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\<drive>\Properties,但随后出现权限错误,这很奇怪,因为我的用户帐户是 Admin。(这是在 Win8.1 上。)
我发现的其他一些选项是:
...\Windows\inf\setupapi.dev.log 可以获取第一次连接的日期,但如何获取最后一次连接的时间就更不清楚了。(应该是通过对比 \NTUSER\<username>\Software\Microsoft\Windows\Explorer\MountPoints2 中的数据,但是我没有找到。)一种可能有用的 PS 单行代码是:
Get-WinEvent -LogName Microsoft-Windows-DriverFrameworks-UserMode/Operational | where {$_.Id -eq "2003" -or $_.Id -eq "2102"} | Format-Table –Property TimeCreated, Id, Message -AutoSize -Wrap
这给出了事件 ID 2003 和 2102 的时间戳以及消息内容,可以进一步解析。
TimeCreated Id Message
----------- -- -------
2017-11-09 13:37:04 2102 Forwarded a finished Pnp or Power operation (27, 2) to the lower driver for device
SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DATATRAVELER_G2&REV_PMAP#YYYYY&0#{XXXXX} with status 0x0.
2017-11-09 13:37:04 2102 Forwarded a finished Pnp or Power operation (27, 23) to the lower driver for device
SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DATATRAVELER_G2&REV_PMAP#YYYYY&0#{XXXXX} with status 0x0.
2017-11-09 13:34:38 2003 The UMDF Host Process ({XXXXX}) has been asked to load drivers for device
SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DATATRAVELER_G2&REV_PMAP#YYYYY&0#{XXXXX}.
2017-11-06 15:18:41 2102 Forwarded a finished Pnp or Power operation (27, 2) to the lower driver for device SWD\WPDBUSENUM\{XXXXX}#0000000000007E00 with status 0x0.
2017-11-06 15:18:41 2102 Forwarded a finished Pnp or Power operation (27, 23) to the lower driver for device SWD\WPDBUSENUM\{XXXXX}#0000000000007E00 with status 0x0.
2017-11-06 15:18:13 2003 The UMDF Host Process ({XXXXX}) has been asked to load drivers for device SWD\WPDBUSENUM\{XXXXX}#0000000000007E00.
最佳答案
这还不完整,但应该足以让你入门了吧?
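$code = @"
using System;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;
using Microsoft.Win32;
using Microsoft.Win32.SafeHandles;
/// <summary>
/// Wraps a RegistryKey object and corresponding last write time.
/// </summary>
/// <remarks>
/// .NET doesn't expose the last write time for a registry key
/// in the RegistryKey class, so P/Invoke (RegQueryInfoKey) is required.
/// The wrapper treats the key as owned and closes it in Dispose().
/// </remarks>
public class RegistryKeyEx : IDisposable
{
    #region P/Invoke Declarations
    // Only lpftLastWriteTime is read. Every other parameter is a pointer on the native
    // side, so they are declared IntPtr and passed IntPtr.Zero: an int 0 in a pointer slot
    // is only 32 bits wide and is not guaranteed to be zero-extended on x64.
    [DllImport("advapi32.dll", EntryPoint = "RegQueryInfoKey", CallingConvention = CallingConvention.Winapi, SetLastError = true)]
    extern private static int RegQueryInfoKey(
        SafeRegistryHandle hkey,
        IntPtr lpClass,
        IntPtr lpcbClass,
        IntPtr lpReserved,
        IntPtr lpcSubKeys,
        IntPtr lpcbMaxSubKeyLen,
        IntPtr lpcbMaxClassLen,
        IntPtr lpcValues,
        IntPtr lpcbMaxValueNameLen,
        IntPtr lpcbMaxValueLen,
        IntPtr lpcbSecurityDescriptor,
        out long lpftLastWriteTime);
    #endregion

    #region Public Properties
    /// <summary>
    /// Gets the registry key owned by the info object.
    /// </summary>
    public RegistryKey Key { get; private set; }

    /// <summary>
    /// Gets the last write time (local time) of the wrapped key, or DateTime.MinValue
    /// when RegQueryInfoKey failed.
    /// </summary>
    public DateTime LastWriteTime { get; private set; }
    #endregion

    /// <summary>
    /// Creates and initializes a new RegistryKeyEx object from the provided RegistryKey object.
    /// </summary>
    /// <param name="key">RegistryKey component providing a handle to the key.</param>
    public RegistryKeyEx(RegistryKey key)
    {
        // Debug.Assert alone disappears in release builds; fail explicitly on a null key.
        if (key == null)
        {
            throw new ArgumentNullException("key");
        }
        Key = key;
        SetLastWriteTime();
    }

    /// <summary>
    /// Creates and initializes a new RegistryKeyEx object from a registry key path string.
    /// </summary>
    /// <param name="parent">Parent key for the key being loaded.</param>
    /// <param name="keyName">Path to the registry key, relative to parent.</param>
    public RegistryKeyEx(RegistryKey parent, string keyName)
        : this(OpenSubKeyOrThrow(parent, keyName))
    { }

    /// <summary>
    /// Closes the wrapped registry key. Closing an already closed key is a no-op.
    /// </summary>
    public void Dispose()
    {
        if (Key != null)
        {
            Key.Close();
        }
    }

    // RegistryKey.OpenSubKey returns null for a missing or unreadable key; turn that into
    // an exception naming the key instead of letting a null Key fail later.
    private static RegistryKey OpenSubKeyOrThrow(RegistryKey parent, string keyName)
    {
        if (parent == null)
        {
            throw new ArgumentNullException("parent");
        }
        RegistryKey key = parent.OpenSubKey(keyName);
        if (key == null)
        {
            throw new ArgumentException("Registry key '" + keyName + "' could not be opened under '" + parent.Name + "'.", "keyName");
        }
        return key;
    }

    /// <summary>
    /// Queries the currently set registry key through P/Invoke for the last write time.
    /// </summary>
    private void SetLastWriteTime()
    {
        Debug.Assert(Key != null, "RegistryKey component must be initialized");
        // An out parameter lets the marshaler pin the FILETIME; no manual GCHandle needed.
        long lastWriteTime;
        int status = RegQueryInfoKey(
            Key.Handle,
            IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero,
            IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero,
            out lastWriteTime);
        // 0 is ERROR_SUCCESS. FILETIME is UTC; FromFileTime converts to local time as before.
        LastWriteTime = status == 0 ? DateTime.FromFileTime(lastWriteTime) : DateTime.MinValue;
    }
}
"@
# Add-Type fails when the type already exists in the session (e.g. on a second run),
# so only compile once. Add-Type returns nothing without -PassThru, so nothing to assign.
if (-not ('RegistryKeyEx' -as [type])) {
    Add-Type -TypeDefinition $code -Language CSharp
}
# Layout is USBSTOR\<Disk&Ven_...&Prod_...>\<instance id>. Get-Item with the wildcard already
# returns the <Disk&Ven_...> keys, so their direct subkeys are the instances that carry
# FriendlyName. The original looped one level too deep and also opened $class instead of
# $classname, which is why it reported "Class is null" for most devices.
$devices = Get-Item HKLM:\SYSTEM\ControlSet001\Enum\USBSTOR\*
$result = foreach($device in $devices) {
    Write-Verbose -Verbose "New device: $($device.PSPath)"
    foreach($instancename in $device.GetSubKeyNames()) {
        $instance = $device.OpenSubKey($instancename)
        if($instance -eq $null) {
            Write-Verbose -Verbose "Instance is null: $instancename"
            continue
        }
        try {
            Write-Verbose -Verbose "RegistryKeyEx"
            $keyEx = New-Object RegistryKeyEx $instance
            [pscustomobject]@{
                FriendlyName  = $instance.GetValue('FriendlyName')
                DevicePath    = $device.PSPath
                InstanceId    = $instancename
                LastWriteTime = $keyEx.LastWriteTime
            }
        }
        finally {
            # Close each instance key as soon as it has been read
            $instance.Close()
        }
    }
    $device.Close()
}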
编辑:(通过 not2qubit)
此脚本内联了 C# 代码。当前版本给出以下输出:
VERBOSE: New device: Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_G2&Rev_PMAP
VERBOSE: GetClass
VERBOSE: GetInstance
VERBOSE: RegistryKeyEx
VERBOSE: New device: Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_WD&Prod_My_Passport_0730&Rev_1015
VERBOSE: GetClass
VERBOSE: Class is null
VERBOSE: New device: Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Other&Ven_WD&Prod_SES_Device&Rev_1015
VERBOSE: GetClass
VERBOSE: GetInstance
VERBOSE: RegistryKeyEx
因此缺少时间戳...
编辑:
除非您查看 $result 变量。
PS C:\> $result
FriendlyName DevicePath LastWriteTime
------------ ---------- -------------
Corsair Survivor 3.0 USB Device Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Corsair&Prod_Survivor_3.0&Rev_1.00 2017-11-05 21:08:25
PS C:\> get-date
November 11, 2017 17:02:09
这给出的正是您引用的 C# 代码示例的作者所得到的内容。我不能说这些信息是否足够准确以满足您的需求。
关于c# - 如何获取之前连接的 USB 设备的时间戳?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/44251091/