powershell - 如何通过 WMI 读取应用程序和服务日志？

Question

我可以在 powershell 中通过 WMI 获取所有事件日志消息，例如

Get-WmiObject -query "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security'"

枚举我使用的所有事件日志

Get-WmiObject win32_nteventlogfile
FileSize LogfileName            Name                                                        NumberOfRecords
-------- -----------            ----                                                        ---------------
26218496 Application            C:\WINDOWS\System32\Winevt\Logs\Application.evtx                      75510
   69632 HardwareEvents         C:\WINDOWS\System32\Winevt\Logs\HardwareEvents.evtx                       0
   69632 Internet Explorer      C:\WINDOWS\System32\Winevt\Logs\Internet Explorer.evtx                    0
   69632 Key Management Service C:\WINDOWS\System32\Winevt\Logs\Key Management Service.evtx               0
   69632 OAlerts                C:\WINDOWS\System32\Winevt\Logs\OAlerts.evtx                             39
   69632 Parameters             C:\WINDOWS\System32\Winevt\Logs\Parameters.evtx                           0
12652544 Security               C:\WINDOWS\System32\Winevt\Logs\Security.evtx                         18840
   69632 State                  C:\WINDOWS\System32\Winevt\Logs\State.evtx                                0
 8458240 System                 C:\WINDOWS\System32\Winevt\Logs\System.evtx                           15108
   69632 Windows Azure          C:\WINDOWS\System32\Winevt\Logs\Windows Azure.evtx                        0
 2166784 Windows PowerShell     C:\WINDOWS\System32\Winevt\Logs\Windows PowerShell.evtx                1656

到目前为止，还没有找到一种方法来解析显示在应用程序和服务日志下的所有其他日志

使用 Powershell 我可以通过

获取日志文件

Get-WinEvent -ListLog *

LogMode   MaximumSizeInBytes RecordCount LogName
-------   ------------------ ----------- -------
Circular            15728640        1656 Windows PowerShell
Circular             1052672           0 Windows Azure
Circular            20971520       15123 System
Circular            20971520       19404 Security
Circular             1052672          39 OAlerts
Circular            20971520           0 Key Management Service
Circular             1052672           0 Internet Explorer
Circular            20971520           0 HardwareEvents
Circular            26214400       75525 Application
Circular             1052672           0 WitnessClientAdmin
Circular             1052672             Windows Networking Vpn Plugin Platform/OperationalVerbose
Circular             1052672             Windows Networking Vpn Plugin Platform/Operational
Circular             1052672           0 SMSApi
Circular             1052672          66 Setup
Circular             1052672           0 OpenSSH/Operational
Circular             1052672           0 OpenSSH/Admin
Circular             1052672             Network Isolation Operational
Circular             1052672           0 Microsoft-WS-Licensing/Admin
Circular             1052672           0 Microsoft-WindowsPhone-Connectivity-WiFiConnSvc-Channel
Circular             1052672           0 Microsoft-Windows-WWAN-SVC-Events/Operational

但是当我尝试读取其他日志文件时，却一无所获。当我尝试阅读时Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant 文件我什么也没得到:

Get-WmiObject -query "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant'"

日志文件有不​​同的名字

 Directory of C:\Windows\System32\winevt\Logs

12/26/2019  07:55 PM            69,632 Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx

在事件查看器中名称显示为

我需要输入 WMI 查询以读取事件的正确日志文件名是什么？

Answer 1

我想迟到总比不到好。

在注册表中创建以下键值:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Program-Compatibility-Assistant/Analytic

不需要值，只需键。然后您应该能够像这样运行查询

select * from Win32_NTLogEvent where logfile = 'Microsoft-Windows-Program-Compatibility-Assistant/Analytic'