WMI query to read 'Microsoft-Windows-AppLocker/EXE and DLL' C#


Problem description

I have created an agent to read Windows events using WMI. I have been using the agent for the last 3 years to collect events. It is used in a SIEM product. The query looks like

SELECT * FROM Win32_NTLogEvent where LogFile = 'System' or logFile='Active Directory Web Services'

I am able to get the events properly. But now I want to read AppLocker events from 'Microsoft-Windows-AppLocker/EXE and DLL' (Application and Services Logs -> Microsoft -> Windows -> AppLocker -> EXE and DLL).

I tried the query below, but it returns zero records even though I have 40+ records in that log. I can see the records in Event Viewer.

SELECT * FROM Win32_NTLogEvent where LogFile = 'Microsoft-Windows-AppLocker/EXE and DLL'

I have also tried with "wbemtest", but I get no records and no error.

I am not sure if this can be achieved any other way using WMI. I know PowerShell has a cmdlet through which I am able to read 'Microsoft-Windows-AppLocker/EXE and DLL' events, but I want to read them using WMI.

Any pointers will be highly appreciated.

Thanks to everyone who reads this.

Recommended answer

It seems that the WMI query parses the registry location HKLM\SYSTEM\CurrentControlSet\Services\EventLog for the available event logs (see MSDN Forum post). Compare the list you find there with the result of the query Select * FROM Win32_NTEventLogFile.

To add a log file for WMI operations, add a new key under the above registry location with the name of the log ('Microsoft-Windows-AppLocker/EXE and DLL' in your case). Your WMI query should then return that log.
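The comparison the answer suggests, written out as an added C# example that is not part of the original question or answer: it lists the logs WMI reports through Win32_NTEventLogFile, lists the subkeys under HKLM\SYSTEM\CurrentControlSet\Services\EventLog, reports whether the AppLocker log is registered there, and only then runs the question's Win32_NTLogEvent query. It assumes a Windows host, elevated rights (the registry key and some logs are not readable otherwise), and a reference to the System.Management assembly (the System.Management NuGet package on .NET Core / .NET 5+). The log name and registry path are the ones named in this thread; everything else is an assumption of this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Management;   // System.Management assembly / NuGet package (assumed available)
using Microsoft.Win32;

class AppLockerWmiCheck
{
    // Log name from the question; the registry path is the one the answer names.
    const string LogName = "Microsoft-Windows-AppLocker/EXE and DLL";
    const string EventLogRegPath = @"SYSTEM\CurrentControlSet\Services\EventLog";

    // Logs that WMI itself knows about (the answer's "Select * FROM Win32_NTEventLogFile").
    static List<string> WmiLogNames()
    {
        var names = new List<string>();
        using (var searcher = new ManagementObjectSearcher("SELECT LogfileName FROM Win32_NTEventLogFile"))
        using (var results = searcher.Get())
        {
            foreach (ManagementObject log in results)
                names.Add((string)log["LogfileName"]);
        }
        return names;
    }

    // Subkeys under HKLM\SYSTEM\CurrentControlSet\Services\EventLog; each subkey is one classic log.
    static List<string> RegistryLogNames()
    {
        using (var key = Registry.LocalMachine.OpenSubKey(EventLogRegPath))
        {
            return key == null ? new List<string>() : key.GetSubKeyNames().ToList();
        }
    }

    // Runs the question's query against the AppLocker log and returns the number of events seen.
    static int PrintAppLockerEvents()
    {
        string wql = "SELECT EventCode, TimeGenerated, Message FROM Win32_NTLogEvent WHERE Logfile = '" + LogName + "'";
        int count = 0;
        using (var searcher = new ManagementObjectSearcher(wql))
        using (var results = searcher.Get())
        {
            foreach (ManagementObject ev in results)
            {
                count++;
                // TimeGenerated is a DMTF datetime string; convert it before printing.
                DateTime when = ManagementDateTimeConverter.ToDateTime((string)ev["TimeGenerated"]);
                Console.WriteLine("{0:u}  event {1}: {2}", when, ev["EventCode"], ev["Message"]);
            }
        }
        return count;
    }

    static void Main()
    {
        var fromWmi = WmiLogNames();
        var fromRegistry = RegistryLogNames();

        Console.WriteLine("Logs reported by Win32_NTEventLogFile:");
        foreach (var n in fromWmi) Console.WriteLine("  " + n);

        Console.WriteLine("Subkeys under HKLM\\" + EventLogRegPath + ":");
        foreach (var n in fromRegistry) Console.WriteLine("  " + n);

        bool registered = fromRegistry.Contains(LogName, StringComparer.OrdinalIgnoreCase);
        if (!registered)
        {
            // This is the situation in the question: the log exists in Event Viewer but has no
            // subkey here, so Win32_NTLogEvent returns nothing for it and reports no error.
            Console.WriteLine("'" + LogName + "' has no subkey under the EventLog registry location.");
            return;
        }

        Console.WriteLine("'" + LogName + "' is registered; querying Win32_NTLogEvent.");
        Console.WriteLine(PrintAppLockerEvents() + " event(s) returned.");
    }
}
```

Run it once before changing anything: if the AppLocker log is absent from both lists while it shows up in Event Viewer, that matches the answer's explanation of the empty result. The example deliberately only reads; registering the log by creating the key is the manual step the answer describes, and it belongs in change control rather than in a diagnostic tool.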

