Get Windows event provider information


Question

I would like to retrieve information about event providers using Windows PowerShell. I'm running Windows 8.1 with PowerShell version 4.0, and I noticed that there are some .NET classes in the System.Diagnostics.Eventing namespace that offer some functionality around Windows eventing.

I can create an EventProvider instance by calling its default constructor, however this does not allow me to get any information about the event providers installed on the system.

$EventProvider = New-Object -TypeName System.Diagnostics.Eventing.EventProvider -ArgumentList ([System.Guid]'{00000000-0000-0000-0000-000000000000}');

How can I get more information about Event Tracing for Windows (ETW) providers that are installed on a system, and interact with Windows event logs, using Windows PowerShell?

I am already aware that I can use the command logman.exe query providers, as described here, to retrieve the ETW provider list, and query the Windows event logs, but this is not very PowerShell friendly.

Answer

There is another .NET namespace called System.Diagnostics.Eventing.Reader, which contains a lot more .NET classes that allow you to retrieve information about Event Tracing for Windows (ETW) providers and event logs that are registered with a Windows operating system. Most of these types are defined in the System.Core.dll .NET Assembly in the .NET Global Assembly Cache (GAC).

For example, you can perform the following actions (and more):

  • Find out the names of the ETW providers installed on a computer
  • Discover the complete list of ETW log names present on a computer
  • Enumerate the metadata associated with an ETW provider
  • Export event log data

One of the core functions with ETW is getting a list of ETW providers that are installed on a given system. You can easily retrieve this information with the .NET Framework types in the System.Diagnostics.Eventing.Reader namespace. There just so happens to be a .NET class named EventLogSession, and on this class is a static property named GlobalSession, which automatically retrieves a session/connection to the Event Log service on the local computer. If necessary, you can alternatively connect to a remote computer by using one of the constructors on the EventLogSession class.

Once you have retrieved an instance of the EventLogSession class, you can call the GetProviderNames() method to retrieve a collection of String objects that represent the names of the installed ETW providers on the computer.

Here is an example of retrieving the provider names from the local computer:

$EventSession = [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession;
$EventProviderNames = $EventSession.GetProviderNames();
$EventProviderNames;

You can use a different constructor of the EventLogSession class to specify alternate credentials to the remote computer. The alternate constructor for the EventLogSession class requires the following parameters:

  • Computer name
  • Domain name
  • User name
  • Password (as a SecureString)
  • System.Diagnostics.Eventing.Reader.SessionAuthentication type

Here is an example of how to achieve that:

$ComputerName = 'server01.contoso.com';
$Credential   = Get-Credential;
$ArgumentList = $ComputerName, $Credential.UserName.Split('\')[0], $Credential.UserName.Split('\')[1], $Credential.Password, [System.Diagnostics.Eventing.Reader.SessionAuthentication]::Default;
$EventSession = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogSession -ArgumentList $ArgumentList;

ETW Log Names

Once you have discovered all of the ETW providers installed on a computer, you may also wish to explore a complete list of the ETW logs that are available on a computer. The EventLogSession class also has a method called GetLogNames(), which returns a collection of String objects that represent the ETW logs available on a target system. Similar to the GetProviderNames() method, you can call GetLogNames() on a local or remote computer.

Here is an example of retrieving the ETW log names from the local computer:

$EventSession = [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession;
$EventLogNames = $EventSession.GetLogNames();
$EventLogNames;

Here is an example of retrieving the ETW log names from a remote computer:

$EventSession = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogSession -ArgumentList 'server01.contoso.com';
$EventLogNames = $EventSession.GetLogNames();
$EventLogNames;

ETW Provider Metadata

In addition to retrieving ETW provider names, you might also wish to retrieve more detailed information about them. You can do this using the ProviderMetadata class in the System.Diagnostics.Eventing.Reader .NET class. Information provided by the ProviderMetadata class includes:

  • The provider's display name
  • Help link (URL)
  • The provider's keywords
  • ETW provider ID (GUID)
  • Message file path
  • Resource file path
  • Parameter file path
  • Tasks offered by the provider
  • Event metadata for each event declared by the provider

Similar to the ETW provider and ETW log names, you can retrieve provider metadata from the local or remote system. In the latter case, you must establish an EventLogSession instance before you attempt to instantiate the ProviderMetadata class.

Here is an example of retrieving ETW provider metadata from the local system:

# Get the EventLogSession object
$EventSession = [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession;
# Get the ETW provider names
$EventProviderNames = $EventSession.GetProviderNames();

# Create an empty array to hold the ProviderMetadata instances
$ProviderMetadataList = @();
# For each ETW provider name ...
foreach ($EventProvider in $EventProviderNames) {
    # Add each ProviderMetadata instance to the array
    $ProviderMetadataList += New-Object -TypeName System.Diagnostics.Eventing.Reader.ProviderMetadata -ArgumentList $EventProvider;
}

# Explore the 16th item from the ProviderMetadata array
$ProviderMetadataList[15];

To retrieve ETW provider metadata from a remote system, build your EventLogSession object before instantiating the ProviderMetadata class, and when you do instantiate ProviderMetadata, make sure you pass in the following parameters to the constructor:

  • ETW provider name
  • EventLogSession instance
  • A CultureInfo object

...

$ComputerName = 'server01.contoso.com';
$Credential   = Get-Credential;
$SessionArgumentList = $ComputerName, $Credential.UserName.Split('\')[0], $Credential.UserName.Split('\')[1], $Credential.Password, [System.Diagnostics.Eventing.Reader.SessionAuthentication]::Kerberos;
$EventSession = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogSession -ArgumentList $SessionArgumentList;
$EventProviderNames = $EventSession.GetProviderNames();

# Create an empty array to hold the ProviderMetadata instances
$ProviderMetadataList = @();
foreach ($EventProvider in $EventProviderNames) {
    # Build the Arguments for the ProviderMetadata constructor
    $ProviderMetadataArgumentList = $EventProvider, $EventSession, [CultureInfo]::CurrentCulture;
    # Add each ProviderMetadata instance to the array
    $ProviderMetadataList += New-Object -TypeName System.Diagnostics.Eventing.Reader.ProviderMetadata -ArgumentList $ProviderMetadataArgumentList;
}

# Explore the 111th item from the array
$ProviderMetadataList[110];

Note: You might get some exceptions when you instantiate ProviderMetadata objects through authenticated connections:

New-Object : Exception calling ".ctor" with "3" argument(s): "Attempted to perform an unauthorized operation."
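The two ProviderMetadata loops above abort on the first provider that throws, which is exactly what the exception in the note does. The following is an added example, not code from the answer, that builds a provider inventory while tolerating per-provider failures and records which providers could not be opened; the function name Get-EtwProviderInventory, the parameter names and the Security-log filter in the usage lines are choices made for this example, and the session parameter accepts either GlobalSession or an EventLogSession built with one of the constructors shown earlier.

```powershell
# Added example (not part of the original answer): inventory ETW provider metadata and
# keep going when an individual provider cannot be opened (access denied over an
# authenticated session, missing resource DLL, broken manifest). Names are ours.
function Get-EtwProviderInventory {
    param(
        [System.Diagnostics.Eventing.Reader.EventLogSession]$Session =
            [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession,
        [System.Globalization.CultureInfo]$Culture =
            [System.Globalization.CultureInfo]::CurrentCulture
    )

    foreach ($Name in $Session.GetProviderNames()) {
        try {
            $Metadata = New-Object -TypeName System.Diagnostics.Eventing.Reader.ProviderMetadata `
                -ArgumentList $Name, $Session, $Culture
        }
        catch {
            # New-Object wraps the real exception; report the innermost message and move on.
            [pscustomobject]@{
                Name        = $Name
                Id          = $null
                DisplayName = $null
                LogLinks    = $null
                EventCount  = $null
                Error       = $_.Exception.GetBaseException().Message
            }
            continue
        }

        try {
            # Events is evaluated lazily and can itself throw for a damaged manifest.
            $EventCount = @($Metadata.Events).Count
        }
        catch {
            $EventCount = $null
        }

        [pscustomobject]@{
            Name        = $Name
            Id          = $Metadata.Id
            DisplayName = $Metadata.DisplayName
            # Each EventLogLink names a log the provider writes to.
            LogLinks    = (@($Metadata.LogLinks) | ForEach-Object { $_.LogName }) -join ', '
            EventCount  = $EventCount
            Error       = $null
        }

        $Metadata.Dispose()
    }
}

# Usage: list the providers that feed the Security log, then the ones that failed to load.
$Inventory = Get-EtwProviderInventory
$Inventory | Where-Object { $_.LogLinks -match '(^|, )Security($|,)' } |
    Format-Table Name, Id, EventCount -AutoSize
$Inventory | Where-Object { $_.Error } | Format-Table Name, Error -Wrap
```

The error column is the useful part for a remote session: a long list of "unauthorized operation" failures on otherwise healthy providers usually points at the account's rights on the target rather than at the providers themselves.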

Reading ETW Event Logs

Since you mentioned that you wanted to read events from ETW event logs also, this is easy to do with the types in the System.Diagnostics.Eventing.Reader .NET namespace as well. The EventLogReader class contains a method called ReadEvent() which continually reads the next events from the event log specified when the EventLogReader was instantiated.

Here is a simple example of reading events from the System event log:

# Instantiate the EventLogReader .NET class
$EventLogReader = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogReader -ArgumentList 'System';
# Read the first 5 events from the event log
1..5 | % { $EventLogReader.ReadEvent(); };
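Reading the first five records from the oldest end of a log is rarely what an investigator wants. As an added example, not part of the original answer, the function below uses EventLogQuery with an XPath filter and ReverseDirection so the reader returns only matching events, newest first, and it handles the two failure modes of ReadEvent(): it returns $null when the log is exhausted, and FormatDescription() can throw when the provider's message resources are not installed. The function name Get-RecentEvents, its defaults and the sample filters are choices made for this example.

```powershell
# Added example (not part of the original answer): filtered, newest-first reading of an
# event log with EventLogQuery + EventLogReader. Names and defaults are ours.
function Get-RecentEvents {
    param(
        [string]$LogName = 'System',
        # XPath over the event XML. Level 1-3 = Critical, Error, Warning.
        [string]$XPath = '*[System[Level<=3]]',
        [int]$Count = 20
    )

    $Query = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogQuery `
        -ArgumentList $LogName, ([System.Diagnostics.Eventing.Reader.PathType]::LogName), $XPath
    $Query.ReverseDirection = $true   # newest events first

    $Reader = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogReader -ArgumentList $Query
    try {
        for ($i = 0; $i -lt $Count; $i++) {
            $Record = $Reader.ReadEvent()
            if ($null -eq $Record) { break }   # $null means no more matching events
            try {
                # FormatDescription() needs the provider's message file; fall back to raw XML.
                try   { $Message = $Record.FormatDescription() }
                catch { $Message = $Record.ToXml() }

                [pscustomobject]@{
                    TimeCreated = $Record.TimeCreated
                    Provider    = $Record.ProviderName
                    Id          = $Record.Id
                    Level       = $Record.Level
                    Message     = $Message
                }
            }
            finally { $Record.Dispose() }
        }
    }
    finally { $Reader.Dispose() }
}

# Usage: newest warnings and errors from System, then the newest 10 events from one provider.
Get-RecentEvents | Format-Table TimeCreated, Provider, Id, Level -AutoSize
Get-RecentEvents -LogName 'Security' -Count 10 `
    -XPath '*[System[Provider[@Name="Microsoft-Windows-Security-Auditing"] and EventID=4624]]' |
    Select-Object TimeCreated, Id, Message
```

The XPath dialect is the one used by Event Viewer's XML filter tab and by Get-WinEvent -FilterXPath, so a filter built in the GUI can be pasted straight into the query string. Reading the Security log requires the account to hold the Event Log Readers membership or equivalent rights.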

ETW Event Log Configuration

Similar to the provider metadata retrieved earlier, you can retrieve information about the configuration of a particular ETW event log. To do this, you instantiate the EventLogConfiguration class, passing in the name of an ETW event log. A variety of information about the event log will be returned, including:

  • Log name
  • Maximum size (in bytes)
  • Provider names
  • Log type
  • Security descriptor
  • Buffer size
  • Whether the log is enabled

Here is an example of how to retrieve this information:

$EventSession = [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession;
$EventLogNames = $EventSession.GetLogNames();

$EventLogConfigurationList = @();
foreach ($EventLogName in $EventLogNames) {
    $EventLogConfigurationList += New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogConfiguration -ArgumentList $EventLogName;
}
$EventLogConfigurationList[5];
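The configuration properties above are what a defender checks when verifying that logs of interest will actually retain evidence. The following is an added example, not code from the answer, that reads EventLogConfiguration for a chosen set of logs and flags the settings that silently lose data: a disabled log, a maximum size below a threshold, and the Retain log mode, in which new events are discarded once the log is full. The function name Test-EventLogRetention, the default log list and the 256 MB threshold are choices made for this example.

```powershell
# Added example (not part of the original answer): audit retention-related settings of
# selected event logs via EventLogConfiguration. Log list and threshold are ours.
function Test-EventLogRetention {
    param(
        [string[]]$LogName = @('Security', 'System', 'Application',
                               'Microsoft-Windows-PowerShell/Operational'),
        [long]$MinimumBytes = 256MB
    )

    foreach ($Name in $LogName) {
        try {
            $Config = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogConfiguration `
                -ArgumentList $Name
        }
        catch {
            # A log that does not exist on this host is itself worth reporting.
            [pscustomobject]@{ LogName = $Name; Enabled = $null; MaxSizeMB = $null
                               LogMode = $null; LogFilePath = $null
                               Findings = $_.Exception.GetBaseException().Message }
            continue
        }

        try {
            $Findings = @()
            if (-not $Config.IsEnabled) { $Findings += 'log is disabled' }
            if ($Config.MaximumSizeInBytes -lt $MinimumBytes) {
                $Findings += ('max size {0:N0} bytes is below {1:N0}' -f
                              $Config.MaximumSizeInBytes, $MinimumBytes)
            }
            # EventLogMode.Retain: the log stops accepting events when full instead of wrapping.
            if ($Config.LogMode -eq [System.Diagnostics.Eventing.Reader.EventLogMode]::Retain) {
                $Findings += 'Retain mode drops new events when the log is full'
            }

            [pscustomobject]@{
                LogName     = $Name
                Enabled     = $Config.IsEnabled
                MaxSizeMB   = [math]::Round($Config.MaximumSizeInBytes / 1MB, 1)
                LogMode     = $Config.LogMode
                LogFilePath = $Config.LogFilePath
                Findings    = ($Findings -join '; ')
            }
        }
        finally { $Config.Dispose() }
    }
}

# Usage: print the report, findings column last so it is easy to scan.
Test-EventLogRetention | Format-Table -AutoSize -Wrap
```

EventLogConfiguration is also the class used to change these settings: assigning IsEnabled or MaximumSizeInBytes and calling SaveChanges() writes them back, which requires administrative rights and is deliberately left out of the read-only audit above. The SecurityDescriptor property returns the log's SDDL string, which is what to inspect when a service account needs read access without broad privileges.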
