VBscript to get the properties of event from event

2019-08-04 09:32发布

问题:

I want to know if it is possible to get the machine's IP address, the logged-on user and the hostname from event ID 4624 using VBScript.

I want a VBScript which extracts this information:

回答1:

It's possible. You need to query events with the ID 4624 from the eventlog and then parse name, IP address and port out of the message string, e.g. with a regular expression:

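' Print workstation name, source address and source port of every 4624
' (successful logon) event in the local Security log.
' The values are parsed out of the localized Message text, so the pattern
' below only matches the English event template; on other locales the same
' data can be taken from the event's InsertionStrings instead.
' The "(Security)" token enables the privilege needed to read the Security log.
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")

Set re = New RegExp
re.Pattern = "Network Information:\s+" & _
             "Workstation Name:\s*(.*?)\s+" & _
             "Source Network Address:\s*(.*?)\s+" & _
             "Source Port:\s*(\d+)"

' Restrict to the Security log so an unrelated log that reuses code 4624 is not picked up.
qry = "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND EventCode = 4624"
For Each evt In wmi.ExecQuery(qry)
  ' Reset per event: otherwise a message the pattern does not match would
  ' echo the values left over from the previous event.
  hostname = ""
  address  = ""
  port     = ""
  matched  = False
  ' Message can be Null when the event's message template is not installed.
  If Not IsNull(evt.Message) Then
    Set matches = re.Execute(evt.Message)
    If matches.Count > 0 Then
      hostname = matches(0).SubMatches(0)
      address  = matches(0).SubMatches(1)
      port     = matches(0).SubMatches(2)
      matched  = True
    End If
  End If
  If matched Then
    WScript.Echo hostname & " [" & address & ":" & port & "]"
  End If
Next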


回答2:

Basically it sounds like you're looking for this article. In it, the author outlines a very thorough approach but the key bit is:

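' Entry point of the article's script: collect the events of interest from the
' local Security log written during the last two hours. The helpers it uses
' (wshNetwork, QueryEventLog) are defined elsewhere in the full script.
Function ProcessScript
   Dim hostName, logName, startDateTime
   Dim events, eventNumbers
   hostName      = wshNetwork.ComputerName
   logName       = "Security"
   ' Array of event IDs given as strings; add one entry per ID to search for
   ' (e.g. "4624" for the logon events asked about above).
   eventNumbers  = Array("672")
   ' Only events written in the last 120 minutes are returned.
   startDateTime = DateAdd("n", -120, Now)
   '-------------------------------------------------------------------------------------------------------------------------
   'Query the event log for the eventID's within the specified event log name and date range.
   'QueryEventLog returns False (after reporting the cause through LogError) when the query could not be completed.
   '-------------------------------------------------------------------------------------------------------------------------
   If Not QueryEventLog(events, hostName, logName, eventNumbers, startDateTime) Then
      Exit Function
   End If

End Function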

This function calls into QueryEventLog, which does the heavy lifting:

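'-------------------------------------------------------------------------------------------------------------------------
'Query the "logName" event log on "hostName" for the given event IDs written at or after "startDateTime".
'  results       - (out) array of strings, one per distinct event, in the form
'                  date,time,source,type,category,eventID,user,computer,description
'  hostName      - computer whose log is read (placed in the WMI moniker)
'  logName       - event log name, e.g. "Security"
'  eventNumbers  - a single event ID (string) or an array of them
'  startDateTime - VBScript date; events older than this are not returned
'Returns True on success. On any failure the cause is passed to LogError, False is returned and
'"results" is left untouched.
'NOTE(review): logName and eventNumbers are spliced into the WQL text through SQ(); WQL has no
'parameter binding, so SQ() must escape embedded single quotes - verify this against its definition.
'-------------------------------------------------------------------------------------------------------------------------
Function QueryEventLog(results, hostName, logName, eventNumbers, startDateTime)
   Dim wmiDateTime, wmi, query, eventItems, eventItem
   Dim timeWritten, eventDate, eventTime, description
   Dim eventsDict, eventInfo, errorCount, i
   QueryEventLog = False
   errorCount    = 0
   If Not IsArray(eventNumbers) Then
      eventNumbers = Array(eventNumbers)
   End If
   '-------------------------------------------------------------------------------------------------------------------------
   'Construct part of the WMI Query to account for searching multiple eventID's.
   'Every ID is followed by " Or EventCode = "; the dangling tail is cut off below once the date filter is appended.
   '-------------------------------------------------------------------------------------------------------------------------
   query = "Select * from Win32_NTLogEvent Where Logfile = " & SQ(logName) & " And (EventCode = "
   For i = 0 To UBound(eventNumbers)
      query = query & SQ(eventNumbers(i)) & " Or EventCode = "
   Next
   On Error Resume Next
      Set eventsDict = NewDictionary
      If Err.Number <> 0 Then
         LogError "Creating Dictionary Object"
         Exit Function
      End If
      '----------------------------------------------------------------------------------------------------------------------
      '"(Security)" enables the privilege required to read the Security log; without it the query returns nothing useful.
      '----------------------------------------------------------------------------------------------------------------------
      Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & hostName & "\root\cimv2")
      If Err.Number <> 0 Then
         LogError "Creating WMI Object to connect to " & DQ(hostName)
         Exit Function
      End If
      '----------------------------------------------------------------------------------------------------------------------
      'Create the "SWbemDateTime" Object for converting WMI Date formats. Supported in Windows Server 2003 & Windows XP.
      '----------------------------------------------------------------------------------------------------------------------
      Set wmiDateTime = CreateObject("WbemScripting.SWbemDateTime")
      If Err.Number <> 0 Then
         LogError "Creating " & DQ("WbemScripting.SWbemDateTime") & " object"
         Exit Function
      End If
      '----------------------------------------------------------------------------------------------------------------------
      'Build the WQL query and execute it. Left(..., InStrRev(query, "'")) drops the trailing " Or EventCode = ".
      '----------------------------------------------------------------------------------------------------------------------
      wmiDateTime.SetVarDate startDateTime, True
      query          = Left(query, InStrRev(query, "'")) & ") And (TimeWritten >= " & SQ(wmiDateTime.Value) & ")"
      Set eventItems = wmi.ExecQuery(query)
      If Err.Number <> 0 Then
         LogError "Executing WMI Query " & DQ(query)
         Exit Function
      End If
      '----------------------------------------------------------------------------------------------------------------------
      'Convert the property values of Each event found to a comma separated string and add it to the dictionary.
      'The "Do ... Loop Until True" runs once per event; "Exit Do" acts as a "continue" for the enclosing For Each.
      '----------------------------------------------------------------------------------------------------------------------
      For Each eventItem In eventItems
         Do
            timeWritten = ""
            eventDate   = ""
            eventTime   = ""
            eventInfo   = ""
            timeWritten = ConvertWMIDateTime(eventItem.TimeWritten)
            eventDate   = FormatDateTime(timeWritten, vbShortDate)
            eventTime   = FormatDateTime(timeWritten, vbLongTime)
            eventInfo   = eventDate                          & ","
            eventInfo   = eventInfo & eventTime              & ","
            eventInfo   = eventInfo & eventItem.SourceName   & ","
            eventInfo   = eventInfo & eventItem.Type         & ","
            eventInfo   = eventInfo & eventItem.Category     & ","
            eventInfo   = eventInfo & eventItem.EventCode    & ","
            eventInfo   = eventInfo & eventItem.User         & ","
            eventInfo   = eventInfo & eventItem.ComputerName & ","
            description = eventItem.Message
            '------------------------------------------------------------------------------------------------------------------------
            'Ensure the event description is not blank.
            '------------------------------------------------------------------------------------------------------------------------
            If IsNull(description) Then
               description = "The event description cannot be found."
            End If
            description = Replace(description, vbCrLf, " ")
            eventInfo   = eventInfo & description
            '------------------------------------------------------------------------------------------------------------------------
            'Check if any errors occurred enumerating the event Information
            '------------------------------------------------------------------------------------------------------------------------
            If Err.Number <> 0 Then
               LogError "Enumerating Event Properties from the " & DQ(logName) & " event log on " & DQ(hostName)
               errorCount = errorCount + 1
               Err.Clear
               Exit Do
            End If
            '------------------------------------------------------------------------------------------------------------------------
            'Remove all Tabs and spaces.
            '------------------------------------------------------------------------------------------------------------------------
            eventInfo = Trim(Replace(eventInfo, vbTab, " "))
            Do While InStr(1, eventInfo, "  ", vbTextCompare) <> 0
               eventInfo = Replace(eventInfo, "  ", " ")
            Loop
            '------------------------------------------------------------------------------------------------------------------------
            'Add the Event Information to the Dictionary object if it doesn't exist.
            'The event string itself is the key: Exists() tests keys, so keying by Count (as before) never
            'de-duplicated anything. Items still yields the strings in insertion order.
            '------------------------------------------------------------------------------------------------------------------------
            If Not eventsDict.Exists(eventInfo) Then
               eventsDict.Add eventInfo, eventInfo
            End If
         Loop Until True
      Next
   On Error Goto 0
   If errorCount <> 0 Then
      Exit Function
   End If
   results       = eventsDict.Items
   QueryEventLog = True
End Function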

The rest is detailed in that article, but basically just concerns itself with writing the results to a file and adding some nice user interactions around the execution.