【问题标题】:query on Win32_NTLogEvent WHERE Logfile = 'Security' works only on remote machine(查询 Win32_NTLogEvent WHERE Logfile = 'Security' 仅在远程计算机上有效)
【发布时间】:2010-12-12 21:26:38
【问题描述】:

我在使用以下代码从本地计算机的安全事件日志中检索数据时遇到问题。我在多台电脑上测试过:本机是 Windows XP SP3。查询没有报错,但返回 0 条记录。对于远程机器,它可以完美运行。谁能给我一个解决方案?代码如下:

using System;
using System.Management;
using System.Windows.Forms;

namespace WMISample
{
    /// <summary>
    /// Sample from the question: lists RecordNumber, SourceName and
    /// TimeGenerated for every Security-log event on each listed computer.
    /// </summary>
    /// <remarks>
    /// This is the version the question reports as returning 0 records for the
    /// local machine (".") while working for the remote one.
    /// </remarks>
    public class MyWMIQuery
    {
        /// <summary>
        /// Queries Win32_NTLogEvent for the Security log on "." and "clientN"
        /// and prints three properties of each returned instance.
        /// A <see cref="ManagementException"/> is reported in a message box.
        /// </summary>
        public static void Main()
        {
            const string banner = "==========================================";
            const string divider = "-----------------------------------";
            const string wql = "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security'";
            string[] hosts = { ".", "clientN" };

            try
            {
                for (int i = 0; i < hosts.Length; i++)
                {
                    string host = hosts[i];
                    string scopePath = "\\\\" + host + "\\root\\CIMV2";

                    Console.WriteLine(banner);
                    Console.WriteLine("Computer: " + host);
                    Console.WriteLine(banner);

                    // NOTE(review): the (scope, query) string overload is used, so no
                    // ConnectionOptions are supplied and nothing asks WMI to enable
                    // privileges. Reading the Security log through Win32_NTLogEvent
                    // needs SeSecurityPrivilege enabled on the connection; without
                    // it the query can succeed yet yield no rows, which matches the
                    // symptom described for the local machine.
                    ManagementObjectSearcher searcher =
                        new ManagementObjectSearcher(scopePath, wql);
                    ManagementObjectCollection rows = searcher.Get();

                    foreach (ManagementObject row in rows)
                    {
                        Console.WriteLine(divider);
                        Console.WriteLine("Win32_NTLogEvent instance");
                        Console.WriteLine(divider);
                        Console.WriteLine("RecordNumber: {0}", row["RecordNumber"]);
                        Console.WriteLine("SourceName: {0}", row["SourceName"]);
                        // TimeGenerated is printed exactly as WMI returns it.
                        Console.WriteLine("TimeGenerated: {0}", row["TimeGenerated"]);
                    }
                }
            }
            catch (ManagementException err)
            {
                MessageBox.Show("An error occurred while querying for WMI data: " + err.Message);
            }
        }
    }
}

我知道在 vbs 中使用模拟级别的 wmi 查询是有效的。

    ' Connect to the root\cimv2 namespace on strComputer (assigned outside this
    ' fragment). The moniker's security settings request impersonation and name
    ' one privilege, (Security) = SeSecurityPrivilege, which WMI requires before
    ' it returns Security-log records.
    Set objWMI = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate,(Security)}!\\" _
& strComputer & "\root\cimv2")
' Fetch every Security-log event through the privileged connection.
Set colLoggedEvents = objWMI.ExecQuery _
("Select * from Win32_NTLogEvent Where Logfile = 'Security'" )

所以我需要把它翻译成 C#。

【问题讨论】:

    标签: c# wmi wql


    【解决方案1】:

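    好的,我用自己的代码解决了这个问题。关键是通过 ConnectionOptions 设置 Impersonation,并将 EnablePrivileges 设为 true,对应 VBScript 中的 {impersonationLevel=impersonate,(Security)}。代码如下: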

            using System;
            using System.Management;
            using System.Windows.Forms;
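            namespace WMISample
            {
                /// <summary>
                /// Accepted fix: the same Security-log query, but issued over a
                /// connection that impersonates the caller and enables privileges.
                /// </summary>
                public class MyWMIQuery
                {
                    /// <summary>
                    /// Queries Win32_NTLogEvent for the Security log on "." and
                    /// "clientN" and prints RecordNumber, SourceName and
                    /// TimeGenerated for each event. WMI and access-denied
                    /// failures are reported in a message box.
                    /// </summary>
                    public static void Main()
                    {
                        try
                        {
                            // C# counterpart of the VBScript moniker
                            // {impersonationLevel=impersonate,(Security)}.
                            ConnectionOptions oConn = new ConnectionOptions();
                            oConn.Impersonation = ImpersonationLevel.Impersonate;
                            // Reading the Security log needs SeSecurityPrivilege
                            // enabled on the connection. EnablePrivileges is a
                            // blanket switch rather than a single named privilege
                            // like (Security), so run this under an account that
                            // holds only the rights it needs.
                            oConn.EnablePrivileges = true;

                            string[] arrComputers = {".","clientN"};
                            foreach (string strComputer in arrComputers)
                            {
                                Console.WriteLine("==========================================");
                                Console.WriteLine("Computer: " + strComputer);
                                Console.WriteLine("==========================================");

                                ManagementScope scope =
                                    new ManagementScope("\\\\" + strComputer + "\\root\\CIMV2", oConn);
                                // SELECT * returns every property of every record;
                                // only three are printed below.
                                ObjectQuery query =
                                    new ObjectQuery(@"SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security'");

                                // The searcher, the result collection and each
                                // ManagementObject hold COM resources; dispose
                                // them deterministically instead of waiting for
                                // finalization.
                                using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(scope, query))
                                using (ManagementObjectCollection results = searcher.Get())
                                {
                                    foreach (ManagementObject queryObj in results)
                                    {
                                        using (queryObj)
                                        {
                                            Console.WriteLine("-----------------------------------");
                                            Console.WriteLine("Win32_NTLogEvent instance");
                                            Console.WriteLine("-----------------------------------");
                                            Console.WriteLine("RecordNumber: {0}", queryObj["RecordNumber"]);
                                            Console.WriteLine("SourceName: {0}", queryObj["SourceName"]);
                                            Console.WriteLine("TimeGenerated: {0}", queryObj["TimeGenerated"]);
                                        }
                                    }
                                }
                            }
                        }
                        catch (ManagementException err)
                        {
                            MessageBox.Show("An error occurred while querying for WMI data: " + err.Message);
                        }
                        catch (UnauthorizedAccessException err)
                        {
                            // Access-denied failures from WMI/DCOM can surface as
                            // UnauthorizedAccessException rather than
                            // ManagementException; report them instead of crashing.
                            MessageBox.Show("Access denied while querying for WMI data: " + err.Message);
                        }
                    }
                }
            }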
    

    【讨论】:

      【解决方案2】:

      尝试使用本地计算机名而不是“.”。所以,而不是

      string[] arrComputers = {".","clientN"};
      

      可以改成

      // NOTE(review): COMPUTERNAME is read from the process environment, which the
      // launching process can set; Environment.MachineName asks the OS for the name.
      // Naming the host differently does not enable any privilege on the connection.
      string[] arrComputers = { Environment.GetEnvironmentVariable("computername"), "clientN"};

      【讨论】:

      • 很遗憾,这和写计算机名一样,不起作用。
      • 我也想知道反对票,所以我给了它一个积极的......这是一个不错的问题。我试图弄清楚为什么你不能在本地机器上查询 WMI,如果我有运气,我会更新我的答案:-)