jinterop获取windows事件 -

lishumingwm163.com

浏览: 337926 次
性别:
来自: 济南

最近访客更多访客>>

u013219073

vip_for_Csdn

wang_eye

wangchh8134

博主相关

博客

微博

相册

留言

关于我

文章分类

社区版块

存档分类

jinterop获取windows事件

博客分类：

java

Java代码

package com.mytest;
import java.io.IOException;
import java.util.logging.Level;
import org.jinterop.dcom.common.JIException;
import org.jinterop.dcom.common.JISystem;
import org.jinterop.dcom.core.JIComServer;
import org.jinterop.dcom.core.JIProgId;
import org.jinterop.dcom.core.JISession;
import org.jinterop.dcom.core.JIString;
import org.jinterop.dcom.core.JIVariant;
import org.jinterop.dcom.impls.JIObjectFactory;
import org.jinterop.dcom.impls.automation.IJIDispatch;
public class EventLogListener {
private static final String WMI_DEFAULT_NAMESPACE = "ROOT\\CIMV2";
private static JISession configAndConnectDCom(String domain, String user,
String pass) throws Exception {
JISystem.getLogger().setLevel(Level.OFF);
try {
JISystem.setInBuiltLogHandler(false);
} catch (IOException ignored) {
;
}
JISystem.setAutoRegisteration(true);
JISession dcomSession = JISession.createSession(domain, user, pass);
dcomSession.useSessionSecurity(true);
return dcomSession;
}
private static IJIDispatch getWmiLocator(String host, JISession dcomSession)
throws Exception {
JIComServer wbemLocatorComObj = new JIComServer(JIProgId
.valueOf("WbemScripting.SWbemLocator"), host, dcomSession);
return (IJIDispatch) JIObjectFactory.narrowObject(wbemLocatorComObj
.createInstance().queryInterface(IJIDispatch.IID));
}
private static IJIDispatch toIDispatch(JIVariant comObjectAsVariant)
throws JIException {
return (IJIDispatch) JIObjectFactory.narrowObject(comObjectAsVariant
.getObjectAsComObject());
}
public static void main(String[] args) {
//if (args.length != 4) {
//System.out.println("Usage: "
//+ EventLogListener.class.getSimpleName()
//+ " domain host username password");
//return;
//}
String domain = "";
String host = "192.168.1.101";
String user = "administrator";
String pass ="1234";
JISession dcomSession = null;
try {
// Connect to DCOM on the remote system, and create an instance of
// the WbemScripting.SWbemLocator object to talk to WMI.
dcomSession = configAndConnectDCom(domain, user, pass);
IJIDispatch wbemLocator = getWmiLocator(host, dcomSession);
// Invoke the "ConnectServer" method on the SWbemLocator object via
// it's IDispatch COM pointer. We will connect to
// the default ROOT\CIMV2 namespace. This will result in us having a
// reference to a "SWbemServices" object.
JIVariant results[] = wbemLocator.callMethodA("ConnectServer",
new Object[] { new JIString(host),
new JIString(WMI_DEFAULT_NAMESPACE),
JIVariant.OPTIONAL_PARAM(),
JIVariant.OPTIONAL_PARAM(),
JIVariant.OPTIONAL_PARAM(),
JIVariant.OPTIONAL_PARAM(), new Integer(0),
JIVariant.OPTIONAL_PARAM() });
IJIDispatch wbemServices = toIDispatch(results[0]);
// Now that we have a SWbemServices DCOM object reference, we
// prepare a WMI Query Language (WQL) request to be informed
// whenever a
// new instance of the "Win32_NTLogEvent" WMI class is created on
// the remote host. This is submitted to the remote host via the
// "ExecNotificationQuery" method on SWbemServices. This gives us
// all events as they come in. Refer to WQL documentation to
// learn how to restrict the query if you want a narrower focus.
final String QUERY_FOR_ALL_LOG_EVENTS = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent'";
//final String QUERY_FOR_ALL_LOG_EVENTS = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' and TargetInstance.LogFile = 'System'";
//Application
//Security
//System
// and TargetInstance.LogFile = 'System'
final int RETURN_IMMEDIATE = 16;
final int FORWARD_ONLY = 32;
JIVariant[] eventSourceSet = wbemServices.callMethodA(
"ExecNotificationQuery", new Object[] {
new JIString(QUERY_FOR_ALL_LOG_EVENTS),
new JIString("WQL"),
new JIVariant(new Integer(RETURN_IMMEDIATE
+ FORWARD_ONLY)) });
IJIDispatch wbemEventSource = (IJIDispatch) JIObjectFactory
.narrowObject((eventSourceSet[0]).getObjectAsComObject());
// The result of the query is a SWbemEventSource object. This object
// exposes a method that we can call in a loop to retrieve the
// next Windows Event Log entry whenever it is created. This
// "NextEvent" operation will block until we are given an event.
// Note that you can specify timeouts, see the Microsoft
// documentation for more details.
boolean flag = true;
int i=0;
while (flag) {
// this blocks until an event log entry appears.
JIVariant eventAsVariant = (JIVariant) (wbemEventSource
.callMethodA("NextEvent", new Object[] { JIVariant
.OPTIONAL_PARAM() }))[0];
IJIDispatch wbemEvent = toIDispatch(eventAsVariant);
// WMI gives us events as SWbemObject instances (a base class of
// any WMI object). We know in our case we asked for a specific
// object
// type, so we will go ahead and invoke methods supported by
// that Win32_NTLogEvent class via the wbemEvent IDispatch
// pointer.
// In this case, we simply call the "GetObjectText_" method that
// returns us the entire object as a CIM formatted string. We
// could,
// however, ask the object for its property values via
// wbemEvent.get("PropertyName"). See the j-interop
// documentation and examples
// for how to query COM properties.
JIVariant objTextAsVariant = (JIVariant) (wbemEvent
.callMethodA("GetObjectText_",
new Object[] { new Integer(1) }))[0];
String asText = objTextAsVariant.getObjectAsString()
.getString();
System.out.println("******************************************=="+i++ +"==****************************");
System.out.println(asText);
//flag = false;
// System.out.println("-----start------");
// System.out.println(asText);
// String[] texts = asText.split("\t");
// for(int i = 0; i < texts.length; i++)
// {
// System.out.println( "texts["+ i +"]= "+texts[i]);
// }
}
} catch (Exception e) {
e.printStackTrace();
} finally {
if (null != dcomSession) {
try {
JISession.destroySession(dcomSession);
} catch (Exception ex) {
ex.printStackTrace();
}
}
}
}
}

输出结果：
******************************************==0==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
Data = {49, 0, 46, 0, 49, 0, 0, 0, 48, 0, 0, 0, 77, 0, 105, 0, 99, 0, 114, 0, 111, 0, 115, 0, 111, 0, 102, 0, 116, 0, 32, 0, 87, 0, 105, 0, 110, 0, 100, 0, 111, 0, 119, 0, 115, 0, 32, 0, 83, 0, 101, 0, 114, 0, 118, 0, 101, 0, 114, 0, 32, 0, 50, 0, 48, 0, 48, 0, 51, 0, 0, 0, 53, 0, 46, 0, 50, 0, 46, 0, 51, 0, 55, 0, 57, 0, 48, 0, 32, 0, 66, 0, 117, 0, 105, 0, 108, 0, 100, 0, 32, 0, 51, 0, 55, 0, 57, 0, 48, 0, 32, 0, 83, 0, 101, 0, 114, 0, 118, 0, 105, 0, 99, 0, 101, 0, 32, 0, 80, 0, 97, 0, 99, 0, 107, 0, 32, 0, 50, 0, 0, 0, 85, 0, 110, 0, 105, 0, 112, 0, 114, 0, 111, 0, 99, 0, 101, 0, 115, 0, 115, 0, 111, 0, 114, 0, 32, 0, 70, 0, 114, 0, 101, 0, 101, 0, 0, 0, 51, 0, 55, 0, 57, 0, 48, 0, 46, 0, 115, 0, 114, 0, 118, 0, 48, 0, 51, 0, 95, 0, 115, 0, 112, 0, 50, 0, 95, 0, 114, 0, 116, 0, 109, 0, 46, 0, 48, 0, 55, 0, 48, 0, 50, 0, 49, 0, 54, 0, 45, 0, 49, 0, 55, 0, 49, 0, 48, 0, 0, 0, 52, 0, 101, 0, 99, 0, 98, 0, 49, 0, 56, 0, 52, 0, 52, 0, 0, 0, 78, 0, 111, 0, 116, 0, 32, 0, 65, 0, 118, 0, 97, 0, 105, 0, 108, 0, 97, 0, 98, 0, 108, 0, 101, 0, 0, 0, 78, 0, 111, 0, 116, 0, 32, 0, 65, 0, 118, 0, 97, 0, 105, 0, 108, 0, 97, 0, 98, 0, 108, 0, 101, 0, 0, 0, 48, 0, 0, 0, 49, 0, 0, 0, 51, 0, 56, 0, 52, 0, 0, 0, 56, 0, 48, 0, 52, 0, 0, 0, 117, 0, 102, 0, 99, 0, 45, 0, 54, 0, 97, 0, 48, 0, 97, 0, 48, 0, 98, 0, 49, 0, 102, 0, 55, 0, 54, 0, 99, 0, 0, 0, 0, 0};
EventCode = 6005;
EventIdentifier = 2147489653;
EventType = 3;
InsertionStrings = {"", "", "", "", "13", "60", "-480 中国标准时间"};
Logfile = "System";
Message = "事件日志服务已启动。
\n";
RecordNumber = 650;
SourceName = "EventLog";
TimeGenerated = "20111125085922.000000+480";
TimeWritten = "20111125085922.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564746875000";
};

******************************************==1==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 10026;
EventIdentifier = 1075849002;
EventType = 3;
InsertionStrings = {"86400", "SuppressDuplicateDuration", "Software\\Microsoft\\Ole\\EventLog"};
Logfile = "System";
Message = "COM 子系统正在取消 86400 秒持续时间内重复的事件日志项。可以通过下列注册表项下名为 SuppressDuplicateDuration 的 REG_DWORD 值控制取消超时: HKLM\\Software\\Microsoft\\Ole\\EventLog。
\n";
RecordNumber = 651;
SourceName = "DCOM";
TimeGenerated = "20111125085922.000000+480";
TimeWritten = "20111125085922.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031250";
};

******************************************==2==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 3;
EventIdentifier = 1113194499;
EventType = 3;
Logfile = "System";
Message = "应用程序体验查找服务已成功地启动。
\n";
RecordNumber = 652;
SourceName = "AeLookupSvc";
TimeGenerated = "20111125085929.000000+480";
TimeWritten = "20111125085929.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031251";
};

******************************************==3==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 17;
EventIdentifier = 2186936337;
EventType = 1;
InsertionStrings = {"time.windows.com,0x1", "套接字操作尝试一个无法连接的主机。 (0x80072751)", "15"};
Logfile = "System";
Message = "时间提供程序 NtpClient: 在 DNS 查询手动配置的对等机器 'time.windows.com,0x1' 时发生一个错误。
\nNtpClient 将在 15 分钟内重试 NDS 查询。
\n错误为: 套接字操作尝试一个无法连接的主机。 (0x80072751)
\n";
RecordNumber = 653;
SourceName = "W32Time";
TimeGenerated = "20111125085930.000000+480";
TimeWritten = "20111125085930.000000+480";
Type = "错误";
};
TIME_CREATED = "129666564747031252";
};

******************************************==4==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
Data = {0, 0, 0, 0, 1, 0, 84, 0, 0, 0, 0, 0, 199, 16, 0, 64, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
EventCode = 4295;
EventIdentifier = 1073746119;
EventType = 3;
InsertionStrings = {""};
Logfile = "System";
Message = "IPSec 驱动程序以 Bypass 模式启动。在此计算机启动时没有 IPSec
\n安全性会被应用到此计算机。如果配置了IPSec 策略，它们将在
\nIPSec 服务启动后被应用到此计算机。
\n";
RecordNumber = 654;
SourceName = "IPSec";
TimeGenerated = "20111125085914.000000+480";
TimeWritten = "20111125085944.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031253";
};

******************************************==5==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
Data = {0, 0, 0, 0, 1, 0, 84, 0, 0, 0, 0, 0, 198, 16, 0, 64, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
EventCode = 4294;
EventIdentifier = 1073746118;
EventType = 3;
InsertionStrings = {""};
Logfile = "System";
Message = "IPSec 驱动程序进入 Secure 状态。如果配置了 IPSec 策略，
\n将在现在被应用到此计算机。
\n";
RecordNumber = 655;
SourceName = "IPSec";
TimeGenerated = "20111125085929.000000+480";
TimeWritten = "20111125085944.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031254";
};

******************************************==6==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 7035;
EventIdentifier = 1073748859;
EventType = 3;
InsertionStrings = {"Network Location Awareness (NLA)", "开始"};
Logfile = "System";
Message = "Network Location Awareness (NLA) 服务成功发送一个开始控件。
\n";
RecordNumber = 656;
SourceName = "Service Control Manager";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "信息";
User = "NT AUTHORITY\\SYSTEM";
};
TIME_CREATED = "129666564747031255";
};

******************************************==7==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 7036;
EventIdentifier = 1073748860;
EventType = 3;
InsertionStrings = {"Network Location Awareness (NLA)", "正在运行"};
Logfile = "System";
Message = "Network Location Awareness (NLA) 服务处于正在运行状态。
\n";
RecordNumber = 657;
SourceName = "Service Control Manager";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031256";
};

******************************************==8==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 7035;
EventIdentifier = 1073748859;
EventType = 3;
InsertionStrings = {"Terminal Services", "开始"};
Logfile = "System";
Message = "Terminal Services 服务成功发送一个开始控件。
\n";
RecordNumber = 658;
SourceName = "Service Control Manager";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "信息";
User = "NT AUTHORITY\\SYSTEM";
};
TIME_CREATED = "129666564747031257";
};

******************************************==9==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 7036;
EventIdentifier = 1073748860;
EventType = 3;
InsertionStrings = {"Terminal Services", "正在运行"};
Logfile = "System";
Message = "Terminal Services 服务处于正在运行状态。
\n";
RecordNumber = 659;
SourceName = "Service Control Manager";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031258";
};

******************************************==10==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 7035;
EventIdentifier = 1073748859;
EventType = 3;
InsertionStrings = {"Application Layer Gateway Service", "开始"};
Logfile = "System";
Message = "Application Layer Gateway Service 服务成功发送一个开始控件。
\n";
RecordNumber = 660;
SourceName = "Service Control Manager";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "信息";
User = "NT AUTHORITY\\SYSTEM";
};
TIME_CREATED = "129666564747031259";
};

******************************************==11==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 7036;
EventIdentifier = 1073748860;
EventType = 3;
InsertionStrings = {"Application Layer Gateway Service", "正在运行"};
Logfile = "System";
Message = "Application Layer Gateway Service 服务处于正在运行状态。
\n";
RecordNumber = 661;
SourceName = "Service Control Manager";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031260";
};

******************************************==12==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 84, 1, 0, 0, 96, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 64, 1, 12, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 97, 0, 110, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "TM";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 4193;
EventIdentifier = 1073746017;
EventType = 3;
InsertionStrings = {"0", "0", "0", "0", "0", "0", "1"};
Logfile = "Application";
Message = "MS DTC 已启动，设置如下(OFF = 0，ON = 1):

\n
\n安全配置:

\n     事务的网络管理 = 0,

\n     网络客户端 = 0,

\n     使用本机 MSDTC 协议的入站分布式事务 = 0,

\n     使用本机 MSDTC 协议的出站分布式事务 = 0,

\n     事务 Internet 协议(TIP) = 0,

\n     XA 事务 = 0

\n
\n筛选的重复事件 = 1";
RecordNumber = 152;
SourceName = "MSDTC";
TimeGenerated = "20111125085929.000000+480";
TimeWritten = "20111125085929.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747187500";
};

******************************************==13==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 84, 1, 0, 0, 96, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 64, 1, 12, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 97, 0, 110, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 4625;
EventIdentifier = 1073746449;
EventType = 3;
InsertionStrings = {"86400", "SuppressDuplicateDuration", "Software\\Microsoft\\EventSystem\\EventLog"};
Logfile = "Application";
Message = "EventSystem 子系统正在取消 86400 秒持续时间内重复的事件日志项。可以通过下列注册表项下名为 SuppressDuplicateDuration 的 REG_DWORD 值控制取消超时: HKLM\\Software\\Microsoft\\EventSystem\\EventLog。
\n";
RecordNumber = 153;
SourceName = "EventSystem";
TimeGenerated = "20111125085929.000000+480";
TimeWritten = "20111125085929.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747187501";
};

******************************************==14==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 84, 1, 0, 0, 96, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 64, 1, 12, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 97, 0, 110, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 100;
ComputerName = "UFC-6A0A0B1F76C";
Data = {65, 112, 112, 108, 105, 99, 97, 116, 105, 111, 110, 32, 70, 97, 105, 108, 117, 114, 101, 32, 32, 115, 118, 99, 104, 111, 115, 116, 46, 101, 120, 101, 32, 53, 46, 50, 46, 51, 55, 57, 48, 46, 51, 57, 53, 57, 32, 105, 110, 32, 107, 101, 114, 110, 101, 108, 51, 50, 46, 100, 108, 108, 32, 53, 46, 50, 46, 51, 55, 57, 48, 46, 51, 57, 53, 57, 32, 97, 116, 32, 111, 102, 102, 115, 101, 116, 32, 48, 48, 48, 54, 98, 101, 98, 56};
EventCode = 1004;
EventIdentifier = 1004;
EventType = 3;
InsertionStrings = {"svchost.exe", "5.2.3790.3959", "kernel32.dll", "5.2.3790.3959", "0006beb8"};
Logfile = "Application";
Message = "报告队列中的错误: 错误应用程序 svchost.exe，版本 5.2.3790.3959，错误模块 kernel32.dll，版本 5.2.3790.3959，错误地址 0x0006beb8。
\n";
RecordNumber = 154;
SourceName = "Application Error";
TimeGenerated = "20111125085942.000000+480";
TimeWritten = "20111125085942.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747187502";
};

******************************************==15==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 528;
EventIdentifier = 528;
EventType = 4;
InsertionStrings = {"SYSTEM", "NT AUTHORITY", "(0x0,0x3E7)", "0", "-", "-", "-", "-", "-", "-", "-", "4", "-", "-", "-"};
Logfile = "Security";
Message = "登录成功:
\n
\n\t用户名: \tSYSTEM
\n
\n\t域: \t\tNT AUTHORITY
\n
\n\t登录 ID: \t\t(0x0,0x3E7)
\n
\n\t登录类型: \t0
\n
\n\t登录进程: \t-
\n
\n\t身份验证数据包: \t-
\n
\n\t工作站名:\t-
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: 4
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t-
\n
\n\t源端口:\t-
\n
\n";
RecordNumber = 3980;
SourceName = "Security";
TimeGenerated = "20111125085926.000000+480";
TimeWritten = "20111125085926.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\SYSTEM";
};
TIME_CREATED = "129666564748281250";
};

******************************************==16==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 528;
EventIdentifier = 528;
EventType = 4;
InsertionStrings = {"NETWORK SERVICE", "NT AUTHORITY", "(0x0,0x3E4)", "5", "Advapi ", "Negotiate", "", "-", "UFC-6A0A0B1F76C$", "WORKGROUP", "(0x0,0x3E7)", "380", "-", "-", "-"};
Logfile = "Security";
Message = "登录成功:
\n
\n\t用户名: \tNETWORK SERVICE
\n
\n\t域: \t\tNT AUTHORITY
\n
\n\t登录 ID: \t\t(0x0,0x3E4)
\n
\n\t登录类型: \t5
\n
\n\t登录进程: \tAdvapi
\n
\n\t身份验证数据包: \tNegotiate
\n
\n\t工作站名:\t
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\tUFC-6A0A0B1F76C$
\n
\n\t调用方域:\tWORKGROUP
\n
\n\t调用方登录 ID:\t(0x0,0x3E7)
\n
\n\t调用方进程 ID: 380
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t-
\n
\n\t源端口:\t-
\n
\n";
RecordNumber = 3981;
SourceName = "Security";
TimeGenerated = "20111125085926.000000+480";
TimeWritten = "20111125085926.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\NETWORK SERVICE";
};
TIME_CREATED = "129666564748281251";
};

******************************************==17==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"NETWORK SERVICE", "NT AUTHORITY", "(0x0,0x3E4)", "SeAuditPrivilege
\n\t\t\tSeAssignPrimaryTokenPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tNETWORK SERVICE
\n
\n\t域:\t\tNT AUTHORITY
\n
\n\t登录 ID:\t\t(0x0,0x3E4)
\n
\n\t特权:\tSeAuditPrivilege
\n\t\t\tSeAssignPrimaryTokenPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 3982;
SourceName = "Security";
TimeGenerated = "20111125085926.000000+480";
TimeWritten = "20111125085926.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\NETWORK SERVICE";
};
TIME_CREATED = "129666564748281252";
};

******************************************==18==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 528;
EventIdentifier = 528;
EventType = 4;
InsertionStrings = {"LOCAL SERVICE", "NT AUTHORITY", "(0x0,0x3E5)", "5", "Advapi ", "Negotiate", "", "-", "UFC-6A0A0B1F76C$", "WORKGROUP", "(0x0,0x3E7)", "380", "-", "-", "-"};
Logfile = "Security";
Message = "登录成功:
\n
\n\t用户名: \tLOCAL SERVICE
\n
\n\t域: \t\tNT AUTHORITY
\n
\n\t登录 ID: \t\t(0x0,0x3E5)
\n
\n\t登录类型: \t5
\n
\n\t登录进程: \tAdvapi
\n
\n\t身份验证数据包: \tNegotiate
\n
\n\t工作站名:\t
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\tUFC-6A0A0B1F76C$
\n
\n\t调用方域:\tWORKGROUP
\n
\n\t调用方登录 ID:\t(0x0,0x3E7)
\n
\n\t调用方进程 ID: 380
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t-
\n
\n\t源端口:\t-
\n
\n";
RecordNumber = 3983;
SourceName = "Security";
TimeGenerated = "20111125085926.000000+480";
TimeWritten = "20111125085926.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\LOCAL SERVICE";
};
TIME_CREATED = "129666564748281253";
};

******************************************==19==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"LOCAL SERVICE", "NT AUTHORITY", "(0x0,0x3E5)", "SeAuditPrivilege
\n\t\t\tSeAssignPrimaryTokenPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tLOCAL SERVICE
\n
\n\t域:\t\tNT AUTHORITY
\n
\n\t登录 ID:\t\t(0x0,0x3E5)
\n
\n\t特权:\tSeAuditPrivilege
\n\t\t\tSeAssignPrimaryTokenPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 3984;
SourceName = "Security";
TimeGenerated = "20111125085926.000000+480";
TimeWritten = "20111125085926.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\LOCAL SERVICE";
};
TIME_CREATED = "129666564748281254";
};

******************************************==20==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {"", "", "(0x0,0xC2DE)", "3", "NtLmSsp ", "NTLM", "", "-", "-", "-", "-", "-", "-", "-", "-"};
Logfile = "Security";
Message = "成功的网络登录:
\n
\n\t用户名:\t
\n
\n\t域:\t\t
\n
\n\t登录 ID:\t\t(0x0,0xC2DE)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\t
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t-
\n
\n\t源端口:\t-
\n
\n";
RecordNumber = 3985;
SourceName = "Security";
TimeGenerated = "20111125085929.000000+480";
TimeWritten = "20111125085929.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\ANONYMOUS LOGON";
};
TIME_CREATED = "129666564748437500";
};

******************************************==21==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = "帐户登录";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "Administrator", "UFC-6A0A0B1F76C", "0x0"};
Logfile = "Security";
Message = "尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户: \tAdministrator
\n
\n源工作站: \tUFC-6A0A0B1F76C
\n
\n错误代码: \t0x0
\n
\n";
RecordNumber = 3986;
SourceName = "Security";
TimeGenerated = "20111125085941.000000+480";
TimeWritten = "20111125085942.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748593750";
};

******************************************==22==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 552;
EventIdentifier = 552;
EventType = 4;
InsertionStrings = {"UFC-6A0A0B1F76C$", "WORKGROUP", "(0x0,0x3E7)", "-", "Administrator", "UFC-6A0A0B1F76C", "-", "localhost", "localhost", "332", "127.0.0.1", "0"};
Logfile = "Security";
Message = "使用明确凭据的登录尝试:
\n
\n登录的用户:
\n
\n\t用户名:\tUFC-6A0A0B1F76C$
\n
\n\t域:\t\tWORKGROUP
\n
\n\t登录 ID:\t\t(0x0,0x3E7)
\n
\n\t登录 GUID:\t-
\n
\n凭据被使用的用户:
\n
\n\t目标用户名:\tAdministrator
\n
\n\t目标域:\tUFC-6A0A0B1F76C
\n
\n\t目标登录 GUID: -
\n
\n
\n目标服务器名称:\tlocalhost
\n
\n目标服务器信息:\tlocalhost
\n
\n调用方进程 ID:\t332
\n
\n源网络地址:\t127.0.0.1
\n
\n源端口:\t0
\n
\n";
RecordNumber = 3987;
SourceName = "Security";
TimeGenerated = "20111125085941.000000+480";
TimeWritten = "20111125085942.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\SYSTEM";
};
TIME_CREATED = "129666564748593751";
};

******************************************==23==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 528;
EventIdentifier = 528;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x10AB2)", "2", "User32 ", "Negotiate", "UFC-6A0A0B1F76C", "-", "UFC-6A0A0B1F76C$", "WORKGROUP", "(0x0,0x3E7)", "332", "-", "127.0.0.1", "0"};
Logfile = "Security";
Message = "登录成功:
\n
\n\t用户名: \tAdministrator
\n
\n\t域: \t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID: \t\t(0x0,0x10AB2)
\n
\n\t登录类型: \t2
\n
\n\t登录进程: \tUser32
\n
\n\t身份验证数据包: \tNegotiate
\n
\n\t工作站名:\tUFC-6A0A0B1F76C
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\tUFC-6A0A0B1F76C$
\n
\n\t调用方域:\tWORKGROUP
\n
\n\t调用方登录 ID:\t(0x0,0x3E7)
\n
\n\t调用方进程 ID: 332
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t127.0.0.1
\n
\n\t源端口:\t0
\n
\n";
RecordNumber = 3988;
SourceName = "Security";
TimeGenerated = "20111125085941.000000+480";
TimeWritten = "20111125085942.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748593752";
};

******************************************==24==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x10AB2)", "SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x10AB2)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 3989;
SourceName = "Security";
TimeGenerated = "20111125085941.000000+480";
TimeWritten = "20111125085942.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750000";
};

******************************************==25==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = "帐户登录";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "administrator", "\\\\192.168.4.254", "0x0"};
Logfile = "Security";
Message = "尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户: \tadministrator
\n
\n源工作站: \t\\\\192.168.4.254
\n
\n错误代码: \t0x0
\n
\n";
RecordNumber = 3990;
SourceName = "Security";
TimeGenerated = "20111125090112.000000+480";
TimeWritten = "20111125090112.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750001";
};

******************************************==26==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1A9BF)", "SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1A9BF)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 3991;
SourceName = "Security";
TimeGenerated = "20111125090112.000000+480";
TimeWritten = "20111125090112.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750002";
};

******************************************==27==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1A9BF)", "3", "NtLmSsp ", "NTLM", "\\\\192.168.4.254", "-", "-", "-", "-", "-", "-", "192.168.4.254", "0"};
Logfile = "Security";
Message = "成功的网络登录:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1A9BF)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\t\\\\192.168.4.254
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t192.168.4.254
\n
\n\t源端口:\t0
\n
\n";
RecordNumber = 3992;
SourceName = "Security";
TimeGenerated = "20111125090112.000000+480";
TimeWritten = "20111125090112.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750003";
};

******************************************==28==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = "帐户登录";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "administrator", "JCIFS8_186_16", "0x0"};
Logfile = "Security";
Message = "尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户: \tadministrator
\n
\n源工作站: \tJCIFS8_186_16
\n
\n错误代码: \t0x0
\n
\n";
RecordNumber = 3993;
SourceName = "Security";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750004";
};

******************************************==29==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1C919)", "SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1C919)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 3994;
SourceName = "Security";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750005";
};

******************************************==30==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1C919)", "3", "NtLmSsp ", "NTLM", "JCIFS8_186_16", "-", "-", "-", "-", "-", "-", "192.168.4.254", "1863"};
Logfile = "Security";
Message = "成功的网络登录:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1C919)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\tJCIFS8_186_16
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t192.168.4.254
\n
\n\t源端口:\t1863
\n
\n";
RecordNumber = 3995;
SourceName = "Security";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750006";
};

******************************************==31==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = "帐户登录";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "administrator", "JCIFS8_186_16", "0x0"};
Logfile = "Security";
Message = "尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户: \tadministrator
\n
\n源工作站: \tJCIFS8_186_16
\n
\n错误代码: \t0x0
\n
\n";
RecordNumber = 3996;
SourceName = "Security";
TimeGenerated = "20111125090114.000000+480";
TimeWritten = "20111125090114.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750007";
};

******************************************==32==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1CE72)", "SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1CE72)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 3997;
SourceName = "Security";
TimeGenerated = "20111125090114.000000+480";
TimeWritten = "20111125090114.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750008";
};

******************************************==33==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1CE72)", "3", "NtLmSsp ", "NTLM", "JCIFS8_186_16", "-", "-", "-", "-", "-", "-", "192.168.4.254", "1864"};
Logfile = "Security";
Message = "成功的网络登录:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1CE72)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\tJCIFS8_186_16
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t192.168.4.254
\n
\n\t源端口:\t1864
\n
\n";
RecordNumber = 3998;
SourceName = "Security";
TimeGenerated = "20111125090114.000000+480";
TimeWritten = "20111125090114.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750009";
};

******************************************==34==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = "帐户登录";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "administrator", "JCIFS8_186_16", "0x0"};
Logfile = "Security";
Message = "尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户: \tadministrator
\n
\n源工作站: \tJCIFS8_186_16
\n
\n错误代码: \t0x0
\n
\n";
RecordNumber = 3999;
SourceName = "Security";
TimeGenerated = "20111125090114.000000+480";
TimeWritten = "20111125090114.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750010";
};

******************************************==35==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1CE8B)", "SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1CE8B)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 4000;
SourceName = "Security";
TimeGenerated = "20111125090114.000000+480";
TimeWritten = "20111125090114.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750011";
};

******************************************==36==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1CE8B)", "3", "NtLmSsp ", "NTLM", "JCIFS8_186_16", "-", "-", "-", "-", "-", "-", "192.168.4.254", "1865"};
Logfile = "Security";
Message = "成功的网络登录:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1CE8B)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\tJCIFS8_186_16
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t192.168.4.254
\n
\n\t源端口:\t1865
\n
\n";
RecordNumber = 4001;
SourceName = "Security";
TimeGenerated = "20111125090114.000000+480";
TimeWritten = "20111125090114.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750012";
};

******************************************==37==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 538;
EventIdentifier = 538;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1A9BF)", "3"};
Logfile = "Security";
Message = "用户注销:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1A9BF)
\n
\n\t登录类型:\t3
\n
\n";
RecordNumber = 4002;
SourceName = "Security";
TimeGenerated = "20111125090148.000000+480";
TimeWritten = "20111125090148.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666565081875000";
};

******************************************==38==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 84, 1, 0, 0, 96, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 64, 1, 12, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 97, 0, 110, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
Data = {94, 9, 0, 0, 95, 9, 0, 0, 84, 5, 0, 0};
EventCode = 1001;
EventIdentifier = 1073742825;
EventType = 3;
InsertionStrings = {"WmiApRpl", "WmiApRpl"};
Logfile = "Application";
Message = "已成功删除 WmiApRpl (WmiApRpl)服务的性能计数器。记录数据含有系统上一个计数器和上一个“帮助”注册表项的新数值。
\n";
RecordNumber = 155;
SourceName = "LoadPerf";
TimeGenerated = "20111125090331.000000+480";
TimeWritten = "20111125090331.000000+480";
Type = "信息";
};
TIME_CREATED = "129666566116718750";
};

******************************************==39==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 84, 1, 0, 0, 96, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 64, 1, 12, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 97, 0, 110, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
Data = {96, 9, 0, 0, 108, 9, 0, 0, 97, 9, 0, 0, 109, 9, 0, 0};
EventCode = 1000;
EventIdentifier = 1073742824;
EventType = 3;
InsertionStrings = {"WmiApRpl", "WmiApRpl"};
Logfile = "Application";
Message = "已成功加载 WmiApRpl (WmiApRpl)服务的性能计数器。记录数据含有分配给这个服务的新索引数值。
\n";
RecordNumber = 156;
SourceName = "LoadPerf";
TimeGenerated = "20111125090331.000000+480";
TimeWritten = "20111125090331.000000+480";
Type = "信息";
};
TIME_CREATED = "129666566169062500";
};

******************************************==40==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = "帐户登录";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "administrator", "JCIFS8_186_16", "0x0"};
Logfile = "Security";
Message = "尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户: \tadministrator
\n
\n源工作站: \tJCIFS8_186_16
\n
\n错误代码: \t0x0
\n
\n";
RecordNumber = 4003;
SourceName = "Security";
TimeGenerated = "20111125090510.000000+480";
TimeWritten = "20111125090510.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666567102656250";
};

******************************************==41==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1F28E)", "SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1F28E)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 4004;
SourceName = "Security";
TimeGenerated = "20111125090510.000000+480";
TimeWritten = "20111125090510.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666567102656251";
};

******************************************==42==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1F28E)", "3", "NtLmSsp ", "NTLM", "JCIFS8_186_16", "-", "-", "-", "-", "-", "-", "192.168.4.254", "1900"};
Logfile = "Security";
Message = "成功的网络登录:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1F28E)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\tJCIFS8_186_16
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t192.168.4.254
\n
\n\t源端口:\t1900
\n
\n";
RecordNumber = 4005;
SourceName = "Security";
TimeGenerated = "20111125090510.000000+480";
TimeWritten = "20111125090510.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666567102656252";
};

******************************************==43==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 17;
EventIdentifier = 2186936337;
EventType = 1;
InsertionStrings = {"time.windows.com,0x1", "套接字操作尝试一个无法连接的主机。 (0x80072751)", "30"};
Logfile = "System";
Message = "时间提供程序 NtpClient: 在 DNS 查询手动配置的对等机器 'time.windows.com,0x1' 时发生一个错误。
\nNtpClient 将在 30 分钟内重试 NDS 查询。
\n错误为: 套接字操作尝试一个无法连接的主机。 (0x80072751)
\n";
RecordNumber = 662;
SourceName = "W32Time";
TimeGenerated = "20111125091430.000000+480";
TimeWritten = "20111125091430.000000+480";
Type = "错误";
};
TIME_CREATED = "129666572702812500";
};

Java代码

package com.mytest;
import java.io.IOException;
import java.util.logging.Level;
import org.jinterop.dcom.common.JIException;
import org.jinterop.dcom.common.JISystem;
import org.jinterop.dcom.core.JIComServer;
import org.jinterop.dcom.core.JIProgId;
import org.jinterop.dcom.core.JISession;
import org.jinterop.dcom.core.JIString;
import org.jinterop.dcom.core.JIVariant;
import org.jinterop.dcom.impls.JIObjectFactory;
import org.jinterop.dcom.impls.automation.IJIDispatch;
public class EventLogListener {
private static final String WMI_DEFAULT_NAMESPACE = "ROOT\\CIMV2";
private static JISession configAndConnectDCom(String domain, String user,
String pass) throws Exception {
JISystem.getLogger().setLevel(Level.OFF);
try {
JISystem.setInBuiltLogHandler(false);
} catch (IOException ignored) {
;
}
JISystem.setAutoRegisteration(true);
JISession dcomSession = JISession.createSession(domain, user, pass);
dcomSession.useSessionSecurity(true);
return dcomSession;
}
private static IJIDispatch getWmiLocator(String host, JISession dcomSession)
throws Exception {
JIComServer wbemLocatorComObj = new JIComServer(JIProgId
.valueOf("WbemScripting.SWbemLocator"), host, dcomSession);
return (IJIDispatch) JIObjectFactory.narrowObject(wbemLocatorComObj
.createInstance().queryInterface(IJIDispatch.IID));
}
private static IJIDispatch toIDispatch(JIVariant comObjectAsVariant)
throws JIException {
return (IJIDispatch) JIObjectFactory.narrowObject(comObjectAsVariant
.getObjectAsComObject());
}
public static void main(String[] args) {
//if (args.length != 4) {
//System.out.println("Usage: "
//+ EventLogListener.class.getSimpleName()
//+ " domain host username password");
//return;
//}
String domain = "";
String host = "192.168.4.253";
String user = "administrator";
String pass ="123456";
JISession dcomSession = null;
try {
// Connect to DCOM on the remote system, and create an instance of
// the WbemScripting.SWbemLocator object to talk to WMI.
dcomSession = configAndConnectDCom(domain, user, pass);
IJIDispatch wbemLocator = getWmiLocator(host, dcomSession);
// Invoke the "ConnectServer" method on the SWbemLocator object via
// it's IDispatch COM pointer. We will connect to
// the default ROOT\CIMV2 namespace. This will result in us having a
// reference to a "SWbemServices" object.
JIVariant results[] = wbemLocator.callMethodA("ConnectServer",
new Object[] { new JIString(host),
new JIString(WMI_DEFAULT_NAMESPACE),
JIVariant.OPTIONAL_PARAM(),
JIVariant.OPTIONAL_PARAM(),
JIVariant.OPTIONAL_PARAM(),
JIVariant.OPTIONAL_PARAM(), new Integer(0),
JIVariant.OPTIONAL_PARAM() });
IJIDispatch wbemServices = toIDispatch(results[0]);
// Now that we have a SWbemServices DCOM object reference, we
// prepare a WMI Query Language (WQL) request to be informed
// whenever a
// new instance of the "Win32_NTLogEvent" WMI class is created on
// the remote host. This is submitted to the remote host via the
// "ExecNotificationQuery" method on SWbemServices. This gives us
// all events as they come in. Refer to WQL documentation to
// learn how to restrict the query if you want a narrower focus.
final String QUERY_FOR_ALL_LOG_EVENTS = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent'";
//final String QUERY_FOR_ALL_LOG_EVENTS = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' and TargetInstance.LogFile = 'System'";
//Application
//Security
//System
// and TargetInstance.LogFile = 'System'
final int RETURN_IMMEDIATE = 16;
final int FORWARD_ONLY = 32;
JIVariant[] eventSourceSet = wbemServices.callMethodA(
"ExecNotificationQuery", new Object[] {
new JIString(QUERY_FOR_ALL_LOG_EVENTS),
new JIString("WQL"),
new JIVariant(new Integer(RETURN_IMMEDIATE
+ FORWARD_ONLY)) });
IJIDispatch wbemEventSource = (IJIDispatch) JIObjectFactory
.narrowObject((eventSourceSet[0]).getObjectAsComObject());
// The result of the query is a SWbemEventSource object. This object
// exposes a method that we can call in a loop to retrieve the
// next Windows Event Log entry whenever it is created. This
// "NextEvent" operation will block until we are given an event.
// Note that you can specify timeouts, see the Microsoft
// documentation for more details.
boolean flag = true;
int i=0;
while (flag) {
// this blocks until an event log entry appears.
JIVariant eventAsVariant = (JIVariant) (wbemEventSource
.callMethodA("NextEvent", new Object[] { JIVariant
.OPTIONAL_PARAM() }))[0];
IJIDispatch wbemEvent = toIDispatch(eventAsVariant);
// WMI gives us events as SWbemObject instances (a base class of
// any WMI object). We know in our case we asked for a specific
// object
// type, so we will go ahead and invoke methods supported by
// that Win32_NTLogEvent class via the wbemEvent IDispatch
// pointer.
// In this case, we simply call the "GetObjectText_" method that
// returns us the entire object as a CIM formatted string. We
// could,
// however, ask the object for its property values via
// wbemEvent.get("PropertyName"). See the j-interop
// documentation and examples
// for how to query COM properties.
JIVariant objTextAsVariant = (JIVariant) (wbemEvent
.callMethodA("GetObjectText_",
new Object[] { new Integer(1) }))[0];
String asText = objTextAsVariant.getObjectAsString()
.getString();
System.out.println("******************************************=="+i++ +"==****************************");
System.out.println(asText);
//flag = false;
// System.out.println("-----start------");
// System.out.println(asText);
// String[] texts = asText.split("\t");
// for(int i = 0; i
// {
// System.out.println( "texts["+ i +"]= "+texts[i]);
// }
}
} catch (Exception e) {
e.printStackTrace();
} finally {
if (null != dcomSession) {
try {
JISession.destroySession(dcomSession);
} catch (Exception ex) {
ex.printStackTrace();
}
}
}
}
}

分享到：

CSS实现兼容性的渐变背景(gradient)效果 | jcifs windows主机之间进行网络文件共享

2013-05-27 13:42
浏览 1874
评论(0)
分类:编程语言
查看更多

发表评论

您还没有登录,请您登录后再发表评论

最近访客更多访客>>

博主相关

文章分类

社区版块

存档分类

最新评论

jinterop获取windows事件

评论

发表评论

相关推荐

最近访客 更多访客>>

博主相关

文章分类

社区版块

存档分类

最新评论

jinterop获取windows事件

评论

发表评论

相关推荐

http断点续传

修改Tomcat的运行内存 & JSP中查看当前的内存使用状况

Eclipse编码格式修改

标题叠加在图片上面的几种显示方式

java druid淘宝数据库连接池数据库监听

memcached- tomcat配置详解

Oracle中将小数转换成字符丢零.截取小数.除数为零解决法

java 垃圾回收配置

nginx配置详解

oracle 列转行

osgi 注册servlet 和资源

正则表达式 匹配url

ZooKeeper 集群配置

jdk logger 配置实用宝典

CSS实现兼容性的渐变背景(gradient)效果

jcifs windows主机之间进行网络文件共享

java调用windows的wmi

java调用windows的wmi

tomcat 域名

java 四种方法四舍五入

最近访客更多访客>>

正则表达式匹配url