`
lishumingwm163.com
  • 浏览: 337741 次
  • 性别: Icon_minigender_1
  • 来自: 济南
社区版块
存档分类
最新评论

jinterop获取windows事件

    博客分类:
  • java
 
阅读更多
Java代码  收藏代码
  1. package com.mytest;  
  2.   
  3. import java.io.IOException;  
  4. import java.util.logging.Level;  
  5. import org.jinterop.dcom.common.JIException;  
  6. import org.jinterop.dcom.common.JISystem;  
  7. import org.jinterop.dcom.core.JIComServer;  
  8. import org.jinterop.dcom.core.JIProgId;  
  9. import org.jinterop.dcom.core.JISession;  
  10. import org.jinterop.dcom.core.JIString;  
  11. import org.jinterop.dcom.core.JIVariant;   
  12. import org.jinterop.dcom.impls.JIObjectFactory;  
  13. import org.jinterop.dcom.impls.automation.IJIDispatch;  
  14.   
  15. public class EventLogListener {  
  16.     private static final String WMI_DEFAULT_NAMESPACE = "ROOT\\CIMV2";  
  17.   
  18.     private static JISession configAndConnectDCom(String domain, String user,  
  19.             String pass) throws Exception {  
  20.         JISystem.getLogger().setLevel(Level.OFF);  
  21.         try {  
  22.             JISystem.setInBuiltLogHandler(false);  
  23.         } catch (IOException ignored) {  
  24.             ;  
  25.         }  
  26.         JISystem.setAutoRegisteration(true);  
  27.         JISession dcomSession = JISession.createSession(domain, user, pass);  
  28.         dcomSession.useSessionSecurity(true);  
  29.         return dcomSession;  
  30.     }  
  31.   
  32.     private static IJIDispatch getWmiLocator(String host, JISession dcomSession)  
  33.             throws Exception {  
  34.         JIComServer wbemLocatorComObj = new JIComServer(JIProgId  
  35.                 .valueOf("WbemScripting.SWbemLocator"), host, dcomSession);  
  36.         return (IJIDispatch) JIObjectFactory.narrowObject(wbemLocatorComObj  
  37.                 .createInstance().queryInterface(IJIDispatch.IID));  
  38.     }  
  39.   
  40.     private static IJIDispatch toIDispatch(JIVariant comObjectAsVariant)  
  41.             throws JIException {  
  42.         return (IJIDispatch) JIObjectFactory.narrowObject(comObjectAsVariant  
  43.                 .getObjectAsComObject());  
  44.     }  
  45.   
  46.     public static void main(String[] args) {  
  47.         //if (args.length != 4) {  
  48.             //System.out.println("Usage: "  
  49.                     //+ EventLogListener.class.getSimpleName()  
  50.                     //+ " domain host username password");  
  51.             //return;  
  52.         //}  
  53.         String domain = "";  
  54.         String host = "192.168.1.101";  
  55.         String user = "administrator";  
  56.         String pass ="1234";  
  57.         JISession dcomSession = null;  
  58.         try {  
  59.             // Connect to DCOM on the remote system, and create an instance of  
  60.             // the WbemScripting.SWbemLocator object to talk to WMI.  
  61.             dcomSession = configAndConnectDCom(domain, user, pass);  
  62.             IJIDispatch wbemLocator = getWmiLocator(host, dcomSession);  
  63.             // Invoke the "ConnectServer" method on the SWbemLocator object via  
  64.             // it's IDispatch COM pointer. We will connect to  
  65.             // the default ROOT\CIMV2 namespace. This will result in us having a  
  66.             // reference to a "SWbemServices" object.  
  67.             JIVariant results[] = wbemLocator.callMethodA("ConnectServer",  
  68.                     new Object[] { new JIString(host),  
  69.                             new JIString(WMI_DEFAULT_NAMESPACE),  
  70.                             JIVariant.OPTIONAL_PARAM(),  
  71.                             JIVariant.OPTIONAL_PARAM(),  
  72.                             JIVariant.OPTIONAL_PARAM(),  
  73.                             JIVariant.OPTIONAL_PARAM(), new Integer(0),  
  74.                             JIVariant.OPTIONAL_PARAM() });  
  75.             IJIDispatch wbemServices = toIDispatch(results[0]);  
  76.             // Now that we have a SWbemServices DCOM object reference, we  
  77.             // prepare a WMI Query Language (WQL) request to be informed  
  78.             // whenever a  
  79.             // new instance of the "Win32_NTLogEvent" WMI class is created on  
  80.             // the remote host. This is submitted to the remote host via the  
  81.             // "ExecNotificationQuery" method on SWbemServices. This gives us  
  82.             // all events as they come in. Refer to WQL documentation to  
  83.             // learn how to restrict the query if you want a narrower focus.  
  84.             final String QUERY_FOR_ALL_LOG_EVENTS = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent'";  
  85.             //final String QUERY_FOR_ALL_LOG_EVENTS = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' and TargetInstance.LogFile = 'System'";  
  86.             //Application  
  87.             //Security  
  88.             //System  
  89.             // and TargetInstance.LogFile = 'System'  
  90.             final int RETURN_IMMEDIATE = 16;  
  91.             final int FORWARD_ONLY = 32;  
  92.             JIVariant[] eventSourceSet = wbemServices.callMethodA(  
  93.                     "ExecNotificationQuery"new Object[] {  
  94.                             new JIString(QUERY_FOR_ALL_LOG_EVENTS),  
  95.                             new JIString("WQL"),  
  96.                             new JIVariant(new Integer(RETURN_IMMEDIATE  
  97.                                     + FORWARD_ONLY)) });  
  98.             IJIDispatch wbemEventSource = (IJIDispatch) JIObjectFactory  
  99.                     .narrowObject((eventSourceSet[0]).getObjectAsComObject());  
  100.             // The result of the query is a SWbemEventSource object. This object  
  101.             // exposes a method that we can call in a loop to retrieve the  
  102.             // next Windows Event Log entry whenever it is created. This  
  103.             // "NextEvent" operation will block until we are given an event.  
  104.             // Note that you can specify timeouts, see the Microsoft  
  105.             // documentation for more details.  
  106.             boolean flag = true;  
  107.             int i=0;  
  108.             while (flag) {  
  109.                 // this blocks until an event log entry appears.  
  110.                 JIVariant eventAsVariant = (JIVariant) (wbemEventSource  
  111.                         .callMethodA("NextEvent"new Object[] { JIVariant  
  112.                                 .OPTIONAL_PARAM() }))[0];  
  113.                 IJIDispatch wbemEvent = toIDispatch(eventAsVariant);  
  114.                 // WMI gives us events as SWbemObject instances (a base class of  
  115.                 // any WMI object). We know in our case we asked for a specific  
  116.                 // object  
  117.                 // type, so we will go ahead and invoke methods supported by  
  118.                 // that Win32_NTLogEvent class via the wbemEvent IDispatch  
  119.                 // pointer.  
  120.                 // In this case, we simply call the "GetObjectText_" method that  
  121.                 // returns us the entire object as a CIM formatted string. We  
  122.                 // could,  
  123.                 // however, ask the object for its property values via  
  124.                 // wbemEvent.get("PropertyName"). See the j-interop  
  125.                 // documentation and examples  
  126.                 // for how to query COM properties.  
  127.                 JIVariant objTextAsVariant = (JIVariant) (wbemEvent  
  128.                         .callMethodA("GetObjectText_",  
  129.                                 new Object[] { new Integer(1) }))[0];  
  130.                 String asText = objTextAsVariant.getObjectAsString()  
  131.                         .getString();  
  132.                 System.out.println("******************************************=="+i++ +"==****************************");  
  133.   
  134.                 System.out.println(asText);  
  135.                   
  136.                 //flag = false;  
  137.                   
  138. //              System.out.println("-----start------");  
  139. //              System.out.println(asText);  
  140. //              String[] texts = asText.split("\t");  
  141. //              for(int i = 0; i < texts.length; i++)  
  142. //              {   
  143. //                  System.out.println( "texts["+ i +"]= "+texts[i]);   
  144. //              }   
  145.   
  146.             }  
  147.         } catch (Exception e) {  
  148.             e.printStackTrace();  
  149.         } finally {  
  150.             if (null != dcomSession) {  
  151.                 try {  
  152.                     JISession.destroySession(dcomSession);  
  153.                 } catch (Exception ex) {  
  154.                     ex.printStackTrace();  
  155.                 }  
  156.             }  
  157.         }  
  158.     }  
  159. }  



输出结果:
******************************************==0==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
Data = {49, 0, 46, 0, 49, 0, 0, 0, 48, 0, 0, 0, 77, 0, 105, 0, 99, 0, 114, 0, 111, 0, 115, 0, 111, 0, 102, 0, 116, 0, 32, 0, 87, 0, 105, 0, 110, 0, 100, 0, 111, 0, 119, 0, 115, 0, 32, 0, 83, 0, 101, 0, 114, 0, 118, 0, 101, 0, 114, 0, 32, 0, 50, 0, 48, 0, 48, 0, 51, 0, 0, 0, 53, 0, 46, 0, 50, 0, 46, 0, 51, 0, 55, 0, 57, 0, 48, 0, 32, 0, 66, 0, 117, 0, 105, 0, 108, 0, 100, 0, 32, 0, 51, 0, 55, 0, 57, 0, 48, 0, 32, 0, 83, 0, 101, 0, 114, 0, 118, 0, 105, 0, 99, 0, 101, 0, 32, 0, 80, 0, 97, 0, 99, 0, 107, 0, 32, 0, 50, 0, 0, 0, 85, 0, 110, 0, 105, 0, 112, 0, 114, 0, 111, 0, 99, 0, 101, 0, 115, 0, 115, 0, 111, 0, 114, 0, 32, 0, 70, 0, 114, 0, 101, 0, 101, 0, 0, 0, 51, 0, 55, 0, 57, 0, 48, 0, 46, 0, 115, 0, 114, 0, 118, 0, 48, 0, 51, 0, 95, 0, 115, 0, 112, 0, 50, 0, 95, 0, 114, 0, 116, 0, 109, 0, 46, 0, 48, 0, 55, 0, 48, 0, 50, 0, 49, 0, 54, 0, 45, 0, 49, 0, 55, 0, 49, 0, 48, 0, 0, 0, 52, 0, 101, 0, 99, 0, 98, 0, 49, 0, 56, 0, 52, 0, 52, 0, 0, 0, 78, 0, 111, 0, 116, 0, 32, 0, 65, 0, 118, 0, 97, 0, 105, 0, 108, 0, 97, 0, 98, 0, 108, 0, 101, 0, 0, 0, 78, 0, 111, 0, 116, 0, 32, 0, 65, 0, 118, 0, 97, 0, 105, 0, 108, 0, 97, 0, 98, 0, 108, 0, 101, 0, 0, 0, 48, 0, 0, 0, 49, 0, 0, 0, 51, 0, 56, 0, 52, 0, 0, 0, 56, 0, 48, 0, 52, 0, 0, 0, 117, 0, 102, 0, 99, 0, 45, 0, 54, 0, 97, 0, 48, 0, 97, 0, 48, 0, 98, 0, 49, 0, 102, 0, 55, 0, 54, 0, 99, 0, 0, 0, 0, 0};
EventCode = 6005;
EventIdentifier = 2147489653;
EventType = 3;
InsertionStrings = {"", "", "", "", "13", "60", "-480 中国标准时间"};
Logfile = "System";
Message = "事件日志服务已启动。
\n";
RecordNumber = 650;
SourceName = "EventLog";
TimeGenerated = "20111125085922.000000+480";
TimeWritten = "20111125085922.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564746875000";
};

******************************************==1==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 10026;
EventIdentifier = 1075849002;
EventType = 3;
InsertionStrings = {"86400", "SuppressDuplicateDuration", "Software\\Microsoft\\Ole\\EventLog"};
Logfile = "System";
Message = "COM 子系统正在取消 86400 秒持续时间内重复的事件日志项。可以通过下列注册表项下名为 SuppressDuplicateDuration 的 REG_DWORD 值控制取消超时: HKLM\\Software\\Microsoft\\Ole\\EventLog。
\n";
RecordNumber = 651;
SourceName = "DCOM";
TimeGenerated = "20111125085922.000000+480";
TimeWritten = "20111125085922.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031250";
};

******************************************==2==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 3;
EventIdentifier = 1113194499;
EventType = 3;
Logfile = "System";
Message = "应用程序体验查找服务已成功地启动。
\n";
RecordNumber = 652;
SourceName = "AeLookupSvc";
TimeGenerated = "20111125085929.000000+480";
TimeWritten = "20111125085929.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031251";
};

******************************************==3==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 17;
EventIdentifier = 2186936337;
EventType = 1;
InsertionStrings = {"time.windows.com,0x1", "套接字操作尝试一个无法连接的主机。 (0x80072751)", "15"};
Logfile = "System";
Message = "时间提供程序 NtpClient: 在 DNS 查询手动配置的对等机器 'time.windows.com,0x1' 时发生一个错误。
\nNtpClient 将在 15 分钟内重试 NDS 查询。
\n错误为: 套接字操作尝试一个无法连接的主机。 (0x80072751)
\n";
RecordNumber = 653;
SourceName = "W32Time";
TimeGenerated = "20111125085930.000000+480";
TimeWritten = "20111125085930.000000+480";
Type = "错误";
};
TIME_CREATED = "129666564747031252";
};

******************************************==4==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
Data = {0, 0, 0, 0, 1, 0, 84, 0, 0, 0, 0, 0, 199, 16, 0, 64, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
EventCode = 4295;
EventIdentifier = 1073746119;
EventType = 3;
InsertionStrings = {""};
Logfile = "System";
Message = "IPSec 驱动程序以 Bypass 模式启动。在此计算机启动时没有 IPSec
\n安全性会被应用到此计算机。如果配置了IPSec 策略,它们将在
\nIPSec 服务启动后被应用到此计算机。
\n";
RecordNumber = 654;
SourceName = "IPSec";
TimeGenerated = "20111125085914.000000+480";
TimeWritten = "20111125085944.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031253";
};

******************************************==5==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
Data = {0, 0, 0, 0, 1, 0, 84, 0, 0, 0, 0, 0, 198, 16, 0, 64, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
EventCode = 4294;
EventIdentifier = 1073746118;
EventType = 3;
InsertionStrings = {""};
Logfile = "System";
Message = "IPSec 驱动程序进入 Secure 状态。如果配置了 IPSec 策略,
\n将在现在被应用到此计算机。
\n";
RecordNumber = 655;
SourceName = "IPSec";
TimeGenerated = "20111125085929.000000+480";
TimeWritten = "20111125085944.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031254";
};

******************************************==6==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 7035;
EventIdentifier = 1073748859;
EventType = 3;
InsertionStrings = {"Network Location Awareness (NLA)", "开始"};
Logfile = "System";
Message = "Network Location Awareness (NLA) 服务成功发送一个 开始 控件。
\n";
RecordNumber = 656;
SourceName = "Service Control Manager";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "信息";
User = "NT AUTHORITY\\SYSTEM";
};
TIME_CREATED = "129666564747031255";
};

******************************************==7==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 7036;
EventIdentifier = 1073748860;
EventType = 3;
InsertionStrings = {"Network Location Awareness (NLA)", "正在运行"};
Logfile = "System";
Message = "Network Location Awareness (NLA) 服务处于 正在运行 状态。
\n";
RecordNumber = 657;
SourceName = "Service Control Manager";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031256";
};

******************************************==8==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 7035;
EventIdentifier = 1073748859;
EventType = 3;
InsertionStrings = {"Terminal Services", "开始"};
Logfile = "System";
Message = "Terminal Services 服务成功发送一个 开始 控件。
\n";
RecordNumber = 658;
SourceName = "Service Control Manager";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "信息";
User = "NT AUTHORITY\\SYSTEM";
};
TIME_CREATED = "129666564747031257";
};

******************************************==9==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 7036;
EventIdentifier = 1073748860;
EventType = 3;
InsertionStrings = {"Terminal Services", "正在运行"};
Logfile = "System";
Message = "Terminal Services 服务处于 正在运行 状态。
\n";
RecordNumber = 659;
SourceName = "Service Control Manager";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031258";
};

******************************************==10==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 7035;
EventIdentifier = 1073748859;
EventType = 3;
InsertionStrings = {"Application Layer Gateway Service", "开始"};
Logfile = "System";
Message = "Application Layer Gateway Service 服务成功发送一个 开始 控件。
\n";
RecordNumber = 660;
SourceName = "Service Control Manager";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "信息";
User = "NT AUTHORITY\\SYSTEM";
};
TIME_CREATED = "129666564747031259";
};

******************************************==11==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 7036;
EventIdentifier = 1073748860;
EventType = 3;
InsertionStrings = {"Application Layer Gateway Service", "正在运行"};
Logfile = "System";
Message = "Application Layer Gateway Service 服务处于 正在运行 状态。
\n";
RecordNumber = 661;
SourceName = "Service Control Manager";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031260";
};

******************************************==12==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 84, 1, 0, 0, 96, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 64, 1, 12, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 97, 0, 110, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "TM";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 4193;
EventIdentifier = 1073746017;
EventType = 3;
InsertionStrings = {"0", "0", "0", "0", "0", "0", "1"};
Logfile = "Application";
Message = "MS DTC 已启动,设置如下(OFF = 0,ON = 1):


\n
\n安全配置:

\n     事务的网络管理 = 0,

\n     网络客户端 = 0,

\n     使用本机 MSDTC 协议的入站分布式事务 = 0,

\n     使用本机 MSDTC 协议的出站分布式事务 = 0,

\n     事务 Internet 协议(TIP) = 0,

\n     XA 事务 = 0

\n
\n筛选的重复事件 = 1";
RecordNumber = 152;
SourceName = "MSDTC";
TimeGenerated = "20111125085929.000000+480";
TimeWritten = "20111125085929.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747187500";
};

******************************************==13==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 84, 1, 0, 0, 96, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 64, 1, 12, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 97, 0, 110, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 4625;
EventIdentifier = 1073746449;
EventType = 3;
InsertionStrings = {"86400", "SuppressDuplicateDuration", "Software\\Microsoft\\EventSystem\\EventLog"};
Logfile = "Application";
Message = "EventSystem 子系统正在取消 86400 秒持续时间内重复的事件日志项。可以通过下列注册表项下名为 SuppressDuplicateDuration 的 REG_DWORD 值控制取消超时: HKLM\\Software\\Microsoft\\EventSystem\\EventLog。
\n";
RecordNumber = 153;
SourceName = "EventSystem";
TimeGenerated = "20111125085929.000000+480";
TimeWritten = "20111125085929.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747187501";
};

******************************************==14==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 84, 1, 0, 0, 96, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 64, 1, 12, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 97, 0, 110, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 100;
ComputerName = "UFC-6A0A0B1F76C";
Data = {65, 112, 112, 108, 105, 99, 97, 116, 105, 111, 110, 32, 70, 97, 105, 108, 117, 114, 101, 32, 32, 115, 118, 99, 104, 111, 115, 116, 46, 101, 120, 101, 32, 53, 46, 50, 46, 51, 55, 57, 48, 46, 51, 57, 53, 57, 32, 105, 110, 32, 107, 101, 114, 110, 101, 108, 51, 50, 46, 100, 108, 108, 32, 53, 46, 50, 46, 51, 55, 57, 48, 46, 51, 57, 53, 57, 32, 97, 116, 32, 111, 102, 102, 115, 101, 116, 32, 48, 48, 48, 54, 98, 101, 98, 56};
EventCode = 1004;
EventIdentifier = 1004;
EventType = 3;
InsertionStrings = {"svchost.exe", "5.2.3790.3959", "kernel32.dll", "5.2.3790.3959", "0006beb8"};
Logfile = "Application";
Message = "报告队列中的错误: 错误应用程序 svchost.exe,版本 5.2.3790.3959,错误模块 kernel32.dll,版本 5.2.3790.3959,错误地址 0x0006beb8。
\n";
RecordNumber = 154;
SourceName = "Application Error";
TimeGenerated = "20111125085942.000000+480";
TimeWritten = "20111125085942.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747187502";
};

******************************************==15==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 528;
EventIdentifier = 528;
EventType = 4;
InsertionStrings = {"SYSTEM", "NT AUTHORITY", "(0x0,0x3E7)", "0", "-", "-", "-", "-", "-", "-", "-", "4", "-", "-", "-"};
Logfile = "Security";
Message = "登录成功:
\n
\n\t用户名: \tSYSTEM
\n
\n\t域: \t\tNT AUTHORITY
\n
\n\t登录 ID: \t\t(0x0,0x3E7)
\n
\n\t登录类型: \t0
\n
\n\t登录进程: \t-
\n
\n\t身份验证数据包: \t-
\n
\n\t工作站名:\t-
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: 4
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t-
\n
\n\t源端口:\t-
\n
\n";
RecordNumber = 3980;
SourceName = "Security";
TimeGenerated = "20111125085926.000000+480";
TimeWritten = "20111125085926.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\SYSTEM";
};
TIME_CREATED = "129666564748281250";
};

******************************************==16==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 528;
EventIdentifier = 528;
EventType = 4;
InsertionStrings = {"NETWORK SERVICE", "NT AUTHORITY", "(0x0,0x3E4)", "5", "Advapi  ", "Negotiate", "", "-", "UFC-6A0A0B1F76C$", "WORKGROUP", "(0x0,0x3E7)", "380", "-", "-", "-"};
Logfile = "Security";
Message = "登录成功:
\n
\n\t用户名: \tNETWORK SERVICE
\n
\n\t域: \t\tNT AUTHORITY
\n
\n\t登录 ID: \t\t(0x0,0x3E4)
\n
\n\t登录类型: \t5
\n
\n\t登录进程: \tAdvapi 
\n
\n\t身份验证数据包: \tNegotiate
\n
\n\t工作站名:\t
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\tUFC-6A0A0B1F76C$
\n
\n\t调用方域:\tWORKGROUP
\n
\n\t调用方登录 ID:\t(0x0,0x3E7)
\n
\n\t调用方进程 ID: 380
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t-
\n
\n\t源端口:\t-
\n
\n";
RecordNumber = 3981;
SourceName = "Security";
TimeGenerated = "20111125085926.000000+480";
TimeWritten = "20111125085926.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\NETWORK SERVICE";
};
TIME_CREATED = "129666564748281251";
};

******************************************==17==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"NETWORK SERVICE", "NT AUTHORITY", "(0x0,0x3E4)", "SeAuditPrivilege
\n\t\t\tSeAssignPrimaryTokenPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tNETWORK SERVICE
\n
\n\t域:\t\tNT AUTHORITY
\n
\n\t登录 ID:\t\t(0x0,0x3E4)
\n
\n\t特权:\tSeAuditPrivilege
\n\t\t\tSeAssignPrimaryTokenPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 3982;
SourceName = "Security";
TimeGenerated = "20111125085926.000000+480";
TimeWritten = "20111125085926.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\NETWORK SERVICE";
};
TIME_CREATED = "129666564748281252";
};

******************************************==18==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 528;
EventIdentifier = 528;
EventType = 4;
InsertionStrings = {"LOCAL SERVICE", "NT AUTHORITY", "(0x0,0x3E5)", "5", "Advapi  ", "Negotiate", "", "-", "UFC-6A0A0B1F76C$", "WORKGROUP", "(0x0,0x3E7)", "380", "-", "-", "-"};
Logfile = "Security";
Message = "登录成功:
\n
\n\t用户名: \tLOCAL SERVICE
\n
\n\t域: \t\tNT AUTHORITY
\n
\n\t登录 ID: \t\t(0x0,0x3E5)
\n
\n\t登录类型: \t5
\n
\n\t登录进程: \tAdvapi 
\n
\n\t身份验证数据包: \tNegotiate
\n
\n\t工作站名:\t
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\tUFC-6A0A0B1F76C$
\n
\n\t调用方域:\tWORKGROUP
\n
\n\t调用方登录 ID:\t(0x0,0x3E7)
\n
\n\t调用方进程 ID: 380
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t-
\n
\n\t源端口:\t-
\n
\n";
RecordNumber = 3983;
SourceName = "Security";
TimeGenerated = "20111125085926.000000+480";
TimeWritten = "20111125085926.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\LOCAL SERVICE";
};
TIME_CREATED = "129666564748281253";
};

******************************************==19==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"LOCAL SERVICE", "NT AUTHORITY", "(0x0,0x3E5)", "SeAuditPrivilege
\n\t\t\tSeAssignPrimaryTokenPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tLOCAL SERVICE
\n
\n\t域:\t\tNT AUTHORITY
\n
\n\t登录 ID:\t\t(0x0,0x3E5)
\n
\n\t特权:\tSeAuditPrivilege
\n\t\t\tSeAssignPrimaryTokenPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 3984;
SourceName = "Security";
TimeGenerated = "20111125085926.000000+480";
TimeWritten = "20111125085926.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\LOCAL SERVICE";
};
TIME_CREATED = "129666564748281254";
};

******************************************==20==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {"", "", "(0x0,0xC2DE)", "3", "NtLmSsp ", "NTLM", "", "-", "-", "-", "-", "-", "-", "-", "-"};
Logfile = "Security";
Message = "成功的网络登录:
\n
\n\t用户名:\t
\n
\n\t域:\t\t
\n
\n\t登录 ID:\t\t(0x0,0xC2DE)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\t
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t-
\n
\n\t源端口:\t-
\n
\n";
RecordNumber = 3985;
SourceName = "Security";
TimeGenerated = "20111125085929.000000+480";
TimeWritten = "20111125085929.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\ANONYMOUS LOGON";
};
TIME_CREATED = "129666564748437500";
};

******************************************==21==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = "帐户登录";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "Administrator", "UFC-6A0A0B1F76C", "0x0"};
Logfile = "Security";
Message = "尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户:  \tAdministrator
\n
\n源工作站: \tUFC-6A0A0B1F76C
\n
\n错误代码: \t0x0
\n
\n";
RecordNumber = 3986;
SourceName = "Security";
TimeGenerated = "20111125085941.000000+480";
TimeWritten = "20111125085942.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748593750";
};

******************************************==22==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 552;
EventIdentifier = 552;
EventType = 4;
InsertionStrings = {"UFC-6A0A0B1F76C$", "WORKGROUP", "(0x0,0x3E7)", "-", "Administrator", "UFC-6A0A0B1F76C", "-", "localhost", "localhost", "332", "127.0.0.1", "0"};
Logfile = "Security";
Message = "使用明确凭据的登录尝试:
\n
\n登录的用户:
\n
\n\t用户名:\tUFC-6A0A0B1F76C$
\n
\n\t域:\t\tWORKGROUP
\n
\n\t登录 ID:\t\t(0x0,0x3E7)
\n
\n\t登录 GUID:\t-
\n
\n凭据被使用的用户:
\n
\n\t目标用户名:\tAdministrator
\n
\n\t目标域:\tUFC-6A0A0B1F76C
\n
\n\t目标登录 GUID: -
\n
\n
\n目标服务器名称:\tlocalhost
\n
\n目标服务器信息:\tlocalhost
\n
\n调用方进程 ID:\t332
\n
\n源网络地址:\t127.0.0.1
\n
\n源端口:\t0
\n
\n";
RecordNumber = 3987;
SourceName = "Security";
TimeGenerated = "20111125085941.000000+480";
TimeWritten = "20111125085942.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\SYSTEM";
};
TIME_CREATED = "129666564748593751";
};

******************************************==23==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 528;
EventIdentifier = 528;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x10AB2)", "2", "User32  ", "Negotiate", "UFC-6A0A0B1F76C", "-", "UFC-6A0A0B1F76C$", "WORKGROUP", "(0x0,0x3E7)", "332", "-", "127.0.0.1", "0"};
Logfile = "Security";
Message = "登录成功:
\n
\n\t用户名: \tAdministrator
\n
\n\t域: \t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID: \t\t(0x0,0x10AB2)
\n
\n\t登录类型: \t2
\n
\n\t登录进程: \tUser32 
\n
\n\t身份验证数据包: \tNegotiate
\n
\n\t工作站名:\tUFC-6A0A0B1F76C
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\tUFC-6A0A0B1F76C$
\n
\n\t调用方域:\tWORKGROUP
\n
\n\t调用方登录 ID:\t(0x0,0x3E7)
\n
\n\t调用方进程 ID: 332
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t127.0.0.1
\n
\n\t源端口:\t0
\n
\n";
RecordNumber = 3988;
SourceName = "Security";
TimeGenerated = "20111125085941.000000+480";
TimeWritten = "20111125085942.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748593752";
};

******************************************==24==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x10AB2)", "SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x10AB2)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 3989;
SourceName = "Security";
TimeGenerated = "20111125085941.000000+480";
TimeWritten = "20111125085942.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750000";
};

******************************************==25==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = "帐户登录";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "administrator", "\\\\192.168.4.254", "0x0"};
Logfile = "Security";
Message = "尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户:  \tadministrator
\n
\n源工作站: \t\\\\192.168.4.254
\n
\n错误代码: \t0x0
\n
\n";
RecordNumber = 3990;
SourceName = "Security";
TimeGenerated = "20111125090112.000000+480";
TimeWritten = "20111125090112.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750001";
};

******************************************==26==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1A9BF)", "SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1A9BF)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 3991;
SourceName = "Security";
TimeGenerated = "20111125090112.000000+480";
TimeWritten = "20111125090112.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750002";
};

******************************************==27==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1A9BF)", "3", "NtLmSsp ", "NTLM", "\\\\192.168.4.254", "-", "-", "-", "-", "-", "-", "192.168.4.254", "0"};
Logfile = "Security";
Message = "成功的网络登录:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1A9BF)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\t\\\\192.168.4.254
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t192.168.4.254
\n
\n\t源端口:\t0
\n
\n";
RecordNumber = 3992;
SourceName = "Security";
TimeGenerated = "20111125090112.000000+480";
TimeWritten = "20111125090112.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750003";
};

******************************************==28==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = "帐户登录";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "administrator", "JCIFS8_186_16", "0x0"};
Logfile = "Security";
Message = "尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户:  \tadministrator
\n
\n源工作站: \tJCIFS8_186_16
\n
\n错误代码: \t0x0
\n
\n";
RecordNumber = 3993;
SourceName = "Security";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750004";
};

******************************************==29==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1C919)", "SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1C919)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 3994;
SourceName = "Security";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750005";
};

******************************************==30==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1C919)", "3", "NtLmSsp ", "NTLM", "JCIFS8_186_16", "-", "-", "-", "-", "-", "-", "192.168.4.254", "1863"};
Logfile = "Security";
Message = "成功的网络登录:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1C919)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\tJCIFS8_186_16
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t192.168.4.254
\n
\n\t源端口:\t1863
\n
\n";
RecordNumber = 3995;
SourceName = "Security";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750006";
};

******************************************==31==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = "帐户登录";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "administrator", "JCIFS8_186_16", "0x0"};
Logfile = "Security";
Message = "尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户:  \tadministrator
\n
\n源工作站: \tJCIFS8_186_16
\n
\n错误代码: \t0x0
\n
\n";
RecordNumber = 3996;
SourceName = "Security";
TimeGenerated = "20111125090114.000000+480";
TimeWritten = "20111125090114.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750007";
};

******************************************==32==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1CE72)", "SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1CE72)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 3997;
SourceName = "Security";
TimeGenerated = "20111125090114.000000+480";
TimeWritten = "20111125090114.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750008";
};

******************************************==33==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1CE72)", "3", "NtLmSsp ", "NTLM", "JCIFS8_186_16", "-", "-", "-", "-", "-", "-", "192.168.4.254", "1864"};
Logfile = "Security";
Message = "成功的网络登录:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1CE72)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\tJCIFS8_186_16
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t192.168.4.254
\n
\n\t源端口:\t1864
\n
\n";
RecordNumber = 3998;
SourceName = "Security";
TimeGenerated = "20111125090114.000000+480";
TimeWritten = "20111125090114.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750009";
};

******************************************==34==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = "帐户登录";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "administrator", "JCIFS8_186_16", "0x0"};
Logfile = "Security";
Message = "尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户:  \tadministrator
\n
\n源工作站: \tJCIFS8_186_16
\n
\n错误代码: \t0x0
\n
\n";
RecordNumber = 3999;
SourceName = "Security";
TimeGenerated = "20111125090114.000000+480";
TimeWritten = "20111125090114.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750010";
};

******************************************==35==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1CE8B)", "SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1CE8B)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 4000;
SourceName = "Security";
TimeGenerated = "20111125090114.000000+480";
TimeWritten = "20111125090114.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750011";
};

******************************************==36==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1CE8B)", "3", "NtLmSsp ", "NTLM", "JCIFS8_186_16", "-", "-", "-", "-", "-", "-", "192.168.4.254", "1865"};
Logfile = "Security";
Message = "成功的网络登录:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1CE8B)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\tJCIFS8_186_16
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t192.168.4.254
\n
\n\t源端口:\t1865
\n
\n";
RecordNumber = 4001;
SourceName = "Security";
TimeGenerated = "20111125090114.000000+480";
TimeWritten = "20111125090114.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750012";
};

******************************************==37==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 538;
EventIdentifier = 538;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1A9BF)", "3"};
Logfile = "Security";
Message = "用户注销:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1A9BF)
\n
\n\t登录类型:\t3
\n
\n";
RecordNumber = 4002;
SourceName = "Security";
TimeGenerated = "20111125090148.000000+480";
TimeWritten = "20111125090148.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666565081875000";
};

******************************************==38==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 84, 1, 0, 0, 96, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 64, 1, 12, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 97, 0, 110, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
Data = {94, 9, 0, 0, 95, 9, 0, 0, 84, 5, 0, 0};
EventCode = 1001;
EventIdentifier = 1073742825;
EventType = 3;
InsertionStrings = {"WmiApRpl", "WmiApRpl"};
Logfile = "Application";
Message = "已成功删除 WmiApRpl (WmiApRpl)服务的性能计数器。记录数据含有系统上一个计数器和上一个“帮助”注册表项的新数值。
\n";
RecordNumber = 155;
SourceName = "LoadPerf";
TimeGenerated = "20111125090331.000000+480";
TimeWritten = "20111125090331.000000+480";
Type = "信息";
};
TIME_CREATED = "129666566116718750";
};

******************************************==39==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 84, 1, 0, 0, 96, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 64, 1, 12, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 97, 0, 110, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
Data = {96, 9, 0, 0, 108, 9, 0, 0, 97, 9, 0, 0, 109, 9, 0, 0};
EventCode = 1000;
EventIdentifier = 1073742824;
EventType = 3;
InsertionStrings = {"WmiApRpl", "WmiApRpl"};
Logfile = "Application";
Message = "已成功加载 WmiApRpl (WmiApRpl)服务的性能计数器。记录数据含有分配给这个服务的新索引数值。
\n";
RecordNumber = 156;
SourceName = "LoadPerf";
TimeGenerated = "20111125090331.000000+480";
TimeWritten = "20111125090331.000000+480";
Type = "信息";
};
TIME_CREATED = "129666566169062500";
};

******************************************==40==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = "帐户登录";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "administrator", "JCIFS8_186_16", "0x0"};
Logfile = "Security";
Message = "尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户:  \tadministrator
\n
\n源工作站: \tJCIFS8_186_16
\n
\n错误代码: \t0x0
\n
\n";
RecordNumber = 4003;
SourceName = "Security";
TimeGenerated = "20111125090510.000000+480";
TimeWritten = "20111125090510.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666567102656250";
};

******************************************==41==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1F28E)", "SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1F28E)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 4004;
SourceName = "Security";
TimeGenerated = "20111125090510.000000+480";
TimeWritten = "20111125090510.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666567102656251";
};

******************************************==42==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1F28E)", "3", "NtLmSsp ", "NTLM", "JCIFS8_186_16", "-", "-", "-", "-", "-", "-", "192.168.4.254", "1900"};
Logfile = "Security";
Message = "成功的网络登录:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1F28E)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\tJCIFS8_186_16
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t192.168.4.254
\n
\n\t源端口:\t1900
\n
\n";
RecordNumber = 4005;
SourceName = "Security";
TimeGenerated = "20111125090510.000000+480";
TimeWritten = "20111125090510.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666567102656252";
};

******************************************==43==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 17;
EventIdentifier = 2186936337;
EventType = 1;
InsertionStrings = {"time.windows.com,0x1", "套接字操作尝试一个无法连接的主机。 (0x80072751)", "30"};
Logfile = "System";
Message = "时间提供程序 NtpClient: 在 DNS 查询手动配置的对等机器 'time.windows.com,0x1' 时发生一个错误。
\nNtpClient 将在 30 分钟内重试 NDS 查询。
\n错误为: 套接字操作尝试一个无法连接的主机。 (0x80072751)
\n";
RecordNumber = 662;
SourceName = "W32Time";
TimeGenerated = "20111125091430.000000+480";
TimeWritten = "20111125091430.000000+480";
Type = "错误";
};
TIME_CREATED = "129666572702812500";
};



Java代码 

  • package com.mytest; 
  •  
  • import java.io.IOException; 
  • import java.util.logging.Level; 
  • import org.jinterop.dcom.common.JIException; 
  • import org.jinterop.dcom.common.JISystem; 
  • import org.jinterop.dcom.core.JIComServer; 
  • import org.jinterop.dcom.core.JIProgId; 
  • import org.jinterop.dcom.core.JISession; 
  • import org.jinterop.dcom.core.JIString; 
  • import org.jinterop.dcom.core.JIVariant;  
  • import org.jinterop.dcom.impls.JIObjectFactory; 
  • import org.jinterop.dcom.impls.automation.IJIDispatch; 
  •  
  • public class EventLogListener { 
  •     private static final String WMI_DEFAULT_NAMESPACE = &quot;ROOT\\CIMV2&quot;; 
  •  
  •     private static JISession configAndConnectDCom(String domain, String user, 
  •             String pass) throws Exception { 
  •         JISystem.getLogger().setLevel(Level.OFF); 
  •         try { 
  •             JISystem.setInBuiltLogHandler(false); 
  •         } catch (IOException ignored) { 
  •             ; 
  •         } 
  •         JISystem.setAutoRegisteration(true); 
  •         JISession dcomSession = JISession.createSession(domain, user, pass); 
  •         dcomSession.useSessionSecurity(true); 
  •         return dcomSession; 
  •     } 
  •  
  •     private static IJIDispatch getWmiLocator(String host, JISession dcomSession) 
  •             throws Exception { 
  •         JIComServer wbemLocatorComObj = new JIComServer(JIProgId 
  •                 .valueOf(&quot;WbemScripting.SWbemLocator&quot;), host, dcomSession); 
  •         return (IJIDispatch) JIObjectFactory.narrowObject(wbemLocatorComObj 
  •                 .createInstance().queryInterface(IJIDispatch.IID)); 
  •     } 
  •  
  •     private static IJIDispatch toIDispatch(JIVariant comObjectAsVariant) 
  •             throws JIException { 
  •         return (IJIDispatch) JIObjectFactory.narrowObject(comObjectAsVariant 
  •                 .getObjectAsComObject()); 
  •     } 
  •  
  •     public static void main(String[] args) { 
  •         //if (args.length != 4) { 
  •             //System.out.println(&quot;Usage: &quot; 
  •                     //+ EventLogListener.class.getSimpleName() 
  •                     //+ &quot; domain host username password&quot;); 
  •             //return; 
  •         //} 
  •         String domain = &quot;&quot;; 
  •         String host = &quot;192.168.4.253&quot;; 
  •         String user = &quot;administrator&quot;; 
  •         String pass =&quot;123456&quot;; 
  •         JISession dcomSession = null; 
  •         try { 
  •             // Connect to DCOM on the remote system, and create an instance of 
  •             // the WbemScripting.SWbemLocator object to talk to WMI. 
  •             dcomSession = configAndConnectDCom(domain, user, pass); 
  •             IJIDispatch wbemLocator = getWmiLocator(host, dcomSession); 
  •             // Invoke the &quot;ConnectServer&quot; method on the SWbemLocator object via 
  •             // it's IDispatch COM pointer. We will connect to 
  •             // the default ROOT\CIMV2 namespace. This will result in us having a 
  •             // reference to a &quot;SWbemServices&quot; object. 
  •             JIVariant results[] = wbemLocator.callMethodA(&quot;ConnectServer&quot;, 
  •                     new Object[] { new JIString(host), 
  •                             new JIString(WMI_DEFAULT_NAMESPACE), 
  •                             JIVariant.OPTIONAL_PARAM(), 
  •                             JIVariant.OPTIONAL_PARAM(), 
  •                             JIVariant.OPTIONAL_PARAM(), 
  •                             JIVariant.OPTIONAL_PARAM(), new Integer(0), 
  •                             JIVariant.OPTIONAL_PARAM() }); 
  •             IJIDispatch wbemServices = toIDispatch(results[0]); 
  •             // Now that we have a SWbemServices DCOM object reference, we 
  •             // prepare a WMI Query Language (WQL) request to be informed 
  •             // whenever a 
  •             // new instance of the &quot;Win32_NTLogEvent&quot; WMI class is created on 
  •             // the remote host. This is submitted to the remote host via the 
  •             // &quot;ExecNotificationQuery&quot; method on SWbemServices. This gives us 
  •             // all events as they come in. Refer to WQL documentation to 
  •             // learn how to restrict the query if you want a narrower focus. 
  •             final String QUERY_FOR_ALL_LOG_EVENTS = &quot;SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent'&quot;; 
  •             //final String QUERY_FOR_ALL_LOG_EVENTS = &quot;SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' and TargetInstance.LogFile = 'System'&quot;; 
  •             //Application 
  •             //Security 
  •             //System 
  •             // and TargetInstance.LogFile = 'System' 
  •             final int RETURN_IMMEDIATE = 16; 
  •             final int FORWARD_ONLY = 32; 
  •             JIVariant[] eventSourceSet = wbemServices.callMethodA( 
  •                     &quot;ExecNotificationQuery&quot;, new Object[] { 
  •                             new JIString(QUERY_FOR_ALL_LOG_EVENTS), 
  •                             new JIString(&quot;WQL&quot;), 
  •                             new JIVariant(new Integer(RETURN_IMMEDIATE 
  •                                     + FORWARD_ONLY)) }); 
  •             IJIDispatch wbemEventSource = (IJIDispatch) JIObjectFactory 
  •                     .narrowObject((eventSourceSet[0]).getObjectAsComObject()); 
  •             // The result of the query is a SWbemEventSource object. This object 
  •             // exposes a method that we can call in a loop to retrieve the 
  •             // next Windows Event Log entry whenever it is created. This 
  •             // &quot;NextEvent&quot; operation will block until we are given an event. 
  •             // Note that you can specify timeouts, see the Microsoft 
  •             // documentation for more details. 
  •             boolean flag = true; 
  •             int i=0; 
  •             while (flag) { 
  •                 // this blocks until an event log entry appears. 
  •                 JIVariant eventAsVariant = (JIVariant) (wbemEventSource 
  •                         .callMethodA(&quot;NextEvent&quot;, new Object[] { JIVariant 
  •                                 .OPTIONAL_PARAM() }))[0]; 
  •                 IJIDispatch wbemEvent = toIDispatch(eventAsVariant); 
  •                 // WMI gives us events as SWbemObject instances (a base class of 
  •                 // any WMI object). We know in our case we asked for a specific 
  •                 // object 
  •                 // type, so we will go ahead and invoke methods supported by 
  •                 // that Win32_NTLogEvent class via the wbemEvent IDispatch 
  •                 // pointer. 
  •                 // In this case, we simply call the &quot;GetObjectText_&quot; method that 
  •                 // returns us the entire object as a CIM formatted string. We 
  •                 // could, 
  •                 // however, ask the object for its property values via 
  •                 // wbemEvent.get(&quot;PropertyName&quot;). See the j-interop 
  •                 // documentation and examples 
  •                 // for how to query COM properties. 
  •                 JIVariant objTextAsVariant = (JIVariant) (wbemEvent 
  •                         .callMethodA(&quot;GetObjectText_&quot;, 
  •                                 new Object[] { new Integer(1) }))[0]; 
  •                 String asText = objTextAsVariant.getObjectAsString() 
  •                         .getString(); 
  •                 System.out.println(&quot;******************************************==&quot;+i++ +&quot;==****************************&quot;); 
  •  
  •                 System.out.println(asText); 
  •                  
  •                 //flag = false; 
  •                  
  • //              System.out.println(&quot;-----start------&quot;); 
  • //              System.out.println(asText); 
  • //              String[] texts = asText.split(&quot;\t&quot;); 
  • //              for(int i = 0; i  
  • //              {  
  • //                  System.out.println( &quot;texts[&quot;+ i +&quot;]= &quot;+texts[i]);  
  • //              }  
  •  
  •             } 
  •         } catch (Exception e) { 
  •             e.printStackTrace(); 
  •         } finally { 
  •             if (null != dcomSession) { 
  •                 try { 
  •                     JISession.destroySession(dcomSession); 
  •                 } catch (Exception ex) { 
  •                     ex.printStackTrace(); 
  •                 } 
  •             } 
  •         } 
  •     } 





输出结果:
******************************************==0==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
Data = {49, 0, 46, 0, 49, 0, 0, 0, 48, 0, 0, 0, 77, 0, 105, 0, 99, 0, 114, 0, 111, 0, 115, 0, 111, 0, 102, 0, 116, 0, 32, 0, 87, 0, 105, 0, 110, 0, 100, 0, 111, 0, 119, 0, 115, 0, 32, 0, 83, 0, 101, 0, 114, 0, 118, 0, 101, 0, 114, 0, 32, 0, 50, 0, 48, 0, 48, 0, 51, 0, 0, 0, 53, 0, 46, 0, 50, 0, 46, 0, 51, 0, 55, 0, 57, 0, 48, 0, 32, 0, 66, 0, 117, 0, 105, 0, 108, 0, 100, 0, 32, 0, 51, 0, 55, 0, 57, 0, 48, 0, 32, 0, 83, 0, 101, 0, 114, 0, 118, 0, 105, 0, 99, 0, 101, 0, 32, 0, 80, 0, 97, 0, 99, 0, 107, 0, 32, 0, 50, 0, 0, 0, 85, 0, 110, 0, 105, 0, 112, 0, 114, 0, 111, 0, 99, 0, 101, 0, 115, 0, 115, 0, 111, 0, 114, 0, 32, 0, 70, 0, 114, 0, 101, 0, 101, 0, 0, 0, 51, 0, 55, 0, 57, 0, 48, 0, 46, 0, 115, 0, 114, 0, 118, 0, 48, 0, 51, 0, 95, 0, 115, 0, 112, 0, 50, 0, 95, 0, 114, 0, 116, 0, 109, 0, 46, 0, 48, 0, 55, 0, 48, 0, 50, 0, 49, 0, 54, 0, 45, 0, 49, 0, 55, 0, 49, 0, 48, 0, 0, 0, 52, 0, 101, 0, 99, 0, 98, 0, 49, 0, 56, 0, 52, 0, 52, 0, 0, 0, 78, 0, 111, 0, 116, 0, 32, 0, 65, 0, 118, 0, 97, 0, 105, 0, 108, 0, 97, 0, 98, 0, 108, 0, 101, 0, 0, 0, 78, 0, 111, 0, 116, 0, 32, 0, 65, 0, 118, 0, 97, 0, 105, 0, 108, 0, 97, 0, 98, 0, 108, 0, 101, 0, 0, 0, 48, 0, 0, 0, 49, 0, 0, 0, 51, 0, 56, 0, 52, 0, 0, 0, 56, 0, 48, 0, 52, 0, 0, 0, 117, 0, 102, 0, 99, 0, 45, 0, 54, 0, 97, 0, 48, 0, 97, 0, 48, 0, 98, 0, 49, 0, 102, 0, 55, 0, 54, 0, 99, 0, 0, 0, 0, 0};
EventCode = 6005;
EventIdentifier = 2147489653;
EventType = 3;
InsertionStrings = {&quot;&quot;, &quot;&quot;, &quot;&quot;, &quot;&quot;, &quot;13&quot;, &quot;60&quot;, &quot;-480 中国标准时间&quot;};
Logfile = &quot;System&quot;;
Message = &quot;事件日志服务已启动。
\n&quot;;
RecordNumber = 650;
SourceName = &quot;EventLog&quot;;
TimeGenerated = &quot;20111125085922.000000+480&quot;;
TimeWritten = &quot;20111125085922.000000+480&quot;;
Type = &quot;信息&quot;;
};
TIME_CREATED = &quot;129666564746875000&quot;;
};

******************************************==1==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 10026;
EventIdentifier = 1075849002;
EventType = 3;
InsertionStrings = {&quot;86400&quot;, &quot;SuppressDuplicateDuration&quot;, &quot;Software\\Microsoft\\Ole\\EventLog&quot;};
Logfile = &quot;System&quot;;
Message = &quot;COM 子系统正在取消 86400 秒持续时间内重复的事件日志项。可以通过下列注册表项下名为 SuppressDuplicateDuration 的 REG_DWORD 值控制取消超时: HKLM\\Software\\Microsoft\\Ole\\EventLog。
\n&quot;;
RecordNumber = 651;
SourceName = &quot;DCOM&quot;;
TimeGenerated = &quot;20111125085922.000000+480&quot;;
TimeWritten = &quot;20111125085922.000000+480&quot;;
Type = &quot;信息&quot;;
};
TIME_CREATED = &quot;129666564747031250&quot;;
};

******************************************==2==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 3;
EventIdentifier = 1113194499;
EventType = 3;
Logfile = &quot;System&quot;;
Message = &quot;应用程序体验查找服务已成功地启动。
\n&quot;;
RecordNumber = 652;
SourceName = &quot;AeLookupSvc&quot;;
TimeGenerated = &quot;20111125085929.000000+480&quot;;
TimeWritten = &quot;20111125085929.000000+480&quot;;
Type = &quot;信息&quot;;
};
TIME_CREATED = &quot;129666564747031251&quot;;
};

******************************************==3==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 17;
EventIdentifier = 2186936337;
EventType = 1;
InsertionStrings = {&quot;time.windows.com,0x1&quot;, &quot;套接字操作尝试一个无法连接的主机。 (0x80072751)&quot;, &quot;15&quot;};
Logfile = &quot;System&quot;;
Message = &quot;时间提供程序 NtpClient: 在 DNS 查询手动配置的对等机器 'time.windows.com,0x1' 时发生一个错误。
\nNtpClient 将在 15 分钟内重试 NDS 查询。
\n错误为: 套接字操作尝试一个无法连接的主机。 (0x80072751)
\n&quot;;
RecordNumber = 653;
SourceName = &quot;W32Time&quot;;
TimeGenerated = &quot;20111125085930.000000+480&quot;;
TimeWritten = &quot;20111125085930.000000+480&quot;;
Type = &quot;错误&quot;;
};
TIME_CREATED = &quot;129666564747031252&quot;;
};

******************************************==4==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
Data = {0, 0, 0, 0, 1, 0, 84, 0, 0, 0, 0, 0, 199, 16, 0, 64, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
EventCode = 4295;
EventIdentifier = 1073746119;
EventType = 3;
InsertionStrings = {&quot;&quot;};
Logfile = &quot;System&quot;;
Message = &quot;IPSec 驱动程序以 Bypass 模式启动。在此计算机启动时没有 IPSec
\n安全性会被应用到此计算机。如果配置了IPSec 策略,它们将在
\nIPSec 服务启动后被应用到此计算机。
\n&quot;;
RecordNumber = 654;
SourceName = &quot;IPSec&quot;;
TimeGenerated = &quot;20111125085914.000000+480&quot;;
TimeWritten = &quot;20111125085944.000000+480&quot;;
Type = &quot;信息&quot;;
};
TIME_CREATED = &quot;129666564747031253&quot;;
};

******************************************==5==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
Data = {0, 0, 0, 0, 1, 0, 84, 0, 0, 0, 0, 0, 198, 16, 0, 64, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
EventCode = 4294;
EventIdentifier = 1073746118;
EventType = 3;
InsertionStrings = {&quot;&quot;};
Logfile = &quot;System&quot;;
Message = &quot;IPSec 驱动程序进入 Secure 状态。如果配置了 IPSec 策略,
\n将在现在被应用到此计算机。
\n&quot;;
RecordNumber = 655;
SourceName = &quot;IPSec&quot;;
TimeGenerated = &quot;20111125085929.000000+480&quot;;
TimeWritten = &quot;20111125085944.000000+480&quot;;
Type = &quot;信息&quot;;
};
TIME_CREATED = &quot;129666564747031254&quot;;
};

******************************************==6==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 7035;
EventIdentifier = 1073748859;
EventType = 3;
InsertionStrings = {&quot;Network Location Awareness (NLA)&quot;, &quot;开始&quot;};
Logfile = &quot;System&quot;;
Message = &quot;Network Location Awareness (NLA) 服务成功发送一个 开始 控件。
\n&quot;;
RecordNumber = 656;
SourceName = &quot;Service Control Manager&quot;;
TimeGenerated = &quot;20111125090113.000000+480&quot;;
TimeWritten = &quot;20111125090113.000000+480&quot;;
Type = &quot;信息&quot;;
User = &quot;NT AUTHORITY\\SYSTEM&quot;;
};
TIME_CREATED = &quot;129666564747031255&quot;;
};

******************************************==7==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 7036;
EventIdentifier = 1073748860;
EventType = 3;
InsertionStrings = {&quot;Network Location Awareness (NLA)&quot;, &quot;正在运行&quot;};
Logfile = &quot;System&quot;;
Message = &quot;Network Location Awareness (NLA) 服务处于 正在运行 状态。
\n&quot;;
RecordNumber = 657;
SourceName = &quot;Service Control Manager&quot;;
TimeGenerated = &quot;20111125090113.000000+480&quot;;
TimeWritten = &quot;20111125090113.000000+480&quot;;
Type = &quot;信息&quot;;
};
TIME_CREATED = &quot;129666564747031256&quot;;
};

******************************************==8==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 7035;
EventIdentifier = 1073748859;
EventType = 3;
InsertionStrings = {&quot;Terminal Services&quot;, &quot;开始&quot;};
Logfile = &quot;System&quot;;
Message = &quot;Terminal Services 服务成功发送一个 开始 控件。
\n&quot;;
RecordNumber = 658;
SourceName = &quot;Service Control Manager&quot;;
TimeGenerated = &quot;20111125090113.000000+480&quot;;
TimeWritten = &quot;20111125090113.000000+480&quot;;
Type = &quot;信息&quot;;
User = &quot;NT AUTHORITY\\SYSTEM&quot;;
};
TIME_CREATED = &quot;129666564747031257&quot;;
};

******************************************==9==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 7036;
EventIdentifier = 1073748860;
EventType = 3;
InsertionStrings = {&quot;Terminal Services&quot;, &quot;正在运行&quot;};
Logfile = &quot;System&quot;;
Message = &quot;Terminal Services 服务处于 正在运行 状态。
\n&quot;;
RecordNumber = 659;
SourceName = &quot;Service Control Manager&quot;;
TimeGenerated = &quot;20111125090113.000000+480&quot;;
TimeWritten = &quot;20111125090113.000000+480&quot;;
Type = &quot;信息&quot;;
};
TIME_CREATED = &quot;129666564747031258&quot;;
};

******************************************==10==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 7035;
EventIdentifier = 1073748859;
EventType = 3;
InsertionStrings = {&quot;Application Layer Gateway Service&quot;, &quot;开始&quot;};
Logfile = &quot;System&quot;;
Message = &quot;Application Layer Gateway Service 服务成功发送一个 开始 控件。
\n&quot;;
RecordNumber = 660;
SourceName = &quot;Service Control Manager&quot;;
TimeGenerated = &quot;20111125090113.000000+480&quot;;
TimeWritten = &quot;20111125090113.000000+480&quot;;
Type = &quot;信息&quot;;
User = &quot;NT AUTHORITY\\SYSTEM&quot;;
};
TIME_CREATED = &quot;129666564747031259&quot;;
};

******************************************==11==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 7036;
EventIdentifier = 1073748860;
EventType = 3;
InsertionStrings = {&quot;Application Layer Gateway Service&quot;, &quot;正在运行&quot;};
Logfile = &quot;System&quot;;
Message = &quot;Application Layer Gateway Service 服务处于 正在运行 状态。
\n&quot;;
RecordNumber = 661;
SourceName = &quot;Service Control Manager&quot;;
TimeGenerated = &quot;20111125090113.000000+480&quot;;
TimeWritten = &quot;20111125090113.000000+480&quot;;
Type = &quot;信息&quot;;
};
TIME_CREATED = &quot;129666564747031260&quot;;
};

******************************************==12==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 84, 1, 0, 0, 96, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 64, 1, 12, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 97, 0, 110, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = &quot;TM&quot;;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 4193;
EventIdentifier = 1073746017;
EventType = 3;
InsertionStrings = {&quot;0&quot;, &quot;0&quot;, &quot;0&quot;, &quot;0&quot;, &quot;0&quot;, &quot;0&quot;, &quot;1&quot;};
Logfile = &quot;Application&quot;;
Message = &quot;MS DTC 已启动,设置如下(OFF = 0,ON = 1):


\n
\n安全配置:

\n     事务的网络管理 = 0,

\n     网络客户端 = 0,

\n     使用本机 MSDTC 协议的入站分布式事务 = 0,

\n     使用本机 MSDTC 协议的出站分布式事务 = 0,

\n     事务 Internet 协议(TIP) = 0,

\n     XA 事务 = 0

\n
\n筛选的重复事件 = 1&quot;;
RecordNumber = 152;
SourceName = &quot;MSDTC&quot;;
TimeGenerated = &quot;20111125085929.000000+480&quot;;
TimeWritten = &quot;20111125085929.000000+480&quot;;
Type = &quot;信息&quot;;
};
TIME_CREATED = &quot;129666564747187500&quot;;
};

******************************************==13==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 84, 1, 0, 0, 96, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 64, 1, 12, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 97, 0, 110, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 4625;
EventIdentifier = 1073746449;
EventType = 3;
InsertionStrings = {&quot;86400&quot;, &quot;SuppressDuplicateDuration&quot;, &quot;Software\\Microsoft\\EventSystem\\EventLog&quot;};
Logfile = &quot;Application&quot;;
Message = &quot;EventSystem 子系统正在取消 86400 秒持续时间内重复的事件日志项。可以通过下列注册表项下名为 SuppressDuplicateDuration 的 REG_DWORD 值控制取消超时: HKLM\\Software\\Microsoft\\EventSystem\\EventLog。
\n&quot;;
RecordNumber = 153;
SourceName = &quot;EventSystem&quot;;
TimeGenerated = &quot;20111125085929.000000+480&quot;;
TimeWritten = &quot;20111125085929.000000+480&quot;;
Type = &quot;信息&quot;;
};
TIME_CREATED = &quot;129666564747187501&quot;;
};

******************************************==14==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 84, 1, 0, 0, 96, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 64, 1, 12, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 97, 0, 110, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 100;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
Data = {65, 112, 112, 108, 105, 99, 97, 116, 105, 111, 110, 32, 70, 97, 105, 108, 117, 114, 101, 32, 32, 115, 118, 99, 104, 111, 115, 116, 46, 101, 120, 101, 32, 53, 46, 50, 46, 51, 55, 57, 48, 46, 51, 57, 53, 57, 32, 105, 110, 32, 107, 101, 114, 110, 101, 108, 51, 50, 46, 100, 108, 108, 32, 53, 46, 50, 46, 51, 55, 57, 48, 46, 51, 57, 53, 57, 32, 97, 116, 32, 111, 102, 102, 115, 101, 116, 32, 48, 48, 48, 54, 98, 101, 98, 56};
EventCode = 1004;
EventIdentifier = 1004;
EventType = 3;
InsertionStrings = {&quot;svchost.exe&quot;, &quot;5.2.3790.3959&quot;, &quot;kernel32.dll&quot;, &quot;5.2.3790.3959&quot;, &quot;0006beb8&quot;};
Logfile = &quot;Application&quot;;
Message = &quot;报告队列中的错误: 错误应用程序 svchost.exe,版本 5.2.3790.3959,错误模块 kernel32.dll,版本 5.2.3790.3959,错误地址 0x0006beb8。
\n&quot;;
RecordNumber = 154;
SourceName = &quot;Application Error&quot;;
TimeGenerated = &quot;20111125085942.000000+480&quot;;
TimeWritten = &quot;20111125085942.000000+480&quot;;
Type = &quot;信息&quot;;
};
TIME_CREATED = &quot;129666564747187502&quot;;
};

******************************************==15==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = &quot;登录/注销&quot;;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 528;
EventIdentifier = 528;
EventType = 4;
InsertionStrings = {&quot;SYSTEM&quot;, &quot;NT AUTHORITY&quot;, &quot;(0x0,0x3E7)&quot;, &quot;0&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;, &quot;4&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;};
Logfile = &quot;Security&quot;;
Message = &quot;登录成功:
\n
\n\t用户名: \tSYSTEM
\n
\n\t域: \t\tNT AUTHORITY
\n
\n\t登录 ID: \t\t(0x0,0x3E7)
\n
\n\t登录类型: \t0
\n
\n\t登录进程: \t-
\n
\n\t身份验证数据包: \t-
\n
\n\t工作站名:\t-
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: 4
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t-
\n
\n\t源端口:\t-
\n
\n&quot;;
RecordNumber = 3980;
SourceName = &quot;Security&quot;;
TimeGenerated = &quot;20111125085926.000000+480&quot;;
TimeWritten = &quot;20111125085926.000000+480&quot;;
Type = &quot;审核成功&quot;;
User = &quot;NT AUTHORITY\\SYSTEM&quot;;
};
TIME_CREATED = &quot;129666564748281250&quot;;
};

******************************************==16==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = &quot;登录/注销&quot;;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 528;
EventIdentifier = 528;
EventType = 4;
InsertionStrings = {&quot;NETWORK SERVICE&quot;, &quot;NT AUTHORITY&quot;, &quot;(0x0,0x3E4)&quot;, &quot;5&quot;, &quot;Advapi  &quot;, &quot;Negotiate&quot;, &quot;&quot;, &quot;-&quot;, &quot;UFC-6A0A0B1F76C$&quot;, &quot;WORKGROUP&quot;, &quot;(0x0,0x3E7)&quot;, &quot;380&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;};
Logfile = &quot;Security&quot;;
Message = &quot;登录成功:
\n
\n\t用户名: \tNETWORK SERVICE
\n
\n\t域: \t\tNT AUTHORITY
\n
\n\t登录 ID: \t\t(0x0,0x3E4)
\n
\n\t登录类型: \t5
\n
\n\t登录进程: \tAdvapi 
\n
\n\t身份验证数据包: \tNegotiate
\n
\n\t工作站名:\t
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\tUFC-6A0A0B1F76C$
\n
\n\t调用方域:\tWORKGROUP
\n
\n\t调用方登录 ID:\t(0x0,0x3E7)
\n
\n\t调用方进程 ID: 380
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t-
\n
\n\t源端口:\t-
\n
\n&quot;;
RecordNumber = 3981;
SourceName = &quot;Security&quot;;
TimeGenerated = &quot;20111125085926.000000+480&quot;;
TimeWritten = &quot;20111125085926.000000+480&quot;;
Type = &quot;审核成功&quot;;
User = &quot;NT AUTHORITY\\NETWORK SERVICE&quot;;
};
TIME_CREATED = &quot;129666564748281251&quot;;
};

******************************************==17==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = &quot;登录/注销&quot;;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {&quot;NETWORK SERVICE&quot;, &quot;NT AUTHORITY&quot;, &quot;(0x0,0x3E4)&quot;, &quot;SeAuditPrivilege
\n\t\t\tSeAssignPrimaryTokenPrivilege
\n\t\t\tSeImpersonatePrivilege&quot;};
Logfile = &quot;Security&quot;;
Message = &quot;指派给新登录的特殊权限:
\n
\n\t用户名:\tNETWORK SERVICE
\n
\n\t域:\t\tNT AUTHORITY
\n
\n\t登录 ID:\t\t(0x0,0x3E4)
\n
\n\t特权:\tSeAuditPrivilege
\n\t\t\tSeAssignPrimaryTokenPrivilege
\n\t\t\tSeImpersonatePrivilege
\n&quot;;
RecordNumber = 3982;
SourceName = &quot;Security&quot;;
TimeGenerated = &quot;20111125085926.000000+480&quot;;
TimeWritten = &quot;20111125085926.000000+480&quot;;
Type = &quot;审核成功&quot;;
User = &quot;NT AUTHORITY\\NETWORK SERVICE&quot;;
};
TIME_CREATED = &quot;129666564748281252&quot;;
};

******************************************==18==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = &quot;登录/注销&quot;;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 528;
EventIdentifier = 528;
EventType = 4;
InsertionStrings = {&quot;LOCAL SERVICE&quot;, &quot;NT AUTHORITY&quot;, &quot;(0x0,0x3E5)&quot;, &quot;5&quot;, &quot;Advapi  &quot;, &quot;Negotiate&quot;, &quot;&quot;, &quot;-&quot;, &quot;UFC-6A0A0B1F76C$&quot;, &quot;WORKGROUP&quot;, &quot;(0x0,0x3E7)&quot;, &quot;380&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;};
Logfile = &quot;Security&quot;;
Message = &quot;登录成功:
\n
\n\t用户名: \tLOCAL SERVICE
\n
\n\t域: \t\tNT AUTHORITY
\n
\n\t登录 ID: \t\t(0x0,0x3E5)
\n
\n\t登录类型: \t5
\n
\n\t登录进程: \tAdvapi 
\n
\n\t身份验证数据包: \tNegotiate
\n
\n\t工作站名:\t
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\tUFC-6A0A0B1F76C$
\n
\n\t调用方域:\tWORKGROUP
\n
\n\t调用方登录 ID:\t(0x0,0x3E7)
\n
\n\t调用方进程 ID: 380
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t-
\n
\n\t源端口:\t-
\n
\n&quot;;
RecordNumber = 3983;
SourceName = &quot;Security&quot;;
TimeGenerated = &quot;20111125085926.000000+480&quot;;
TimeWritten = &quot;20111125085926.000000+480&quot;;
Type = &quot;审核成功&quot;;
User = &quot;NT AUTHORITY\\LOCAL SERVICE&quot;;
};
TIME_CREATED = &quot;129666564748281253&quot;;
};

******************************************==19==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = &quot;登录/注销&quot;;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {&quot;LOCAL SERVICE&quot;, &quot;NT AUTHORITY&quot;, &quot;(0x0,0x3E5)&quot;, &quot;SeAuditPrivilege
\n\t\t\tSeAssignPrimaryTokenPrivilege
\n\t\t\tSeImpersonatePrivilege&quot;};
Logfile = &quot;Security&quot;;
Message = &quot;指派给新登录的特殊权限:
\n
\n\t用户名:\tLOCAL SERVICE
\n
\n\t域:\t\tNT AUTHORITY
\n
\n\t登录 ID:\t\t(0x0,0x3E5)
\n
\n\t特权:\tSeAuditPrivilege
\n\t\t\tSeAssignPrimaryTokenPrivilege
\n\t\t\tSeImpersonatePrivilege
\n&quot;;
RecordNumber = 3984;
SourceName = &quot;Security&quot;;
TimeGenerated = &quot;20111125085926.000000+480&quot;;
TimeWritten = &quot;20111125085926.000000+480&quot;;
Type = &quot;审核成功&quot;;
User = &quot;NT AUTHORITY\\LOCAL SERVICE&quot;;
};
TIME_CREATED = &quot;129666564748281254&quot;;
};

******************************************==20==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = &quot;登录/注销&quot;;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {&quot;&quot;, &quot;&quot;, &quot;(0x0,0xC2DE)&quot;, &quot;3&quot;, &quot;NtLmSsp &quot;, &quot;NTLM&quot;, &quot;&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;};
Logfile = &quot;Security&quot;;
Message = &quot;成功的网络登录:
\n
\n\t用户名:\t
\n
\n\t域:\t\t
\n
\n\t登录 ID:\t\t(0x0,0xC2DE)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\t
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t-
\n
\n\t源端口:\t-
\n
\n&quot;;
RecordNumber = 3985;
SourceName = &quot;Security&quot;;
TimeGenerated = &quot;20111125085929.000000+480&quot;;
TimeWritten = &quot;20111125085929.000000+480&quot;;
Type = &quot;审核成功&quot;;
User = &quot;NT AUTHORITY\\ANONYMOUS LOGON&quot;;
};
TIME_CREATED = &quot;129666564748437500&quot;;
};

******************************************==21==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = &quot;帐户登录&quot;;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {&quot;MICROSOFT_AUTHENTICATION_PACKAGE_V1_0&quot;, &quot;Administrator&quot;, &quot;UFC-6A0A0B1F76C&quot;, &quot;0x0&quot;};
Logfile = &quot;Security&quot;;
Message = &quot;尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户:  \tAdministrator
\n
\n源工作站: \tUFC-6A0A0B1F76C
\n
\n错误代码: \t0x0
\n
\n&quot;;
RecordNumber = 3986;
SourceName = &quot;Security&quot;;
TimeGenerated = &quot;20111125085941.000000+480&quot;;
TimeWritten = &quot;20111125085942.000000+480&quot;;
Type = &quot;审核成功&quot;;
User = &quot;UFC-6A0A0B1F76C\\Administrator&quot;;
};
TIME_CREATED = &quot;129666564748593750&quot;;
};

******************************************==22==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = &quot;登录/注销&quot;;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 552;
EventIdentifier = 552;
EventType = 4;
InsertionStrings = {&quot;UFC-6A0A0B1F76C$&quot;, &quot;WORKGROUP&quot;, &quot;(0x0,0x3E7)&quot;, &quot;-&quot;, &quot;Administrator&quot;, &quot;UFC-6A0A0B1F76C&quot;, &quot;-&quot;, &quot;localhost&quot;, &quot;localhost&quot;, &quot;332&quot;, &quot;127.0.0.1&quot;, &quot;0&quot;};
Logfile = &quot;Security&quot;;
Message = &quot;使用明确凭据的登录尝试:
\n
\n登录的用户:
\n
\n\t用户名:\tUFC-6A0A0B1F76C$
\n
\n\t域:\t\tWORKGROUP
\n
\n\t登录 ID:\t\t(0x0,0x3E7)
\n
\n\t登录 GUID:\t-
\n
\n凭据被使用的用户:
\n
\n\t目标用户名:\tAdministrator
\n
\n\t目标域:\tUFC-6A0A0B1F76C
\n
\n\t目标登录 GUID: -
\n
\n
\n目标服务器名称:\tlocalhost
\n
\n目标服务器信息:\tlocalhost
\n
\n调用方进程 ID:\t332
\n
\n源网络地址:\t127.0.0.1
\n
\n源端口:\t0
\n
\n&quot;;
RecordNumber = 3987;
SourceName = &quot;Security&quot;;
TimeGenerated = &quot;20111125085941.000000+480&quot;;
TimeWritten = &quot;20111125085942.000000+480&quot;;
Type = &quot;审核成功&quot;;
User = &quot;NT AUTHORITY\\SYSTEM&quot;;
};
TIME_CREATED = &quot;129666564748593751&quot;;
};

******************************************==23==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = &quot;登录/注销&quot;;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 528;
EventIdentifier = 528;
EventType = 4;
InsertionStrings = {&quot;Administrator&quot;, &quot;UFC-6A0A0B1F76C&quot;, &quot;(0x0,0x10AB2)&quot;, &quot;2&quot;, &quot;User32  &quot;, &quot;Negotiate&quot;, &quot;UFC-6A0A0B1F76C&quot;, &quot;-&quot;, &quot;UFC-6A0A0B1F76C$&quot;, &quot;WORKGROUP&quot;, &quot;(0x0,0x3E7)&quot;, &quot;332&quot;, &quot;-&quot;, &quot;127.0.0.1&quot;, &quot;0&quot;};
Logfile = &quot;Security&quot;;
Message = &quot;登录成功:
\n
\n\t用户名: \tAdministrator
\n
\n\t域: \t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID: \t\t(0x0,0x10AB2)
\n
\n\t登录类型: \t2
\n
\n\t登录进程: \tUser32 
\n
\n\t身份验证数据包: \tNegotiate
\n
\n\t工作站名:\tUFC-6A0A0B1F76C
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\tUFC-6A0A0B1F76C$
\n
\n\t调用方域:\tWORKGROUP
\n
\n\t调用方登录 ID:\t(0x0,0x3E7)
\n
\n\t调用方进程 ID: 332
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t127.0.0.1
\n
\n\t源端口:\t0
\n
\n&quot;;
RecordNumber = 3988;
SourceName = &quot;Security&quot;;
TimeGenerated = &quot;20111125085941.000000+480&quot;;
TimeWritten = &quot;20111125085942.000000+480&quot;;
Type = &quot;审核成功&quot;;
User = &quot;UFC-6A0A0B1F76C\\Administrator&quot;;
};
TIME_CREATED = &quot;129666564748593752&quot;;
};

******************************************==24==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = &quot;登录/注销&quot;;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {&quot;Administrator&quot;, &quot;UFC-6A0A0B1F76C&quot;, &quot;(0x0,0x10AB2)&quot;, &quot;SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege&quot;};
Logfile = &quot;Security&quot;;
Message = &quot;指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x10AB2)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n&quot;;
RecordNumber = 3989;
SourceName = &quot;Security&quot;;
TimeGenerated = &quot;20111125085941.000000+480&quot;;
TimeWritten = &quot;20111125085942.000000+480&quot;;
Type = &quot;审核成功&quot;;
User = &quot;UFC-6A0A0B1F76C\\Administrator&quot;;
};
TIME_CREATED = &quot;129666564748750000&quot;;
};

******************************************==25==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = &quot;帐户登录&quot;;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {&quot;MICROSOFT_AUTHENTICATION_PACKAGE_V1_0&quot;, &quot;administrator&quot;, &quot;\\\\192.168.4.254&quot;, &quot;0x0&quot;};
Logfile = &quot;Security&quot;;
Message = &quot;尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户:  \tadministrator
\n
\n源工作站: \t\\\\192.168.4.254
\n
\n错误代码: \t0x0
\n
\n&quot;;
RecordNumber = 3990;
SourceName = &quot;Security&quot;;
TimeGenerated = &quot;20111125090112.000000+480&quot;;
TimeWritten = &quot;20111125090112.000000+480&quot;;
Type = &quot;审核成功&quot;;
User = &quot;UFC-6A0A0B1F76C\\Administrator&quot;;
};
TIME_CREATED = &quot;129666564748750001&quot;;
};

******************************************==26==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = &quot;登录/注销&quot;;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {&quot;Administrator&quot;, &quot;UFC-6A0A0B1F76C&quot;, &quot;(0x0,0x1A9BF)&quot;, &quot;SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege&quot;};
Logfile = &quot;Security&quot;;
Message = &quot;指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1A9BF)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n&quot;;
RecordNumber = 3991;
SourceName = &quot;Security&quot;;
TimeGenerated = &quot;20111125090112.000000+480&quot;;
TimeWritten = &quot;20111125090112.000000+480&quot;;
Type = &quot;审核成功&quot;;
User = &quot;UFC-6A0A0B1F76C\\Administrator&quot;;
};
TIME_CREATED = &quot;129666564748750002&quot;;
};

******************************************==27==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = &quot;登录/注销&quot;;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {&quot;Administrator&quot;, &quot;UFC-6A0A0B1F76C&quot;, &quot;(0x0,0x1A9BF)&quot;, &quot;3&quot;, &quot;NtLmSsp &quot;, &quot;NTLM&quot;, &quot;\\\\192.168.4.254&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;, &quot;192.168.4.254&quot;, &quot;0&quot;};
Logfile = &quot;Security&quot;;
Message = &quot;成功的网络登录:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1A9BF)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\t\\\\192.168.4.254
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t192.168.4.254
\n
\n\t源端口:\t0
\n
\n&quot;;
RecordNumber = 3992;
SourceName = &quot;Security&quot;;
TimeGenerated = &quot;20111125090112.000000+480&quot;;
TimeWritten = &quot;20111125090112.000000+480&quot;;
Type = &quot;审核成功&quot;;
User = &quot;UFC-6A0A0B1F76C\\Administrator&quot;;
};
TIME_CREATED = &quot;129666564748750003&quot;;
};

******************************************==28==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = &quot;帐户登录&quot;;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {&quot;MICROSOFT_AUTHENTICATION_PACKAGE_V1_0&quot;, &quot;administrator&quot;, &quot;JCIFS8_186_16&quot;, &quot;0x0&quot;};
Logfile = &quot;Security&quot;;
Message = &quot;尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户:  \tadministrator
\n
\n源工作站: \tJCIFS8_186_16
\n
\n错误代码: \t0x0
\n
\n&quot;;
RecordNumber = 3993;
SourceName = &quot;Security&quot;;
TimeGenerated = &quot;20111125090113.000000+480&quot;;
TimeWritten = &quot;20111125090113.000000+480&quot;;
Type = &quot;审核成功&quot;;
User = &quot;UFC-6A0A0B1F76C\\Administrator&quot;;
};
TIME_CREATED = &quot;129666564748750004&quot;;
};

******************************************==29==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = &quot;登录/注销&quot;;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {&quot;Administrator&quot;, &quot;UFC-6A0A0B1F76C&quot;, &quot;(0x0,0x1C919)&quot;, &quot;SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege&quot;};
Logfile = &quot;Security&quot;;
Message = &quot;指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1C919)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n&quot;;
RecordNumber = 3994;
SourceName = &quot;Security&quot;;
TimeGenerated = &quot;20111125090113.000000+480&quot;;
TimeWritten = &quot;20111125090113.000000+480&quot;;
Type = &quot;审核成功&quot;;
User = &quot;UFC-6A0A0B1F76C\\Administrator&quot;;
};
TIME_CREATED = &quot;129666564748750005&quot;;
};

******************************************==30==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = &quot;登录/注销&quot;;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {&quot;Administrator&quot;, &quot;UFC-6A0A0B1F76C&quot;, &quot;(0x0,0x1C919)&quot;, &quot;3&quot;, &quot;NtLmSsp &quot;, &quot;NTLM&quot;, &quot;JCIFS8_186_16&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;, &quot;192.168.4.254&quot;, &quot;1863&quot;};
Logfile = &quot;Security&quot;;
Message = &quot;成功的网络登录:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1C919)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\tJCIFS8_186_16
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t192.168.4.254
\n
\n\t源端口:\t1863
\n
\n&quot;;
RecordNumber = 3995;
SourceName = &quot;Security&quot;;
TimeGenerated = &quot;20111125090113.000000+480&quot;;
TimeWritten = &quot;20111125090113.000000+480&quot;;
Type = &quot;审核成功&quot;;
User = &quot;UFC-6A0A0B1F76C\\Administrator&quot;;
};
TIME_CREATED = &quot;129666564748750006&quot;;
};

******************************************==31==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = &quot;帐户登录&quot;;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {&quot;MICROSOFT_AUTHENTICATION_PACKAGE_V1_0&quot;, &quot;administrator&quot;, &quot;JCIFS8_186_16&quot;, &quot;0x0&quot;};
Logfile = &quot;Security&quot;;
Message = &quot;尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户:  \tadministrator
\n
\n源工作站: \tJCIFS8_186_16
\n
\n错误代码: \t0x0
\n
\n&quot;;
RecordNumber = 3996;
SourceName = &quot;Security&quot;;
TimeGenerated = &quot;20111125090114.000000+480&quot;;
TimeWritten = &quot;20111125090114.000000+480&quot;;
Type = &quot;审核成功&quot;;
User = &quot;UFC-6A0A0B1F76C\\Administrator&quot;;
};
TIME_CREATED = &quot;129666564748750007&quot;;
};

******************************************==32==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = &quot;登录/注销&quot;;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {&quot;Administrator&quot;, &quot;UFC-6A0A0B1F76C&quot;, &quot;(0x0,0x1CE72)&quot;, &quot;SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege&quot;};
Logfile = &quot;Security&quot;;
Message = &quot;指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1CE72)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n&quot;;
RecordNumber = 3997;
SourceName = &quot;Security&quot;;
TimeGenerated = &quot;20111125090114.000000+480&quot;;
TimeWritten = &quot;20111125090114.000000+480&quot;;
Type = &quot;审核成功&quot;;
User = &quot;UFC-6A0A0B1F76C\\Administrator&quot;;
};
TIME_CREATED = &quot;129666564748750008&quot;;
};

******************************************==33==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = &quot;登录/注销&quot;;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {&quot;Administrator&quot;, &quot;UFC-6A0A0B1F76C&quot;, &quot;(0x0,0x1CE72)&quot;, &quot;3&quot;, &quot;NtLmSsp &quot;, &quot;NTLM&quot;, &quot;JCIFS8_186_16&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;, &quot;192.168.4.254&quot;, &quot;1864&quot;};
Logfile = &quot;Security&quot;;
Message = &quot;成功的网络登录:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1CE72)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\tJCIFS8_186_16
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t192.168.4.254
\n
\n\t源端口:\t1864
\n
\n&quot;;
RecordNumber = 3998;
SourceName = &quot;Security&quot;;
TimeGenerated = &quot;20111125090114.000000+480&quot;;
TimeWritten = &quot;20111125090114.000000+480&quot;;
Type = &quot;审核成功&quot;;
User = &quot;UFC-6A0A0B1F76C\\Administrator&quot;;
};
TIME_CREATED = &quot;129666564748750009&quot;;
};

******************************************==34==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = &quot;帐户登录&quot;;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {&quot;MICROSOFT_AUTHENTICATION_PACKAGE_V1_0&quot;, &quot;administrator&quot;, &quot;JCIFS8_186_16&quot;, &quot;0x0&quot;};
Logfile = &quot;Security&quot;;
Message = &quot;尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户:  \tadministrator
\n
\n源工作站: \tJCIFS8_186_16
\n
\n错误代码: \t0x0
\n
\n&quot;;
RecordNumber = 3999;
SourceName = &quot;Security&quot;;
TimeGenerated = &quot;20111125090114.000000+480&quot;;
TimeWritten = &quot;20111125090114.000000+480&quot;;
Type = &quot;审核成功&quot;;
User = &quot;UFC-6A0A0B1F76C\\Administrator&quot;;
};
TIME_CREATED = &quot;129666564748750010&quot;;
};

******************************************==35==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = &quot;登录/注销&quot;;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {&quot;Administrator&quot;, &quot;UFC-6A0A0B1F76C&quot;, &quot;(0x0,0x1CE8B)&quot;, &quot;SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege&quot;};
Logfile = &quot;Security&quot;;
Message = &quot;指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1CE8B)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n&quot;;
RecordNumber = 4000;
SourceName = &quot;Security&quot;;
TimeGenerated = &quot;20111125090114.000000+480&quot;;
TimeWritten = &quot;20111125090114.000000+480&quot;;
Type = &quot;审核成功&quot;;
User = &quot;UFC-6A0A0B1F76C\\Administrator&quot;;
};
TIME_CREATED = &quot;129666564748750011&quot;;
};

******************************************==36==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = &quot;登录/注销&quot;;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {&quot;Administrator&quot;, &quot;UFC-6A0A0B1F76C&quot;, &quot;(0x0,0x1CE8B)&quot;, &quot;3&quot;, &quot;NtLmSsp &quot;, &quot;NTLM&quot;, &quot;JCIFS8_186_16&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;, &quot;192.168.4.254&quot;, &quot;1865&quot;};
Logfile = &quot;Security&quot;;
Message = &quot;成功的网络登录:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1CE8B)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\tJCIFS8_186_16
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t192.168.4.254
\n
\n\t源端口:\t1865
\n
\n&quot;;
RecordNumber = 4001;
SourceName = &quot;Security&quot;;
TimeGenerated = &quot;20111125090114.000000+480&quot;;
TimeWritten = &quot;20111125090114.000000+480&quot;;
Type = &quot;审核成功&quot;;
User = &quot;UFC-6A0A0B1F76C\\Administrator&quot;;
};
TIME_CREATED = &quot;129666564748750012&quot;;
};

******************************************==37==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = &quot;登录/注销&quot;;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 538;
EventIdentifier = 538;
EventType = 4;
InsertionStrings = {&quot;Administrator&quot;, &quot;UFC-6A0A0B1F76C&quot;, &quot;(0x0,0x1A9BF)&quot;, &quot;3&quot;};
Logfile = &quot;Security&quot;;
Message = &quot;用户注销:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1A9BF)
\n
\n\t登录类型:\t3
\n
\n&quot;;
RecordNumber = 4002;
SourceName = &quot;Security&quot;;
TimeGenerated = &quot;20111125090148.000000+480&quot;;
TimeWritten = &quot;20111125090148.000000+480&quot;;
Type = &quot;审核成功&quot;;
User = &quot;UFC-6A0A0B1F76C\\Administrator&quot;;
};
TIME_CREATED = &quot;129666565081875000&quot;;
};

******************************************==38==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 84, 1, 0, 0, 96, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 64, 1, 12, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 97, 0, 110, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
Data = {94, 9, 0, 0, 95, 9, 0, 0, 84, 5, 0, 0};
EventCode = 1001;
EventIdentifier = 1073742825;
EventType = 3;
InsertionStrings = {&quot;WmiApRpl&quot;, &quot;WmiApRpl&quot;};
Logfile = &quot;Application&quot;;
Message = &quot;已成功删除 WmiApRpl (WmiApRpl)服务的性能计数器。记录数据含有系统上一个计数器和上一个“帮助”注册表项的新数值。
\n&quot;;
RecordNumber = 155;
SourceName = &quot;LoadPerf&quot;;
TimeGenerated = &quot;20111125090331.000000+480&quot;;
TimeWritten = &quot;20111125090331.000000+480&quot;;
Type = &quot;信息&quot;;
};
TIME_CREATED = &quot;129666566116718750&quot;;
};

******************************************==39==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 84, 1, 0, 0, 96, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 64, 1, 12, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 97, 0, 110, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
Data = {96, 9, 0, 0, 108, 9, 0, 0, 97, 9, 0, 0, 109, 9, 0, 0};
EventCode = 1000;
EventIdentifier = 1073742824;
EventType = 3;
InsertionStrings = {&quot;WmiApRpl&quot;, &quot;WmiApRpl&quot;};
Logfile = &quot;Application&quot;;
Message = &quot;已成功加载 WmiApRpl (WmiApRpl)服务的性能计数器。记录数据含有分配给这个服务的新索引数值。
\n&quot;;
RecordNumber = 156;
SourceName = &quot;LoadPerf&quot;;
TimeGenerated = &quot;20111125090331.000000+480&quot;;
TimeWritten = &quot;20111125090331.000000+480&quot;;
Type = &quot;信息&quot;;
};
TIME_CREATED = &quot;129666566169062500&quot;;
};

******************************************==40==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = &quot;帐户登录&quot;;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {&quot;MICROSOFT_AUTHENTICATION_PACKAGE_V1_0&quot;, &quot;administrator&quot;, &quot;JCIFS8_186_16&quot;, &quot;0x0&quot;};
Logfile = &quot;Security&quot;;
Message = &quot;尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户:  \tadministrator
\n
\n源工作站: \tJCIFS8_186_16
\n
\n错误代码: \t0x0
\n
\n&quot;;
RecordNumber = 4003;
SourceName = &quot;Security&quot;;
TimeGenerated = &quot;20111125090510.000000+480&quot;;
TimeWritten = &quot;20111125090510.000000+480&quot;;
Type = &quot;审核成功&quot;;
User = &quot;UFC-6A0A0B1F76C\\Administrator&quot;;
};
TIME_CREATED = &quot;129666567102656250&quot;;
};

******************************************==41==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = &quot;登录/注销&quot;;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {&quot;Administrator&quot;, &quot;UFC-6A0A0B1F76C&quot;, &quot;(0x0,0x1F28E)&quot;, &quot;SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege&quot;};
Logfile = &quot;Security&quot;;
Message = &quot;指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1F28E)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n&quot;;
RecordNumber = 4004;
SourceName = &quot;Security&quot;;
TimeGenerated = &quot;20111125090510.000000+480&quot;;
TimeWritten = &quot;20111125090510.000000+480&quot;;
Type = &quot;审核成功&quot;;
User = &quot;UFC-6A0A0B1F76C\\Administrator&quot;;
};
TIME_CREATED = &quot;129666567102656251&quot;;
};

******************************************==42==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = &quot;登录/注销&quot;;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {&quot;Administrator&quot;, &quot;UFC-6A0A0B1F76C&quot;, &quot;(0x0,0x1F28E)&quot;, &quot;3&quot;, &quot;NtLmSsp &quot;, &quot;NTLM&quot;, &quot;JCIFS8_186_16&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;, &quot;-&quot;, &quot;192.168.4.254&quot;, &quot;1900&quot;};
Logfile = &quot;Security&quot;;
Message = &quot;成功的网络登录:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1F28E)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\tJCIFS8_186_16
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t192.168.4.254
\n
\n\t源端口:\t1900
\n
\n&quot;;
RecordNumber = 4005;
SourceName = &quot;Security&quot;;
TimeGenerated = &quot;20111125090510.000000+480&quot;;
TimeWritten = &quot;20111125090510.000000+480&quot;;
Type = &quot;审核成功&quot;;
User = &quot;UFC-6A0A0B1F76C\\Administrator&quot;;
};
TIME_CREATED = &quot;129666567102656252&quot;;
};

******************************************==43==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = &quot;UFC-6A0A0B1F76C&quot;;
EventCode = 17;
EventIdentifier = 2186936337;
EventType = 1;
InsertionStrings = {&quot;time.windows.com,0x1&quot;, &quot;套接字操作尝试一个无法连接的主机。 (0x80072751)&quot;, &quot;30&quot;};
Logfile = &quot;System&quot;;
Message = &quot;时间提供程序 NtpClient: 在 DNS 查询手动配置的对等机器 'time.windows.com,0x1' 时发生一个错误。
\nNtpClient 将在 30 分钟内重试 NDS 查询。
\n错误为: 套接字操作尝试一个无法连接的主机。 (0x80072751)
\n&quot;;
RecordNumber = 662;
SourceName = &quot;W32Time&quot;;
TimeGenerated = &quot;20111125091430.000000+480&quot;;
TimeWritten = &quot;20111125091430.000000+480&quot;;
Type = &quot;错误&quot;;
};
TIME_CREATED = &quot;129666572702812500&quot;;
};

 

分享到:
评论

相关推荐

    jinterop获取windows事件三类日志(Security、Application、System)

    三、如何使用JInterop获取Windows事件日志 在Java中,我们可以利用JInterop来调用.NET Framework的`System.Diagnostics.EventLog`类,从而读取或写入Windows事件日志。以下是一个简单的示例,演示如何使用JInterop...

    使用j-Interop实现java连接wmi获取windows系统信息的例子

    而Java开发者有时需要在Java程序中获取Windows系统的详细信息,这时就可以借助于j-Interop库来实现与WMI的交互。本文将深入探讨如何使用j-Interop来连接WMI并获取Windows系统信息。 首先,j-Interop是一个开源项目...

    jsp获取电脑信息控件

    其次,Windows Management Instrumentation (WMI) 是微软提供的一种管理系统和硬件资源的接口,它允许应用程序获取和操作系统的各种信息。在Java中,我们可以使用J-Interop库来与WMI进行交互。J-Interop是一个Java到...

    wmi4j 远程执行cmd命令获取命令执行的结果

    该代码实现了在远程windows主机上 获取进程列表 及进程对应的端口;使用wmi4j 连接远程主机获取进程列表,创建文件夹、共享文件夹、执行netstat -ano输出到aa.txt文件,读取文件、撤销文件夹共享、删除文件夹及aa....

    wmi纯java调用所需jar包.zip

    WMI(Windows Management Instrumentation)是微软Windows操作系统提供的一种管理和操作环境,允许应用程序通过标准接口访问和控制操作系统、硬件设备和服务等系统资源的信息。在Java环境中,若要进行WMI调用,通常...

    wmi.zip_java wmi_wmi

    Windows Management Instrumentation(WMI)是Microsoft提供的一种管理系统和应用程序的方法,它允许程序访问和管理Windows操作系统级别的信息。在Java编程中,利用WMI技术可以获取关于系统硬件、软件、网络等多方面...

    java开发opc客户端jar包

    随着技术的发展,OPC UA(OPC统一架构)出现,它不仅支持Windows平台,还支持跨平台操作,提供更安全、更高效的数据交换机制。 - OPC客户端是通过OPC协议连接到OPC服务器,获取或设置工业设备的数据。它需要实现OPC...

    java_use_dll.rar_JAVA 调用DLL_java_use_dll.rar_系统日志

    在Windows系统中,可以使用WMI(Windows Management Instrumentation)来查询系统事件日志。在Java中,可以使用Jacob或者其他提供WMI访问的库,比如Jinterop。以下是一个基本的WMI查询示例: ```java import ...

    操作其它程序中的超级列表框.e.rar

    在Windows系统中,常见的IPC方式有管道、共享内存、消息队列、套接字、命名管道、事件、信号量等。在本例中,可能需要使用一种或多种IPC技术来实现对其他程序中超级列表框的控制。 2. **自动化技术**: 为了操作...

    java 用swt调用com组建之ie组建加强版

    SWT通过使用本地窗口系统(如Windows的Win32 API、Mac OS的Cocoa或Unix的X Window System)来实现其功能,而不是像AWT和Swing那样使用Java虚拟机。这种设计使得SWT的应用程序运行速度更快,图形性能更佳。 在Java中...

    kuaijiafangshi.zip_界面编程_Java_

    此外,还可以使用一些第三方库,如JNA(Java Native Access)或JInterop(用于Windows),它们允许Java程序直接调用操作系统API,包括创建快捷方式的功能。这些库提供了更丰富的功能,同时也增加了代码的跨平台性。 ...

Global site tag (gtag.js) - Google Analytics