- package com.mytest;
- import java.io.IOException;
- import java.util.logging.Level;
- import org.jinterop.dcom.common.JIException;
- import org.jinterop.dcom.common.JISystem;
- import org.jinterop.dcom.core.JIComServer;
- import org.jinterop.dcom.core.JIProgId;
- import org.jinterop.dcom.core.JISession;
- import org.jinterop.dcom.core.JIString;
- import org.jinterop.dcom.core.JIVariant;
- import org.jinterop.dcom.impls.JIObjectFactory;
- import org.jinterop.dcom.impls.automation.IJIDispatch;
- public class EventLogListener {
- private static final String WMI_DEFAULT_NAMESPACE = "ROOT\\CIMV2";
- private static JISession configAndConnectDCom(String domain, String user,
- String pass) throws Exception {
- JISystem.getLogger().setLevel(Level.OFF);
- try {
- JISystem.setInBuiltLogHandler(false);
- } catch (IOException ignored) {
- ;
- }
- JISystem.setAutoRegisteration(true);
- JISession dcomSession = JISession.createSession(domain, user, pass);
- dcomSession.useSessionSecurity(true);
- return dcomSession;
- }
- private static IJIDispatch getWmiLocator(String host, JISession dcomSession)
- throws Exception {
- JIComServer wbemLocatorComObj = new JIComServer(JIProgId
- .valueOf("WbemScripting.SWbemLocator"), host, dcomSession);
- return (IJIDispatch) JIObjectFactory.narrowObject(wbemLocatorComObj
- .createInstance().queryInterface(IJIDispatch.IID));
- }
- private static IJIDispatch toIDispatch(JIVariant comObjectAsVariant)
- throws JIException {
- return (IJIDispatch) JIObjectFactory.narrowObject(comObjectAsVariant
- .getObjectAsComObject());
- }
- public static void main(String[] args) {
- //if (args.length != 4) {
- //System.out.println("Usage: "
- //+ EventLogListener.class.getSimpleName()
- //+ " domain host username password");
- //return;
- //}
- String domain = "";
- String host = "192.168.1.101";
- String user = "administrator";
- String pass ="1234";
- JISession dcomSession = null;
- try {
- // Connect to DCOM on the remote system, and create an instance of
- // the WbemScripting.SWbemLocator object to talk to WMI.
- dcomSession = configAndConnectDCom(domain, user, pass);
- IJIDispatch wbemLocator = getWmiLocator(host, dcomSession);
- // Invoke the "ConnectServer" method on the SWbemLocator object via
- // it's IDispatch COM pointer. We will connect to
- // the default ROOT\CIMV2 namespace. This will result in us having a
- // reference to a "SWbemServices" object.
- JIVariant results[] = wbemLocator.callMethodA("ConnectServer",
- new Object[] { new JIString(host),
- new JIString(WMI_DEFAULT_NAMESPACE),
- JIVariant.OPTIONAL_PARAM(),
- JIVariant.OPTIONAL_PARAM(),
- JIVariant.OPTIONAL_PARAM(),
- JIVariant.OPTIONAL_PARAM(), new Integer(0),
- JIVariant.OPTIONAL_PARAM() });
- IJIDispatch wbemServices = toIDispatch(results[0]);
- // Now that we have a SWbemServices DCOM object reference, we
- // prepare a WMI Query Language (WQL) request to be informed
- // whenever a
- // new instance of the "Win32_NTLogEvent" WMI class is created on
- // the remote host. This is submitted to the remote host via the
- // "ExecNotificationQuery" method on SWbemServices. This gives us
- // all events as they come in. Refer to WQL documentation to
- // learn how to restrict the query if you want a narrower focus.
- final String QUERY_FOR_ALL_LOG_EVENTS = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent'";
- //final String QUERY_FOR_ALL_LOG_EVENTS = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' and TargetInstance.LogFile = 'System'";
- //Application
- //Security
- //System
- // and TargetInstance.LogFile = 'System'
- final int RETURN_IMMEDIATE = 16;
- final int FORWARD_ONLY = 32;
- JIVariant[] eventSourceSet = wbemServices.callMethodA(
- "ExecNotificationQuery", new Object[] {
- new JIString(QUERY_FOR_ALL_LOG_EVENTS),
- new JIString("WQL"),
- new JIVariant(new Integer(RETURN_IMMEDIATE
- + FORWARD_ONLY)) });
- IJIDispatch wbemEventSource = (IJIDispatch) JIObjectFactory
- .narrowObject((eventSourceSet[0]).getObjectAsComObject());
- // The result of the query is a SWbemEventSource object. This object
- // exposes a method that we can call in a loop to retrieve the
- // next Windows Event Log entry whenever it is created. This
- // "NextEvent" operation will block until we are given an event.
- // Note that you can specify timeouts, see the Microsoft
- // documentation for more details.
- boolean flag = true;
- int i=0;
- while (flag) {
- // this blocks until an event log entry appears.
- JIVariant eventAsVariant = (JIVariant) (wbemEventSource
- .callMethodA("NextEvent", new Object[] { JIVariant
- .OPTIONAL_PARAM() }))[0];
- IJIDispatch wbemEvent = toIDispatch(eventAsVariant);
- // WMI gives us events as SWbemObject instances (a base class of
- // any WMI object). We know in our case we asked for a specific
- // object
- // type, so we will go ahead and invoke methods supported by
- // that Win32_NTLogEvent class via the wbemEvent IDispatch
- // pointer.
- // In this case, we simply call the "GetObjectText_" method that
- // returns us the entire object as a CIM formatted string. We
- // could,
- // however, ask the object for its property values via
- // wbemEvent.get("PropertyName"). See the j-interop
- // documentation and examples
- // for how to query COM properties.
- JIVariant objTextAsVariant = (JIVariant) (wbemEvent
- .callMethodA("GetObjectText_",
- new Object[] { new Integer(1) }))[0];
- String asText = objTextAsVariant.getObjectAsString()
- .getString();
- System.out.println("******************************************=="+i++ +"==****************************");
- System.out.println(asText);
- //flag = false;
- // System.out.println("-----start------");
- // System.out.println(asText);
- // String[] texts = asText.split("\t");
- // for(int i = 0; i < texts.length; i++)
- // {
- // System.out.println( "texts["+ i +"]= "+texts[i]);
- // }
- }
- } catch (Exception e) {
- e.printStackTrace();
- } finally {
- if (null != dcomSession) {
- try {
- JISession.destroySession(dcomSession);
- } catch (Exception ex) {
- ex.printStackTrace();
- }
- }
- }
- }
- }
输出结果:
******************************************==0==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
Data = {49, 0, 46, 0, 49, 0, 0, 0, 48, 0, 0, 0, 77, 0, 105, 0, 99, 0, 114, 0, 111, 0, 115, 0, 111, 0, 102, 0, 116, 0, 32, 0, 87, 0, 105, 0, 110, 0, 100, 0, 111, 0, 119, 0, 115, 0, 32, 0, 83, 0, 101, 0, 114, 0, 118, 0, 101, 0, 114, 0, 32, 0, 50, 0, 48, 0, 48, 0, 51, 0, 0, 0, 53, 0, 46, 0, 50, 0, 46, 0, 51, 0, 55, 0, 57, 0, 48, 0, 32, 0, 66, 0, 117, 0, 105, 0, 108, 0, 100, 0, 32, 0, 51, 0, 55, 0, 57, 0, 48, 0, 32, 0, 83, 0, 101, 0, 114, 0, 118, 0, 105, 0, 99, 0, 101, 0, 32, 0, 80, 0, 97, 0, 99, 0, 107, 0, 32, 0, 50, 0, 0, 0, 85, 0, 110, 0, 105, 0, 112, 0, 114, 0, 111, 0, 99, 0, 101, 0, 115, 0, 115, 0, 111, 0, 114, 0, 32, 0, 70, 0, 114, 0, 101, 0, 101, 0, 0, 0, 51, 0, 55, 0, 57, 0, 48, 0, 46, 0, 115, 0, 114, 0, 118, 0, 48, 0, 51, 0, 95, 0, 115, 0, 112, 0, 50, 0, 95, 0, 114, 0, 116, 0, 109, 0, 46, 0, 48, 0, 55, 0, 48, 0, 50, 0, 49, 0, 54, 0, 45, 0, 49, 0, 55, 0, 49, 0, 48, 0, 0, 0, 52, 0, 101, 0, 99, 0, 98, 0, 49, 0, 56, 0, 52, 0, 52, 0, 0, 0, 78, 0, 111, 0, 116, 0, 32, 0, 65, 0, 118, 0, 97, 0, 105, 0, 108, 0, 97, 0, 98, 0, 108, 0, 101, 0, 0, 0, 78, 0, 111, 0, 116, 0, 32, 0, 65, 0, 118, 0, 97, 0, 105, 0, 108, 0, 97, 0, 98, 0, 108, 0, 101, 0, 0, 0, 48, 0, 0, 0, 49, 0, 0, 0, 51, 0, 56, 0, 52, 0, 0, 0, 56, 0, 48, 0, 52, 0, 0, 0, 117, 0, 102, 0, 99, 0, 45, 0, 54, 0, 97, 0, 48, 0, 97, 0, 48, 0, 98, 0, 49, 0, 102, 0, 55, 0, 54, 0, 99, 0, 0, 0, 0, 0};
EventCode = 6005;
EventIdentifier = 2147489653;
EventType = 3;
InsertionStrings = {"", "", "", "", "13", "60", "-480 中国标准时间"};
Logfile = "System";
Message = "事件日志服务已启动。
\n";
RecordNumber = 650;
SourceName = "EventLog";
TimeGenerated = "20111125085922.000000+480";
TimeWritten = "20111125085922.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564746875000";
};
******************************************==1==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 10026;
EventIdentifier = 1075849002;
EventType = 3;
InsertionStrings = {"86400", "SuppressDuplicateDuration", "Software\\Microsoft\\Ole\\EventLog"};
Logfile = "System";
Message = "COM 子系统正在取消 86400 秒持续时间内重复的事件日志项。可以通过下列注册表项下名为 SuppressDuplicateDuration 的 REG_DWORD 值控制取消超时: HKLM\\Software\\Microsoft\\Ole\\EventLog。
\n";
RecordNumber = 651;
SourceName = "DCOM";
TimeGenerated = "20111125085922.000000+480";
TimeWritten = "20111125085922.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031250";
};
******************************************==2==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 3;
EventIdentifier = 1113194499;
EventType = 3;
Logfile = "System";
Message = "应用程序体验查找服务已成功地启动。
\n";
RecordNumber = 652;
SourceName = "AeLookupSvc";
TimeGenerated = "20111125085929.000000+480";
TimeWritten = "20111125085929.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031251";
};
******************************************==3==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 17;
EventIdentifier = 2186936337;
EventType = 1;
InsertionStrings = {"time.windows.com,0x1", "套接字操作尝试一个无法连接的主机。 (0x80072751)", "15"};
Logfile = "System";
Message = "时间提供程序 NtpClient: 在 DNS 查询手动配置的对等机器 'time.windows.com,0x1' 时发生一个错误。
\nNtpClient 将在 15 分钟内重试 NDS 查询。
\n错误为: 套接字操作尝试一个无法连接的主机。 (0x80072751)
\n";
RecordNumber = 653;
SourceName = "W32Time";
TimeGenerated = "20111125085930.000000+480";
TimeWritten = "20111125085930.000000+480";
Type = "错误";
};
TIME_CREATED = "129666564747031252";
};
******************************************==4==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
Data = {0, 0, 0, 0, 1, 0, 84, 0, 0, 0, 0, 0, 199, 16, 0, 64, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
EventCode = 4295;
EventIdentifier = 1073746119;
EventType = 3;
InsertionStrings = {""};
Logfile = "System";
Message = "IPSec 驱动程序以 Bypass 模式启动。在此计算机启动时没有 IPSec
\n安全性会被应用到此计算机。如果配置了IPSec 策略,它们将在
\nIPSec 服务启动后被应用到此计算机。
\n";
RecordNumber = 654;
SourceName = "IPSec";
TimeGenerated = "20111125085914.000000+480";
TimeWritten = "20111125085944.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031253";
};
******************************************==5==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
Data = {0, 0, 0, 0, 1, 0, 84, 0, 0, 0, 0, 0, 198, 16, 0, 64, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
EventCode = 4294;
EventIdentifier = 1073746118;
EventType = 3;
InsertionStrings = {""};
Logfile = "System";
Message = "IPSec 驱动程序进入 Secure 状态。如果配置了 IPSec 策略,
\n将在现在被应用到此计算机。
\n";
RecordNumber = 655;
SourceName = "IPSec";
TimeGenerated = "20111125085929.000000+480";
TimeWritten = "20111125085944.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031254";
};
******************************************==6==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 7035;
EventIdentifier = 1073748859;
EventType = 3;
InsertionStrings = {"Network Location Awareness (NLA)", "开始"};
Logfile = "System";
Message = "Network Location Awareness (NLA) 服务成功发送一个 开始 控件。
\n";
RecordNumber = 656;
SourceName = "Service Control Manager";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "信息";
User = "NT AUTHORITY\\SYSTEM";
};
TIME_CREATED = "129666564747031255";
};
******************************************==7==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 7036;
EventIdentifier = 1073748860;
EventType = 3;
InsertionStrings = {"Network Location Awareness (NLA)", "正在运行"};
Logfile = "System";
Message = "Network Location Awareness (NLA) 服务处于 正在运行 状态。
\n";
RecordNumber = 657;
SourceName = "Service Control Manager";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031256";
};
******************************************==8==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 7035;
EventIdentifier = 1073748859;
EventType = 3;
InsertionStrings = {"Terminal Services", "开始"};
Logfile = "System";
Message = "Terminal Services 服务成功发送一个 开始 控件。
\n";
RecordNumber = 658;
SourceName = "Service Control Manager";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "信息";
User = "NT AUTHORITY\\SYSTEM";
};
TIME_CREATED = "129666564747031257";
};
******************************************==9==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 7036;
EventIdentifier = 1073748860;
EventType = 3;
InsertionStrings = {"Terminal Services", "正在运行"};
Logfile = "System";
Message = "Terminal Services 服务处于 正在运行 状态。
\n";
RecordNumber = 659;
SourceName = "Service Control Manager";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031258";
};
******************************************==10==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 7035;
EventIdentifier = 1073748859;
EventType = 3;
InsertionStrings = {"Application Layer Gateway Service", "开始"};
Logfile = "System";
Message = "Application Layer Gateway Service 服务成功发送一个 开始 控件。
\n";
RecordNumber = 660;
SourceName = "Service Control Manager";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "信息";
User = "NT AUTHORITY\\SYSTEM";
};
TIME_CREATED = "129666564747031259";
};
******************************************==11==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 7036;
EventIdentifier = 1073748860;
EventType = 3;
InsertionStrings = {"Application Layer Gateway Service", "正在运行"};
Logfile = "System";
Message = "Application Layer Gateway Service 服务处于 正在运行 状态。
\n";
RecordNumber = 661;
SourceName = "Service Control Manager";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031260";
};
******************************************==12==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 84, 1, 0, 0, 96, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 64, 1, 12, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 97, 0, 110, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "TM";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 4193;
EventIdentifier = 1073746017;
EventType = 3;
InsertionStrings = {"0", "0", "0", "0", "0", "0", "1"};
Logfile = "Application";
Message = "MS DTC 已启动,设置如下(OFF = 0,ON = 1):
\n
\n安全配置:
\n 事务的网络管理 = 0,
\n 网络客户端 = 0,
\n 使用本机 MSDTC 协议的入站分布式事务 = 0,
\n 使用本机 MSDTC 协议的出站分布式事务 = 0,
\n 事务 Internet 协议(TIP) = 0,
\n XA 事务 = 0
\n
\n筛选的重复事件 = 1";
RecordNumber = 152;
SourceName = "MSDTC";
TimeGenerated = "20111125085929.000000+480";
TimeWritten = "20111125085929.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747187500";
};
******************************************==13==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 84, 1, 0, 0, 96, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 64, 1, 12, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 97, 0, 110, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 4625;
EventIdentifier = 1073746449;
EventType = 3;
InsertionStrings = {"86400", "SuppressDuplicateDuration", "Software\\Microsoft\\EventSystem\\EventLog"};
Logfile = "Application";
Message = "EventSystem 子系统正在取消 86400 秒持续时间内重复的事件日志项。可以通过下列注册表项下名为 SuppressDuplicateDuration 的 REG_DWORD 值控制取消超时: HKLM\\Software\\Microsoft\\EventSystem\\EventLog。
\n";
RecordNumber = 153;
SourceName = "EventSystem";
TimeGenerated = "20111125085929.000000+480";
TimeWritten = "20111125085929.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747187501";
};
******************************************==14==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 84, 1, 0, 0, 96, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 64, 1, 12, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 97, 0, 110, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 100;
ComputerName = "UFC-6A0A0B1F76C";
Data = {65, 112, 112, 108, 105, 99, 97, 116, 105, 111, 110, 32, 70, 97, 105, 108, 117, 114, 101, 32, 32, 115, 118, 99, 104, 111, 115, 116, 46, 101, 120, 101, 32, 53, 46, 50, 46, 51, 55, 57, 48, 46, 51, 57, 53, 57, 32, 105, 110, 32, 107, 101, 114, 110, 101, 108, 51, 50, 46, 100, 108, 108, 32, 53, 46, 50, 46, 51, 55, 57, 48, 46, 51, 57, 53, 57, 32, 97, 116, 32, 111, 102, 102, 115, 101, 116, 32, 48, 48, 48, 54, 98, 101, 98, 56};
EventCode = 1004;
EventIdentifier = 1004;
EventType = 3;
InsertionStrings = {"svchost.exe", "5.2.3790.3959", "kernel32.dll", "5.2.3790.3959", "0006beb8"};
Logfile = "Application";
Message = "报告队列中的错误: 错误应用程序 svchost.exe,版本 5.2.3790.3959,错误模块 kernel32.dll,版本 5.2.3790.3959,错误地址 0x0006beb8。
\n";
RecordNumber = 154;
SourceName = "Application Error";
TimeGenerated = "20111125085942.000000+480";
TimeWritten = "20111125085942.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747187502";
};
******************************************==15==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 528;
EventIdentifier = 528;
EventType = 4;
InsertionStrings = {"SYSTEM", "NT AUTHORITY", "(0x0,0x3E7)", "0", "-", "-", "-", "-", "-", "-", "-", "4", "-", "-", "-"};
Logfile = "Security";
Message = "登录成功:
\n
\n\t用户名: \tSYSTEM
\n
\n\t域: \t\tNT AUTHORITY
\n
\n\t登录 ID: \t\t(0x0,0x3E7)
\n
\n\t登录类型: \t0
\n
\n\t登录进程: \t-
\n
\n\t身份验证数据包: \t-
\n
\n\t工作站名:\t-
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: 4
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t-
\n
\n\t源端口:\t-
\n
\n";
RecordNumber = 3980;
SourceName = "Security";
TimeGenerated = "20111125085926.000000+480";
TimeWritten = "20111125085926.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\SYSTEM";
};
TIME_CREATED = "129666564748281250";
};
******************************************==16==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 528;
EventIdentifier = 528;
EventType = 4;
InsertionStrings = {"NETWORK SERVICE", "NT AUTHORITY", "(0x0,0x3E4)", "5", "Advapi ", "Negotiate", "", "-", "UFC-6A0A0B1F76C$", "WORKGROUP", "(0x0,0x3E7)", "380", "-", "-", "-"};
Logfile = "Security";
Message = "登录成功:
\n
\n\t用户名: \tNETWORK SERVICE
\n
\n\t域: \t\tNT AUTHORITY
\n
\n\t登录 ID: \t\t(0x0,0x3E4)
\n
\n\t登录类型: \t5
\n
\n\t登录进程: \tAdvapi
\n
\n\t身份验证数据包: \tNegotiate
\n
\n\t工作站名:\t
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\tUFC-6A0A0B1F76C$
\n
\n\t调用方域:\tWORKGROUP
\n
\n\t调用方登录 ID:\t(0x0,0x3E7)
\n
\n\t调用方进程 ID: 380
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t-
\n
\n\t源端口:\t-
\n
\n";
RecordNumber = 3981;
SourceName = "Security";
TimeGenerated = "20111125085926.000000+480";
TimeWritten = "20111125085926.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\NETWORK SERVICE";
};
TIME_CREATED = "129666564748281251";
};
******************************************==17==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"NETWORK SERVICE", "NT AUTHORITY", "(0x0,0x3E4)", "SeAuditPrivilege
\n\t\t\tSeAssignPrimaryTokenPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tNETWORK SERVICE
\n
\n\t域:\t\tNT AUTHORITY
\n
\n\t登录 ID:\t\t(0x0,0x3E4)
\n
\n\t特权:\tSeAuditPrivilege
\n\t\t\tSeAssignPrimaryTokenPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 3982;
SourceName = "Security";
TimeGenerated = "20111125085926.000000+480";
TimeWritten = "20111125085926.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\NETWORK SERVICE";
};
TIME_CREATED = "129666564748281252";
};
******************************************==18==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 528;
EventIdentifier = 528;
EventType = 4;
InsertionStrings = {"LOCAL SERVICE", "NT AUTHORITY", "(0x0,0x3E5)", "5", "Advapi ", "Negotiate", "", "-", "UFC-6A0A0B1F76C$", "WORKGROUP", "(0x0,0x3E7)", "380", "-", "-", "-"};
Logfile = "Security";
Message = "登录成功:
\n
\n\t用户名: \tLOCAL SERVICE
\n
\n\t域: \t\tNT AUTHORITY
\n
\n\t登录 ID: \t\t(0x0,0x3E5)
\n
\n\t登录类型: \t5
\n
\n\t登录进程: \tAdvapi
\n
\n\t身份验证数据包: \tNegotiate
\n
\n\t工作站名:\t
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\tUFC-6A0A0B1F76C$
\n
\n\t调用方域:\tWORKGROUP
\n
\n\t调用方登录 ID:\t(0x0,0x3E7)
\n
\n\t调用方进程 ID: 380
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t-
\n
\n\t源端口:\t-
\n
\n";
RecordNumber = 3983;
SourceName = "Security";
TimeGenerated = "20111125085926.000000+480";
TimeWritten = "20111125085926.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\LOCAL SERVICE";
};
TIME_CREATED = "129666564748281253";
};
******************************************==19==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"LOCAL SERVICE", "NT AUTHORITY", "(0x0,0x3E5)", "SeAuditPrivilege
\n\t\t\tSeAssignPrimaryTokenPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tLOCAL SERVICE
\n
\n\t域:\t\tNT AUTHORITY
\n
\n\t登录 ID:\t\t(0x0,0x3E5)
\n
\n\t特权:\tSeAuditPrivilege
\n\t\t\tSeAssignPrimaryTokenPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 3984;
SourceName = "Security";
TimeGenerated = "20111125085926.000000+480";
TimeWritten = "20111125085926.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\LOCAL SERVICE";
};
TIME_CREATED = "129666564748281254";
};
******************************************==20==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {"", "", "(0x0,0xC2DE)", "3", "NtLmSsp ", "NTLM", "", "-", "-", "-", "-", "-", "-", "-", "-"};
Logfile = "Security";
Message = "成功的网络登录:
\n
\n\t用户名:\t
\n
\n\t域:\t\t
\n
\n\t登录 ID:\t\t(0x0,0xC2DE)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\t
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t-
\n
\n\t源端口:\t-
\n
\n";
RecordNumber = 3985;
SourceName = "Security";
TimeGenerated = "20111125085929.000000+480";
TimeWritten = "20111125085929.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\ANONYMOUS LOGON";
};
TIME_CREATED = "129666564748437500";
};
******************************************==21==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = "帐户登录";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "Administrator", "UFC-6A0A0B1F76C", "0x0"};
Logfile = "Security";
Message = "尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户: \tAdministrator
\n
\n源工作站: \tUFC-6A0A0B1F76C
\n
\n错误代码: \t0x0
\n
\n";
RecordNumber = 3986;
SourceName = "Security";
TimeGenerated = "20111125085941.000000+480";
TimeWritten = "20111125085942.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748593750";
};
******************************************==22==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 552;
EventIdentifier = 552;
EventType = 4;
InsertionStrings = {"UFC-6A0A0B1F76C$", "WORKGROUP", "(0x0,0x3E7)", "-", "Administrator", "UFC-6A0A0B1F76C", "-", "localhost", "localhost", "332", "127.0.0.1", "0"};
Logfile = "Security";
Message = "使用明确凭据的登录尝试:
\n
\n登录的用户:
\n
\n\t用户名:\tUFC-6A0A0B1F76C$
\n
\n\t域:\t\tWORKGROUP
\n
\n\t登录 ID:\t\t(0x0,0x3E7)
\n
\n\t登录 GUID:\t-
\n
\n凭据被使用的用户:
\n
\n\t目标用户名:\tAdministrator
\n
\n\t目标域:\tUFC-6A0A0B1F76C
\n
\n\t目标登录 GUID: -
\n
\n
\n目标服务器名称:\tlocalhost
\n
\n目标服务器信息:\tlocalhost
\n
\n调用方进程 ID:\t332
\n
\n源网络地址:\t127.0.0.1
\n
\n源端口:\t0
\n
\n";
RecordNumber = 3987;
SourceName = "Security";
TimeGenerated = "20111125085941.000000+480";
TimeWritten = "20111125085942.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\SYSTEM";
};
TIME_CREATED = "129666564748593751";
};
******************************************==23==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 528;
EventIdentifier = 528;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x10AB2)", "2", "User32 ", "Negotiate", "UFC-6A0A0B1F76C", "-", "UFC-6A0A0B1F76C$", "WORKGROUP", "(0x0,0x3E7)", "332", "-", "127.0.0.1", "0"};
Logfile = "Security";
Message = "登录成功:
\n
\n\t用户名: \tAdministrator
\n
\n\t域: \t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID: \t\t(0x0,0x10AB2)
\n
\n\t登录类型: \t2
\n
\n\t登录进程: \tUser32
\n
\n\t身份验证数据包: \tNegotiate
\n
\n\t工作站名:\tUFC-6A0A0B1F76C
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\tUFC-6A0A0B1F76C$
\n
\n\t调用方域:\tWORKGROUP
\n
\n\t调用方登录 ID:\t(0x0,0x3E7)
\n
\n\t调用方进程 ID: 332
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t127.0.0.1
\n
\n\t源端口:\t0
\n
\n";
RecordNumber = 3988;
SourceName = "Security";
TimeGenerated = "20111125085941.000000+480";
TimeWritten = "20111125085942.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748593752";
};
******************************************==24==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x10AB2)", "SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x10AB2)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 3989;
SourceName = "Security";
TimeGenerated = "20111125085941.000000+480";
TimeWritten = "20111125085942.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750000";
};
******************************************==25==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = "帐户登录";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "administrator", "\\\\192.168.4.254", "0x0"};
Logfile = "Security";
Message = "尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户: \tadministrator
\n
\n源工作站: \t\\\\192.168.4.254
\n
\n错误代码: \t0x0
\n
\n";
RecordNumber = 3990;
SourceName = "Security";
TimeGenerated = "20111125090112.000000+480";
TimeWritten = "20111125090112.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750001";
};
******************************************==26==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1A9BF)", "SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1A9BF)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 3991;
SourceName = "Security";
TimeGenerated = "20111125090112.000000+480";
TimeWritten = "20111125090112.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750002";
};
******************************************==27==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1A9BF)", "3", "NtLmSsp ", "NTLM", "\\\\192.168.4.254", "-", "-", "-", "-", "-", "-", "192.168.4.254", "0"};
Logfile = "Security";
Message = "成功的网络登录:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1A9BF)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\t\\\\192.168.4.254
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t192.168.4.254
\n
\n\t源端口:\t0
\n
\n";
RecordNumber = 3992;
SourceName = "Security";
TimeGenerated = "20111125090112.000000+480";
TimeWritten = "20111125090112.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750003";
};
******************************************==28==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = "帐户登录";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "administrator", "JCIFS8_186_16", "0x0"};
Logfile = "Security";
Message = "尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户: \tadministrator
\n
\n源工作站: \tJCIFS8_186_16
\n
\n错误代码: \t0x0
\n
\n";
RecordNumber = 3993;
SourceName = "Security";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750004";
};
******************************************==29==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1C919)", "SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1C919)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 3994;
SourceName = "Security";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750005";
};
******************************************==30==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1C919)", "3", "NtLmSsp ", "NTLM", "JCIFS8_186_16", "-", "-", "-", "-", "-", "-", "192.168.4.254", "1863"};
Logfile = "Security";
Message = "成功的网络登录:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1C919)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\tJCIFS8_186_16
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t192.168.4.254
\n
\n\t源端口:\t1863
\n
\n";
RecordNumber = 3995;
SourceName = "Security";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750006";
};
******************************************==31==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = "帐户登录";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "administrator", "JCIFS8_186_16", "0x0"};
Logfile = "Security";
Message = "尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户: \tadministrator
\n
\n源工作站: \tJCIFS8_186_16
\n
\n错误代码: \t0x0
\n
\n";
RecordNumber = 3996;
SourceName = "Security";
TimeGenerated = "20111125090114.000000+480";
TimeWritten = "20111125090114.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750007";
};
******************************************==32==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1CE72)", "SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1CE72)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 3997;
SourceName = "Security";
TimeGenerated = "20111125090114.000000+480";
TimeWritten = "20111125090114.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750008";
};
******************************************==33==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1CE72)", "3", "NtLmSsp ", "NTLM", "JCIFS8_186_16", "-", "-", "-", "-", "-", "-", "192.168.4.254", "1864"};
Logfile = "Security";
Message = "成功的网络登录:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1CE72)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\tJCIFS8_186_16
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t192.168.4.254
\n
\n\t源端口:\t1864
\n
\n";
RecordNumber = 3998;
SourceName = "Security";
TimeGenerated = "20111125090114.000000+480";
TimeWritten = "20111125090114.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750009";
};
******************************************==34==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = "帐户登录";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "administrator", "JCIFS8_186_16", "0x0"};
Logfile = "Security";
Message = "尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户: \tadministrator
\n
\n源工作站: \tJCIFS8_186_16
\n
\n错误代码: \t0x0
\n
\n";
RecordNumber = 3999;
SourceName = "Security";
TimeGenerated = "20111125090114.000000+480";
TimeWritten = "20111125090114.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750010";
};
******************************************==35==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1CE8B)", "SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1CE8B)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 4000;
SourceName = "Security";
TimeGenerated = "20111125090114.000000+480";
TimeWritten = "20111125090114.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750011";
};
******************************************==36==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1CE8B)", "3", "NtLmSsp ", "NTLM", "JCIFS8_186_16", "-", "-", "-", "-", "-", "-", "192.168.4.254", "1865"};
Logfile = "Security";
Message = "成功的网络登录:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1CE8B)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\tJCIFS8_186_16
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t192.168.4.254
\n
\n\t源端口:\t1865
\n
\n";
RecordNumber = 4001;
SourceName = "Security";
TimeGenerated = "20111125090114.000000+480";
TimeWritten = "20111125090114.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750012";
};
******************************************==37==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 538;
EventIdentifier = 538;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1A9BF)", "3"};
Logfile = "Security";
Message = "用户注销:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1A9BF)
\n
\n\t登录类型:\t3
\n
\n";
RecordNumber = 4002;
SourceName = "Security";
TimeGenerated = "20111125090148.000000+480";
TimeWritten = "20111125090148.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666565081875000";
};
******************************************==38==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 84, 1, 0, 0, 96, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 64, 1, 12, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 97, 0, 110, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
Data = {94, 9, 0, 0, 95, 9, 0, 0, 84, 5, 0, 0};
EventCode = 1001;
EventIdentifier = 1073742825;
EventType = 3;
InsertionStrings = {"WmiApRpl", "WmiApRpl"};
Logfile = "Application";
Message = "已成功删除 WmiApRpl (WmiApRpl)服务的性能计数器。记录数据含有系统上一个计数器和上一个“帮助”注册表项的新数值。
\n";
RecordNumber = 155;
SourceName = "LoadPerf";
TimeGenerated = "20111125090331.000000+480";
TimeWritten = "20111125090331.000000+480";
Type = "信息";
};
TIME_CREATED = "129666566116718750";
};
******************************************==39==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 84, 1, 0, 0, 96, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 64, 1, 12, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 97, 0, 110, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
Data = {96, 9, 0, 0, 108, 9, 0, 0, 97, 9, 0, 0, 109, 9, 0, 0};
EventCode = 1000;
EventIdentifier = 1073742824;
EventType = 3;
InsertionStrings = {"WmiApRpl", "WmiApRpl"};
Logfile = "Application";
Message = "已成功加载 WmiApRpl (WmiApRpl)服务的性能计数器。记录数据含有分配给这个服务的新索引数值。
\n";
RecordNumber = 156;
SourceName = "LoadPerf";
TimeGenerated = "20111125090331.000000+480";
TimeWritten = "20111125090331.000000+480";
Type = "信息";
};
TIME_CREATED = "129666566169062500";
};
******************************************==40==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = "帐户登录";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "administrator", "JCIFS8_186_16", "0x0"};
Logfile = "Security";
Message = "尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户: \tadministrator
\n
\n源工作站: \tJCIFS8_186_16
\n
\n错误代码: \t0x0
\n
\n";
RecordNumber = 4003;
SourceName = "Security";
TimeGenerated = "20111125090510.000000+480";
TimeWritten = "20111125090510.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666567102656250";
};
******************************************==41==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1F28E)", "SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1F28E)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 4004;
SourceName = "Security";
TimeGenerated = "20111125090510.000000+480";
TimeWritten = "20111125090510.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666567102656251";
};
******************************************==42==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1F28E)", "3", "NtLmSsp ", "NTLM", "JCIFS8_186_16", "-", "-", "-", "-", "-", "-", "192.168.4.254", "1900"};
Logfile = "Security";
Message = "成功的网络登录:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1F28E)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\tJCIFS8_186_16
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t192.168.4.254
\n
\n\t源端口:\t1900
\n
\n";
RecordNumber = 4005;
SourceName = "Security";
TimeGenerated = "20111125090510.000000+480";
TimeWritten = "20111125090510.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666567102656252";
};
******************************************==43==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 17;
EventIdentifier = 2186936337;
EventType = 1;
InsertionStrings = {"time.windows.com,0x1", "套接字操作尝试一个无法连接的主机。 (0x80072751)", "30"};
Logfile = "System";
Message = "时间提供程序 NtpClient: 在 DNS 查询手动配置的对等机器 'time.windows.com,0x1' 时发生一个错误。
\nNtpClient 将在 30 分钟内重试 NDS 查询。
\n错误为: 套接字操作尝试一个无法连接的主机。 (0x80072751)
\n";
RecordNumber = 662;
SourceName = "W32Time";
TimeGenerated = "20111125091430.000000+480";
TimeWritten = "20111125091430.000000+480";
Type = "错误";
};
TIME_CREATED = "129666572702812500";
};
Java代码
- package com.mytest;
- import java.io.IOException;
- import java.util.logging.Level;
- import org.jinterop.dcom.common.JIException;
- import org.jinterop.dcom.common.JISystem;
- import org.jinterop.dcom.core.JIComServer;
- import org.jinterop.dcom.core.JIProgId;
- import org.jinterop.dcom.core.JISession;
- import org.jinterop.dcom.core.JIString;
- import org.jinterop.dcom.core.JIVariant;
- import org.jinterop.dcom.impls.JIObjectFactory;
- import org.jinterop.dcom.impls.automation.IJIDispatch;
- public class EventLogListener {
- private static final String WMI_DEFAULT_NAMESPACE = "ROOT\\CIMV2";
- private static JISession configAndConnectDCom(String domain, String user,
- String pass) throws Exception {
- JISystem.getLogger().setLevel(Level.OFF);
- try {
- JISystem.setInBuiltLogHandler(false);
- } catch (IOException ignored) {
- ;
- }
- JISystem.setAutoRegisteration(true);
- JISession dcomSession = JISession.createSession(domain, user, pass);
- dcomSession.useSessionSecurity(true);
- return dcomSession;
- }
- private static IJIDispatch getWmiLocator(String host, JISession dcomSession)
- throws Exception {
- JIComServer wbemLocatorComObj = new JIComServer(JIProgId
- .valueOf("WbemScripting.SWbemLocator"), host, dcomSession);
- return (IJIDispatch) JIObjectFactory.narrowObject(wbemLocatorComObj
- .createInstance().queryInterface(IJIDispatch.IID));
- }
- private static IJIDispatch toIDispatch(JIVariant comObjectAsVariant)
- throws JIException {
- return (IJIDispatch) JIObjectFactory.narrowObject(comObjectAsVariant
- .getObjectAsComObject());
- }
- public static void main(String[] args) {
- //if (args.length != 4) {
- //System.out.println("Usage: "
- //+ EventLogListener.class.getSimpleName()
- //+ " domain host username password");
- //return;
- //}
- String domain = "";
- String host = "192.168.4.253";
- String user = "administrator";
- String pass ="123456";
- JISession dcomSession = null;
- try {
- // Connect to DCOM on the remote system, and create an instance of
- // the WbemScripting.SWbemLocator object to talk to WMI.
- dcomSession = configAndConnectDCom(domain, user, pass);
- IJIDispatch wbemLocator = getWmiLocator(host, dcomSession);
- // Invoke the "ConnectServer" method on the SWbemLocator object via
- // it's IDispatch COM pointer. We will connect to
- // the default ROOT\CIMV2 namespace. This will result in us having a
- // reference to a "SWbemServices" object.
- JIVariant results[] = wbemLocator.callMethodA("ConnectServer",
- new Object[] { new JIString(host),
- new JIString(WMI_DEFAULT_NAMESPACE),
- JIVariant.OPTIONAL_PARAM(),
- JIVariant.OPTIONAL_PARAM(),
- JIVariant.OPTIONAL_PARAM(),
- JIVariant.OPTIONAL_PARAM(), new Integer(0),
- JIVariant.OPTIONAL_PARAM() });
- IJIDispatch wbemServices = toIDispatch(results[0]);
- // Now that we have a SWbemServices DCOM object reference, we
- // prepare a WMI Query Language (WQL) request to be informed
- // whenever a
- // new instance of the "Win32_NTLogEvent" WMI class is created on
- // the remote host. This is submitted to the remote host via the
- // "ExecNotificationQuery" method on SWbemServices. This gives us
- // all events as they come in. Refer to WQL documentation to
- // learn how to restrict the query if you want a narrower focus.
- final String QUERY_FOR_ALL_LOG_EVENTS = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent'";
- //final String QUERY_FOR_ALL_LOG_EVENTS = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' and TargetInstance.LogFile = 'System'";
- //Application
- //Security
- //System
- // and TargetInstance.LogFile = 'System'
- final int RETURN_IMMEDIATE = 16;
- final int FORWARD_ONLY = 32;
- JIVariant[] eventSourceSet = wbemServices.callMethodA(
- "ExecNotificationQuery", new Object[] {
- new JIString(QUERY_FOR_ALL_LOG_EVENTS),
- new JIString("WQL"),
- new JIVariant(new Integer(RETURN_IMMEDIATE
- + FORWARD_ONLY)) });
- IJIDispatch wbemEventSource = (IJIDispatch) JIObjectFactory
- .narrowObject((eventSourceSet[0]).getObjectAsComObject());
- // The result of the query is a SWbemEventSource object. This object
- // exposes a method that we can call in a loop to retrieve the
- // next Windows Event Log entry whenever it is created. This
- // "NextEvent" operation will block until we are given an event.
- // Note that you can specify timeouts, see the Microsoft
- // documentation for more details.
- boolean flag = true;
- int i=0;
- while (flag) {
- // this blocks until an event log entry appears.
- JIVariant eventAsVariant = (JIVariant) (wbemEventSource
- .callMethodA("NextEvent", new Object[] { JIVariant
- .OPTIONAL_PARAM() }))[0];
- IJIDispatch wbemEvent = toIDispatch(eventAsVariant);
- // WMI gives us events as SWbemObject instances (a base class of
- // any WMI object). We know in our case we asked for a specific
- // object
- // type, so we will go ahead and invoke methods supported by
- // that Win32_NTLogEvent class via the wbemEvent IDispatch
- // pointer.
- // In this case, we simply call the "GetObjectText_" method that
- // returns us the entire object as a CIM formatted string. We
- // could,
- // however, ask the object for its property values via
- // wbemEvent.get("PropertyName"). See the j-interop
- // documentation and examples
- // for how to query COM properties.
- JIVariant objTextAsVariant = (JIVariant) (wbemEvent
- .callMethodA("GetObjectText_",
- new Object[] { new Integer(1) }))[0];
- String asText = objTextAsVariant.getObjectAsString()
- .getString();
- System.out.println("******************************************=="+i++ +"==****************************");
- System.out.println(asText);
- //flag = false;
- // System.out.println("-----start------");
- // System.out.println(asText);
- // String[] texts = asText.split("\t");
- // for(int i = 0; i
- // {
- // System.out.println( "texts["+ i +"]= "+texts[i]);
- // }
- }
- } catch (Exception e) {
- e.printStackTrace();
- } finally {
- if (null != dcomSession) {
- try {
- JISession.destroySession(dcomSession);
- } catch (Exception ex) {
- ex.printStackTrace();
- }
- }
- }
- }
- }
输出结果:
******************************************==0==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
Data = {49, 0, 46, 0, 49, 0, 0, 0, 48, 0, 0, 0, 77, 0, 105, 0, 99, 0, 114, 0, 111, 0, 115, 0, 111, 0, 102, 0, 116, 0, 32, 0, 87, 0, 105, 0, 110, 0, 100, 0, 111, 0, 119, 0, 115, 0, 32, 0, 83, 0, 101, 0, 114, 0, 118, 0, 101, 0, 114, 0, 32, 0, 50, 0, 48, 0, 48, 0, 51, 0, 0, 0, 53, 0, 46, 0, 50, 0, 46, 0, 51, 0, 55, 0, 57, 0, 48, 0, 32, 0, 66, 0, 117, 0, 105, 0, 108, 0, 100, 0, 32, 0, 51, 0, 55, 0, 57, 0, 48, 0, 32, 0, 83, 0, 101, 0, 114, 0, 118, 0, 105, 0, 99, 0, 101, 0, 32, 0, 80, 0, 97, 0, 99, 0, 107, 0, 32, 0, 50, 0, 0, 0, 85, 0, 110, 0, 105, 0, 112, 0, 114, 0, 111, 0, 99, 0, 101, 0, 115, 0, 115, 0, 111, 0, 114, 0, 32, 0, 70, 0, 114, 0, 101, 0, 101, 0, 0, 0, 51, 0, 55, 0, 57, 0, 48, 0, 46, 0, 115, 0, 114, 0, 118, 0, 48, 0, 51, 0, 95, 0, 115, 0, 112, 0, 50, 0, 95, 0, 114, 0, 116, 0, 109, 0, 46, 0, 48, 0, 55, 0, 48, 0, 50, 0, 49, 0, 54, 0, 45, 0, 49, 0, 55, 0, 49, 0, 48, 0, 0, 0, 52, 0, 101, 0, 99, 0, 98, 0, 49, 0, 56, 0, 52, 0, 52, 0, 0, 0, 78, 0, 111, 0, 116, 0, 32, 0, 65, 0, 118, 0, 97, 0, 105, 0, 108, 0, 97, 0, 98, 0, 108, 0, 101, 0, 0, 0, 78, 0, 111, 0, 116, 0, 32, 0, 65, 0, 118, 0, 97, 0, 105, 0, 108, 0, 97, 0, 98, 0, 108, 0, 101, 0, 0, 0, 48, 0, 0, 0, 49, 0, 0, 0, 51, 0, 56, 0, 52, 0, 0, 0, 56, 0, 48, 0, 52, 0, 0, 0, 117, 0, 102, 0, 99, 0, 45, 0, 54, 0, 97, 0, 48, 0, 97, 0, 48, 0, 98, 0, 49, 0, 102, 0, 55, 0, 54, 0, 99, 0, 0, 0, 0, 0};
EventCode = 6005;
EventIdentifier = 2147489653;
EventType = 3;
InsertionStrings = {"", "", "", "", "13", "60", "-480 中国标准时间"};
Logfile = "System";
Message = "事件日志服务已启动。
\n";
RecordNumber = 650;
SourceName = "EventLog";
TimeGenerated = "20111125085922.000000+480";
TimeWritten = "20111125085922.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564746875000";
};
******************************************==1==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 10026;
EventIdentifier = 1075849002;
EventType = 3;
InsertionStrings = {"86400", "SuppressDuplicateDuration", "Software\\Microsoft\\Ole\\EventLog"};
Logfile = "System";
Message = "COM 子系统正在取消 86400 秒持续时间内重复的事件日志项。可以通过下列注册表项下名为 SuppressDuplicateDuration 的 REG_DWORD 值控制取消超时: HKLM\\Software\\Microsoft\\Ole\\EventLog。
\n";
RecordNumber = 651;
SourceName = "DCOM";
TimeGenerated = "20111125085922.000000+480";
TimeWritten = "20111125085922.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031250";
};
******************************************==2==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 3;
EventIdentifier = 1113194499;
EventType = 3;
Logfile = "System";
Message = "应用程序体验查找服务已成功地启动。
\n";
RecordNumber = 652;
SourceName = "AeLookupSvc";
TimeGenerated = "20111125085929.000000+480";
TimeWritten = "20111125085929.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031251";
};
******************************************==3==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 17;
EventIdentifier = 2186936337;
EventType = 1;
InsertionStrings = {"time.windows.com,0x1", "套接字操作尝试一个无法连接的主机。 (0x80072751)", "15"};
Logfile = "System";
Message = "时间提供程序 NtpClient: 在 DNS 查询手动配置的对等机器 'time.windows.com,0x1' 时发生一个错误。
\nNtpClient 将在 15 分钟内重试 NDS 查询。
\n错误为: 套接字操作尝试一个无法连接的主机。 (0x80072751)
\n";
RecordNumber = 653;
SourceName = "W32Time";
TimeGenerated = "20111125085930.000000+480";
TimeWritten = "20111125085930.000000+480";
Type = "错误";
};
TIME_CREATED = "129666564747031252";
};
******************************************==4==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
Data = {0, 0, 0, 0, 1, 0, 84, 0, 0, 0, 0, 0, 199, 16, 0, 64, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
EventCode = 4295;
EventIdentifier = 1073746119;
EventType = 3;
InsertionStrings = {""};
Logfile = "System";
Message = "IPSec 驱动程序以 Bypass 模式启动。在此计算机启动时没有 IPSec
\n安全性会被应用到此计算机。如果配置了IPSec 策略,它们将在
\nIPSec 服务启动后被应用到此计算机。
\n";
RecordNumber = 654;
SourceName = "IPSec";
TimeGenerated = "20111125085914.000000+480";
TimeWritten = "20111125085944.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031253";
};
******************************************==5==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
Data = {0, 0, 0, 0, 1, 0, 84, 0, 0, 0, 0, 0, 198, 16, 0, 64, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
EventCode = 4294;
EventIdentifier = 1073746118;
EventType = 3;
InsertionStrings = {""};
Logfile = "System";
Message = "IPSec 驱动程序进入 Secure 状态。如果配置了 IPSec 策略,
\n将在现在被应用到此计算机。
\n";
RecordNumber = 655;
SourceName = "IPSec";
TimeGenerated = "20111125085929.000000+480";
TimeWritten = "20111125085944.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031254";
};
******************************************==6==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 7035;
EventIdentifier = 1073748859;
EventType = 3;
InsertionStrings = {"Network Location Awareness (NLA)", "开始"};
Logfile = "System";
Message = "Network Location Awareness (NLA) 服务成功发送一个 开始 控件。
\n";
RecordNumber = 656;
SourceName = "Service Control Manager";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "信息";
User = "NT AUTHORITY\\SYSTEM";
};
TIME_CREATED = "129666564747031255";
};
******************************************==7==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 7036;
EventIdentifier = 1073748860;
EventType = 3;
InsertionStrings = {"Network Location Awareness (NLA)", "正在运行"};
Logfile = "System";
Message = "Network Location Awareness (NLA) 服务处于 正在运行 状态。
\n";
RecordNumber = 657;
SourceName = "Service Control Manager";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031256";
};
******************************************==8==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 7035;
EventIdentifier = 1073748859;
EventType = 3;
InsertionStrings = {"Terminal Services", "开始"};
Logfile = "System";
Message = "Terminal Services 服务成功发送一个 开始 控件。
\n";
RecordNumber = 658;
SourceName = "Service Control Manager";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "信息";
User = "NT AUTHORITY\\SYSTEM";
};
TIME_CREATED = "129666564747031257";
};
******************************************==9==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 7036;
EventIdentifier = 1073748860;
EventType = 3;
InsertionStrings = {"Terminal Services", "正在运行"};
Logfile = "System";
Message = "Terminal Services 服务处于 正在运行 状态。
\n";
RecordNumber = 659;
SourceName = "Service Control Manager";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031258";
};
******************************************==10==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 7035;
EventIdentifier = 1073748859;
EventType = 3;
InsertionStrings = {"Application Layer Gateway Service", "开始"};
Logfile = "System";
Message = "Application Layer Gateway Service 服务成功发送一个 开始 控件。
\n";
RecordNumber = 660;
SourceName = "Service Control Manager";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "信息";
User = "NT AUTHORITY\\SYSTEM";
};
TIME_CREATED = "129666564747031259";
};
******************************************==11==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 7036;
EventIdentifier = 1073748860;
EventType = 3;
InsertionStrings = {"Application Layer Gateway Service", "正在运行"};
Logfile = "System";
Message = "Application Layer Gateway Service 服务处于 正在运行 状态。
\n";
RecordNumber = 661;
SourceName = "Service Control Manager";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031260";
};
******************************************==12==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 84, 1, 0, 0, 96, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 64, 1, 12, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 97, 0, 110, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "TM";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 4193;
EventIdentifier = 1073746017;
EventType = 3;
InsertionStrings = {"0", "0", "0", "0", "0", "0", "1"};
Logfile = "Application";
Message = "MS DTC 已启动,设置如下(OFF = 0,ON = 1):
\n
\n安全配置:
\n 事务的网络管理 = 0,
\n 网络客户端 = 0,
\n 使用本机 MSDTC 协议的入站分布式事务 = 0,
\n 使用本机 MSDTC 协议的出站分布式事务 = 0,
\n 事务 Internet 协议(TIP) = 0,
\n XA 事务 = 0
\n
\n筛选的重复事件 = 1";
RecordNumber = 152;
SourceName = "MSDTC";
TimeGenerated = "20111125085929.000000+480";
TimeWritten = "20111125085929.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747187500";
};
******************************************==13==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 84, 1, 0, 0, 96, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 64, 1, 12, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 97, 0, 110, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 4625;
EventIdentifier = 1073746449;
EventType = 3;
InsertionStrings = {"86400", "SuppressDuplicateDuration", "Software\\Microsoft\\EventSystem\\EventLog"};
Logfile = "Application";
Message = "EventSystem 子系统正在取消 86400 秒持续时间内重复的事件日志项。可以通过下列注册表项下名为 SuppressDuplicateDuration 的 REG_DWORD 值控制取消超时: HKLM\\Software\\Microsoft\\EventSystem\\EventLog。
\n";
RecordNumber = 153;
SourceName = "EventSystem";
TimeGenerated = "20111125085929.000000+480";
TimeWritten = "20111125085929.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747187501";
};
******************************************==14==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 84, 1, 0, 0, 96, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 64, 1, 12, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 97, 0, 110, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 100;
ComputerName = "UFC-6A0A0B1F76C";
Data = {65, 112, 112, 108, 105, 99, 97, 116, 105, 111, 110, 32, 70, 97, 105, 108, 117, 114, 101, 32, 32, 115, 118, 99, 104, 111, 115, 116, 46, 101, 120, 101, 32, 53, 46, 50, 46, 51, 55, 57, 48, 46, 51, 57, 53, 57, 32, 105, 110, 32, 107, 101, 114, 110, 101, 108, 51, 50, 46, 100, 108, 108, 32, 53, 46, 50, 46, 51, 55, 57, 48, 46, 51, 57, 53, 57, 32, 97, 116, 32, 111, 102, 102, 115, 101, 116, 32, 48, 48, 48, 54, 98, 101, 98, 56};
EventCode = 1004;
EventIdentifier = 1004;
EventType = 3;
InsertionStrings = {"svchost.exe", "5.2.3790.3959", "kernel32.dll", "5.2.3790.3959", "0006beb8"};
Logfile = "Application";
Message = "报告队列中的错误: 错误应用程序 svchost.exe,版本 5.2.3790.3959,错误模块 kernel32.dll,版本 5.2.3790.3959,错误地址 0x0006beb8。
\n";
RecordNumber = 154;
SourceName = "Application Error";
TimeGenerated = "20111125085942.000000+480";
TimeWritten = "20111125085942.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747187502";
};
******************************************==15==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 528;
EventIdentifier = 528;
EventType = 4;
InsertionStrings = {"SYSTEM", "NT AUTHORITY", "(0x0,0x3E7)", "0", "-", "-", "-", "-", "-", "-", "-", "4", "-", "-", "-"};
Logfile = "Security";
Message = "登录成功:
\n
\n\t用户名: \tSYSTEM
\n
\n\t域: \t\tNT AUTHORITY
\n
\n\t登录 ID: \t\t(0x0,0x3E7)
\n
\n\t登录类型: \t0
\n
\n\t登录进程: \t-
\n
\n\t身份验证数据包: \t-
\n
\n\t工作站名:\t-
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: 4
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t-
\n
\n\t源端口:\t-
\n
\n";
RecordNumber = 3980;
SourceName = "Security";
TimeGenerated = "20111125085926.000000+480";
TimeWritten = "20111125085926.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\SYSTEM";
};
TIME_CREATED = "129666564748281250";
};
******************************************==16==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 528;
EventIdentifier = 528;
EventType = 4;
InsertionStrings = {"NETWORK SERVICE", "NT AUTHORITY", "(0x0,0x3E4)", "5", "Advapi ", "Negotiate", "", "-", "UFC-6A0A0B1F76C$", "WORKGROUP", "(0x0,0x3E7)", "380", "-", "-", "-"};
Logfile = "Security";
Message = "登录成功:
\n
\n\t用户名: \tNETWORK SERVICE
\n
\n\t域: \t\tNT AUTHORITY
\n
\n\t登录 ID: \t\t(0x0,0x3E4)
\n
\n\t登录类型: \t5
\n
\n\t登录进程: \tAdvapi
\n
\n\t身份验证数据包: \tNegotiate
\n
\n\t工作站名:\t
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\tUFC-6A0A0B1F76C$
\n
\n\t调用方域:\tWORKGROUP
\n
\n\t调用方登录 ID:\t(0x0,0x3E7)
\n
\n\t调用方进程 ID: 380
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t-
\n
\n\t源端口:\t-
\n
\n";
RecordNumber = 3981;
SourceName = "Security";
TimeGenerated = "20111125085926.000000+480";
TimeWritten = "20111125085926.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\NETWORK SERVICE";
};
TIME_CREATED = "129666564748281251";
};
******************************************==17==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"NETWORK SERVICE", "NT AUTHORITY", "(0x0,0x3E4)", "SeAuditPrivilege
\n\t\t\tSeAssignPrimaryTokenPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tNETWORK SERVICE
\n
\n\t域:\t\tNT AUTHORITY
\n
\n\t登录 ID:\t\t(0x0,0x3E4)
\n
\n\t特权:\tSeAuditPrivilege
\n\t\t\tSeAssignPrimaryTokenPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 3982;
SourceName = "Security";
TimeGenerated = "20111125085926.000000+480";
TimeWritten = "20111125085926.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\NETWORK SERVICE";
};
TIME_CREATED = "129666564748281252";
};
******************************************==18==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 528;
EventIdentifier = 528;
EventType = 4;
InsertionStrings = {"LOCAL SERVICE", "NT AUTHORITY", "(0x0,0x3E5)", "5", "Advapi ", "Negotiate", "", "-", "UFC-6A0A0B1F76C$", "WORKGROUP", "(0x0,0x3E7)", "380", "-", "-", "-"};
Logfile = "Security";
Message = "登录成功:
\n
\n\t用户名: \tLOCAL SERVICE
\n
\n\t域: \t\tNT AUTHORITY
\n
\n\t登录 ID: \t\t(0x0,0x3E5)
\n
\n\t登录类型: \t5
\n
\n\t登录进程: \tAdvapi
\n
\n\t身份验证数据包: \tNegotiate
\n
\n\t工作站名:\t
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\tUFC-6A0A0B1F76C$
\n
\n\t调用方域:\tWORKGROUP
\n
\n\t调用方登录 ID:\t(0x0,0x3E7)
\n
\n\t调用方进程 ID: 380
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t-
\n
\n\t源端口:\t-
\n
\n";
RecordNumber = 3983;
SourceName = "Security";
TimeGenerated = "20111125085926.000000+480";
TimeWritten = "20111125085926.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\LOCAL SERVICE";
};
TIME_CREATED = "129666564748281253";
};
******************************************==19==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"LOCAL SERVICE", "NT AUTHORITY", "(0x0,0x3E5)", "SeAuditPrivilege
\n\t\t\tSeAssignPrimaryTokenPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tLOCAL SERVICE
\n
\n\t域:\t\tNT AUTHORITY
\n
\n\t登录 ID:\t\t(0x0,0x3E5)
\n
\n\t特权:\tSeAuditPrivilege
\n\t\t\tSeAssignPrimaryTokenPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 3984;
SourceName = "Security";
TimeGenerated = "20111125085926.000000+480";
TimeWritten = "20111125085926.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\LOCAL SERVICE";
};
TIME_CREATED = "129666564748281254";
};
******************************************==20==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {"", "", "(0x0,0xC2DE)", "3", "NtLmSsp ", "NTLM", "", "-", "-", "-", "-", "-", "-", "-", "-"};
Logfile = "Security";
Message = "成功的网络登录:
\n
\n\t用户名:\t
\n
\n\t域:\t\t
\n
\n\t登录 ID:\t\t(0x0,0xC2DE)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\t
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t-
\n
\n\t源端口:\t-
\n
\n";
RecordNumber = 3985;
SourceName = "Security";
TimeGenerated = "20111125085929.000000+480";
TimeWritten = "20111125085929.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\ANONYMOUS LOGON";
};
TIME_CREATED = "129666564748437500";
};
******************************************==21==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = "帐户登录";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "Administrator", "UFC-6A0A0B1F76C", "0x0"};
Logfile = "Security";
Message = "尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户: \tAdministrator
\n
\n源工作站: \tUFC-6A0A0B1F76C
\n
\n错误代码: \t0x0
\n
\n";
RecordNumber = 3986;
SourceName = "Security";
TimeGenerated = "20111125085941.000000+480";
TimeWritten = "20111125085942.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748593750";
};
******************************************==22==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 552;
EventIdentifier = 552;
EventType = 4;
InsertionStrings = {"UFC-6A0A0B1F76C$", "WORKGROUP", "(0x0,0x3E7)", "-", "Administrator", "UFC-6A0A0B1F76C", "-", "localhost", "localhost", "332", "127.0.0.1", "0"};
Logfile = "Security";
Message = "使用明确凭据的登录尝试:
\n
\n登录的用户:
\n
\n\t用户名:\tUFC-6A0A0B1F76C$
\n
\n\t域:\t\tWORKGROUP
\n
\n\t登录 ID:\t\t(0x0,0x3E7)
\n
\n\t登录 GUID:\t-
\n
\n凭据被使用的用户:
\n
\n\t目标用户名:\tAdministrator
\n
\n\t目标域:\tUFC-6A0A0B1F76C
\n
\n\t目标登录 GUID: -
\n
\n
\n目标服务器名称:\tlocalhost
\n
\n目标服务器信息:\tlocalhost
\n
\n调用方进程 ID:\t332
\n
\n源网络地址:\t127.0.0.1
\n
\n源端口:\t0
\n
\n";
RecordNumber = 3987;
SourceName = "Security";
TimeGenerated = "20111125085941.000000+480";
TimeWritten = "20111125085942.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\SYSTEM";
};
TIME_CREATED = "129666564748593751";
};
******************************************==23==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 528;
EventIdentifier = 528;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x10AB2)", "2", "User32 ", "Negotiate", "UFC-6A0A0B1F76C", "-", "UFC-6A0A0B1F76C$", "WORKGROUP", "(0x0,0x3E7)", "332", "-", "127.0.0.1", "0"};
Logfile = "Security";
Message = "登录成功:
\n
\n\t用户名: \tAdministrator
\n
\n\t域: \t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID: \t\t(0x0,0x10AB2)
\n
\n\t登录类型: \t2
\n
\n\t登录进程: \tUser32
\n
\n\t身份验证数据包: \tNegotiate
\n
\n\t工作站名:\tUFC-6A0A0B1F76C
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\tUFC-6A0A0B1F76C$
\n
\n\t调用方域:\tWORKGROUP
\n
\n\t调用方登录 ID:\t(0x0,0x3E7)
\n
\n\t调用方进程 ID: 332
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t127.0.0.1
\n
\n\t源端口:\t0
\n
\n";
RecordNumber = 3988;
SourceName = "Security";
TimeGenerated = "20111125085941.000000+480";
TimeWritten = "20111125085942.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748593752";
};
******************************************==24==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x10AB2)", "SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x10AB2)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 3989;
SourceName = "Security";
TimeGenerated = "20111125085941.000000+480";
TimeWritten = "20111125085942.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750000";
};
******************************************==25==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = "帐户登录";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "administrator", "\\\\192.168.4.254", "0x0"};
Logfile = "Security";
Message = "尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户: \tadministrator
\n
\n源工作站: \t\\\\192.168.4.254
\n
\n错误代码: \t0x0
\n
\n";
RecordNumber = 3990;
SourceName = "Security";
TimeGenerated = "20111125090112.000000+480";
TimeWritten = "20111125090112.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750001";
};
******************************************==26==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1A9BF)", "SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1A9BF)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 3991;
SourceName = "Security";
TimeGenerated = "20111125090112.000000+480";
TimeWritten = "20111125090112.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750002";
};
******************************************==27==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1A9BF)", "3", "NtLmSsp ", "NTLM", "\\\\192.168.4.254", "-", "-", "-", "-", "-", "-", "192.168.4.254", "0"};
Logfile = "Security";
Message = "成功的网络登录:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1A9BF)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\t\\\\192.168.4.254
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t192.168.4.254
\n
\n\t源端口:\t0
\n
\n";
RecordNumber = 3992;
SourceName = "Security";
TimeGenerated = "20111125090112.000000+480";
TimeWritten = "20111125090112.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750003";
};
******************************************==28==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = "帐户登录";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "administrator", "JCIFS8_186_16", "0x0"};
Logfile = "Security";
Message = "尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户: \tadministrator
\n
\n源工作站: \tJCIFS8_186_16
\n
\n错误代码: \t0x0
\n
\n";
RecordNumber = 3993;
SourceName = "Security";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750004";
};
******************************************==29==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1C919)", "SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1C919)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 3994;
SourceName = "Security";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750005";
};
******************************************==30==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1C919)", "3", "NtLmSsp ", "NTLM", "JCIFS8_186_16", "-", "-", "-", "-", "-", "-", "192.168.4.254", "1863"};
Logfile = "Security";
Message = "成功的网络登录:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1C919)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\tJCIFS8_186_16
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t192.168.4.254
\n
\n\t源端口:\t1863
\n
\n";
RecordNumber = 3995;
SourceName = "Security";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750006";
};
******************************************==31==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = "帐户登录";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "administrator", "JCIFS8_186_16", "0x0"};
Logfile = "Security";
Message = "尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户: \tadministrator
\n
\n源工作站: \tJCIFS8_186_16
\n
\n错误代码: \t0x0
\n
\n";
RecordNumber = 3996;
SourceName = "Security";
TimeGenerated = "20111125090114.000000+480";
TimeWritten = "20111125090114.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750007";
};
******************************************==32==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1CE72)", "SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1CE72)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 3997;
SourceName = "Security";
TimeGenerated = "20111125090114.000000+480";
TimeWritten = "20111125090114.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750008";
};
******************************************==33==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1CE72)", "3", "NtLmSsp ", "NTLM", "JCIFS8_186_16", "-", "-", "-", "-", "-", "-", "192.168.4.254", "1864"};
Logfile = "Security";
Message = "成功的网络登录:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1CE72)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\tJCIFS8_186_16
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t192.168.4.254
\n
\n\t源端口:\t1864
\n
\n";
RecordNumber = 3998;
SourceName = "Security";
TimeGenerated = "20111125090114.000000+480";
TimeWritten = "20111125090114.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750009";
};
******************************************==34==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = "帐户登录";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "administrator", "JCIFS8_186_16", "0x0"};
Logfile = "Security";
Message = "尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户: \tadministrator
\n
\n源工作站: \tJCIFS8_186_16
\n
\n错误代码: \t0x0
\n
\n";
RecordNumber = 3999;
SourceName = "Security";
TimeGenerated = "20111125090114.000000+480";
TimeWritten = "20111125090114.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750010";
};
******************************************==35==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1CE8B)", "SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1CE8B)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 4000;
SourceName = "Security";
TimeGenerated = "20111125090114.000000+480";
TimeWritten = "20111125090114.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750011";
};
******************************************==36==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1CE8B)", "3", "NtLmSsp ", "NTLM", "JCIFS8_186_16", "-", "-", "-", "-", "-", "-", "192.168.4.254", "1865"};
Logfile = "Security";
Message = "成功的网络登录:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1CE8B)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\tJCIFS8_186_16
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t192.168.4.254
\n
\n\t源端口:\t1865
\n
\n";
RecordNumber = 4001;
SourceName = "Security";
TimeGenerated = "20111125090114.000000+480";
TimeWritten = "20111125090114.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750012";
};
******************************************==37==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 538;
EventIdentifier = 538;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1A9BF)", "3"};
Logfile = "Security";
Message = "用户注销:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1A9BF)
\n
\n\t登录类型:\t3
\n
\n";
RecordNumber = 4002;
SourceName = "Security";
TimeGenerated = "20111125090148.000000+480";
TimeWritten = "20111125090148.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666565081875000";
};
******************************************==38==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 84, 1, 0, 0, 96, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 64, 1, 12, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 97, 0, 110, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
Data = {94, 9, 0, 0, 95, 9, 0, 0, 84, 5, 0, 0};
EventCode = 1001;
EventIdentifier = 1073742825;
EventType = 3;
InsertionStrings = {"WmiApRpl", "WmiApRpl"};
Logfile = "Application";
Message = "已成功删除 WmiApRpl (WmiApRpl)服务的性能计数器。记录数据含有系统上一个计数器和上一个“帮助”注册表项的新数值。
\n";
RecordNumber = 155;
SourceName = "LoadPerf";
TimeGenerated = "20111125090331.000000+480";
TimeWritten = "20111125090331.000000+480";
Type = "信息";
};
TIME_CREATED = "129666566116718750";
};
******************************************==39==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 84, 1, 0, 0, 96, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 64, 1, 12, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 97, 0, 110, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
Data = {96, 9, 0, 0, 108, 9, 0, 0, 97, 9, 0, 0, 109, 9, 0, 0};
EventCode = 1000;
EventIdentifier = 1073742824;
EventType = 3;
InsertionStrings = {"WmiApRpl", "WmiApRpl"};
Logfile = "Application";
Message = "已成功加载 WmiApRpl (WmiApRpl)服务的性能计数器。记录数据含有分配给这个服务的新索引数值。
\n";
RecordNumber = 156;
SourceName = "LoadPerf";
TimeGenerated = "20111125090331.000000+480";
TimeWritten = "20111125090331.000000+480";
Type = "信息";
};
TIME_CREATED = "129666566169062500";
};
******************************************==40==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = "帐户登录";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "administrator", "JCIFS8_186_16", "0x0"};
Logfile = "Security";
Message = "尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户: \tadministrator
\n
\n源工作站: \tJCIFS8_186_16
\n
\n错误代码: \t0x0
\n
\n";
RecordNumber = 4003;
SourceName = "Security";
TimeGenerated = "20111125090510.000000+480";
TimeWritten = "20111125090510.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666567102656250";
};
******************************************==41==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1F28E)", "SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1F28E)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 4004;
SourceName = "Security";
TimeGenerated = "20111125090510.000000+480";
TimeWritten = "20111125090510.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666567102656251";
};
******************************************==42==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1F28E)", "3", "NtLmSsp ", "NTLM", "JCIFS8_186_16", "-", "-", "-", "-", "-", "-", "192.168.4.254", "1900"};
Logfile = "Security";
Message = "成功的网络登录:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1F28E)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\tJCIFS8_186_16
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t192.168.4.254
\n
\n\t源端口:\t1900
\n
\n";
RecordNumber = 4005;
SourceName = "Security";
TimeGenerated = "20111125090510.000000+480";
TimeWritten = "20111125090510.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666567102656252";
};
******************************************==43==****************************
instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 17;
EventIdentifier = 2186936337;
EventType = 1;
InsertionStrings = {"time.windows.com,0x1", "套接字操作尝试一个无法连接的主机。 (0x80072751)", "30"};
Logfile = "System";
Message = "时间提供程序 NtpClient: 在 DNS 查询手动配置的对等机器 'time.windows.com,0x1' 时发生一个错误。
\nNtpClient 将在 30 分钟内重试 NDS 查询。
\n错误为: 套接字操作尝试一个无法连接的主机。 (0x80072751)
\n";
RecordNumber = 662;
SourceName = "W32Time";
TimeGenerated = "20111125091430.000000+480";
TimeWritten = "20111125091430.000000+480";
Type = "错误";
};
TIME_CREATED = "129666572702812500";
};
相关推荐
三、如何使用JInterop获取Windows事件日志 在Java中,我们可以利用JInterop来调用.NET Framework的`System.Diagnostics.EventLog`类,从而读取或写入Windows事件日志。以下是一个简单的示例,演示如何使用JInterop...
而Java开发者有时需要在Java程序中获取Windows系统的详细信息,这时就可以借助于j-Interop库来实现与WMI的交互。本文将深入探讨如何使用j-Interop来连接WMI并获取Windows系统信息。 首先,j-Interop是一个开源项目...
其次,Windows Management Instrumentation (WMI) 是微软提供的一种管理系统和硬件资源的接口,它允许应用程序获取和操作系统的各种信息。在Java中,我们可以使用J-Interop库来与WMI进行交互。J-Interop是一个Java到...
该代码实现了在远程windows主机上 获取进程列表 及进程对应的端口;使用wmi4j 连接远程主机获取进程列表,创建文件夹、共享文件夹、执行netstat -ano输出到aa.txt文件,读取文件、撤销文件夹共享、删除文件夹及aa....
WMI(Windows Management Instrumentation)是微软Windows操作系统提供的一种管理和操作环境,允许应用程序通过标准接口访问和控制操作系统、硬件设备和服务等系统资源的信息。在Java环境中,若要进行WMI调用,通常...
Windows Management Instrumentation(WMI)是Microsoft提供的一种管理系统和应用程序的方法,它允许程序访问和管理Windows操作系统级别的信息。在Java编程中,利用WMI技术可以获取关于系统硬件、软件、网络等多方面...
随着技术的发展,OPC UA(OPC统一架构)出现,它不仅支持Windows平台,还支持跨平台操作,提供更安全、更高效的数据交换机制。 - OPC客户端是通过OPC协议连接到OPC服务器,获取或设置工业设备的数据。它需要实现OPC...
在Windows系统中,可以使用WMI(Windows Management Instrumentation)来查询系统事件日志。在Java中,可以使用Jacob或者其他提供WMI访问的库,比如Jinterop。以下是一个基本的WMI查询示例: ```java import ...
在Windows系统中,常见的IPC方式有管道、共享内存、消息队列、套接字、命名管道、事件、信号量等。在本例中,可能需要使用一种或多种IPC技术来实现对其他程序中超级列表框的控制。 2. **自动化技术**: 为了操作...
SWT通过使用本地窗口系统(如Windows的Win32 API、Mac OS的Cocoa或Unix的X Window System)来实现其功能,而不是像AWT和Swing那样使用Java虚拟机。这种设计使得SWT的应用程序运行速度更快,图形性能更佳。 在Java中...
此外,还可以使用一些第三方库,如JNA(Java Native Access)或JInterop(用于Windows),它们允许Java程序直接调用操作系统API,包括创建快捷方式的功能。这些库提供了更丰富的功能,同时也增加了代码的跨平台性。 ...