Windows PowerShell 导出指定时间的所有事件
以下脚本来自 Claude，拷贝到 ISE 中后修改 $StartTime 和 $EndTime，然后执行即可导出事件。导出格式为 txt 和 csv 两种。普通账户和管理员账户都能执行，但部分日志只有管理员账户才能访问，以普通账户执行时这些日志会报错。
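# Windows event log export script - fixed time window.
# Exports every event from every readable log that falls inside
# [$StartTime, $EndTime] to a text report plus a CSV file, then writes
# per-log / per-level / per-10-minute statistics to the report.
#
# Edit $StartTime and $EndTime below, then run in ISE or a console.
# Logs the current account cannot query are listed in the report
# instead of being skipped silently (most of them need an elevated
# session).

# --- Output locations ----------------------------------------------------
# One timestamp for both files so the .txt and .csv names always pair up
# (two separate Get-Date calls could straddle a second boundary).
$RunStamp = Get-Date -Format 'yyyyMMdd_HHmmss'
# Exported logs carry account names, host names and message bodies; use a
# directory whose ACL is limited to the people who need the report.
$OutputDir = 'C:\Temp'
$OutputFile = Join-Path $OutputDir "EventLogs_$RunStamp.txt"
$CSVFile = Join-Path $OutputDir "EventLogs_$RunStamp.csv"

# Create the output directory if needed; Out-Null discards the DirectoryInfo
# object New-Item would otherwise print to the console.
if (!(Test-Path -LiteralPath $OutputDir)) {
  New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
}

# --- Query window (edit these two values) ---------------------------------
$StartTime = '2024-06-09 18:00:00'
$EndTime = '2024-06-09 19:00:00'
# Parse once so a malformed value fails here, not once per log inside the
# loop, and so the window can be sanity-checked before any work is done.
$StartDate = [datetime]$StartTime
$EndDate = [datetime]$EndTime
if ($EndDate -le $StartDate) {
  throw "EndTime ($EndTime) must be later than StartTime ($StartTime)"
}

# Longest message body kept in the CSV Message column; the .txt report
# always keeps the full message.
$MaxMessageLength = 200

Write-Host "开始搜索事件日志..." -ForegroundColor Yellow
Write-Host "时间范围: $StartTime 到 $EndTime" -ForegroundColor Yellow
Write-Host "输出文件: $OutputFile" -ForegroundColor Yellow

# Appends one line per pipeline input to the report, so every write uses
# the same path, mode and encoding.
function Write-Report {
  param([Parameter(ValueFromPipeline = $true)][string]$Line)
  process { $Line | Out-File -FilePath $OutputFile -Append -Encoding UTF8 }
}

# Initialise the report (no -Append: this line creates/truncates the file).
"Windows事件日志分析报告" | Out-File -FilePath $OutputFile -Encoding UTF8
"==============================" | Write-Report
"查询时间范围: $StartTime 到 $EndTime" | Write-Report
"生成时间: $(Get-Date)" | Write-Report
"==============================`n" | Write-Report

# Generic List instead of `$AllEvents += ...`: += copies the whole array on
# every event, which is quadratic over tens of thousands of events.
$AllEvents = New-Object System.Collections.Generic.List[object]
# Logs that could not be queried (typically access denied without
# elevation); listed in the report so the gaps in coverage are visible.
$FailedLogs = New-Object System.Collections.Generic.List[string]

# Every log that currently holds records. @() keeps .Count valid when the
# result is a single log or nothing at all.
$logs = @(Get-WinEvent -ListLog * | Where-Object { $_.RecordCount -gt 0 })
$totalLogs = $logs.Count
$currentLog = 0

foreach ($log in $logs) {
  $currentLog++
  Write-Progress -Activity "搜索事件日志" -Status "处理: $($log.LogName)" -PercentComplete (($currentLog / $totalLogs) * 100)
  $events = @()
  try {
    # -ErrorAction Stop turns "cannot read this log" into an exception that
    # is recorded below; SilentlyContinue hid it together with the harmless
    # "no events" case, so the catch block never saw it.
    $events = @(Get-WinEvent -FilterHashtable @{
      LogName   = $log.LogName
      StartTime = $StartDate
      EndTime   = $EndDate
    } -ErrorAction Stop)
  }
  catch {
    # NoMatchingEventsFound is Get-WinEvent's ordinary empty result; anything
    # else (access denied, unreadable log, ...) is recorded, not swallowed.
    if ($_.FullyQualifiedErrorId -notmatch 'NoMatchingEventsFound') {
      $FailedLogs.Add("$($log.LogName): $($_.Exception.Message)")
      Write-Warning "无法读取 $($log.LogName): $($_.Exception.Message)"
    }
    continue
  }
  if ($events.Count -eq 0) { continue }

  "`n=== $($log.LogName) ===" | Write-Report
  "事件数量: $($events.Count)" | Write-Report
  "-" * 50 | Write-Report

  # $evt rather than $event: $event is a PowerShell automatic variable.
  foreach ($evt in $events) {
    # Message is $null when the provider's message resource is missing; the
    # [string] cast turns that into "" so the string methods below are safe.
    $flatMessage = ([string]$evt.Message) -replace "`r`n", " " -replace "`n", " "
    $eventInfo = @"
时间: $($evt.TimeCreated)
事件ID: $($evt.Id)
级别: $($evt.LevelDisplayName)
提供程序: $($evt.ProviderName)
消息: $flatMessage
$("-" * 30)
"@
    $eventInfo | Write-Report
    # Truncate using the *flattened* length. The original measured the raw
    # message, whose CRLFs had already been collapsed to single spaces, so
    # Substring threw for any short multi-line message and the empty catch
    # block then dropped the rest of that log's events without a trace.
    $csvMessage = $flatMessage.Substring(0, [Math]::Min($MaxMessageLength, $flatMessage.Length))
    $AllEvents.Add([PSCustomObject]@{
      LogName      = $log.LogName
      TimeCreated  = $evt.TimeCreated
      EventId      = $evt.Id
      Level        = $evt.LevelDisplayName
      ProviderName = $evt.ProviderName
      Message      = $csvMessage
    })
  }
}
Write-Progress -Activity "搜索事件日志" -Completed

# --- CSV export and summary -----------------------------------------------
if ($AllEvents.Count -gt 0) {
  $AllEvents | Export-Csv -Path $CSVFile -NoTypeInformation -Encoding UTF8

  $byLog = @($AllEvents | Group-Object LogName)
  "`n`n=== 汇总信息 ===" | Write-Report
  "总事件数: $($AllEvents.Count)" | Write-Report
  # The original left `.Count` outside the $( ) subexpression, so the report
  # literally contained the type name followed by ".Count".
  "涉及日志数: $($byLog.Count)" | Write-Report

  "`n按日志类型统计:" | Write-Report
  $byLog | Sort-Object Count -Descending | ForEach-Object {
    "$($_.Name): $($_.Count) 条事件" | Write-Report
  }

  "`n按事件级别统计:" | Write-Report
  $AllEvents | Group-Object Level | Sort-Object Count -Descending | ForEach-Object {
    "$($_.Name): $($_.Count) 条事件" | Write-Report
  }

  # 10-minute buckets. Round the minute down arithmetically and keep the date
  # in the key; truncating "HH:mm" to "HH:m0" merged the same clock slot from
  # different days whenever the window spanned midnight.
  "`n按时间分布统计:" | Write-Report
  $AllEvents | ForEach-Object {
    $t = $_.TimeCreated
    if ($null -eq $t) { return }
    $slotStart = $t.AddMinutes(-($t.Minute % 10))
    [PSCustomObject]@{ TimeSlot = $slotStart.ToString('yyyy-MM-dd HH:mm') }
  } | Group-Object TimeSlot | Sort-Object Name | ForEach-Object {
    "$($_.Name): $($_.Count) 条事件" | Write-Report
  }
}

# Logs that could not be queried go at the end of the report so a reader
# knows which sources are missing from the figures above.
if ($FailedLogs.Count -gt 0) {
  "`n=== 无法读取的日志 ($($FailedLogs.Count)) ===" | Write-Report
  $FailedLogs | Write-Report
}

Write-Host "`n搜索完成!" -ForegroundColor Green
Write-Host "详细报告已保存到: $OutputFile" -ForegroundColor Green
if ($AllEvents.Count -gt 0) {
  # The CSV only exists when at least one event was collected.
  Write-Host "CSV数据已保存到: $CSVFile" -ForegroundColor Green
  Write-Host "共找到 $($AllEvents.Count) 条事件" -ForegroundColor Green
  # Ten most frequent event IDs across all logs.
  Write-Host "`n最常见的事件ID:" -ForegroundColor Cyan
  $AllEvents | Group-Object EventId | Sort-Object Count -Descending | Select-Object -First 10 | ForEach-Object {
    Write-Host "事件ID $($_.Name): $($_.Count) 次" -ForegroundColor White
  }
} else {
  Write-Host "在指定时间范围内未找到任何事件" -ForegroundColor Yellow
}
if ($FailedLogs.Count -gt 0) {
  Write-Host "有 $($FailedLogs.Count) 个日志无法读取(详见报告末尾)" -ForegroundColor Yellow
}
# Open the output folder in Explorer.
Invoke-Item $OutputDir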