#coding=utf8

import copy

import ctypes

from ctypes import byref, POINTER, cast, c_uint64, c_ulong, c_char_p, c_wchar_p

from ctypes.wintypes import BOOL, DWORD, HANDLE, LPVOID, WORD, HKEY, LONG

import datetime

c_uint64_p = POINTER(c_uint64)

c_int_p = POINTER(c_ulong)

LPDWORD = ctypes.POINTER(DWORD)

advapi32 = ctypes.CDLL("advapi32")

def openEventLog(computer=None, channel="Application"):

    param_oel = ((1, 'lpUNCServerName'),(1, 'lpSourceName'))

    _openEventLog = ctypes.WINFUNCTYPE(HANDLE, ctypes.c_wchar_p, ctypes.c_wchar_p)

    openEventlog = _openEventLog(('OpenEventLogW', advapi32), param_oel)

    h = openEventlog(computer, channel)

    return h

def readEventLog(h, flag=9, offset=0):

    class EVENTLOGRECORD(ctypes.Structure):

        _fields_ = [ ('Length', DWORD),('Reserved', DWORD),('RecordNumber',DWORD),('TimeGenerated',DWORD),

        ('TimeWritten',DWORD),('EventID',DWORD),('EventType', WORD),('NumStrings', WORD),('EventCategory',WORD),

        ('ReservedFlags',WORD),('ClosingRecordNumber',DWORD),('StringOffset',DWORD),('UserSidLength',DWORD),

        ('UserSidOffset',DWORD),('DataLength',DWORD),('DataOffset',DWORD)]

    lpBuffer = ctypes.create_string_buffer(5600) # 没找到释放方法(自动释放?)

    param_rel = ((1, 'hEventLog'), (1, 'dwReadFlags'), (1, 'dwRecordOffset'),

        (2, 'lpBuffer', lpBuffer),(1, 'nNumberOfBytesToRead', 5600),

        (2, 'pnBytesRead'),(2, 'pnMinNumberOfBytesNeeded'))#第五个参数默认值怎么设置合适

    _readEventLog = ctypes.WINFUNCTYPE(BOOL, HANDLE, DWORD, DWORD, LPVOID, DWORD, LPDWORD, LPDWORD)

    readEventLog = _readEventLog(('ReadEventLogW', advapi32), param_rel)

    events = readEventLog(h, flag, 0)

    eventlist = []

    max_count = events[1]

    p = events[0]

    length = 0

    while max_count > length:

        p1 = c_char_p(p[length:length+56])

        pevent = cast(p1, POINTER(EVENTLOGRECORD))

        if not pevent[0].Length:

            break

        length += pevent[0].Length

        eventlist.append(pevent[0])

    return eventlist

def closeEventLog(hevent):

    param_rel = ((1, 'hEventLog'),)

    _closeEventLog = ctypes.WINFUNCTYPE(BOOL, HANDLE)

    closeEventLog = _closeEventLog(('ReadEventLogW', advapi32), param_rel)

    return True

def getNumberOfEventLogRecords(hevent):

    param_rel = ((1, 'hEventLog'), (2, 'NumberOfRecords'))

    _getNumberOfEventLogRecords = ctypes.WINFUNCTYPE(BOOL, HANDLE, LPDWORD)

    getNumberOfEventLogRecords = _getNumberOfEventLogRecords(('GetNumberOfEventLogRecords', advapi32), param_rel)

    return getNumberOfEventLogRecords(hevent)

def lookupAccountSid(computer, sid):

    ''' restype: domain, username, account_type'''

    sid = str(sid)

    cchName = DWORD(255)

    cchReferencedDomainName = DWORD(255)

    try:

        NameBuff = ctypes.create_unicode_buffer(255)

        DomainBuff = ctypes.create_unicode_buffer(255)

        paramflags = ((1, 'lpSystemName'), (1, 'lpSid'), (2, 'lpName', NameBuff), (1, 'cchName', byref(cchName)),

                (2, "lpReferencedDomainName", DomainBuff),

                (1, "cchReferencedDomainName", byref(cchReferencedDomainName)), (2, "peUse"))

        pass

        _LookupAccountSid = ctypes.WINFUNCTYPE(BOOL, c_wchar_p, c_wchar_p, c_wchar_p, LPDWORD, c_wchar_p, LPDWORD, c_int_p)

        _LookupAccountSid = _LookupAccountSid(('LookupAccountSidW', advapi32), paramflags)

    except AttributeError as e:

        NameBuff = ctypes.create_string_buffer(255)

        DomainBuff = ctypes.create_string_buffer(255)

        paramflags = ((1, 'lpSystemName'), (1, 'lpSid'), (2, 'lpName', NameBuff), (1, 'cchName', 255),

                (2, "lpReferencedDomainName", DomainBuff), (1, "cchReferencedDomainName", 255), (2, "peUse"))

        _LookupAccountSid = ctypes.WINFUNCTYPE(BOOL, c_char_p, c_char_p, c_char_p, LPDWORD, c_char_p, LPDWORD ,c_int_p)

        _LookupAccountSid = _LookupAccountSid(('LookupAccountSidA', advapi32), paramflags)

#    def _LookupAccountSid_errcheck(result, func, args):

 #       if not result:

  #          raise ctypes.WinError()

   #     return args[2].value, args[1].value, args[3].value

#

 #   _LookupAccountSid.errcheck = _LookupAccountSid_errcheck

    return _LookupAccountSid(computer, sid)

def regEnumKeyEx(hKey):

    lpName = ctypes.create_unicode_buffer(255)

    paramflags = ((1, 'hKey'), (1, 'dwIndex'), (2, 'lpName', lpName), (1, 'ccnName', 255))

    _regEnumKey = ctypes.WINFUNCTYPE(LONG, HKEY, DWORD, c_wchar_p, DWORD)

    regEnumKey = _regEnumKey(('RegEnumKeyW', advapi32), paramflags)

    list1 = []

    i = 0

    s = ''

    while True:

        keyname = regEnumKey(hKey, i)

        if keyname.value != s:

            list1.append(keyname.value)

            s = keyname.value

        else:

            break

        i += 1

    return list1

def regOpenKey(hKey, lpSubKey, ulOptions, samDesired):

    param_rel = ((1, 'hKey'), (1, 'lpSubKey'), (1, 'ulOptions'), (1, 'samDesired'), (2, 'phkResult'))

    _regOpenKeyEx = ctypes.WINFUNCTYPE(LONG, HKEY, c_wchar_p, DWORD, c_ulong, PHKEY)

    regOpenKeyEx = _regOpenKeyEx(('RegOpenKeyExW', advapi32), param_rel)

    return regOpenKeyEx(hKey, lpSubKey, ulOptions, samDesired)

def getNumberOfEventLogRecords(hevent):

    param_rel = ((1, 'hEventLog'), (2, 'NumberOfRecords'))

    _getNumberOfEventLogRecords = ctypes.WINFUNCTYPE(BOOL, HANDLE, PDWORD)

    getNumberOfEventLogRecords = _getNumberOfEventLogRecords(('GetNumberOfEventLogRecords', advapi32), param_rel)

    return getNumberOfEventLogRecords(hevent)

#def _LookupAccountSid_errcheck(result, func, args):

 #   if result != 0:

  #      raise ctypes.WinError()

   # return args

#''

#readEventLog.errcheck = _LookupAccountSid_errcheck

if __name__ == "__main__":

    import pprint

    h = openEventLog()

    print(h)

    # for i in readEventLog(h):

    #     print(i.Length, i.Reserved, i.RecordNumber, i.TimeGenerated, i.TimeWritten, i.EventID, i.EventType, i.NumStrings,

    #         i.EventCategory, i.ReservedFlags, i.ClosingRecordNumber, i.StringOffset, i.UserSidLength, i.UserSidOffset,

    #         i.DataLength, i.DataOffset)

  有些日志位于C:\Windows\System32\winevt\Logs目录下,需要用python第三方包解析,比如想要研究的Microsoft-Windows-TaskScheduler%4Operational.evtx,待研究

wevtutil gl Microsoft-Windows-TaskScheduler/Operational

wevtutil.exe qe Microsoft-Windows-TaskScheduler/Operational "/q:*[System [(EventID=140)]]" /f:text /rd:true /c:100 > c:\sys.txt

查看所有任务: chcp 437|schtasks /Query /fo List /v

查看具体某一任务:schtasks /query /TN test

计划任务保存在C:\Windows\System32\Tasks这个文件夹中

用python查看windows事件日志的方法(待后续研究)的更多相关文章

  1. Python处理Windows事件日志(json)

    通过NXlog将Windows事件日志保存为json格式文件,然后在Python中使用json.loads()进行处理. NXlog在将Windows事件日志保存为json格式文件,文件中带入了BOM ...

  2. 使用EventLog类写Windows事件日志

    在程序中经常需要将指定的信息(包括异常信息和正常处理信息)写到日志中.在C#3.0中可以使用EventLog类将各种信息直接写入Windows日志.EventLog类在System.Diagnosti ...

  3. .NET 操作 EventLog(Windows事件日志监控)(转载)

    操作Windows日志:EventLog 如果要在.NET Core控制台项目中使用EventLog(Windows事件日志监控),首先需要下载Nuget包: System.Diagnostics.E ...

  4. Syslog和Windows事件日志收集

    Syslog和Windows事件日志收集 EventLog Analyzer从分布式Windows设备收集事件日志,或从分布式Linux和UNIX设备.交换机和路由器(Cisco)收集syslog.事 ...

  5. 为什么要使用日志管理?syslog和Windows事件日志

    为什么要使用日志管理?syslog和Windows事件日志 日志管理 - 确保网络安全的先决条件 日志给予您有关网络活动的第一手信息.日志管理确保日志中隐藏的网络活动数据转换为有意义的可操作的安全信息 ...

  6. .NET拾忆:EventLog(Windows事件日志监控)

    操作Windows日志:EventLog 1:事件日志名(logName):“事件查看器”中的每一项,如“应用程序”.“Internet Explorer”.“安全性”和“系统”都是日志(严格地说是日 ...

  7. C#操作windows事件日志项

    /// <summary> /// 指定事件日志项的事件类型 /// </summary> public enum EventLogLevel { /// <summar ...

  8. SQL Server 无法生成 FRunCM 线程。请查看 SQL Server 错误日志和 Windows 事件日志

    1.IP地址配置不正确: 打开 Microsoft SQL Server 2005配置工具下的SQL Server Configuration Manager,选择MSSQLSERVER协议, 然后双 ...

  9. Zabbix监控Windows事件日志

    1.zabbix_agentd.win文件修改: LogFile=c:\zabbix\zabbix_agentd.log Server=1.16.2.4 ServerActive=1.16.2.4 H ...

随机推荐

  1. 使用sharepoint里Open with explorer功能

    使用这个功能时,遇到几个问题: 1. 当点击library时,ie报错:A problem with this webpage caused Internet Explorer to close an ...

  2. Logstash 解析Json字符串,删除json嵌套字段

    一.场景:此文以一个简单的json字符串文件为例,描述如何用logstash解析嵌套的json,并删除其中的某些字段 我们在linux中test.json的内容如下: {"timestamp ...

  3. java反射出字段信息和值

    /** * */ package test; import java.lang.reflect.Field; import java.lang.reflect.Modifier; /** * @aut ...

  4. 【tools】vim删除命令

    x 删除当前光标下的字符dw 删除光标之后的单词剩余部分.d$ 删除光标之后的该行剩余部分.dd 删除当前行. c 功能和d相同,区别在于完成删除操作后进入INSERT MODEcc 也是删除当前行, ...

  5. Scala进阶之路-Scala中的高级类型

    Scala进阶之路-Scala中的高级类型 作者:尹正杰 版权声明:原创作品,谢绝转载!否则将追究法律责任. 一.类型(Type)与类(Class)的区别 在Java里,一直到jdk1.5之前,我们说 ...

  6. webpack配置说明

    webpack是一个现代JavaScript应用程序的静态模块打包器. 它有几个核心概念: 一.entry(入口) 指示webpack应该使用哪个模块,来作为构建其内部依赖图的开始, 可以在webpa ...

  7. Study 4 —— 数据类型(1)

    基本类型数字字符串布尔 数字 整数 int    在32位机器上,整数的位数为32位,取值范围为-2**31~2**30    在64位机器上,整数的位数为64位,取值范围为-2**63~2**62 ...

  8. HDU - 3002 King of Destruction(最小割)

    http://acm.hdu.edu.cn/showproblem.php?pid=3002   最小割模板 #include<iostream> #include<cmath> ...

  9. 解决idea中找不到程序包和找不到符号的问题

    问题如图: 解决方法: 将三处编码都设置成UTF-8,亲测有效 本人也是拜读大佬博客后解决的: http://www.cnblogs.com/wzhanke/p/4747966.html

  10. u-boot移植(一)---准备工作

    一.工具链的制作 1.1 工具 软件工具:crosstool-ng 下载地址:git clone https://github.com/crosstool-ng/crosstool-ng crosst ...