#coding=utf8

import copy

import ctypes

from ctypes import byref, POINTER, cast, c_uint64, c_ulong, c_char_p, c_wchar_p

from ctypes.wintypes import BOOL, DWORD, HANDLE, LPVOID, WORD, HKEY, LONG

import datetime

c_uint64_p = POINTER(c_uint64)

c_int_p = POINTER(c_ulong)

LPDWORD = ctypes.POINTER(DWORD)

advapi32 = ctypes.CDLL("advapi32")

def openEventLog(computer=None, channel="Application"):

    param_oel = ((1, 'lpUNCServerName'),(1, 'lpSourceName'))

    _openEventLog = ctypes.WINFUNCTYPE(HANDLE, ctypes.c_wchar_p, ctypes.c_wchar_p)

    openEventlog = _openEventLog(('OpenEventLogW', advapi32), param_oel)

    h = openEventlog(computer, channel)

    return h

def readEventLog(h, flag=9, offset=0):

    class EVENTLOGRECORD(ctypes.Structure):

        _fields_ = [ ('Length', DWORD),('Reserved', DWORD),('RecordNumber',DWORD),('TimeGenerated',DWORD),

        ('TimeWritten',DWORD),('EventID',DWORD),('EventType', WORD),('NumStrings', WORD),('EventCategory',WORD),

        ('ReservedFlags',WORD),('ClosingRecordNumber',DWORD),('StringOffset',DWORD),('UserSidLength',DWORD),

        ('UserSidOffset',DWORD),('DataLength',DWORD),('DataOffset',DWORD)]

    lpBuffer = ctypes.create_string_buffer(5600) # 没找到释放方法(自动释放?)

    param_rel = ((1, 'hEventLog'), (1, 'dwReadFlags'), (1, 'dwRecordOffset'),

        (2, 'lpBuffer', lpBuffer),(1, 'nNumberOfBytesToRead', 5600),

        (2, 'pnBytesRead'),(2, 'pnMinNumberOfBytesNeeded'))#第五个参数默认值怎么设置合适

    _readEventLog = ctypes.WINFUNCTYPE(BOOL, HANDLE, DWORD, DWORD, LPVOID, DWORD, LPDWORD, LPDWORD)

    readEventLog = _readEventLog(('ReadEventLogW', advapi32), param_rel)

    events = readEventLog(h, flag, 0)

    eventlist = []

    max_count = events[1]

    p = events[0]

    length = 0

    while max_count > length:

        p1 = c_char_p(p[length:length+56])

        pevent = cast(p1, POINTER(EVENTLOGRECORD))

        if not pevent[0].Length:

            break

        length += pevent[0].Length

        eventlist.append(pevent[0])

    return eventlist

def closeEventLog(hevent):

    param_rel = ((1, 'hEventLog'),)

    _closeEventLog = ctypes.WINFUNCTYPE(BOOL, HANDLE)

    closeEventLog = _closeEventLog(('ReadEventLogW', advapi32), param_rel)

    return True

def getNumberOfEventLogRecords(hevent):

    param_rel = ((1, 'hEventLog'), (2, 'NumberOfRecords'))

    _getNumberOfEventLogRecords = ctypes.WINFUNCTYPE(BOOL, HANDLE, LPDWORD)

    getNumberOfEventLogRecords = _getNumberOfEventLogRecords(('GetNumberOfEventLogRecords', advapi32), param_rel)

    return getNumberOfEventLogRecords(hevent)

def lookupAccountSid(computer, sid):

    ''' restype: domain, username, account_type'''

    sid = str(sid)

    cchName = DWORD(255)

    cchReferencedDomainName = DWORD(255)

    try:

        NameBuff = ctypes.create_unicode_buffer(255)

        DomainBuff = ctypes.create_unicode_buffer(255)

        paramflags = ((1, 'lpSystemName'), (1, 'lpSid'), (2, 'lpName', NameBuff), (1, 'cchName', byref(cchName)),

                (2, "lpReferencedDomainName", DomainBuff),

                (1, "cchReferencedDomainName", byref(cchReferencedDomainName)), (2, "peUse"))

        pass

        _LookupAccountSid = ctypes.WINFUNCTYPE(BOOL, c_wchar_p, c_wchar_p, c_wchar_p, LPDWORD, c_wchar_p, LPDWORD, c_int_p)

        _LookupAccountSid = _LookupAccountSid(('LookupAccountSidW', advapi32), paramflags)

    except AttributeError as e:

        NameBuff = ctypes.create_string_buffer(255)

        DomainBuff = ctypes.create_string_buffer(255)

        paramflags = ((1, 'lpSystemName'), (1, 'lpSid'), (2, 'lpName', NameBuff), (1, 'cchName', 255),

                (2, "lpReferencedDomainName", DomainBuff), (1, "cchReferencedDomainName", 255), (2, "peUse"))

        _LookupAccountSid = ctypes.WINFUNCTYPE(BOOL, c_char_p, c_char_p, c_char_p, LPDWORD, c_char_p, LPDWORD ,c_int_p)

        _LookupAccountSid = _LookupAccountSid(('LookupAccountSidA', advapi32), paramflags)

#    def _LookupAccountSid_errcheck(result, func, args):

 #       if not result:

  #          raise ctypes.WinError()

   #     return args[2].value, args[1].value, args[3].value

#

 #   _LookupAccountSid.errcheck = _LookupAccountSid_errcheck

    return _LookupAccountSid(computer, sid)

def regEnumKeyEx(hKey):

    lpName = ctypes.create_unicode_buffer(255)

    paramflags = ((1, 'hKey'), (1, 'dwIndex'), (2, 'lpName', lpName), (1, 'ccnName', 255))

    _regEnumKey = ctypes.WINFUNCTYPE(LONG, HKEY, DWORD, c_wchar_p, DWORD)

    regEnumKey = _regEnumKey(('RegEnumKeyW', advapi32), paramflags)

    list1 = []

    i = 0

    s = ''

    while True:

        keyname = regEnumKey(hKey, i)

        if keyname.value != s:

            list1.append(keyname.value)

            s = keyname.value

        else:

            break

        i += 1

    return list1

def regOpenKey(hKey, lpSubKey, ulOptions, samDesired):

    param_rel = ((1, 'hKey'), (1, 'lpSubKey'), (1, 'ulOptions'), (1, 'samDesired'), (2, 'phkResult'))

    _regOpenKeyEx = ctypes.WINFUNCTYPE(LONG, HKEY, c_wchar_p, DWORD, c_ulong, PHKEY)

    regOpenKeyEx = _regOpenKeyEx(('RegOpenKeyExW', advapi32), param_rel)

    return regOpenKeyEx(hKey, lpSubKey, ulOptions, samDesired)

def getNumberOfEventLogRecords(hevent):

    param_rel = ((1, 'hEventLog'), (2, 'NumberOfRecords'))

    _getNumberOfEventLogRecords = ctypes.WINFUNCTYPE(BOOL, HANDLE, PDWORD)

    getNumberOfEventLogRecords = _getNumberOfEventLogRecords(('GetNumberOfEventLogRecords', advapi32), param_rel)

    return getNumberOfEventLogRecords(hevent)

#def _LookupAccountSid_errcheck(result, func, args):

 #   if result != 0:

  #      raise ctypes.WinError()

   # return args

#''

#readEventLog.errcheck = _LookupAccountSid_errcheck

if __name__ == "__main__":

    import pprint

    h = openEventLog()

    print(h)

    # for i in readEventLog(h):

    #     print(i.Length, i.Reserved, i.RecordNumber, i.TimeGenerated, i.TimeWritten, i.EventID, i.EventType, i.NumStrings,

    #         i.EventCategory, i.ReservedFlags, i.ClosingRecordNumber, i.StringOffset, i.UserSidLength, i.UserSidOffset,

    #         i.DataLength, i.DataOffset)

  有些日志位于C:\Windows\System32\winevt\Logs目录下,需要用python第三方包解析,比如想要研究的Microsoft-Windows-TaskScheduler%4Operational.evtx,待研究

wevtutil gl Microsoft-Windows-TaskScheduler/Operational

wevtutil.exe qe Microsoft-Windows-TaskScheduler/Operational "/q:*[System [(EventID=140)]]" /f:text /rd:true /c:100 > c:\sys.txt

查看所有任务: chcp 437|schtasks /Query /fo List /v

查看具体某一任务:schtasks /query /TN test

计划任务保存在C:\Windows\System32\Tasks这个文件夹中

用python查看windows事件日志的方法(待后续研究)的更多相关文章

  1. Python处理Windows事件日志(json)

    通过NXlog将Windows事件日志保存为json格式文件,然后在Python中使用json.loads()进行处理. NXlog在将Windows事件日志保存为json格式文件,文件中带入了BOM ...

  2. 使用EventLog类写Windows事件日志

    在程序中经常需要将指定的信息(包括异常信息和正常处理信息)写到日志中.在C#3.0中可以使用EventLog类将各种信息直接写入Windows日志.EventLog类在System.Diagnosti ...

  3. .NET 操作 EventLog(Windows事件日志监控)(转载)

    操作Windows日志:EventLog 如果要在.NET Core控制台项目中使用EventLog(Windows事件日志监控),首先需要下载Nuget包: System.Diagnostics.E ...

  4. Syslog和Windows事件日志收集

    Syslog和Windows事件日志收集 EventLog Analyzer从分布式Windows设备收集事件日志,或从分布式Linux和UNIX设备.交换机和路由器(Cisco)收集syslog.事 ...

  5. 为什么要使用日志管理?syslog和Windows事件日志

    为什么要使用日志管理?syslog和Windows事件日志 日志管理 - 确保网络安全的先决条件 日志给予您有关网络活动的第一手信息.日志管理确保日志中隐藏的网络活动数据转换为有意义的可操作的安全信息 ...

  6. .NET拾忆:EventLog(Windows事件日志监控)

    操作Windows日志:EventLog 1:事件日志名(logName):“事件查看器”中的每一项,如“应用程序”.“Internet Explorer”.“安全性”和“系统”都是日志(严格地说是日 ...

  7. C#操作windows事件日志项

    /// <summary> /// 指定事件日志项的事件类型 /// </summary> public enum EventLogLevel { /// <summar ...

  8. SQL Server 无法生成 FRunCM 线程。请查看 SQL Server 错误日志和 Windows 事件日志

    1.IP地址配置不正确: 打开 Microsoft SQL Server 2005配置工具下的SQL Server Configuration Manager,选择MSSQLSERVER协议, 然后双 ...

  9. Zabbix监控Windows事件日志

    1.zabbix_agentd.win文件修改: LogFile=c:\zabbix\zabbix_agentd.log Server=1.16.2.4 ServerActive=1.16.2.4 H ...

随机推荐

  1. 【转】 cJSON 源码解析

    关于cjson的介绍和使用方法就不在这里介绍了,详情请查看上一篇博客cjson使用方法. JSON的内存结构像广义表,可以认为是有层次的双向链表. cJSON程序中的细节点如下: 大量宏替换 大量静态 ...

  2. FFMEPG -- A ffmpeg and SDL Tutorial : tutorial05

    修改了同步播放ffmpeg问题.并且增加可以放大视频. // tutorial05.c // A pedagogical video player that really works! // // C ...

  3. Java读取“桌面”、“我的文档”路径的方法

    读取“桌面”的方法: javax.swing.filechooser.FileSystemView fsv = javax.swing.filechooser.FileSystemView.getFi ...

  4. react中跨域请求天气预报接口数据

    背景故事:同源策略(Same origin policy)是一种约定,它是浏览器最核心也最基本的安全功能, 如果缺少了同源策略,则浏览器的正常功能可能都会受到影响.可以说Web是构建在同源策略基础之上 ...

  5. python3之rabbitMQ

    1.RabbitMQ介绍 RabbitMQ是一个由erlang开发的AMQP(Advanced Message Queue )的开源实现.AMQP 的出现其实也是应了广大人民群众的需求,虽然在同步消息 ...

  6. CRC-16的原理和实现

    CRC的全称为Cyclic Redundancy Check,中文名称为循环冗余校验.它是一类重要的线性分组码,编码和解码方法简单,检错和纠错能力强,在通信领域广泛地用于实现差错控制.实际上,除 数据 ...

  7. hdu 2874(裸LCA)

    传送门:Problem 2874 https://www.cnblogs.com/violet-acmer/p/9686774.html 改了一晚上bug,悲伤辣么大,明天再补详细题解 题解: 题目中 ...

  8. DOM表单(复选框)

    在表单中,尤为重要的一个属性是name <!--复选框的全选.全不选.反选--> <!DOCTYPE> <html> <head lang="en& ...

  9. Linux中的Diff和Patch

    本文主要记录两个命令的学习情况:diff 和 patch.diff 和 patch 是一对工具,使用这对工具可以获取更新文件与历史文件的差异,并将更新应用到历史文件上.在数学上说,diff就是对两个集 ...

  10. maveb安装与配置(win10)

    转载:https://www.cnblogs.com/eagle6688/p/7838224.html 看了几篇博客,感觉这篇博客写的含金量最高了,因为我电脑的系统是win10的,所以配置有细微的差别 ...