#coding=utf8

import copy

import ctypes

from ctypes import byref, POINTER, cast, c_uint64, c_ulong, c_char_p, c_wchar_p

from ctypes.wintypes import BOOL, DWORD, HANDLE, LPVOID, WORD, HKEY, LONG

import datetime

c_uint64_p = POINTER(c_uint64)

c_int_p = POINTER(c_ulong)

LPDWORD = ctypes.POINTER(DWORD)

advapi32 = ctypes.CDLL("advapi32")

def openEventLog(computer=None, channel="Application"):

    param_oel = ((1, 'lpUNCServerName'),(1, 'lpSourceName'))

    _openEventLog = ctypes.WINFUNCTYPE(HANDLE, ctypes.c_wchar_p, ctypes.c_wchar_p)

    openEventlog = _openEventLog(('OpenEventLogW', advapi32), param_oel)

    h = openEventlog(computer, channel)

    return h

def readEventLog(h, flag=9, offset=0):

    class EVENTLOGRECORD(ctypes.Structure):

        _fields_ = [ ('Length', DWORD),('Reserved', DWORD),('RecordNumber',DWORD),('TimeGenerated',DWORD),

        ('TimeWritten',DWORD),('EventID',DWORD),('EventType', WORD),('NumStrings', WORD),('EventCategory',WORD),

        ('ReservedFlags',WORD),('ClosingRecordNumber',DWORD),('StringOffset',DWORD),('UserSidLength',DWORD),

        ('UserSidOffset',DWORD),('DataLength',DWORD),('DataOffset',DWORD)]

    lpBuffer = ctypes.create_string_buffer(5600) # 没找到释放方法(自动释放?)

    param_rel = ((1, 'hEventLog'), (1, 'dwReadFlags'), (1, 'dwRecordOffset'),

        (2, 'lpBuffer', lpBuffer),(1, 'nNumberOfBytesToRead', 5600),

        (2, 'pnBytesRead'),(2, 'pnMinNumberOfBytesNeeded'))#第五个参数默认值怎么设置合适

    _readEventLog = ctypes.WINFUNCTYPE(BOOL, HANDLE, DWORD, DWORD, LPVOID, DWORD, LPDWORD, LPDWORD)

    readEventLog = _readEventLog(('ReadEventLogW', advapi32), param_rel)

    events = readEventLog(h, flag, 0)

    eventlist = []

    max_count = events[1]

    p = events[0]

    length = 0

    while max_count > length:

        p1 = c_char_p(p[length:length+56])

        pevent = cast(p1, POINTER(EVENTLOGRECORD))

        if not pevent[0].Length:

            break

        length += pevent[0].Length

        eventlist.append(pevent[0])

    return eventlist

def closeEventLog(hevent):

    param_rel = ((1, 'hEventLog'),)

    _closeEventLog = ctypes.WINFUNCTYPE(BOOL, HANDLE)

    closeEventLog = _closeEventLog(('ReadEventLogW', advapi32), param_rel)

    return True

def getNumberOfEventLogRecords(hevent):

    param_rel = ((1, 'hEventLog'), (2, 'NumberOfRecords'))

    _getNumberOfEventLogRecords = ctypes.WINFUNCTYPE(BOOL, HANDLE, LPDWORD)

    getNumberOfEventLogRecords = _getNumberOfEventLogRecords(('GetNumberOfEventLogRecords', advapi32), param_rel)

    return getNumberOfEventLogRecords(hevent)

def lookupAccountSid(computer, sid):

    ''' restype: domain, username, account_type'''

    sid = str(sid)

    cchName = DWORD(255)

    cchReferencedDomainName = DWORD(255)

    try:

        NameBuff = ctypes.create_unicode_buffer(255)

        DomainBuff = ctypes.create_unicode_buffer(255)

        paramflags = ((1, 'lpSystemName'), (1, 'lpSid'), (2, 'lpName', NameBuff), (1, 'cchName', byref(cchName)),

                (2, "lpReferencedDomainName", DomainBuff),

                (1, "cchReferencedDomainName", byref(cchReferencedDomainName)), (2, "peUse"))

        pass

        _LookupAccountSid = ctypes.WINFUNCTYPE(BOOL, c_wchar_p, c_wchar_p, c_wchar_p, LPDWORD, c_wchar_p, LPDWORD, c_int_p)

        _LookupAccountSid = _LookupAccountSid(('LookupAccountSidW', advapi32), paramflags)

    except AttributeError as e:

        NameBuff = ctypes.create_string_buffer(255)

        DomainBuff = ctypes.create_string_buffer(255)

        paramflags = ((1, 'lpSystemName'), (1, 'lpSid'), (2, 'lpName', NameBuff), (1, 'cchName', 255),

                (2, "lpReferencedDomainName", DomainBuff), (1, "cchReferencedDomainName", 255), (2, "peUse"))

        _LookupAccountSid = ctypes.WINFUNCTYPE(BOOL, c_char_p, c_char_p, c_char_p, LPDWORD, c_char_p, LPDWORD ,c_int_p)

        _LookupAccountSid = _LookupAccountSid(('LookupAccountSidA', advapi32), paramflags)

#    def _LookupAccountSid_errcheck(result, func, args):

 #       if not result:

  #          raise ctypes.WinError()

   #     return args[2].value, args[1].value, args[3].value

#

 #   _LookupAccountSid.errcheck = _LookupAccountSid_errcheck

    return _LookupAccountSid(computer, sid)

def regEnumKeyEx(hKey):

    lpName = ctypes.create_unicode_buffer(255)

    paramflags = ((1, 'hKey'), (1, 'dwIndex'), (2, 'lpName', lpName), (1, 'ccnName', 255))

    _regEnumKey = ctypes.WINFUNCTYPE(LONG, HKEY, DWORD, c_wchar_p, DWORD)

    regEnumKey = _regEnumKey(('RegEnumKeyW', advapi32), paramflags)

    list1 = []

    i = 0

    s = ''

    while True:

        keyname = regEnumKey(hKey, i)

        if keyname.value != s:

            list1.append(keyname.value)

            s = keyname.value

        else:

            break

        i += 1

    return list1

def regOpenKey(hKey, lpSubKey, ulOptions, samDesired):

    param_rel = ((1, 'hKey'), (1, 'lpSubKey'), (1, 'ulOptions'), (1, 'samDesired'), (2, 'phkResult'))

    _regOpenKeyEx = ctypes.WINFUNCTYPE(LONG, HKEY, c_wchar_p, DWORD, c_ulong, PHKEY)

    regOpenKeyEx = _regOpenKeyEx(('RegOpenKeyExW', advapi32), param_rel)

    return regOpenKeyEx(hKey, lpSubKey, ulOptions, samDesired)

def getNumberOfEventLogRecords(hevent):

    param_rel = ((1, 'hEventLog'), (2, 'NumberOfRecords'))

    _getNumberOfEventLogRecords = ctypes.WINFUNCTYPE(BOOL, HANDLE, PDWORD)

    getNumberOfEventLogRecords = _getNumberOfEventLogRecords(('GetNumberOfEventLogRecords', advapi32), param_rel)

    return getNumberOfEventLogRecords(hevent)

#def _LookupAccountSid_errcheck(result, func, args):

 #   if result != 0:

  #      raise ctypes.WinError()

   # return args

#''

#readEventLog.errcheck = _LookupAccountSid_errcheck

if __name__ == "__main__":

    import pprint

    h = openEventLog()

    print(h)

    # for i in readEventLog(h):

    #     print(i.Length, i.Reserved, i.RecordNumber, i.TimeGenerated, i.TimeWritten, i.EventID, i.EventType, i.NumStrings,

    #         i.EventCategory, i.ReservedFlags, i.ClosingRecordNumber, i.StringOffset, i.UserSidLength, i.UserSidOffset,

    #         i.DataLength, i.DataOffset)

  有些日志位于C:\Windows\System32\winevt\Logs目录下,需要用python第三方包解析,比如想要研究的Microsoft-Windows-TaskScheduler%4Operational.evtx,待研究

wevtutil gl Microsoft-Windows-TaskScheduler/Operational

wevtutil.exe qe Microsoft-Windows-TaskScheduler/Operational "/q:*[System [(EventID=140)]]" /f:text /rd:true /c:100 > c:\sys.txt

查看所有任务: chcp 437|schtasks /Query /fo List /v

查看具体某一任务:schtasks /query /TN test

计划任务保存在C:\Windows\System32\Tasks这个文件夹中

用python查看windows事件日志的方法(待后续研究)的更多相关文章

  1. Python处理Windows事件日志(json)

    通过NXlog将Windows事件日志保存为json格式文件,然后在Python中使用json.loads()进行处理. NXlog在将Windows事件日志保存为json格式文件,文件中带入了BOM ...

  2. 使用EventLog类写Windows事件日志

    在程序中经常需要将指定的信息(包括异常信息和正常处理信息)写到日志中.在C#3.0中可以使用EventLog类将各种信息直接写入Windows日志.EventLog类在System.Diagnosti ...

  3. .NET 操作 EventLog(Windows事件日志监控)(转载)

    操作Windows日志:EventLog 如果要在.NET Core控制台项目中使用EventLog(Windows事件日志监控),首先需要下载Nuget包: System.Diagnostics.E ...

  4. Syslog和Windows事件日志收集

    Syslog和Windows事件日志收集 EventLog Analyzer从分布式Windows设备收集事件日志,或从分布式Linux和UNIX设备.交换机和路由器(Cisco)收集syslog.事 ...

  5. 为什么要使用日志管理?syslog和Windows事件日志

    为什么要使用日志管理?syslog和Windows事件日志 日志管理 - 确保网络安全的先决条件 日志给予您有关网络活动的第一手信息.日志管理确保日志中隐藏的网络活动数据转换为有意义的可操作的安全信息 ...

  6. .NET拾忆:EventLog(Windows事件日志监控)

    操作Windows日志:EventLog 1:事件日志名(logName):“事件查看器”中的每一项,如“应用程序”.“Internet Explorer”.“安全性”和“系统”都是日志(严格地说是日 ...

  7. C#操作windows事件日志项

    /// <summary> /// 指定事件日志项的事件类型 /// </summary> public enum EventLogLevel { /// <summar ...

  8. SQL Server 无法生成 FRunCM 线程。请查看 SQL Server 错误日志和 Windows 事件日志

    1.IP地址配置不正确: 打开 Microsoft SQL Server 2005配置工具下的SQL Server Configuration Manager,选择MSSQLSERVER协议, 然后双 ...

  9. Zabbix监控Windows事件日志

    1.zabbix_agentd.win文件修改: LogFile=c:\zabbix\zabbix_agentd.log Server=1.16.2.4 ServerActive=1.16.2.4 H ...

随机推荐

  1. 洛谷 P1054 等价表达式 解题报告

    P1054 等价表达式 题目描述 明明进了中学之后,学到了代数表达式.有一天,他碰到一个很麻烦的选择题.这个题目的题干中首先给出了一个代数表达式,然后列出了若干选项,每个选项也是一个代数表达式,题目的 ...

  2. .NET:C# 如何实现的闭包?

    背景 C# 在编译器层面为我们提供了闭包机制(Java7 和 Go 也是这种思路),本文简单的做个解释. 背景知识 你必须了解:引用类型.值类型.引用.对象.值类型的值(简称值). 关于引用.对象和值 ...

  3. (HDU 1542) Atlantis 矩形面积并——扫描线

    n个矩形,可以重叠,求面积并. n<=100: 暴力模拟扫描线.模拟赛大水题.(n^2) 甚至网上一种“分块”:分成n^2块,每一块看是否属于一个矩形. 甚至这个题就可以这么做. n<=1 ...

  4. 常用服务器构建 ftp

    ftp服务器1.安装vsftpd服务器sudo apt-get install vsftpd2.配置vsftpd.conf文件sudo vi /etc/vsftpd.conf添加下面设置anonymo ...

  5. Educational Codeforces Round 52 (Rated for Div. 2) E. Side Transmutations

    http://codeforces.com/contest/1065/problem/E 数学推导题 #include <bits/stdc++.h> using namespace st ...

  6. Java + 腾讯邮箱 SSL加密问题 重要通知

    原来的jdk8版本如果不替换jce就会在发邮件的过程中报错,而此次使用的jdk1.8.0_131,并没有出现问题,也就是说,如果你使用的版本是 就不用考虑发邮件因为加密算法而导致的错误了

  7. 线程优先级.Priority()

    线程对象.Priority(),线程优先级1-10,10优先级最高.此功能比较鸡肋,不起作用.了解即可 以下案例:循环输出加减乘除,除优先级最高 //MyThread线程 class MyThread ...

  8. 求矩形面积(问题来自PythonTip)

    描述: 已知矩形长a,宽b,输出其面积和周长,面积和周长以一个空格隔开. 例如:a = 3, b = 8 则输出:24 22 方法一: a=int(input('')) //input返回的是字符串类 ...

  9. JVM性能调优2:JVM性能调优参数整理

    序号 参数名 说明 JDK 默认值 使用过 1 JVM执行模式 2 -client-server 设置该JVM运行与Client 或者Server Hotspot模式,这两种模式从本质上来说是在JVM ...

  10. oracle表结构和表内容差异比对【原】

    oracle表结构和表内容差异比对 oracle中有三种集合操作,他们会把左边和右边的select 结果集进行集合操作. union 并集 intersect 交集 minus 差集 假设有如下两张表 ...