【Question title】:Powershell - Getting History of Task Scheduler Run Results
【Posted】:2021-02-27 18:27:13
【Question】:

I have a Powershell script as follows:

if (something)
{
    # do something
    # will return 0 on success
}
else
{
    exit 12345
}

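I want to be able to check that there was at least one success (return code 0) in the past 24 hours (the script will return 12345 more often than 0).

In another script I have this code: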


$events = @(
     Get-WinEvent  -FilterXml @'
     <QueryList>
      <Query Id="0" Path="Microsoft-Windows-TaskScheduler/Operational">
       <Select Path="Microsoft-Windows-TaskScheduler/Operational">
        *[EventData/Data[@Name='taskname']='\My Test']
       </Select>
      </Query>
     </QueryList>
'@  -ErrorAction Stop
)


$events | Where-Object {$_.ID -eq 102} | Select-Object *

It shows me the history of the task runs, but I can't find how to get the run result from here.

I can query an individual history item as follows:

$a = $events | Where-Object {$_.ID -eq 102} | Select-Object *
$a[0] | Get-Member

Returns

Name                 MemberType   Definition                                                                                                                                         
----                 ----------   ----------                                                                                                                                         
Equals               Method       bool Equals(System.Object obj)                                                                                                                     
GetHashCode          Method       int GetHashCode()                                                                                                                                  
GetType              Method       type GetType()                                                                                                                                     
ToString             Method       string ToString()                                                                                                                                  
ActivityId           NoteProperty guid ActivityId=d6ac8489-c0e1-4dbd-b06e-7ecefaf1c20c                                                                                               
Bookmark             NoteProperty EventBookmark Bookmark=System.Diagnostics.Eventing.Reader.EventBookmark                                                                            
ContainerLog         NoteProperty string ContainerLog=Microsoft-Windows-TaskScheduler/Operational                                                                                    
Id                   NoteProperty int Id=102                                                                                                                                         
Keywords             NoteProperty long Keywords=-9223372036854775807                                                                                                                 
KeywordsDisplayNames NoteProperty ReadOnlyCollection[string] KeywordsDisplayNames=System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]                                 
Level                NoteProperty byte Level=4                                                                                                                                       
LevelDisplayName     NoteProperty string LevelDisplayName=Information                                                                                                                
LogName              NoteProperty string LogName=Microsoft-Windows-TaskScheduler/Operational                                                                                         
MachineName          NoteProperty string MachineName=MyPC.mydomain                                                                                                           
MatchedQueryIds      NoteProperty uint32[] MatchedQueryIds=System.UInt32[]                                                                                                           
Message              NoteProperty string Message=Task Scheduler successfully finished "{d6ac8489-c0e1-4dbd-b06e-7ecefaf1c20c}" instance of the "\My Test" task for user "MyD...
Opcode               NoteProperty int16 Opcode=2                                                                                                                                     
OpcodeDisplayName    NoteProperty string OpcodeDisplayName=Stop                                                                                                                      
ProcessId            NoteProperty int ProcessId=2544                                                                                                                                 
Properties           NoteProperty List[EventProperty] Properties=System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]                                 
ProviderId           NoteProperty guid ProviderId=de7b24ea-73c8-4a09-985d-5bdadcfa9017                                                                                               
ProviderName         NoteProperty string ProviderName=Microsoft-Windows-TaskScheduler                                                                                                
Qualifiers           NoteProperty object Qualifiers=null                                                                                                                             
RecordId             NoteProperty long RecordId=21093                                                                                                                                
RelatedActivityId    NoteProperty object RelatedActivityId=null                                                                                                                      
Task                 NoteProperty int Task=102                                                                                                                                       
TaskDisplayName      NoteProperty string TaskDisplayName=Task completed                                                                                                              
ThreadId             NoteProperty int ThreadId=14152                                                                                                                                 
TimeCreated          NoteProperty datetime TimeCreated=16/11/2020 13:26:20                                                                                                           
UserId               NoteProperty SecurityIdentifier UserId=S-1-5-18                                                                                                                 
Version              NoteProperty byte Version=0

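But I can't find the information I need in any of the properties. I would expect it to be stored somewhere in hexadecimal format (0x3039).

【Comments】:

    Tags: powershell windows-10 scheduled-tasks


    【Solution 1】:

    Have you tried finding the exit code in the event's XML output?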

    foreach ($e in $events){
        [xml]$eXmls = $e.ToXml()
        $eXmls.event.EventData
    }
    

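    【Discussion】:

      【Solution 2】:

      You have what you need. You just need to expose it for viewing/capturing, etc. The example below uses a pristine Windows Sandbox, configures logging, creates a simple task, runs it once, and then gets the results.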

      wevtutil set-log Microsoft-Windows-TaskScheduler/Operational /enabled:true
      wevtutil get-log Microsoft-Windows-TaskScheduler/Operational
      
      Get-WinEvent -ListLog * | 
      Where-Object -Property logname -match task
      # Results
      <#
      LogMode   MaximumSizeInBytes RecordCount LogName                                                                                                                                              
      -------   ------------------ ----------- -------                                                                                                                                              
      Circular            10485760          37 Microsoft-Windows-TaskScheduler/Operational                                                                                                          
      Circular             1052672           8 Microsoft-Windows-TaskScheduler/Maintenance                                                                                                          
      Circular             1052672           0 Microsoft-Windows-Shell-Core/LogonTasksChannel                                                                                                       
      Circular             1052672           0 Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational                                                                                
      Circular             1052672           0 Microsoft-Windows-BackgroundTaskInfrastructure/Operational   
      #>
      
      
      $XmlQuery = @'
           <QueryList>
            <Query Id="0" Path="Microsoft-Windows-TaskScheduler/Operational">
             <Select Path="Microsoft-Windows-TaskScheduler/Operational">
              *[EventData/Data[@Name='taskname']='\TestTask']
             </Select>
            </Query>
           </QueryList>
      '@
      
      Get-WinEvent -FilterXml $XmlQuery
      # Results
      <#
         ProviderName: Microsoft-Windows-TaskScheduler
      
      TimeCreated                      Id LevelDisplayName Message                                                                                                                                  
      -----------                      -- ---------------- -------                                                                                                                                  
      11/16/2020 2:52:16 PM           102 Information      Task Scheduler successfully finished "{ca247629-6342-4e3d-9848-af234f84ae0c}" instance of the "\TestTask" task for user "F2B00BB4-0260...
      11/16/2020 2:52:16 PM           201 Information      Task Scheduler successfully completed task "\TestTask" , instance "{ca247629-6342-4e3d-9848-af234f84ae0c}" , action "C:\Windows\System...
      11/16/2020 2:52:08 PM           110 Information      Task Scheduler launched "{ca247629-6342-4e3d-9848-af234f84ae0c}"  instance of task "\TestTask"  for user "WDAGUtilityAccount" .          
      11/16/2020 2:52:08 PM           200 Information      Task Scheduler launched action "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" in instance "{ca247629-6342-4e3d-9848-af234...
      11/16/2020 2:52:08 PM           100 Information      Task Scheduler started "{ca247629-6342-4e3d-9848-af234f84ae0c}" instance of the "\TestTask" task for user "F2B00BB4-0260-4\WDAGUtility...
      11/16/2020 2:52:08 PM           129 Information      Task Scheduler launch task "\TestTask" , instance "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE"  with process ID 5520.     
      11/16/2020 2:52:04 PM           106 Information      User "F2B00BB4-0260-4\WDAGUtilityAccount"  registered Task Scheduler task "\TestTask
      #>
      
      ($events = @(
           Get-WinEvent -FilterXml $XmlQuery -ErrorAction Stop
      )) | 
      Where-Object {$PSItem.ID -eq 106} | 
      Select-Object -Property '*' -First 1 | 
      Format-List -Force
      <#
      Message              : User "F2B00BB4-0260-4\WDAGUtilityAccount"  registered Task Scheduler task "\TestTask"
      Id                   : 106
      Version              : 0
      Qualifiers           : 
      Level                : 4
      Task                 : 106
      Opcode               : 0
      Keywords             : -9223372036854775808
      RecordId             : 1
      ProviderName         : Microsoft-Windows-TaskScheduler
      ProviderId           : de7b24ea-73c8-4a09-985d-5bdadcfa9017
      LogName              : Microsoft-Windows-TaskScheduler/Operational
      ProcessId            : 960
      ThreadId             : 1440
      MachineName          : f2b00bb4-0260-425b-b5d3-7b0331e05b80
      UserId               : S-1-5-18
      TimeCreated          : 11/16/2020 2:52:04 PM
      ActivityId           : 
      RelatedActivityId    : 
      ContainerLog         : Microsoft-Windows-TaskScheduler/Operational
      MatchedQueryIds      : {}
      Bookmark             : System.Diagnostics.Eventing.Reader.EventBookmark
      LevelDisplayName     : Information
      OpcodeDisplayName    : Info
      TaskDisplayName      : Task registered
      KeywordsDisplayNames : {}
      Properties           : {System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventProperty}
      #>
      
      
      
      (($events = @(
           Get-WinEvent -FilterXml $XmlQuery -ErrorAction Stop
      )) | 
      Where-Object {$PSItem.ID -eq 106} | 
      Select-Object -Property '*' -First 1).Message
      # Results
      <#
      User "F2B00BB4-0260-4\WDAGUtilityAccount"  registered Task Scheduler task "\TestTask"
      #>
      
      
      
      (($events = @(
           Get-WinEvent -FilterXml $XmlQuery -ErrorAction Stop
      )) | 
      Where-Object {$PSItem.ID -eq 106} | 
      Select-Object -Property '*' -First 1).Opcode
      # Results
      <#
      0
      #>
      
      # Code Reference
      <#
      Op Codes    Description
      ________    ____________
      0 or 0x0    The operation completed successfully.
      1 or 0x1    Incorrect function called or unknown function called.
      2 or 0x2    File not found.
      10 or 0xa   The environment is incorrect.
      0x41300     Task is ready to run at its next scheduled time.
      0x41301     Task is currently running.
      0x41302     Task is disabled.
      0x41303     Task has not yet run.
      0x41304     There are no more runs scheduled for this task.
      0x41306     Task is terminated.
      0x8004131F  An instance of this task is already running.
      0x800704DD  The service is not available (is ‘Run only when a user is logged on’ checked?)
      0xC000013A  The application terminated as a result of a CTRL+C.
      0xC06D007E  Unknown software exception.
      #>
      

      【Discussion】:
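
Added example (not part of either answer above and not the posters' code): one way to do the question's 24-hour check, assuming the action's exit code is read from the `ResultCode` field of event ID 201 ("action completed") in the same Operational log. The function name `ConvertFrom-TaskEventXml` and the sample event are constructed for illustration; the task name `\My Test` is the one from the question.

```powershell
# Added example. Assumption: event 201 carries the action's exit code in
# EventData as a decimal "ResultCode" value.
function ConvertFrom-TaskEventXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $doc  = [xml]$EventXml
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText   # Name attribute -> value
    }
    $code = [uint32]$data['ResultCode']
    [pscustomobject]@{
        TaskName   = $data['TaskName']
        InstanceId = $data['TaskInstanceId']
        ResultCode = $code
        ResultHex  = '0x{0:X}' -f $code
    }
}

# Constructed, trimmed sample of a 201 event so the parser can be tried offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>201</EventID></System>
  <EventData Name="ActionSuccess">
    <Data Name="TaskName">\My Test</Data>
    <Data Name="TaskInstanceId">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="ActionName">powershell.exe</Data>
    <Data Name="ResultCode">12345</Data>
  </EventData>
</Event>
'@
ConvertFrom-TaskEventXml -EventXml $sample

# Live query: 201 events for the task within the last 24 h (86400000 ms).
$query = @'
<QueryList>
 <Query Id="0" Path="Microsoft-Windows-TaskScheduler/Operational">
  <Select Path="Microsoft-Windows-TaskScheduler/Operational">
   *[System[(EventID=201) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]
     and EventData[Data[@Name='TaskName']='\My Test']]
  </Select>
 </Query>
</QueryList>
'@
# Get-WinEvent raises an error when nothing matches; treat that as "no runs".
$runs = @(Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue |
          ForEach-Object { ConvertFrom-TaskEventXml -EventXml $_.ToXml() })
$ok = @($runs | Where-Object { $_.ResultCode -eq 0 })
# Non-zero exit so a monitoring wrapper can alert on "no success in 24 h".
if ($ok.Count -eq 0) { Write-Warning 'No successful run in the last 24 hours'; exit 1 }
```

The Operational log is circular, so on a busy host the 24-hour window can roll out of the log before the check runs; size the log accordingly.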
