如何通过 WMI 读取应用程序和服务日志？

Question

我可以通过 WMI 在 powershell 中获取所有事件日志消息，例如

Get-WmiObject -query "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security'"

枚举我使用的所有事件日志

Get-WmiObject win32_nteventlogfile
FileSize LogfileName            Name                                                        NumberOfRecords
-------- -----------            ----                                                        ---------------
26218496 Application            C:\WINDOWS\System32\Winevt\Logs\Application.evtx                      75510
   69632 HardwareEvents         C:\WINDOWS\System32\Winevt\Logs\HardwareEvents.evtx                       0
   69632 Internet Explorer      C:\WINDOWS\System32\Winevt\Logs\Internet Explorer.evtx                    0
   69632 Key Management Service C:\WINDOWS\System32\Winevt\Logs\Key Management Service.evtx               0
   69632 OAlerts                C:\WINDOWS\System32\Winevt\Logs\OAlerts.evtx                             39
   69632 Parameters             C:\WINDOWS\System32\Winevt\Logs\Parameters.evtx                           0
12652544 Security               C:\WINDOWS\System32\Winevt\Logs\Security.evtx                         18840
   69632 State                  C:\WINDOWS\System32\Winevt\Logs\State.evtx                                0
 8458240 System                 C:\WINDOWS\System32\Winevt\Logs\System.evtx                           15108
   69632 Windows Azure          C:\WINDOWS\System32\Winevt\Logs\Windows Azure.evtx                        0
 2166784 Windows PowerShell     C:\WINDOWS\System32\Winevt\Logs\Windows PowerShell.evtx                1656

到目前为止，还没有办法解析应用程序和服务日志下显示的所有其他日志

使用 Powershell，我可以通过

获取日志文件

Get-WinEvent -ListLog *

LogMode   MaximumSizeInBytes RecordCount LogName
-------   ------------------ ----------- -------
Circular            15728640        1656 Windows PowerShell
Circular             1052672           0 Windows Azure
Circular            20971520       15123 System
Circular            20971520       19404 Security
Circular             1052672          39 OAlerts
Circular            20971520           0 Key Management Service
Circular             1052672           0 Internet Explorer
Circular            20971520           0 HardwareEvents
Circular            26214400       75525 Application
Circular             1052672           0 WitnessClientAdmin
Circular             1052672             Windows Networking Vpn Plugin Platform/OperationalVerbose
Circular             1052672             Windows Networking Vpn Plugin Platform/Operational
Circular             1052672           0 SMSApi
Circular             1052672          66 Setup
Circular             1052672           0 OpenSSH/Operational
Circular             1052672           0 OpenSSH/Admin
Circular             1052672             Network Isolation Operational
Circular             1052672           0 Microsoft-WS-Licensing/Admin
Circular             1052672           0 Microsoft-WindowsPhone-Connectivity-WiFiConnSvc-Channel
Circular             1052672           0 Microsoft-Windows-WWAN-SVC-Events/Operational

但是当我尝试读取其他日志文件时，我什么也得不到。当我尝试阅读时Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant 文件我一无所获：

Get-WmiObject -query "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant'"

日志文件有不​​同的名称

 Directory of C:\Windows\System32\winevt\Logs

12/26/2019  07:55 PM            69,632 Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx

在事件查看器中，名称显示为

我需要输入 WMI 查询以读取事件的正确日志文件名是什么？

Answer 1

迟到总比没有好。

在注册表中创建以下键：

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Program-Compatibility-Assistant/Analytic

不需要任何值，只需键即可。 然后您应该能够运行这样的查询

select * from Win32_NTLogEvent where logfile = 'Microsoft-Windows-Program-Compatibility-Assistant/Analytic'