
Analysing old-format event logs on Vista/Windows 7

Date: 2017/1/24 12:05:08      Editor: Windows Vista basics

Suppose a friend tells you his computer has a problem. You may need to analyse his system's event log. After all, the Windows event log records a great deal of information: application usage and crash records, all kinds of Windows system events, and so on. Yet when your friend sends you the log from his Windows directory and you try to open and analyse it, you find that it reports the event log as corrupt!

What is going on here?

The reason is simple: before Vista, event logs were .evt files; from Vista on, they are .evtx files!

We can use Microsoft's Log Parser 2.2 (available from Microsoft's official page), which parses whichever format the system it runs on supports. The parsing command is:

logparser -i:EVT "SELECT * INTO a.csv FROM b.evt"

But on Vista, Windows Server 2008, Windows 7 and later, parsing a .evt log this way may report that the event log is corrupt. In that case the .evt file has to be converted to .evtx first. Fortunately, Vista and later systems ship with Wevtutil, the Windows Events Command Line Utility, which can do exactly that!

Run the command: wevtutil epl application.evt application.evtx /lf:true and the log is converted.
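The two steps above (convert each .evt with wevtutil, then query the result) as one script. This is an added example, not code from the original article; the folder C:\Cases\friend-logs and the report file name are assumptions, and Get-WinEvent stands in for Log Parser as the reader of the converted .evtx files.

```powershell
# Added example (not from the original article): batch-convert legacy .evt logs
# to .evtx with wevtutil, then pull the error-level events out of the result.
# Assumptions: the .evt files live in C:\Cases\friend-logs (hypothetical path)
# and the script runs on Vista/Windows 7 or later, where wevtutil.exe exists.
param(
    [string]$LogDir = 'C:\Cases\friend-logs',
    [string]$Report = 'C:\Cases\friend-logs\errors.csv'
)

$converted = @()
foreach ($evt in Get-ChildItem -Path $LogDir -Filter '*.evt') {
    $evtx = [System.IO.Path]::ChangeExtension($evt.FullName, '.evtx')

    # epl = export-log; /lf:true tells wevtutil the first argument is a log
    # *file*, not the name of a live log registered on this machine.
    & wevtutil.exe epl $evt.FullName $evtx /lf:true
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "wevtutil failed on $($evt.Name) (exit code $LASTEXITCODE)"
        continue
    }
    $converted += $evtx
}

if (-not $converted) {
    Write-Warning "No .evt files were converted; nothing to analyse."
    return
}

# Level 2 = Error. Get-WinEvent understands .evtx files; keep only the fields
# an analyst wants to see first (first line of the message is usually enough).
$errors = Get-WinEvent -FilterHashtable @{ Path = $converted; Level = 2 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Id, MachineName,
                  @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } }

# Show which sources produced the most errors, then save the full list to CSV,
# the same end result as the "SELECT * INTO a.csv" Log Parser step above.
$errors | Group-Object ProviderName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$errors | Export-Csv -Path $Report -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $($errors.Count) error events to $Report"
```

The per-file exit-code check matters because wevtutil keeps going after a corrupt or truncated .evt and an unchecked failure would silently leave that file out of the analysis.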


The help text that wevtutil prints on the system is in English:

Windows Events Command Line Utility.

Enables you to retrieve information about event logs and publishers, install
and uninstall event manifests, run queries, and export, archive, and clear logs.

Usage:

You can use either the short (for example, ep /uni) or long (for example,
enum-publishers /unicode) version of the command and option names. Commands,
options and option values are not case-sensitive.

Variables are noted in all upper-case.

wevtutil COMMAND [ARGUMENT [ARGUMENT] ...] [/OPTION:VALUE [/OPTION:VALUE] ...]

Commands:

el | enum-logs List log names.
gl | get-log Get log configuration information.
sl | set-log Modify configuration of a log.
ep | enum-publishers List event publishers.
gp | get-publisher Get publisher configuration information.
im | install-manifest Install event publishers and logs from manifest.
um | uninstall-manifest Uninstall event publishers and logs from manifest.
qe | query-events Query events from a log or log file.
gli | get-log-info Get log status information.
epl | export-log Export a log.
al | archive-log Archive an exported log.
cl | clear-log Clear a log.

Common options:

/{r | remote}:VALUE
If specified, run the command on a remote computer. VALUE is the remote computer
name. Options /im and /um do not support remote operations.

/{u | username}:VALUE
Specify a different user to log on to the remote computer. VALUE is a user name
in the form domain\user or user. Only applicable when option /r is specified.

/{p | password}:VALUE
Password for the specified user. If not specified, or if VALUE is "*", the user
will be prompted to enter a password. Only applicable when the /u option is
specified.

/{a | authentication}:[Default|Negotiate|Kerberos|NTLM]
Authentication type for connecting to remote computer. The default is Negotiate.

/{uni | unicode}:[true|false]
Display output in Unicode. If true, then output is in Unicode.

To learn more about a specific command, type the following:

wevtutil COMMAND /?
