原文地址:
#
# 操作系统账号事件(登录、注销、新增、删除、软件安装)
# 主函数 Main
# @param string $str  事件类型，取值 login | cancel | add | delete | setup，不可为空
# @param string $code 仅对 login 生效：为 1 时忽略登录类型为 4(批处理/计划任务)的登录事件
#
# Description:
# 由事件触发的任务计划调用(Security 日志 4624/4634/4722/4726，Setup 日志 1610)；
# 为登录事件创建任务计划时必须同时传递以上两个参数。
#
#region get-serverip 获取IP
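function get-serverip
{
    # Returns the first address of an enabled, statically configured adapter,
    # or $null when no adapter matches.
    # Fixes two defects in the original filter:
    #  - the IPEnabled test was written as a bare script block `{$_.IPEnabled}`,
    #    which is always truthy, so adapters with IP disabled were not excluded;
    #  - when nothing matched, .GetType() was called on $null and threw.
    $addresses = @(gwmi win32_networkadapterconfiguration |
        ? { $_.IPEnabled -eq $true -and $_.DHCPEnabled -eq $false -and $null -ne $_.IPAddress } |
        % { $_.IPAddress })
    if ($addresses.Count -eq 0)
    {
        return $null
    }
    # Keep the original "first address wins" behaviour.
    return $addresses[0]
}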
#endregion
#region Send-Mail 发送邮件
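function Send-Mail($Subject,$Body)
{
    # Sends $Body as an HTML mail with the given $Subject.
    # Throws (Import-Clixml / Send-MailMessage errors) on failure; callers catch
    # and log to c:\UserNotice.log.
    #
    # The SMTP credential is loaded from a DPAPI-protected file instead of
    # being embedded in the script. Create it once, logged on as the account the
    # scheduled task runs under:
    #     Get-Credential | Export-Clixml C:\ProgramData\UserNotice\mail.cred
    # Export-Clixml encrypts the password with that user's DPAPI key, so the
    # file is useless to other accounts or to anyone who copies the script.
    # (The original held the mailbox account and password in clear text here.)
    $credFile = Join-Path $env:ProgramData 'UserNotice\mail.cred'
    $Credential = Import-Clixml -Path $credFile
    $SmtpServer = "mail.xx.com.cn"
    $From = 'a@xx.com.cn'
    $To = "test@xx.com.cn"
    #抄送 (CC)
    #$Cc="cc@xx.com.cn"
    $encoding = [System.Text.UTF8Encoding]::UTF8
    # -UseSsl: without it the SMTP credential and the alert body (account names,
    # client IPs) cross the network in clear text. The server must offer
    # STARTTLS; if it does not, the send fails and is logged by the caller.
    Send-MailMessage -SmtpServer $SmtpServer -UseSsl -Credential $Credential -From $From -To $To -Encoding $encoding -Body $Body -Subject $Subject -Priority High -BodyAsHtml
}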
#endregion
#region cut-string 裁剪字符串
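function cut-string
{
    param(
        $str,
        $start,
        $end
    )
    # Returns the part of $str from the first occurrence of $start (inclusive)
    # up to the first occurrence of $end that follows it (exclusive).
    # Returns $null when $str is empty or either marker is absent. The original
    # passed IndexOf's -1 straight into Substring and threw an
    # ArgumentOutOfRangeException, which aborted the whole notification — e.g.
    # on a host whose event text is not in the zh-CN wording the callers expect.
    if ([string]::IsNullOrEmpty($str))
    {
        return $null
    }
    $from = $str.IndexOf($start)
    if ($from -lt 0)
    {
        return $null
    }
    # Look for $end only after $start, so an earlier copy of $end cannot
    # produce a negative length.
    $to = $str.IndexOf($end, $from)
    if ($to -lt 0)
    {
        return $null
    }
    return $str.Substring($from, $to - $from)
}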
#endregion
#region get_login_user 获取登录账户
#return string
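function get_login_user
{
    # Returns the user names of all active interactive sessions as a
    # comma-separated string, or $null when there is none.
    #
    # `query user` prints a header row and then one row per session:
    # USERNAME SESSIONNAME ID STATE IDLE LOGON-TIME. The STATE text is
    # localized; '运行中' is the zh-CN wording for "Active" — confirm on the
    # target OS language.
    #
    # Fix: the original collapsed whitespace with a single-space-to-single-space
    # -replace inside a `while ($user.IndexOf(' ') -gt 0)` loop, which never
    # terminates for any row that contains a space.
    $sessions = query user
    $active = @()
    for ($row = 1; $row -lt $sessions.Count; $row++)
    {
        # Collapse runs of blanks to one space and drop the leading '>' that
        # marks the calling session, then split into columns.
        $cols = ($sessions[$row] -replace '\s+', ' ').TrimStart('>', ' ') -split ' '
        if ($cols.Count -lt 4)
        {
            continue
        }
        # NOTE(review): for a disconnected session SESSIONNAME is blank, so the
        # columns shift left and $cols[3] is not STATE; such rows are never
        # '运行中' and are skipped, which matches the original outcome.
        if ($cols[3] -eq '运行中')
        {
            $active += $cols[0]
        }
    }
    if ($active.Count -eq 0)
    {
        return $null
    }
    return ($active -join ',')
}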
#endregion
#region Login-Succ-Notice 成功登录事件
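function Login-Succ-Notice
{
    # Mails an alert for the most recent successful logon (Security 4624).
    # Reads $code, stored at script scope by Main: when it is 1, logon type 4
    # (batch — scheduled tasks, including the one running this script) is
    # ignored.
    # NOTE(review): 4624 also fires for network (type 3) and service (type 5)
    # logons, which are frequent on a server; consider filtering those too.
    #
    # Fetch the newest 4624 directly instead of scanning the 10 newest events
    # of any id: on a busy server the triggering logon is easily pushed out of
    # that window and the alert was silently dropped.
    $loginInfo = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($null -eq $loginInfo)
    {
        # `break` outside a loop ended the whole script; return is enough.
        return
    }
    $time = $loginInfo.TimeCreated
    $message = $loginInfo.Message
    if ($code -eq 1)
    {
        $loginType = cut-string $message '登录类型:' '新登录:'
        # Strip the label and every whitespace character. The event text puts
        # tabs between label and value, which the original ' ' replace left in
        # place, so the type-4 comparison never matched.
        $loginType = ($loginType -replace '登录类型:', '') -replace '\s', ''
        if ($loginType -eq '4')
        {
            return
        }
    }
    # Field labels are the zh-CN event text; on another display language
    # cut-string finds nothing and the column is left blank.
    $processInfo = ((cut-string $message '进程名:' '网络信息:') -replace '进程名:', '').Trim()
    # Narrow to the "New Logon" section so the first 帐户名 is the logged-on
    # account, not the Subject account.
    $message = cut-string $message '新登录' '详细身份验证信息'
    $loginName = ((cut-string $message '帐户名:' '帐户域:') -replace '帐户名:', '').Trim()
    $loginIp = ((cut-string $message '源网络地址:' '源端口:') -replace '源网络地址:', '').Trim()
    $ip = get-serverip
    $loginedName = get_login_user
    # The values come from the event and are rendered with -BodyAsHtml; escape
    # them rather than trust the log text as markup.
    $escape = { param($s) "$s" -replace '&', '&amp;' -replace '<', '&lt;' -replace '>', '&gt;' }
    $loginName = & $escape $loginName
    $processInfo = & $escape $processInfo
    $loginIp = & $escape $loginIp
    $loginedName = & $escape $loginedName
    $Body = "<table width='700' border='1' cellpadding='0' cellspacing='0' style='font-size:13px;'>
<tr style='background:#39F'>
<td>服务器</td>
<td>登录账号</td>
<td>进程</td>
<td>登录时间</td>
<td>客户端IP</td>
<td>已登录账号</td>
</tr>
<tr>
<td>$ip</td>
<td>$loginName</td>
<td>$processInfo</td>
<td>$time</td>
<td>$loginIp</td>
<td>$loginedName</td>
</tr>
</table>"
    try
    {
        Send-Mail "Login on $ip" $Body
    }
    catch
    {
        # "$error[0]" expanded the whole $error collection followed by a
        # literal "[0]"; $_ is the error that was actually caught.
        ac -Path c:\UserNotice.log -Value "[ $time Login] $_"
    }
}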
#endregion
#region Cancel-Succ-Notice 注销登录事件
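function Cancel-Succ-Notice
{
    # Mails an alert for the most recent logoff (Security 4634): the account
    # that logged off and the sessions that are still active.
    # NOTE(review): 4634 fires for every logoff, including network (type 3)
    # sessions, so this can be noisy on a file or web server.
    #
    # Fetch the newest 4634 directly rather than the 10 newest events of any
    # id, which dropped the alert whenever other events outpaced the task.
    $cancelInfo = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4634} -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($null -eq $cancelInfo)
    {
        # `break` outside a loop ended the whole script; return is enough.
        return
    }
    $time = $cancelInfo.TimeCreated
    $message = $cancelInfo.Message
    # Labels are the zh-CN event text; elsewhere cut-string finds nothing and
    # the column stays blank.
    $cancelName = ((cut-string $message '帐户名:' '帐户域:') -replace '帐户名:', '').Trim()
    $ip = get-serverip
    $loginedName = get_login_user
    # Escape event-derived text before it is rendered with -BodyAsHtml.
    $escape = { param($s) "$s" -replace '&', '&amp;' -replace '<', '&lt;' -replace '>', '&gt;' }
    $cancelName = & $escape $cancelName
    $loginedName = & $escape $loginedName
    $Body = "<table width='700' border='1' cellpadding='0' cellspacing='0' style='font-size:13px;'>
<tr style='background:#39F'>
<td>服务器</td>
<td>注销账号</td>
<td>注销时间</td>
<td>未注销账号</td>
</tr>
<tr>
<td>$ip</td>
<td>$cancelName</td>
<td>$time</td>
<td>$loginedName</td>
</tr>
</table>"
    try
    {
        Send-Mail "Cancel on $ip" $Body
    }
    catch
    {
        # $_ is the caught error; "$error[0]" expanded the whole collection.
        ac -Path c:\UserNotice.log -Value "[ $time Cancel] $_"
    }
}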
#endregion
#region Create-User-Notice 新增账号事件
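function Create-User-Notice
{
    # Mails an alert for the most recent Security 4722 event: who performed
    # the operation (Subject) and which account was affected (Target Account).
    # NOTE(review): 4722 is "user account was enabled". It fires when an
    # account is created, but also when an existing disabled account is
    # re-enabled; 4720 is the dedicated "user account was created" event.
    #
    # Fetch the newest 4722 directly rather than the 10 newest events of any
    # id, which dropped the alert whenever other events outpaced the task.
    $userinfo = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4722} -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($null -eq $userinfo)
    {
        # `break` outside a loop ended the whole script; return is enough.
        return
    }
    $time = $userinfo.TimeCreated
    $message = $userinfo.Message
    # Labels are the zh-CN event text; elsewhere cut-string finds nothing and
    # the column stays blank.
    $operateUser = cut-string $message '主题:' '目标帐户:'
    $operateUser = ((cut-string $operateUser '帐户名:' '帐户域:') -replace '帐户名:', '').Trim()
    # Substring(IndexOf(...)) threw when the section label was missing; guard it.
    $targetIdx = $message.IndexOf('目标帐户:')
    $targetPart = ''
    if ($targetIdx -ge 0)
    {
        $targetPart = $message.Substring($targetIdx)
    }
    $addUser = ((cut-string $targetPart '帐户名:' '帐户域:') -replace '帐户名:', '').Trim()
    $ip = get-serverip
    $loginedUser = get_login_user
    # Escape event-derived text before it is rendered with -BodyAsHtml.
    $escape = { param($s) "$s" -replace '&', '&amp;' -replace '<', '&lt;' -replace '>', '&gt;' }
    $operateUser = & $escape $operateUser
    $addUser = & $escape $addUser
    $loginedUser = & $escape $loginedUser
    $Body = "<table width='700' border='1' cellpadding='0' cellspacing='0' style='font-size:13px;'>
<tr style='background:#39F'>
<td>服务器</td>
<td>操作账号</td>
<td>被添加账号</td>
<td>操作时间</td>
<td>已登录账号</td>
</tr>
<tr>
<td>$ip</td>
<td>$operateUser</td>
<td>$addUser</td>
<td>$time</td>
<td>$loginedUser</td>
</tr>
</table>"
    try
    {
        Send-Mail "AddUser on $ip" $Body
    }
    catch
    {
        # $_ is the caught error; "$error[0]" expanded the whole collection.
        ac -Path c:\UserNotice.log -Value "[ $time AddUser] $_"
    }
}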
#endregion
#region Delete-User-Notice 删除账号事件
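function Delete-User-Notice{
    # Mails an alert for the most recent account deletion (Security 4726):
    # who performed it (Subject) and which account was removed (Target
    # Account).
    #
    # Fetch the newest 4726 directly rather than the 10 newest events of any
    # id, which dropped the alert whenever other events outpaced the task.
    $userInfo = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4726} -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($null -eq $userInfo)
    {
        # `break` outside a loop ended the whole script; return is enough.
        return
    }
    $time = $userInfo.TimeCreated
    $message = $userInfo.Message
    $ip = get-serverip
    $loginedUser = get_login_user
    # Labels are the zh-CN event text; elsewhere cut-string finds nothing and
    # the column stays blank.
    $operateUser = cut-string $message '主题:' '目标帐户:'
    $operateUser = ((cut-string $operateUser '帐户名:' '帐户域:') -replace '帐户名:', '').Trim()
    # Substring(IndexOf(...)) threw when the section label was missing; guard it.
    $targetIdx = $message.IndexOf('目标帐户:')
    $targetPart = ''
    if ($targetIdx -ge 0)
    {
        $targetPart = $message.Substring($targetIdx)
    }
    $delUser = ((cut-string $targetPart '帐户名:' '帐户域:') -replace '帐户名:', '').Trim()
    # Escape event-derived text before it is rendered with -BodyAsHtml.
    $escape = { param($s) "$s" -replace '&', '&amp;' -replace '<', '&lt;' -replace '>', '&gt;' }
    $operateUser = & $escape $operateUser
    $delUser = & $escape $delUser
    $loginedUser = & $escape $loginedUser
    $Body = "<table width='700' border='1' cellpadding='0' cellspacing='0' style='font-size:13px;'>
<tr style='background:#39F'>
<td>服务器</td>
<td>操作账号</td>
<td>被删除账号</td>
<td>操作时间</td>
<td>已登录账号</td>
</tr>
<tr>
<td>$ip</td>
<td>$operateUser</td>
<td>$delUser</td>
<td>$time</td>
<td>$loginedUser</td>
</tr>
</table>"
    try
    {
        Send-Mail "Delete on $ip" $Body
    }
    catch
    {
        # $_ is the caught error; "$error[0]" expanded the whole collection.
        ac -Path c:\UserNotice.log -Value "[ $time Delete] $_"
    }
}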
#endregion
#region Software-Setup-Notice 软件安装事件
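function Software-Setup-Notice
{
    # Mails an alert for the most recent Setup-log event 1610 with the raw
    # event text and the currently active sessions.
    # NOTE(review): the script treats id 1610 in the Setup log as "software
    # installed" — confirm that on the target OS version. MSI installs also
    # write MsiInstaller events to the Application log, which is not covered.
    #
    # Fetch the newest 1610 directly rather than the 10 newest events of any
    # id, which dropped the alert whenever other events outpaced the task.
    $softinfo = Get-WinEvent -FilterHashtable @{LogName='Setup'; Id=1610} -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($null -eq $softinfo)
    {
        # `break` outside a loop ended the whole script; return is enough.
        return
    }
    # The original's array branch overwrote $time with $softinfo[0].ToString()
    # — the whole record's text — instead of the event time.
    $time = $softinfo.TimeCreated.ToString()
    $message = $softinfo.Message
    $ip = get-serverip
    $loginedUser = get_login_user
    # The event text is free-form and partly controlled by whoever ran the
    # installer (package name, path), and it is rendered with -BodyAsHtml:
    # escape it and turn line breaks into <br/> instead of injecting raw
    # markup into the alert mail.
    $escape = { param($s) "$s" -replace '&', '&amp;' -replace '<', '&lt;' -replace '>', '&gt;' }
    $message = (& $escape $message) -replace '\r?\n', '<br/>'
    $loginedUser = & $escape $loginedUser
    $Body = "<table width='700' border='1' cellpadding='0' cellspacing='0' style='font-size:13px;'>
<tr style='background:#39F'>
<td>服务器</td>
<td>已登录账号</td>
<td>安装时间</td>
<td>安装信息</td>
</tr>
<tr>
<td>$ip</td>
<td>$loginedUser</td>
<td>$time</td>
<td>$message</td>
</tr>
</table>"
    try
    {
        # Double quotes: the original single-quoted subject mailed the literal
        # text "Setup on $ip" without the server address.
        Send-Mail "Setup on $ip" $Body
    }
    catch
    {
        # $_ is the caught error; "$error[0]" expanded the whole collection.
        ac -Path c:\UserNotice.log -Value "[ $time Setup] $_"
    }
}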
#endregion
#region Main 入口函数
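function Main{
    param(
        $str,
        $script:code
    )
    # Dispatches on the event type passed by the scheduled task.
    # $str        one of login | cancel | add | delete | setup
    # $script:code is bound at script scope so Login-Succ-Notice can read it
    #              as $code (1 = ignore logon type 4).
    if ($null -eq $str)
    {
        Write-Warning 参数丢失!
        sleep 2
        # The original used `break`, which outside a loop terminates the whole
        # script; returning from Main ends it just as well.
        return
    }
    switch ($str)
    {
        'login'  { Login-Succ-Notice }
        'cancel' { Cancel-Succ-Notice }
        'add'    { Create-User-Notice }
        'delete' { Delete-User-Notice }
        'setup'  { Software-Setup-Notice }
        # A mistyped task argument used to do nothing silently; say so.
        default  { Write-Warning "未知的事件类型: $str" }
    }
}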
#endregion
# Script entry: the scheduled task supplies the event type (first argument)
# and, for login events, the code flag (second argument); both are forwarded
# positionally to Main.
$eventType = $args[0]
$typeCode = $args[1]
Main $eventType $typeCode