jinterop获取windows事件三类日志(Security、Application、System)

package com.mytest;

import java.io.Console;
import java.io.IOException;
import java.util.logging.Level;
import org.jinterop.dcom.common.JIException;
import org.jinterop.dcom.common.JISystem;
import org.jinterop.dcom.core.JIComServer;
import org.jinterop.dcom.core.JIProgId;
import org.jinterop.dcom.core.JISession;
import org.jinterop.dcom.core.JIString;
import org.jinterop.dcom.core.JIVariant;
import org.jinterop.dcom.impls.JIObjectFactory;
import org.jinterop.dcom.impls.automation.IJIDispatch;

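/**
 * Streams new Windows event-log records (Application, Security, System) from a
 * remote host over DCOM/WMI using j-interop, printing each one as CIM text.
 *
 * <p>Credentials come from the command line or a console prompt rather than
 * being compiled into the class. The account needs remote DCOM and WMI access on
 * the target; reading the Security log in particular is normally restricted to
 * privileged accounts, so prefer a dedicated least-privilege account over a
 * built-in administrator where the environment allows it.
 */
public class EventLogListener {
	/** WMI namespace that exposes the Win32_NTLogEvent class. */
	private static final String WMI_DEFAULT_NAMESPACE = "ROOT\\CIMV2";

	/**
	 * WQL subscription that fires for every new event-log record on the target.
	 * Append {@code " AND TargetInstance.LogFile = 'System'"} (or 'Application',
	 * 'Security') to restrict it to one of the three classic logs.
	 */
	private static final String QUERY_FOR_ALL_LOG_EVENTS =
			"SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent'";

	/** SWbemFlag wbemFlagReturnImmediately (16): ExecNotificationQuery returns without waiting. */
	private static final int RETURN_IMMEDIATE = 16;
	/** SWbemFlag wbemFlagForwardOnly (32): forward-only enumerator, required for event queries. */
	private static final int FORWARD_ONLY = 32;

	/** Exit status used when the command line cannot be used. */
	private static final int EXIT_USAGE = 2;

	/**
	 * Configures j-interop and opens an authenticated DCOM session.
	 *
	 * @param domain Windows domain of the account (the original sample passed "")
	 * @param user   account name
	 * @param pass   account password; j-interop takes it as a String, so it cannot
	 *               be wiped from memory afterwards
	 * @return a session with j-interop session security enabled; the caller must
	 *         destroy it with {@link JISession#destroySession}
	 * @throws Exception propagated from session creation
	 */
	private static JISession configAndConnectDCom(String domain, String user,
			String pass) throws Exception {
		// Silence the library's own logger; it is noisy at its default level.
		JISystem.getLogger().setLevel(Level.OFF);
		try {
			JISystem.setInBuiltLogHandler(false);
		} catch (IOException ignored) {
			// Only the library's built-in log handler failed to change; the
			// connection itself is unaffected, so deliberately carry on.
		}
		JISystem.setAutoRegisteration(true);
		JISession dcomSession = JISession.createSession(domain, user, pass);
		dcomSession.useSessionSecurity(true);
		return dcomSession;
	}

	/**
	 * Instantiates WbemScripting.SWbemLocator on {@code host} and returns its
	 * IDispatch pointer.
	 *
	 * @param host        target machine name or address
	 * @param dcomSession session from {@link #configAndConnectDCom}
	 * @return the locator as an automation (IDispatch) interface
	 * @throws Exception propagated from j-interop
	 */
	private static IJIDispatch getWmiLocator(String host, JISession dcomSession)
			throws Exception {
		JIComServer wbemLocatorComObj = new JIComServer(
				JIProgId.valueOf("WbemScripting.SWbemLocator"), host, dcomSession);
		return (IJIDispatch) JIObjectFactory.narrowObject(
				wbemLocatorComObj.createInstance().queryInterface(IJIDispatch.IID));
	}

	/**
	 * Unwraps a COM object carried in a variant into an IDispatch reference.
	 *
	 * @param comObjectAsVariant variant returned by a method call that yields an object
	 * @return the narrowed IDispatch interface
	 * @throws JIException if the variant does not hold a COM object
	 */
	private static IJIDispatch toIDispatch(JIVariant comObjectAsVariant)
			throws JIException {
		return (IJIDispatch) JIObjectFactory.narrowObject(
				comObjectAsVariant.getObjectAsComObject());
	}

	/** Calls SWbemLocator.ConnectServer and returns the resulting SWbemServices dispatch. */
	private static IJIDispatch connectServer(IJIDispatch wbemLocator, String host)
			throws JIException {
		// ConnectServer(strServer, strNamespace, strUser, strPassword, strLocale,
		// strAuthority, iSecurityFlags, objWbemNamedValueSet). User and password
		// are left optional: the DCOM session already carries the credentials.
		JIVariant[] results = wbemLocator.callMethodA("ConnectServer", new Object[] {
				new JIString(host),
				new JIString(WMI_DEFAULT_NAMESPACE),
				JIVariant.OPTIONAL_PARAM(),
				JIVariant.OPTIONAL_PARAM(),
				JIVariant.OPTIONAL_PARAM(),
				JIVariant.OPTIONAL_PARAM(),
				Integer.valueOf(0),
				JIVariant.OPTIONAL_PARAM() });
		return toIDispatch(results[0]);
	}

	/** Submits the notification query and returns the SWbemEventSource to poll. */
	private static IJIDispatch subscribe(IJIDispatch wbemServices) throws JIException {
		JIVariant[] eventSourceSet = wbemServices.callMethodA("ExecNotificationQuery",
				new Object[] {
						new JIString(QUERY_FOR_ALL_LOG_EVENTS),
						new JIString("WQL"),
						// Flags are a bit mask; both are mandatory for event queries.
						new JIVariant(Integer.valueOf(RETURN_IMMEDIATE | FORWARD_ONLY)) });
		return toIDispatch(eventSourceSet[0]);
	}

	/** Blocks on SWbemEventSource.NextEvent and renders the event as CIM text. */
	private static String nextEventText(IJIDispatch wbemEventSource) throws JIException {
		// No timeout argument is passed, so NextEvent blocks until an entry appears.
		JIVariant eventAsVariant = wbemEventSource.callMethodA("NextEvent",
				new Object[] { JIVariant.OPTIONAL_PARAM() })[0];
		IJIDispatch wbemEvent = toIDispatch(eventAsVariant);
		// GetObjectText_ returns the whole instance (including the nested
		// Win32_NTLogEvent) as text; single properties could instead be read
		// with wbemEvent.get("PropertyName").
		JIVariant objTextAsVariant = wbemEvent.callMethodA("GetObjectText_",
				new Object[] { Integer.valueOf(1) })[0];
		return objTextAsVariant.getObjectAsString().getString();
	}

	/**
	 * Prompts for the password on the attached console without echo.
	 *
	 * @param user account name shown in the prompt
	 * @return the password, or null when no console is attached or input ended
	 */
	private static String readPassword(String user) {
		Console console = System.console();
		if (console == null) {
			return null;
		}
		char[] chars = console.readPassword("Password for %s: ", user);
		return chars == null ? null : new String(chars);
	}

	/**
	 * Entry point: {@code domain host username [password]}.
	 *
	 * <p>When the password is omitted it is read from the console, which keeps it
	 * out of shell history and process listings. The listener runs until the
	 * session fails or the process is stopped; the DCOM session is always
	 * destroyed on the way out.
	 *
	 * @param args domain, host, user name and optionally the password
	 */
	public static void main(String[] args) {
		if (args.length < 3 || args.length > 4) {
			System.err.println("Usage: " + EventLogListener.class.getSimpleName()
					+ " domain host username [password]");
			System.exit(EXIT_USAGE);
		}
		String domain = args[0];
		String host = args[1];
		String user = args[2];
		String pass = args.length == 4 ? args[3] : readPassword(user);
		if (pass == null) {
			System.err.println("No console available to prompt for the password; "
					+ "pass it as the fourth argument.");
			System.exit(EXIT_USAGE);
		}
		JISession dcomSession = null;
		try {
			dcomSession = configAndConnectDCom(domain, user, pass);
			IJIDispatch wbemLocator = getWmiLocator(host, dcomSession);
			IJIDispatch wbemServices = connectServer(wbemLocator, host);
			IJIDispatch wbemEventSource = subscribe(wbemServices);
			// Deliberately endless: each iteration blocks for the next record.
			for (int eventIndex = 0;; eventIndex++) {
				String asText = nextEventText(wbemEventSource);
				System.out.println("******************************************==" + eventIndex
						+ "==****************************");
				System.out.println(asText);
			}
		} catch (Exception e) {
			// Any failure ends the listener; report it, then release the session.
			e.printStackTrace();
		} finally {
			if (dcomSession != null) {
				try {
					JISession.destroySession(dcomSession);
				} catch (Exception ex) {
					ex.printStackTrace();
				}
			}
		}
	}
}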


输出结果:
******************************************==0==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
Data = {49, 0, 46, 0, 49, 0, 0, 0, 48, 0, 0, 0, 77, 0, 105, 0, 99, 0, 114, 0, 111, 0, 115, 0, 111, 0, 102, 0, 116, 0, 32, 0, 87, 0, 105, 0, 110, 0, 100, 0, 111, 0, 119, 0, 115, 0, 32, 0, 83, 0, 101, 0, 114, 0, 118, 0, 101, 0, 114, 0, 32, 0, 50, 0, 48, 0, 48, 0, 51, 0, 0, 0, 53, 0, 46, 0, 50, 0, 46, 0, 51, 0, 55, 0, 57, 0, 48, 0, 32, 0, 66, 0, 117, 0, 105, 0, 108, 0, 100, 0, 32, 0, 51, 0, 55, 0, 57, 0, 48, 0, 32, 0, 83, 0, 101, 0, 114, 0, 118, 0, 105, 0, 99, 0, 101, 0, 32, 0, 80, 0, 97, 0, 99, 0, 107, 0, 32, 0, 50, 0, 0, 0, 85, 0, 110, 0, 105, 0, 112, 0, 114, 0, 111, 0, 99, 0, 101, 0, 115, 0, 115, 0, 111, 0, 114, 0, 32, 0, 70, 0, 114, 0, 101, 0, 101, 0, 0, 0, 51, 0, 55, 0, 57, 0, 48, 0, 46, 0, 115, 0, 114, 0, 118, 0, 48, 0, 51, 0, 95, 0, 115, 0, 112, 0, 50, 0, 95, 0, 114, 0, 116, 0, 109, 0, 46, 0, 48, 0, 55, 0, 48, 0, 50, 0, 49, 0, 54, 0, 45, 0, 49, 0, 55, 0, 49, 0, 48, 0, 0, 0, 52, 0, 101, 0, 99, 0, 98, 0, 49, 0, 56, 0, 52, 0, 52, 0, 0, 0, 78, 0, 111, 0, 116, 0, 32, 0, 65, 0, 118, 0, 97, 0, 105, 0, 108, 0, 97, 0, 98, 0, 108, 0, 101, 0, 0, 0, 78, 0, 111, 0, 116, 0, 32, 0, 65, 0, 118, 0, 97, 0, 105, 0, 108, 0, 97, 0, 98, 0, 108, 0, 101, 0, 0, 0, 48, 0, 0, 0, 49, 0, 0, 0, 51, 0, 56, 0, 52, 0, 0, 0, 56, 0, 48, 0, 52, 0, 0, 0, 117, 0, 102, 0, 99, 0, 45, 0, 54, 0, 97, 0, 48, 0, 97, 0, 48, 0, 98, 0, 49, 0, 102, 0, 55, 0, 54, 0, 99, 0, 0, 0, 0, 0};
EventCode = 6005;
EventIdentifier = 2147489653;
EventType = 3;
InsertionStrings = {"", "", "", "", "13", "60", "-480 中国标准时间"};
Logfile = "System";
Message = "事件日志服务已启动。
\n";
RecordNumber = 650;
SourceName = "EventLog";
TimeGenerated = "20111125085922.000000+480";
TimeWritten = "20111125085922.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564746875000";
};

******************************************==1==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 10026;
EventIdentifier = 1075849002;
EventType = 3;
InsertionStrings = {"86400", "SuppressDuplicateDuration", "Software\\Microsoft\\Ole\\EventLog"};
Logfile = "System";
Message = "COM 子系统正在取消 86400 秒持续时间内重复的事件日志项。可以通过下列注册表项下名为 SuppressDuplicateDuration 的 REG_DWORD 值控制取消超时: HKLM\\Software\\Microsoft\\Ole\\EventLog。
\n";
RecordNumber = 651;
SourceName = "DCOM";
TimeGenerated = "20111125085922.000000+480";
TimeWritten = "20111125085922.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031250";
};

******************************************==2==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 3;
EventIdentifier = 1113194499;
EventType = 3;
Logfile = "System";
Message = "应用程序体验查找服务已成功地启动。
\n";
RecordNumber = 652;
SourceName = "AeLookupSvc";
TimeGenerated = "20111125085929.000000+480";
TimeWritten = "20111125085929.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031251";
};

******************************************==3==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 17;
EventIdentifier = 2186936337;
EventType = 1;
InsertionStrings = {"time.windows.com,0x1", "套接字操作尝试一个无法连接的主机。 (0x80072751)", "15"};
Logfile = "System";
Message = "时间提供程序 NtpClient: 在 DNS 查询手动配置的对等机器 'time.windows.com,0x1' 时发生一个错误。
\nNtpClient 将在 15 分钟内重试 NDS 查询。
\n错误为: 套接字操作尝试一个无法连接的主机。 (0x80072751)
\n";
RecordNumber = 653;
SourceName = "W32Time";
TimeGenerated = "20111125085930.000000+480";
TimeWritten = "20111125085930.000000+480";
Type = "错误";
};
TIME_CREATED = "129666564747031252";
};

******************************************==4==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
Data = {0, 0, 0, 0, 1, 0, 84, 0, 0, 0, 0, 0, 199, 16, 0, 64, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
EventCode = 4295;
EventIdentifier = 1073746119;
EventType = 3;
InsertionStrings = {""};
Logfile = "System";
Message = "IPSec 驱动程序以 Bypass 模式启动。在此计算机启动时没有 IPSec
\n安全性会被应用到此计算机。如果配置了IPSec 策略,它们将在
\nIPSec 服务启动后被应用到此计算机。
\n";
RecordNumber = 654;
SourceName = "IPSec";
TimeGenerated = "20111125085914.000000+480";
TimeWritten = "20111125085944.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031253";
};

******************************************==5==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
Data = {0, 0, 0, 0, 1, 0, 84, 0, 0, 0, 0, 0, 198, 16, 0, 64, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
EventCode = 4294;
EventIdentifier = 1073746118;
EventType = 3;
InsertionStrings = {""};
Logfile = "System";
Message = "IPSec 驱动程序进入 Secure 状态。如果配置了 IPSec 策略,
\n将在现在被应用到此计算机。
\n";
RecordNumber = 655;
SourceName = "IPSec";
TimeGenerated = "20111125085929.000000+480";
TimeWritten = "20111125085944.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031254";
};

******************************************==6==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 7035;
EventIdentifier = 1073748859;
EventType = 3;
InsertionStrings = {"Network Location Awareness (NLA)", "开始"};
Logfile = "System";
Message = "Network Location Awareness (NLA) 服务成功发送一个 开始 控件。
\n";
RecordNumber = 656;
SourceName = "Service Control Manager";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "信息";
User = "NT AUTHORITY\\SYSTEM";
};
TIME_CREATED = "129666564747031255";
};

******************************************==7==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 7036;
EventIdentifier = 1073748860;
EventType = 3;
InsertionStrings = {"Network Location Awareness (NLA)", "正在运行"};
Logfile = "System";
Message = "Network Location Awareness (NLA) 服务处于 正在运行 状态。
\n";
RecordNumber = 657;
SourceName = "Service Control Manager";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031256";
};

******************************************==8==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 7035;
EventIdentifier = 1073748859;
EventType = 3;
InsertionStrings = {"Terminal Services", "开始"};
Logfile = "System";
Message = "Terminal Services 服务成功发送一个 开始 控件。
\n";
RecordNumber = 658;
SourceName = "Service Control Manager";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "信息";
User = "NT AUTHORITY\\SYSTEM";
};
TIME_CREATED = "129666564747031257";
};

******************************************==9==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 7036;
EventIdentifier = 1073748860;
EventType = 3;
InsertionStrings = {"Terminal Services", "正在运行"};
Logfile = "System";
Message = "Terminal Services 服务处于 正在运行 状态。
\n";
RecordNumber = 659;
SourceName = "Service Control Manager";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031258";
};

******************************************==10==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 7035;
EventIdentifier = 1073748859;
EventType = 3;
InsertionStrings = {"Application Layer Gateway Service", "开始"};
Logfile = "System";
Message = "Application Layer Gateway Service 服务成功发送一个 开始 控件。
\n";
RecordNumber = 660;
SourceName = "Service Control Manager";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "信息";
User = "NT AUTHORITY\\SYSTEM";
};
TIME_CREATED = "129666564747031259";
};

******************************************==11==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 7036;
EventIdentifier = 1073748860;
EventType = 3;
InsertionStrings = {"Application Layer Gateway Service", "正在运行"};
Logfile = "System";
Message = "Application Layer Gateway Service 服务处于 正在运行 状态。
\n";
RecordNumber = 661;
SourceName = "Service Control Manager";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747031260";
};

******************************************==12==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 84, 1, 0, 0, 96, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 64, 1, 12, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 97, 0, 110, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "TM";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 4193;
EventIdentifier = 1073746017;
EventType = 3;
InsertionStrings = {"0", "0", "0", "0", "0", "0", "1"};
Logfile = "Application";
Message = "MS DTC 已启动,设置如下(OFF = 0,ON = 1):


\n
\n安全配置:

\n     事务的网络管理 = 0,

\n     网络客户端 = 0,

\n     使用本机 MSDTC 协议的入站分布式事务 = 0,

\n     使用本机 MSDTC 协议的出站分布式事务 = 0,

\n     事务 Internet 协议(TIP) = 0,

\n     XA 事务 = 0

\n
\n筛选的重复事件 = 1";
RecordNumber = 152;
SourceName = "MSDTC";
TimeGenerated = "20111125085929.000000+480";
TimeWritten = "20111125085929.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747187500";
};

******************************************==13==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 84, 1, 0, 0, 96, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 64, 1, 12, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 97, 0, 110, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 4625;
EventIdentifier = 1073746449;
EventType = 3;
InsertionStrings = {"86400", "SuppressDuplicateDuration", "Software\\Microsoft\\EventSystem\\EventLog"};
Logfile = "Application";
Message = "EventSystem 子系统正在取消 86400 秒持续时间内重复的事件日志项。可以通过下列注册表项下名为 SuppressDuplicateDuration 的 REG_DWORD 值控制取消超时: HKLM\\Software\\Microsoft\\EventSystem\\EventLog。
\n";
RecordNumber = 153;
SourceName = "EventSystem";
TimeGenerated = "20111125085929.000000+480";
TimeWritten = "20111125085929.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747187501";
};

******************************************==14==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 84, 1, 0, 0, 96, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 64, 1, 12, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 97, 0, 110, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 100;
ComputerName = "UFC-6A0A0B1F76C";
Data = {65, 112, 112, 108, 105, 99, 97, 116, 105, 111, 110, 32, 70, 97, 105, 108, 117, 114, 101, 32, 32, 115, 118, 99, 104, 111, 115, 116, 46, 101, 120, 101, 32, 53, 46, 50, 46, 51, 55, 57, 48, 46, 51, 57, 53, 57, 32, 105, 110, 32, 107, 101, 114, 110, 101, 108, 51, 50, 46, 100, 108, 108, 32, 53, 46, 50, 46, 51, 55, 57, 48, 46, 51, 57, 53, 57, 32, 97, 116, 32, 111, 102, 102, 115, 101, 116, 32, 48, 48, 48, 54, 98, 101, 98, 56};
EventCode = 1004;
EventIdentifier = 1004;
EventType = 3;
InsertionStrings = {"svchost.exe", "5.2.3790.3959", "kernel32.dll", "5.2.3790.3959", "0006beb8"};
Logfile = "Application";
Message = "报告队列中的错误: 错误应用程序 svchost.exe,版本 5.2.3790.3959,错误模块 kernel32.dll,版本 5.2.3790.3959,错误地址 0x0006beb8。
\n";
RecordNumber = 154;
SourceName = "Application Error";
TimeGenerated = "20111125085942.000000+480";
TimeWritten = "20111125085942.000000+480";
Type = "信息";
};
TIME_CREATED = "129666564747187502";
};

******************************************==15==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 528;
EventIdentifier = 528;
EventType = 4;
InsertionStrings = {"SYSTEM", "NT AUTHORITY", "(0x0,0x3E7)", "0", "-", "-", "-", "-", "-", "-", "-", "4", "-", "-", "-"};
Logfile = "Security";
Message = "登录成功:
\n
\n\t用户名: \tSYSTEM
\n
\n\t域: \t\tNT AUTHORITY
\n
\n\t登录 ID: \t\t(0x0,0x3E7)
\n
\n\t登录类型: \t0
\n
\n\t登录进程: \t-
\n
\n\t身份验证数据包: \t-
\n
\n\t工作站名:\t-
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: 4
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t-
\n
\n\t源端口:\t-
\n
\n";
RecordNumber = 3980;
SourceName = "Security";
TimeGenerated = "20111125085926.000000+480";
TimeWritten = "20111125085926.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\SYSTEM";
};
TIME_CREATED = "129666564748281250";
};

******************************************==16==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 528;
EventIdentifier = 528;
EventType = 4;
InsertionStrings = {"NETWORK SERVICE", "NT AUTHORITY", "(0x0,0x3E4)", "5", "Advapi  ", "Negotiate", "", "-", "UFC-6A0A0B1F76C$", "WORKGROUP", "(0x0,0x3E7)", "380", "-", "-", "-"};
Logfile = "Security";
Message = "登录成功:
\n
\n\t用户名: \tNETWORK SERVICE
\n
\n\t域: \t\tNT AUTHORITY
\n
\n\t登录 ID: \t\t(0x0,0x3E4)
\n
\n\t登录类型: \t5
\n
\n\t登录进程: \tAdvapi 
\n
\n\t身份验证数据包: \tNegotiate
\n
\n\t工作站名:\t
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\tUFC-6A0A0B1F76C$
\n
\n\t调用方域:\tWORKGROUP
\n
\n\t调用方登录 ID:\t(0x0,0x3E7)
\n
\n\t调用方进程 ID: 380
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t-
\n
\n\t源端口:\t-
\n
\n";
RecordNumber = 3981;
SourceName = "Security";
TimeGenerated = "20111125085926.000000+480";
TimeWritten = "20111125085926.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\NETWORK SERVICE";
};
TIME_CREATED = "129666564748281251";
};

******************************************==17==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"NETWORK SERVICE", "NT AUTHORITY", "(0x0,0x3E4)", "SeAuditPrivilege
\n\t\t\tSeAssignPrimaryTokenPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tNETWORK SERVICE
\n
\n\t域:\t\tNT AUTHORITY
\n
\n\t登录 ID:\t\t(0x0,0x3E4)
\n
\n\t特权:\tSeAuditPrivilege
\n\t\t\tSeAssignPrimaryTokenPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 3982;
SourceName = "Security";
TimeGenerated = "20111125085926.000000+480";
TimeWritten = "20111125085926.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\NETWORK SERVICE";
};
TIME_CREATED = "129666564748281252";
};

******************************************==18==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 528;
EventIdentifier = 528;
EventType = 4;
InsertionStrings = {"LOCAL SERVICE", "NT AUTHORITY", "(0x0,0x3E5)", "5", "Advapi  ", "Negotiate", "", "-", "UFC-6A0A0B1F76C$", "WORKGROUP", "(0x0,0x3E7)", "380", "-", "-", "-"};
Logfile = "Security";
Message = "登录成功:
\n
\n\t用户名: \tLOCAL SERVICE
\n
\n\t域: \t\tNT AUTHORITY
\n
\n\t登录 ID: \t\t(0x0,0x3E5)
\n
\n\t登录类型: \t5
\n
\n\t登录进程: \tAdvapi 
\n
\n\t身份验证数据包: \tNegotiate
\n
\n\t工作站名:\t
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\tUFC-6A0A0B1F76C$
\n
\n\t调用方域:\tWORKGROUP
\n
\n\t调用方登录 ID:\t(0x0,0x3E7)
\n
\n\t调用方进程 ID: 380
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t-
\n
\n\t源端口:\t-
\n
\n";
RecordNumber = 3983;
SourceName = "Security";
TimeGenerated = "20111125085926.000000+480";
TimeWritten = "20111125085926.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\LOCAL SERVICE";
};
TIME_CREATED = "129666564748281253";
};

******************************************==19==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"LOCAL SERVICE", "NT AUTHORITY", "(0x0,0x3E5)", "SeAuditPrivilege
\n\t\t\tSeAssignPrimaryTokenPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tLOCAL SERVICE
\n
\n\t域:\t\tNT AUTHORITY
\n
\n\t登录 ID:\t\t(0x0,0x3E5)
\n
\n\t特权:\tSeAuditPrivilege
\n\t\t\tSeAssignPrimaryTokenPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 3984;
SourceName = "Security";
TimeGenerated = "20111125085926.000000+480";
TimeWritten = "20111125085926.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\LOCAL SERVICE";
};
TIME_CREATED = "129666564748281254";
};

******************************************==20==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {"", "", "(0x0,0xC2DE)", "3", "NtLmSsp ", "NTLM", "", "-", "-", "-", "-", "-", "-", "-", "-"};
Logfile = "Security";
Message = "成功的网络登录:
\n
\n\t用户名:\t
\n
\n\t域:\t\t
\n
\n\t登录 ID:\t\t(0x0,0xC2DE)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\t
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t-
\n
\n\t源端口:\t-
\n
\n";
RecordNumber = 3985;
SourceName = "Security";
TimeGenerated = "20111125085929.000000+480";
TimeWritten = "20111125085929.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\ANONYMOUS LOGON";
};
TIME_CREATED = "129666564748437500";
};

******************************************==21==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = "帐户登录";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "Administrator", "UFC-6A0A0B1F76C", "0x0"};
Logfile = "Security";
Message = "尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户:  \tAdministrator
\n
\n源工作站: \tUFC-6A0A0B1F76C
\n
\n错误代码: \t0x0
\n
\n";
RecordNumber = 3986;
SourceName = "Security";
TimeGenerated = "20111125085941.000000+480";
TimeWritten = "20111125085942.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748593750";
};

******************************************==22==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 552;
EventIdentifier = 552;
EventType = 4;
InsertionStrings = {"UFC-6A0A0B1F76C$", "WORKGROUP", "(0x0,0x3E7)", "-", "Administrator", "UFC-6A0A0B1F76C", "-", "localhost", "localhost", "332", "127.0.0.1", "0"};
Logfile = "Security";
Message = "使用明确凭据的登录尝试:
\n
\n登录的用户:
\n
\n\t用户名:\tUFC-6A0A0B1F76C$
\n
\n\t域:\t\tWORKGROUP
\n
\n\t登录 ID:\t\t(0x0,0x3E7)
\n
\n\t登录 GUID:\t-
\n
\n凭据被使用的用户:
\n
\n\t目标用户名:\tAdministrator
\n
\n\t目标域:\tUFC-6A0A0B1F76C
\n
\n\t目标登录 GUID: -
\n
\n
\n目标服务器名称:\tlocalhost
\n
\n目标服务器信息:\tlocalhost
\n
\n调用方进程 ID:\t332
\n
\n源网络地址:\t127.0.0.1
\n
\n源端口:\t0
\n
\n";
RecordNumber = 3987;
SourceName = "Security";
TimeGenerated = "20111125085941.000000+480";
TimeWritten = "20111125085942.000000+480";
Type = "审核成功";
User = "NT AUTHORITY\\SYSTEM";
};
TIME_CREATED = "129666564748593751";
};

******************************************==23==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 528;
EventIdentifier = 528;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x10AB2)", "2", "User32  ", "Negotiate", "UFC-6A0A0B1F76C", "-", "UFC-6A0A0B1F76C$", "WORKGROUP", "(0x0,0x3E7)", "332", "-", "127.0.0.1", "0"};
Logfile = "Security";
Message = "登录成功:
\n
\n\t用户名: \tAdministrator
\n
\n\t域: \t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID: \t\t(0x0,0x10AB2)
\n
\n\t登录类型: \t2
\n
\n\t登录进程: \tUser32 
\n
\n\t身份验证数据包: \tNegotiate
\n
\n\t工作站名:\tUFC-6A0A0B1F76C
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\tUFC-6A0A0B1F76C$
\n
\n\t调用方域:\tWORKGROUP
\n
\n\t调用方登录 ID:\t(0x0,0x3E7)
\n
\n\t调用方进程 ID: 332
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t127.0.0.1
\n
\n\t源端口:\t0
\n
\n";
RecordNumber = 3988;
SourceName = "Security";
TimeGenerated = "20111125085941.000000+480";
TimeWritten = "20111125085942.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748593752";
};

******************************************==24==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x10AB2)", "SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x10AB2)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 3989;
SourceName = "Security";
TimeGenerated = "20111125085941.000000+480";
TimeWritten = "20111125085942.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750000";
};

******************************************==25==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = "帐户登录";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "administrator", "\\\\192.168.4.254", "0x0"};
Logfile = "Security";
Message = "尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户:  \tadministrator
\n
\n源工作站: \t\\\\192.168.4.254
\n
\n错误代码: \t0x0
\n
\n";
RecordNumber = 3990;
SourceName = "Security";
TimeGenerated = "20111125090112.000000+480";
TimeWritten = "20111125090112.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750001";
};

******************************************==26==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1A9BF)", "SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1A9BF)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 3991;
SourceName = "Security";
TimeGenerated = "20111125090112.000000+480";
TimeWritten = "20111125090112.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750002";
};

******************************************==27==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1A9BF)", "3", "NtLmSsp ", "NTLM", "\\\\192.168.4.254", "-", "-", "-", "-", "-", "-", "192.168.4.254", "0"};
Logfile = "Security";
Message = "成功的网络登录:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1A9BF)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\t\\\\192.168.4.254
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t192.168.4.254
\n
\n\t源端口:\t0
\n
\n";
RecordNumber = 3992;
SourceName = "Security";
TimeGenerated = "20111125090112.000000+480";
TimeWritten = "20111125090112.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750003";
};

******************************************==28==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = "帐户登录";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "administrator", "JCIFS8_186_16", "0x0"};
Logfile = "Security";
Message = "尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户:  \tadministrator
\n
\n源工作站: \tJCIFS8_186_16
\n
\n错误代码: \t0x0
\n
\n";
RecordNumber = 3993;
SourceName = "Security";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750004";
};

******************************************==29==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1C919)", "SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1C919)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 3994;
SourceName = "Security";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750005";
};

******************************************==30==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1C919)", "3", "NtLmSsp ", "NTLM", "JCIFS8_186_16", "-", "-", "-", "-", "-", "-", "192.168.4.254", "1863"};
Logfile = "Security";
Message = "成功的网络登录:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1C919)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\tJCIFS8_186_16
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t192.168.4.254
\n
\n\t源端口:\t1863
\n
\n";
RecordNumber = 3995;
SourceName = "Security";
TimeGenerated = "20111125090113.000000+480";
TimeWritten = "20111125090113.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750006";
};

******************************************==31==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = "帐户登录";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "administrator", "JCIFS8_186_16", "0x0"};
Logfile = "Security";
Message = "尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户:  \tadministrator
\n
\n源工作站: \tJCIFS8_186_16
\n
\n错误代码: \t0x0
\n
\n";
RecordNumber = 3996;
SourceName = "Security";
TimeGenerated = "20111125090114.000000+480";
TimeWritten = "20111125090114.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750007";
};

******************************************==32==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1CE72)", "SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1CE72)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 3997;
SourceName = "Security";
TimeGenerated = "20111125090114.000000+480";
TimeWritten = "20111125090114.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750008";
};

******************************************==33==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1CE72)", "3", "NtLmSsp ", "NTLM", "JCIFS8_186_16", "-", "-", "-", "-", "-", "-", "192.168.4.254", "1864"};
Logfile = "Security";
Message = "成功的网络登录:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1CE72)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\tJCIFS8_186_16
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t192.168.4.254
\n
\n\t源端口:\t1864
\n
\n";
RecordNumber = 3998;
SourceName = "Security";
TimeGenerated = "20111125090114.000000+480";
TimeWritten = "20111125090114.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750009";
};

******************************************==34==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = "帐户登录";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "administrator", "JCIFS8_186_16", "0x0"};
Logfile = "Security";
Message = "尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户:  \tadministrator
\n
\n源工作站: \tJCIFS8_186_16
\n
\n错误代码: \t0x0
\n
\n";
RecordNumber = 3999;
SourceName = "Security";
TimeGenerated = "20111125090114.000000+480";
TimeWritten = "20111125090114.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750010";
};

******************************************==35==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1CE8B)", "SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1CE8B)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 4000;
SourceName = "Security";
TimeGenerated = "20111125090114.000000+480";
TimeWritten = "20111125090114.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750011";
};

******************************************==36==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1CE8B)", "3", "NtLmSsp ", "NTLM", "JCIFS8_186_16", "-", "-", "-", "-", "-", "-", "192.168.4.254", "1865"};
Logfile = "Security";
Message = "成功的网络登录:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1CE8B)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\tJCIFS8_186_16
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t192.168.4.254
\n
\n\t源端口:\t1865
\n
\n";
RecordNumber = 4001;
SourceName = "Security";
TimeGenerated = "20111125090114.000000+480";
TimeWritten = "20111125090114.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666564748750012";
};

******************************************==37==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 538;
EventIdentifier = 538;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1A9BF)", "3"};
Logfile = "Security";
Message = "用户注销:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1A9BF)
\n
\n\t登录类型:\t3
\n
\n";
RecordNumber = 4002;
SourceName = "Security";
TimeGenerated = "20111125090148.000000+480";
TimeWritten = "20111125090148.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666565081875000";
};

******************************************==38==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 84, 1, 0, 0, 96, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 64, 1, 12, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 97, 0, 110, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
Data = {94, 9, 0, 0, 95, 9, 0, 0, 84, 5, 0, 0};
EventCode = 1001;
EventIdentifier = 1073742825;
EventType = 3;
InsertionStrings = {"WmiApRpl", "WmiApRpl"};
Logfile = "Application";
Message = "已成功删除 WmiApRpl (WmiApRpl)服务的性能计数器。记录数据含有系统上一个计数器和上一个“帮助”注册表项的新数值。
\n";
RecordNumber = 155;
SourceName = "LoadPerf";
TimeGenerated = "20111125090331.000000+480";
TimeWritten = "20111125090331.000000+480";
Type = "信息";
};
TIME_CREATED = "129666566116718750";
};

******************************************==39==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 84, 1, 0, 0, 96, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 64, 1, 12, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 97, 0, 110, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 99, 0, 101, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 99, 0, 101, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
Data = {96, 9, 0, 0, 108, 9, 0, 0, 97, 9, 0, 0, 109, 9, 0, 0};
EventCode = 1000;
EventIdentifier = 1073742824;
EventType = 3;
InsertionStrings = {"WmiApRpl", "WmiApRpl"};
Logfile = "Application";
Message = "已成功加载 WmiApRpl (WmiApRpl)服务的性能计数器。记录数据含有分配给这个服务的新索引数值。
\n";
RecordNumber = 156;
SourceName = "LoadPerf";
TimeGenerated = "20111125090331.000000+480";
TimeWritten = "20111125090331.000000+480";
Type = "信息";
};
TIME_CREATED = "129666566169062500";
};

******************************************==40==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 9;
CategoryString = "帐户登录";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 680;
EventIdentifier = 680;
EventType = 4;
InsertionStrings = {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "administrator", "JCIFS8_186_16", "0x0"};
Logfile = "Security";
Message = "尝试登录的用户: \tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
\n
\n登录帐户:  \tadministrator
\n
\n源工作站: \tJCIFS8_186_16
\n
\n错误代码: \t0x0
\n
\n";
RecordNumber = 4003;
SourceName = "Security";
TimeGenerated = "20111125090510.000000+480";
TimeWritten = "20111125090510.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666567102656250";
};

******************************************==41==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 576;
EventIdentifier = 576;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1F28E)", "SeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege"};
Logfile = "Security";
Message = "指派给新登录的特殊权限:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1F28E)
\n
\n\t特权:\tSeSecurityPrivilege
\n\t\t\tSeBackupPrivilege
\n\t\t\tSeRestorePrivilege
\n\t\t\tSeTakeOwnershipPrivilege
\n\t\t\tSeDebugPrivilege
\n\t\t\tSeSystemEnvironmentPrivilege
\n\t\t\tSeLoadDriverPrivilege
\n\t\t\tSeImpersonatePrivilege
\n";
RecordNumber = 4004;
SourceName = "Security";
TimeGenerated = "20111125090510.000000+480";
TimeWritten = "20111125090510.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666567102656251";
};

******************************************==42==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 108, 0, 0, 0, 120, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 88, 0, 3, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 2;
CategoryString = "登录/注销";
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 540;
EventIdentifier = 540;
EventType = 4;
InsertionStrings = {"Administrator", "UFC-6A0A0B1F76C", "(0x0,0x1F28E)", "3", "NtLmSsp ", "NTLM", "JCIFS8_186_16", "-", "-", "-", "-", "-", "-", "192.168.4.254", "1900"};
Logfile = "Security";
Message = "成功的网络登录:
\n
\n\t用户名:\tAdministrator
\n
\n\t域:\t\tUFC-6A0A0B1F76C
\n
\n\t登录 ID:\t\t(0x0,0x1F28E)
\n
\n\t登录类型:\t3
\n
\n\t登录过程:\tNtLmSsp
\n
\n\t身份验证数据包:\tNTLM
\n
\n\t工作站名:\tJCIFS8_186_16
\n
\n\t登录 GUID:\t-
\n
\n\t调用方用户名:\t-
\n
\n\t调用方域:\t-
\n
\n\t调用方登录 ID:\t-
\n
\n\t调用方进程 ID: -
\n
\n\t传递服务: -
\n
\n\t源网络地址:\t192.168.4.254
\n
\n\t源端口:\t1900
\n
\n";
RecordNumber = 4005;
SourceName = "Security";
TimeGenerated = "20111125090510.000000+480";
TimeWritten = "20111125090510.000000+480";
Type = "审核成功";
User = "UFC-6A0A0B1F76C\\Administrator";
};
TIME_CREATED = "129666567102656252";
};

******************************************==43==****************************

instance of __InstanceCreationEvent
{
SECURITY_DESCRIPTOR = {1, 0, 4, 128, 32, 1, 0, 0, 44, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 12, 1, 10, 0, 0, 0, 1, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 7, 0, 0, 0, 0, 0, 0, 0, 1, 0, 28, 0, 95, 0, 15, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 34, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 95, 0, 15, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 34, 2, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 39, 2, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 69, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 37, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 65, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 37, 2, 0, 0, 0, 0, 28, 0, 66, 0, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 0, 0, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0, 32, 2, 0, 0, 0, 0, 24, 0, 66, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 20, 0, 0, 0, 32, 2, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};
TargetInstance =
instance of Win32_NTLogEvent
{
Category = 0;
ComputerName = "UFC-6A0A0B1F76C";
EventCode = 17;
EventIdentifier = 2186936337;
EventType = 1;
InsertionStrings = {"time.windows.com,0x1", "套接字操作尝试一个无法连接的主机。 (0x80072751)", "30"};
Logfile = "System";
Message = "时间提供程序 NtpClient: 在 DNS 查询手动配置的对等机器 'time.windows.com,0x1' 时发生一个错误。
\nNtpClient 将在 30 分钟内重试 NDS 查询。
\n错误为: 套接字操作尝试一个无法连接的主机。 (0x80072751)
\n";
RecordNumber = 662;
SourceName = "W32Time";
TimeGenerated = "20111125091430.000000+480";
TimeWritten = "20111125091430.000000+480";
Type = "错误";
};
TIME_CREATED = "129666572702812500";
};

-------------------------
三类日志信息都输出了，例如 Logfile = "System"；根据每条事件的 Logfile 字段即可区分它属于 Security、Application 还是 System 日志。