Windows 2000 keeps several event logs: Application, Security, System, and on a DNS server also the DNS Server log. They live under %SystemRoot%\System32\Config and each defaults to 512 KB:
Security     %SystemRoot%\System32\Config\SecEvent.Evt
System       %SystemRoot%\System32\Config\SysEvent.Evt
Application  %SystemRoot%\System32\Config\AppEvent.Evt
The logs are registered in the registry under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
with one subkey per log (Application, Security, System). The size can be raised from the default 512 KB; when a log fills up and is not allowed to overwrite old events, the Event Log service reports an error that the log is full and new events are lost. To change a log's settings, modify the values under its subkey (or use the script below).
1 --- Log configuration
Microsoft also provides a script that sets every log's maximum size to about 25 MB and allows events older than 14 days to be overwritten. It uses WMI (Windows Management Instrumentation), the system management interface Microsoft ships with Windows:
strComputer = "."
' impersonate = act as the calling user; (Security) is needed to touch the Security log
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" & _
    strComputer & "\root\cimv2")   ' get the WMI service object
Set colLogFiles = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NTEventLogFile")   ' one instance per event log
For Each objLogFile In colLogFiles
    objLogFile.MaxFileSize = 25000000      ' about 25 MB (Windows rounds to a 64 KB multiple)
    objLogFile.OverwriteOutdated = 14      ' events older than 14 days may be overwritten
    objLogFile.Put_                        ' commit the change to the log
Next
Save the above as a *.vbs file and it is ready to use. strComputer = "." means the local machine;
to run it against another machine put that host name in place of "." (you need an IPC$ connection to it with administrator privileges).
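The same configuration change done from PowerShell, as an added example (not code from the original page): it uses the Win32_NTEventLogFile class the VBScript above uses, commits the new size and retention for every log, and then cross-checks the result against the registry subkeys listed at the top of the page. The parameter names, the 25 MB value and the local-only registry check are assumptions for the demo; run it elevated.

```powershell
# Added example (not from the original page): set the maximum size and
# retention of every classic event log through Win32_NTEventLogFile and
# verify the result against HKLM\SYSTEM\CurrentControlSet\Services\EventLog.
# -EnableAllPrivileges is required so the Security log (SeSecurityPrivilege)
# can be written; without it Put() on that instance fails with access denied.
param(
    [string]$ComputerName = '.',          # '.' = local machine, as in the VBScript
    [int]$MaxSizeBytes    = 25000000,     # about 25 MB, the value the page's script sets
    [int]$OverwriteDays   = 14            # overwrite events older than 14 days
)

$logs = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $ComputerName -EnableAllPrivileges

foreach ($log in $logs) {
    $log.MaxFileSize       = $MaxSizeBytes
    $log.OverwriteOutdated = $OverwriteDays   # 0 = overwrite as needed, 4294967295 = never overwrite
    $log.Put() | Out-Null                     # commits the change; throws if access is denied
    "{0,-12} MaxFileSize={1,10}  OverwriteOutdated={2} days" -f $log.LogFileName, $MaxSizeBytes, $OverwriteDays
}

# Cross-check with the registry values behind each log (local machine only).
# MaxSize is stored in bytes rounded to a 64 KB multiple; Retention is the
# same retention period expressed in seconds (14 days = 1209600).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
Get-ChildItem $key | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    [pscustomobject]@{
        Log       = $_.PSChildName
        File      = $p.File
        MaxSize   = $p.MaxSize
        Retention = $p.Retention
    }
} | Format-Table -AutoSize
```

If the Retention column does not show 1209600 for a log you changed, the Put() for that log did not take effect (usually a missing privilege on the Security log).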
2 --- Log Query and Backup
The Microsoft Resource Kit includes Dumpel.exe. I did not find it when writing this, :P, but its usage is easy enough to pick up.
It is run from CMD:
dumpel -f filename -s \\server -l log
-f filename    file to write the dump to
-s \\server    remote computer whose log to dump (omit it for the local machine)
-l log         which log: system, security, application (or dns on a DNS server)
For example, to dump the System log of the server Server into backupsystem.log:
dumpel -s \\server -l system -f backupsystem.log
The same can be done with WMI. Example for the Application log, Backuplog.vbs:
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Backup)}!\\" & _
    strComputer & "\root\cimv2")   ' (Backup) grants SeBackupPrivilege, which BackupEventLog needs
Set colLogFiles = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NTEventLogFile WHERE LogFileName = 'Application'")   ' only the Application log
For Each objLogFile In colLogFiles
    errBackupLog = objLogFile.BackupEventLog("f:\Application.evt")   ' back up to f:\Application.evt
    If errBackupLog <> 0 Then   ' 0 = success, 8 = privilege missing, 183 = file already exists
        WScript.Echo "The Application Event log could not be backed up (code " & errBackupLog & ")."
    Else
        WScript.Echo "Success Backup Log"
    End If
Next
On success it prints "Success Backup Log", otherwise "The Application Event log could not be backed up".
The backup is a binary *.evt file, though: opened in Notepad it is garbage, so Dumpel is more convenient for a readable copy (and to look at the files under Config you still need Dumpel or Event Viewer's Open Log File, which is a nuisance).
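A backup with the same WMI method from PowerShell, as an added example (not code from the original page) that also deals with the "garbage in Notepad" problem: it maps the documented return codes of BackupEventLog, avoids the "file already exists" failure (code 183) by timestamping the archive, and reads the binary archive back with Get-WinEvent instead of a text editor. It assumes a modern Windows (Get-WinEvent, .evtx archives; Windows 2000 wrote .evt) and the directory C:\LogBackup; run it elevated.

```powershell
# Added example (not from the original page). Backs up a classic event log
# with Win32_NTEventLogFile.BackupEventLog, like Backuplog.vbs, then reads the
# binary archive back through the event API and writes a greppable CSV copy,
# the role Dumpel played on Windows 2000.
param(
    [string]$LogName   = 'Application',
    [string]$BackupDir = 'C:\LogBackup'          # assumed destination directory
)

# Documented return values of BackupEventLog
$codes = @{ 0 = 'Success'; 8 = 'Privilege missing (run elevated)';
            21 = 'Invalid parameter'; 183 = 'Archive file already exists' }

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$archive = Join-Path $BackupDir ("{0}-{1}.evtx" -f $LogName, $stamp)   # unique name, so never code 183

$log = Get-WmiObject -Class Win32_NTEventLogFile -Filter "LogFileName='$LogName'" -EnableAllPrivileges
if (-not $log) { throw "No event log named '$LogName'" }

$rc = $log.BackupEventLog($archive).ReturnValue
"BackupEventLog({0}) -> {1}: {2}" -f $LogName, $rc, $codes[[int]$rc]
if ($rc -ne 0) { exit 1 }

# The archive is binary; read it with the event API instead of Notepad.
$events = Get-WinEvent -Path $archive -ErrorAction SilentlyContinue
"{0} events archived; newest five:" -f @($events).Count
$events | Select-Object -First 5 TimeCreated, Id, ProviderName, LevelDisplayName |
    Format-Table -AutoSize

# Plain-text copy next to the archive for grep and spreadsheets
$csv = [System.IO.Path]::ChangeExtension($archive, '.csv')
$events | Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, Message |
    Export-Csv -NoTypeInformation -Path $csv
"text copy written to $csv"
```

Backing up the Security log this way needs both SeBackupPrivilege and SeSecurityPrivilege, which is why the script enables all privileges rather than just (Backup) as the VBScript does.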
3 --- Log Clear
For an attacker this is the important part. I have not really had to deal with it myself, since I have only ever played around on a LAN :), so these notes are mostly for my own use; do not take them too seriously.
The first option, of course, is a tool: Xiao Yi's elsave.exe (I am not sure whether it is included). It needs administrator privileges and an IPC$ connection (which is stating the obvious: if you got in, you have them, haha). From CMD:
elsave -s \\ip -l application -C
(-C is the clear switch; run elsave without arguments to see its full usage)
With WMI it takes a little more writing: first get the log object, then call ClearEventLog() on it.
Cleanevent.vbs
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Backup,Security)}!\\" & _
    strComputer & "\root\cimv2")   ' (Security) is needed to clear the Security log
myLogs = Array("Application", "System", "Security")   ' add any other log name here
For Each logName In myLogs
    Set colLogFiles = objWMIService.ExecQuery _
        ("SELECT * FROM Win32_NTEventLogFile WHERE LogFileName = '" & logName & "'")
    For Each objLogFile In colLogFiles
        errClear = objLogFile.ClearEventLog()   ' 0 = success, 8 = privilege missing
        WScript.Echo logName & ": " & errClear
    Next
Next
The code above puts the log names in an array (Application, System, Security); to include any other log, add its name to the array.
The outer For loop then walks the array and clears each log in turn. Note that clearing is itself recorded: on Windows 2000 the Security log gets event 517, "The audit log was cleared", as its first new entry.
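The same clear from PowerShell, as an added example (not code from the original page), with two things the VBScript does not show: ClearEventLog accepts an optional archive path, so "back up, then clear" is one call, and clearing leaves its own trace, which the script displays afterwards. The event IDs are for modern Windows (1102 in Security, 104 in System; Windows 2000/XP/2003 used 517 for the Security log), the C:\LogBackup directory is an assumption, and it must run elevated.

```powershell
# Added example (not from the original page). Clears the logs Cleanevent.vbs
# names through Win32_NTEventLogFile.ClearEventLog, archiving each one first,
# then shows the record that the clearing itself leaves behind.
param(
    [string[]]$Logs       = @('Application', 'System', 'Security'),
    [string]  $ArchiveDir = 'C:\LogBackup'   # assumed; pass '' to clear without archiving
)
if ($ArchiveDir) { New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null }

foreach ($name in $Logs) {
    $log = Get-WmiObject -Class Win32_NTEventLogFile -Filter "LogFileName='$name'" -EnableAllPrivileges
    if (-not $log) { Write-Warning "no log named $name"; continue }
    if ($ArchiveDir) {
        $archive = Join-Path $ArchiveDir ("{0}-{1}.evtx" -f $name, (Get-Date -Format 'yyyyMMdd-HHmmss'))
        $rc = $log.ClearEventLog($archive).ReturnValue   # archive to this file, then clear
    } else {
        $rc = $log.ClearEventLog().ReturnValue           # clear without archiving
    }
    "ClearEventLog({0}) -> {1}" -f $name, $rc            # 0 = success, 8 = privilege missing, 183 = archive exists
}

# What a defender sees afterwards: clearing does not remove the record of the clearing.
# Security 1102 "The audit log was cleared" names the account that did it;
# System 104 records the clearing of the other logs.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 3 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104 } -MaxEvents 3 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

A detection rule on those two event IDs catches both this script and elsave, since both go through the same ClearEventLog API.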
1. Writing an event from a script with the LogEvent method is very simple; look at the code below.
Createlog.vbs
Set ws = WScript.CreateObject("WScript.Shell")
ws.LogEvent 0, "Write Log Success"   ' writes a Success event to the Application log
This is easy to read: first get a WScript.Shell object, then call its LogEvent method.
LogEvent usage: ws.LogEvent EventType, "Description" [, RemoteSystem]
EventType is the event type: 0 success, 1 error, 2 warning, 4 information, 8 audit success, 16 audit failure.
So in the code above, change the 0 to 1, 2, 4, 8 or 16, and change the text in quotes to the description you want.
The drawback of this method is that it can only write to the Application log, and the source is always WSH (Windows Scripting Host), so it is not much use for hiding anything.
2. To make life easier for administrators and programmers, Microsoft added a command line tool, EventCreate.exe, which makes creating an event even simpler.
eventcreate /S server /U username /P password /L logname /SO source /T eventtype /ID id /D "description"
Meaning: /S creates the event on a remote host; /U and /P are the user name and password for that host.
/L the log: you can write to System and Application, but not to the Security log.
/SO the event source, which can be any name. /T the event type: SUCCESS, ERROR, WARNING or INFORMATION.
/D the description, which can be any text. /ID the event ID you choose, in the range 1-1000.
For example, to create a System log event locally with source administrator, type warning, description "this is a test" and event ID 500,
use the following parameters:
eventcreate /L SYSTEM /SO administrator /T WARNING /D "this is a test" /ID 500
This tool cannot create Security log events. As for how to create a Security log entry, I hope someone finds a good way!
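The same test event written from PowerShell, as an added example (not code from the original page), showing the step eventcreate hides: the source has to be registered under the target log before the event API accepts it, which is also why a source name cannot be freely reused across logs. The source name LogTestSource and the message are assumptions; run it elevated, since registering a source creates a key under HKLM\SYSTEM\CurrentControlSet\Services\EventLog.

```powershell
# Added example (not from the original page). Registers an event source under
# the chosen log (if needed), writes a Warning event with it, and reads it back.
# Like eventcreate, this cannot write to the Security log: only the audit
# subsystem (LSA) may do that, and Write-EventLog gets access denied there.
param(
    [string]$LogName = 'System',
    [string]$Source  = 'LogTestSource',   # assumed source name, like the page's "administrator"
    [int]   $EventId = 500                # eventcreate limits /ID to 1-1000; Write-EventLog allows 0-65535
)

# SourceExists throws rather than returning $false when the caller cannot read
# the Security key, hence the try/catch.
$exists = $false
try { $exists = [System.Diagnostics.EventLog]::SourceExists($Source) } catch { $exists = $false }

if (-not $exists) {
    New-EventLog -LogName $LogName -Source $Source     # registers the source under the log
    "registered source '$Source' under the $LogName log"
} elseif ([System.Diagnostics.EventLog]::LogNameFromSourceName($Source, '.') -ne $LogName) {
    throw "source '$Source' is already registered under a different log"
}

Write-EventLog -LogName $LogName -Source $Source -EventId $EventId -EntryType Warning -Message 'this is a test'

# Read it back; an event created with "eventcreate /SO $Source" shows up the same way.
Get-EventLog -LogName $LogName -Source $Source -Newest 1 |
    Select-Object TimeGenerated, EntryType, EventID, Source, Message
```

Removing the test source afterwards is Remove-EventLog -Source $Source; the event itself stays in the log.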
As a supplement, here is a way to save the logs on a schedule. It still uses Dumpel.exe from the Resource Kit, but runs it through the Run method of WScript.Shell. Dumpel's usage is the same as above:
dumpel -f file -s \\server -l log (once you have the tool, you will see the rest of its options)
I do not know WScript.Shell well enough to fully explain the script, so the code is copied as is:
LogReport.js
// LogReport.js: dump the last day of each log with Dumpel.exe and wrap the
// dump in a simple HTML page named <computer>-<month>-<day>-<log>.htm
var month = new Array(13);   // 1-based, see dateString()
month[1] = "January";
month[2] = "February";
month[3] = "March";
month[4] = "April";
month[5] = "May";
month[6] = "June";
month[7] = "July";
month[8] = "August";
month[9] = "September";
month[10] = "October";
month[11] = "November";
month[12] = "December";
var days = new Array(8);     // 1-based, see dateString()
days[1] = "Sunday";
days[2] = "Monday";
days[3] = "Tuesday";
days[4] = "Wednesday";
days[5] = "Thursday";
days[6] = "Friday";
days[7] = "Saturday";

// "Sunday, January 1" style date for the report heading
function dateString(aDate)
{
    var currentDay = days[aDate.getDay() + 1];
    var currentMonth = month[aDate.getMonth() + 1];
    return currentDay + ", " + currentMonth + " " + aDate.getDate();
}

var ws = WScript.CreateObject("WScript.Shell");
var c = ws.ExpandEnvironmentStrings("%COMPUTERNAME%");   // reports are named after this computer
var server = c;                                           // computer whose logs are dumped
var netDrive = "\\\\Data\\Backup\\";                      // share the reports are written to; adjust
var today = new Date();
var logDay = today.getDate();
var logMonth = today.getMonth() + 1;
var logArray = new Array("System", "Application", "Security");

// dump the last day (-d 1) of each log into <computer>-<month>-<day>-<log>.log
for (var l = 0; l < logArray.length; l++) {
    var base = netDrive + c + "-" + logMonth + "-" + logDay + "-" + logArray[l];
    ws.Run("dumpel.exe -s \\\\" + server + " -l " + logArray[l] + " -f " + base + ".log -d 1", 0, true);
}

var ForReading = 1, ForAppending = 8;
var fs = new ActiveXObject("Scripting.FileSystemObject");
for (var l = 0; l < logArray.length; l++) {
    var base = netDrive + c + "-" + logMonth + "-" + logDay + "-" + logArray[l];
    var f = fs.OpenTextFile(base + ".log", ForReading, true);
    var fContents = f.ReadAll();   // the Dumpel text dump
    f.Close();
    f = fs.OpenTextFile(base + ".htm", ForAppending, true);
    var fHeader = "<html><head><title>";
    fHeader += logArray[l] + " Log Report for " + c;
    fHeader += "</title></head><body><h1>";
    fHeader += logArray[l] + " Log Report for " + c;
    fHeader += "</h1><h3>";
    fHeader += dateString(today);
    fHeader += "</h3><pre>";
    f.Write(fHeader);
    f.Write(fContents);
    var fFooter = "</pre></body></html>";
    f.Write(fFooter);
    f.Close();
}
Save it as *.js next to Dumpel.exe and it is ready to use.
To run it automatically, use the graphical Scheduled Tasks, or the at command:
at \\server 00:00 /every:M,T,W,Th,F,S,Su "cscript path\LogReport.js"
server is the computer on which the job is scheduled, and path is where LogReport.js is stored (by default the job runs from %SystemRoot%).
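The same daily report done from PowerShell, as an added example (not code from the original page): it replaces the Dumpel.exe dump with Get-WinEvent and the hand-built HTML with ConvertTo-Html, writing one <computer>-<yyyyMMdd>-<log>.htm page per log with the last day of events. The report directory and the schtasks command in the comment are assumptions; reading the Security log needs an elevated session, which is why the scheduled task runs as SYSTEM.

```powershell
# Added example (not from the original page): daily HTML log report, the
# PowerShell counterpart of LogReport.js. Schedule it with Task Scheduler,
# the successor of at.exe, for example:
#   schtasks /Create /SC DAILY /ST 00:00 /TN LogReport /RU SYSTEM ^
#            /TR "powershell.exe -NoProfile -File C:\Scripts\LogReport.ps1"
param(
    [string]  $ReportRoot = 'C:\LogReports',                      # assumed; a UNC share such as \\Data\Backup also works
    [string[]]$Logs       = @('System', 'Application', 'Security'),
    [int]     $Days       = 1                                     # like "dumpel -d 1": the last day only
)
$computer = $env:COMPUTERNAME
$today    = Get-Date
$since    = $today.AddDays(-$Days)
New-Item -ItemType Directory -Path $ReportRoot -Force | Out-Null

foreach ($log in $Logs) {
    # events newer than $since; Security is empty (with a warning suppressed) when not elevated
    $events = Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue
    $title  = "$log Log Report for $computer"
    $pre    = "<h1>$title</h1><h3>$($today.ToString('dddd, MMMM d'))</h3>"
    $rows   = $events | Select-Object TimeCreated, Id, LevelDisplayName, ProviderName,
                  @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }   # first line of the message only
    $out    = Join-Path $ReportRoot ("{0}-{1}-{2}.htm" -f $computer, $today.ToString('yyyyMMdd'), $log)
    $rows | ConvertTo-Html -Title $title -PreContent $pre | Out-File -FilePath $out -Encoding utf8
    "{0,-12} {1,6} events -> {2}" -f $log, @($events).Count, $out
}
```

Unlike the JScript version, which appends to an existing .htm, Out-File overwrites the day's file, so rerunning the task does not duplicate the report.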