Logs and Processes
Application log storage path:
C:\Windows\System32\winevt\Logs
Service that manages the event logs: Windows Event Log
After stopping this service, the 133 log files in that path can be deleted;
when the service is started again, the 133 log files are automatically recreated in that path (initially 68 KB each);
double-clicking one of these files opens the Event Viewer window;
it can also be opened from the command line: eventvwr
Filtering logs:
eventvwr --- log manager --- select a log --- Action --- Filter Current Log…
Filter criteria that can be selected: date, severity level, etc.;
In the event log, every event carries a severity level, ranging from informational events through general warnings to severe events (such as critical errors and failures).
Information: an informational event occurred in the system, usually associated with a successful action;
Warning: a general warning, typically used to alert the user so that a future system problem can be prevented;
Error: a critical error occurred in the system, for example a service failed to start;
Success Audit: an operation tracked by auditing completed successfully, for example privilege use;
Failure Audit: an operation tracked by auditing failed, for example a failed logon;
Event log management: wevtutil
Export a log in .evtx format:
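As an added example (not part of the original notes), here is the same filter expressed on the command line instead of in the Event Viewer dialog: first with the page's own tool, wevtutil qe and an XPath query, then with PowerShell's Get-WinEvent. Level numbers follow the Windows convention (1 Critical, 2 Error, 3 Warning, 4 Information); the choice of the System log and a 24-hour window is arbitrary for this example, and reading the Security log for the audit events requires an elevated prompt.

```powershell
# Added example: filter an event log by severity and date from the command line.
# Level values: 1 = Critical, 2 = Error, 3 = Warning, 4 = Information.

# wevtutil: XPath query for Error events created in the last 24 hours (86400000 ms),
# newest first (/rd:true), at most 10 events (/c:10), rendered as text (/f:text).
wevtutil qe System /q:"*[System[(Level=2) and TimeCreated[timediff(@SystemTime) <= 86400000]]]" /rd:true /c:10 /f:text

# Same filter in PowerShell. A FilterHashtable is evaluated by the Event Log service
# itself, so it is far faster than reading every event and piping through Where-Object.
$since  = (Get-Date).AddDays(-1)
$errors = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Level     = 2
    StartTime = $since
} -ErrorAction SilentlyContinue

# Summarise which providers produced the errors (where to look first).
$errors |
    Group-Object ProviderName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Success and Failure Audit events live in the Security log and are distinguished by
# keyword rather than by level; StandardEventKeywords supplies the keyword values.
$auditFailure = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditFailure
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Keywords  = $auditFailure
    StartTime = $since
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

Both forms apply the filter on the server side; exporting the unfiltered log and grepping the text is the slow way to get the same answer.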
wevtutil epl logname savelocation
wevtutil epl application c:\logs\applog.evtx
Clear the events in a log:
wevtutil cl logname
wevtutil cl application
Or back up first and then clear:
wevtutil cl application /bu:c:\logs\applog.evtx
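The back-up-then-clear sequence above, as an added example rather than the notes' own commands: the script exports the log with wevtutil epl, checks the archive's record count with wevtutil gli /lf:true against the live log's count, and only then clears the live log. The log name, the C:\logs folder and the timestamped file name are choices made for this example.

```powershell
# Added example: archive a log to .evtx, verify the archive, then clear the live log.
# Log name and destination folder are arbitrary choices for this example.
$LogName = 'Application'
$Archive = Join-Path 'C:\logs' ("{0}_{1:yyyyMMdd_HHmmss}.evtx" -f $LogName, (Get-Date))

New-Item -ItemType Directory -Path (Split-Path $Archive) -Force | Out-Null

# Parse "numberOfLogRecords: N" out of the wevtutil gli status block.
function Get-RecordCount {
    param([string[]]$StatusLines)
    $line = $StatusLines | Select-String 'numberOfLogRecords:' | Select-Object -First 1
    if (-not $line) { throw 'numberOfLogRecords not found in wevtutil gli output' }
    [long]($line.ToString().Split(':')[1].Trim())
}

# Record how many events the live log holds before touching it.
$before = Get-RecordCount (wevtutil gli $LogName)

# Export; wevtutil sets a non-zero exit code on failure (e.g. the file already exists).
wevtutil epl $LogName $Archive
if ($LASTEXITCODE -ne 0) { throw "export of $LogName failed with exit code $LASTEXITCODE" }

# Verify the archive is readable and holds at least the events counted above.
# /lf:true tells gli that the argument is a log file path, not a channel name.
$archived = Get-RecordCount (wevtutil gli /lf:true $Archive)
if ($archived -lt $before) {
    throw "archive holds $archived records but the live log reported $before; not clearing"
}

wevtutil cl $LogName
if ($LASTEXITCODE -ne 0) { throw "clearing $LogName failed with exit code $LASTEXITCODE" }
Write-Host "archived $archived $LogName events to $Archive and cleared the live log"
```

Events written between the export and the clear are lost, so this belongs in a maintenance window or should use the single-step /bu form from the notes. Clearing a log is itself logged: the System log records event 104 (Microsoft-Windows-Eventlog, "log file was cleared") and the Security log records event 1102, which is why a cleared log on a host that has no scheduled archive job is a standard detection point for defenders.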
Display processes: tasklist
Display processes together with the services they host: tasklist /svc
Forcibly terminate the process with PID 1346:
taskkill /f /pid 1346
Terminate all processes whose image name is cmd.exe:
taskkill /im cmd.exe
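As an added example (not from the original notes), the process-to-service mapping that tasklist /svc prints, rebuilt in PowerShell from CIM so that the executable path can be shown beside each service-hosting process; this is useful when deciding whether a PID is safe to terminate. The output columns and the decision to list only service-hosting processes are choices made for this example.

```powershell
# Added example: PowerShell equivalent of "tasklist /svc" with the image path added.
# Only processes that host at least one service are listed.

# Index running services by the PID that hosts them (stopped services have PID 0).
$services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 }
$byPid    = $services | Group-Object ProcessId -AsHashTable -AsString

function Get-ServiceHostTable {
    Get-CimInstance Win32_Process | ForEach-Object {
        $hosted = $byPid["$($_.ProcessId)"]
        if ($hosted) {
            [pscustomobject]@{
                PID      = $_.ProcessId
                Image    = $_.Name
                Path     = $_.ExecutablePath
                Services = ($hosted.Name | Sort-Object) -join ', '
            }
        }
    } | Sort-Object PID
}

Get-ServiceHostTable | Format-Table -AutoSize -Wrap

# A shared host such as svchost.exe carries several services, so "taskkill /f /pid"
# on it stops all of them; stop the individual service instead when that is the goal.
# Stop-Service -Name <ServiceName>
```

Run it elevated to see the ExecutablePath of processes owned by other users; without elevation that column is blank for them.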
Performance Monitor:
%windir%\system32\perfmon.msc /s
View the currently configured data collector sets:
logman query
Default log location: %systemdrive%\PerfLogs\Admin
wevtutil
Windows Events Command Line Utility.
Enables you to retrieve information about event logs and publishers, install and uninstall event manifests, run queries, and export, archive, and clear logs.
Usage:
You can use either the short (for example, ep /uni) or long (for example,
enum-publishers /unicode) version of the command and option names. Commands,
options and option values are not case-sensitive.
Variables are noted in all upper-case.
wevtutil COMMAND [ARGUMENT [ARGUMENT] ...] [/OPTION:VALUE [/OPTION:VALUE] ...]
Commands:
el | enum-logs List log names.
gl | get-log Get log configuration information.
sl | set-log Modify configuration of a log.
ep | enum-publishers List event publishers.
gp | get-publisher Get publisher configuration information.
im | install-manifest Install event publishers and logs from manifest.
um | uninstall-manifest Uninstall event publishers and logs from manifest.
qe | query-events Query events from a log or log file.
gli | get-log-info Get log status information.
epl | export-log Export a log.
al | archive-log Archive an exported log.
cl | clear-log Clear a log.
Common options:
/{r | remote}:VALUE
If specified, run the command on a remote computer. VALUE is the remote computer
name. Options /im and /um do not support remote operations.
/{u | username}:VALUE
Specify a different user to log on to the remote computer. VALUE is a user name
in the form domain\user or user. Only applicable when option /r is specified.
/{p | password}:VALUE
Password for the specified user. If not specified, or if VALUE is "*", the user
will be prompted to enter a password. Only applicable when the /u option is
specified.
/{a | authentication}:[Default|Negotiate|Kerberos|NTLM]
Authentication type for connecting to remote computer. The default is Negotiate.
/{uni | unicode}:[true|false]
Display output in Unicode. If true, then output is in Unicode.
To learn more about a specific command, type the following: