I want to monitor the PowerShell commands that users run on the intranet. How can I do this?
I need the user's information and the commands they ran. Is that possible?
Edit 1: I guess I could use:
Set-PSDebug -Trace 1
How can I create a script that I can then deploy across an entire intranet? I also use an orchestrator.
Edit 2: I tried:
$created = Get-WinEvent -FilterHashtable @{ ProviderName="Microsoft-Windows-PowerShell"; Id = 4104 } #| Where-Object { $_.<...> }
$sortedScripts = $created | sort { $_.Properties[0].Value }
$mergedScript = -join ($sortedScripts | % { $_.Properties[2].Value })
And got this result:
DEBUG: 1+ >>>> $created = Get-WinEvent -FilterHashtable @{ ProviderName="Microsoft-Windows-PowerShell"; Id = 4104 }# | Where-Object { $_.<...> }
DEBUG: 2+ >>>> $sortedScripts = $created | sort { $_.Properties[0].Value }
DEBUG: 2+ $sortedScripts = $created | sort >>>> { $_.Properties[0].Value }
DEBUG: 2+ $sortedScripts = $created | sort { >>>> $_.Properties[0].Value }
DEBUG: 2+ $sortedScripts = $created | sort { $_.Properties[0].Value >>>> }
DEBUG: 2+ $sortedScripts = $created | sort >>>> { $_.Properties[0].Value }
DEBUG: 2+ $sortedScripts = $created | sort { >>>> $_.Properties[0].Value }
DEBUG: 2+ $sortedScripts = $created | sort { $_.Properties[0].Value >>>> }
DEBUG: 2+ $sortedScripts = $created | sort >>>> { $_.Properties[0].Value }
DEBUG: 2+ $sortedScripts = $created | sort { >>>> $_.Properties[0].Value }
DEBUG: 2+ $sortedScripts = $created | sort { $_.Properties[0].Value >>>> }
DEBUG: 2+ $sortedScripts = $created | sort >>>> { $_.Properties[0].Value }
DEBUG: 2+ $sortedScripts = $created | sort { >>>> $_.Properties[0].Value }...
I commented out the pipeline code because I couldn't get the "$_.<...>" parameter.
Edit 3: it works perfectly. First I wrote Microsoft's code block for enabling ScriptBlockLogging:
function Enable-PSScriptBlockLogging {
    [CmdletBinding()]
    param ()
    $BasePath = "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
    if (-not (Test-Path $BasePath)) {
        Write-Verbose "ScriptBlockLogging registry key doesn't exist. Creating now."
        $null = New-Item $BasePath -Force
        Write-Verbose "Setting registry key value to 1 of type DWORD."
        $null = New-ItemProperty $BasePath -Name EnableScriptBlockLogging -Value "1" -PropertyType DWORD
    } else {
        if ((Get-ItemProperty -Path $BasePath).EnableScriptBlockLogging.getType().Name -eq 'Int32') {
            Write-Verbose "Key exists, updating value to 1."
            Set-ItemProperty $BasePath -Name EnableScriptBlockLogging -Value "1"
        } else {
            Write-Verbose "Key exists of wrong data type, removing existing entry."
            Remove-ItemProperty $BasePath -Name EnableScriptBlockLogging
            Write-Verbose "Setting new registry key value to 1 of type DWORD."
            $null = New-ItemProperty $BasePath -Name EnableScriptBlockLogging -Value "1" -PropertyType DWORD
        }
    }
}
Then, when I open Event Viewer, GOTCHA! The logs show up perfectly. Now I need to process these logs with PowerShell.
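As an added example (not part of the original post), here is one way to do the "process these logs with PowerShell" step once script block logging is enabled as above. Event 4104 splits long scripts into several records that share a ScriptBlockId, so the function groups by that id, orders the fragments by MessageNumber and joins them back into one script, then attaches the user (from the record's UserId SID) and the process id. The function name Get-ScriptBlockActivity, its parameters and the property positions listed in the comment are assumptions based on the layout of the 4104 event, not something the post itself states.

```powershell
# Added example: reassemble PowerShell 4104 script-block events per user.
# Assumes script block logging is already enabled (as in the function above)
# and that the caller has rights to read the Operational log on the target host.
function Get-ScriptBlockActivity {
    [CmdletBinding()]
    param (
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$StartTime = (Get-Date).AddDays(-1)
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $StartTime
    }

    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { return }

    # Assumed 4104 property order: 0 = MessageNumber, 1 = MessageTotal,
    # 2 = ScriptBlockText, 3 = ScriptBlockId, 4 = Path
    $events |
        Group-Object { $_.Properties[3].Value } |
        ForEach-Object {
            $parts = $_.Group | Sort-Object { [int]$_.Properties[0].Value }
            $first = $parts[0]

            # UserId is a SID; resolve it to DOMAIN\user where possible, else keep the SID
            $user = $first.UserId
            try { $user = $first.UserId.Translate([System.Security.Principal.NTAccount]).Value } catch {}

            [pscustomobject]@{
                TimeCreated   = $first.TimeCreated
                Computer      = $first.MachineName
                User          = $user
                ProcessId     = $first.ProcessId
                ScriptBlockId = $_.Name
                Path          = $first.Properties[4].Value   # empty for interactive commands
                Fragments     = $parts.Count
                ScriptBlock   = -join ($parts | ForEach-Object { $_.Properties[2].Value })
            }
        }
}

# Usage: newest script blocks from the last four hours, text trimmed for display
Get-ScriptBlockActivity -StartTime (Get-Date).AddHours(-4) |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, User, ProcessId, Path, Fragments,
        @{ n = 'Preview'; e = { $_.ScriptBlock.Substring(0, [Math]::Min(80, $_.ScriptBlock.Length)) } } |
    Format-Table -AutoSize
```

Run it from the orchestrator against each host with -ComputerName, or export the objects with Export-Csv / ConvertTo-Json and ship them to a central log store; grouping by ScriptBlockId is what makes the output one row per script rather than one row per fragment, which matters for the 4104 records that arrive as many pieces.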