Windows Host-Side Log Investigation
0x00 Background
During incident response, some logs on a host have not been collected into the central log platform, so you have to get onto the host itself and triage the logs quickly to locate the problem.
0x01 PowerShell log investigation
1. Query the Security log for EventID 4624 (successful logon events) and list all fields
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4624]]" -MaxEvents 1 | ForEach-Object {
    $xml = [xml]$_.ToXml()   # parse the event as XML so every EventData field is reachable
    $xml.Event.EventData.Data | Select-Object Name, "#text" | Format-Table -AutoSize
}
Name #text
----- -----
SubjectUserSid S-1-5-18
SubjectUserName W01Server0111$
SubjectDomainName yourdomain
SubjectLogonId 0x3e7
TargetUserSid S-1-5-21-1xxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1003
TargetUserName XXXX
TargetDomainName W01Server0111
TargetLogonId 0x3xxxxxxxx
LogonType 10
LogonProcessName User32
AuthenticationPackageName Negotiate
WorkstationName W01Server0111
LogonGuid {00000000-0000-0000-0000-000000000000}
TransmittedServices -
LmPackageName -
KeyLength 0
ProcessId 0x58
ProcessName C:\Windows\System32\svchost.exe
IpAddress 10.111.1.100
IpPort 0
ImpersonationLevel %%1833
RestrictedAdminMode %%1843
TargetOutboundUserName -
TargetOutboundDomainName -
VirtualAccount %%1843
TargetLinkedLogonId 0x3e4cdeb1e
ElevatedToken %%1843
2. Query the Security log for EventID 4624 (successful logon events) and filter to specific fields
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4624]]" -MaxEvents 1 | ForEach-Object { $xml = [xml]$_.ToXml(); $xml.Event.EventData.Data | Where-Object { $_.Name -in "TargetUserName", "IpAddress" } | Select-Object Name, "#text"}
Name #text
----- -----
TargetUserName XXXX
IpAddress 10.111.1.100
3. Query the Security log for EventID 4688 (process creation events) and list all fields
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4688]]" -MaxEvents 1 | ForEach-Object {
    $xml = [xml]$_.ToXml()
    $xml.Event.EventData.Data | Select-Object Name, "#text" | Format-Table -AutoSize
}
Name #text
---- -----
SubjectUserSid S-1-5-18
SubjectUserName W01Server0111$
SubjectDomainName yourdomain
SubjectLogonId 0x3e8
NewProcessId 0x1688
NewProcessName C:\Program Files\TitanAgent\titan_guard.exe
TokenElevationType %%1936
ProcessId 0x24dc
CommandLine titan_guard.exe --log
TargetUserSid S-1-0-0
TargetUserName -
TargetDomainName -
TargetLogonId 0x0
ParentProcessName C:\Windows\System32\cmd.exe
MandatoryLabel S-1-16-16384
4. Include the event time field
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4688]]" -MaxEvents 2 | ForEach-Object {
    $xml = [xml]$_.ToXml()
    # TimeCreated lives on the event record itself; the other fields are in EventData
    [PSCustomObject]@{
        Time            = $_.TimeCreated
        NewProcessName  = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "NewProcessName" }).'#text'
        CommandLine     = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "CommandLine" }).'#text'
        SubjectUserName = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "SubjectUserName" }).'#text'
    }
} | Format-Table -AutoSize
Time NewProcessName CommandLine SubjectUserName
---- -------------- ----------- ---------------
7/01/2025 11:00:01 PM C:\Program Files\TitanAgent\titan_guard.exe titan_guard.exe --monitor W01Server0111$
7/01/2025 11:00:02 PM C:\Program Files\TitanAgent\titan_guard.exe titan_guard.exe --full_check W01Server0111$
5. Query the most recent 1000 events, excluding those whose process name or command line matches known-noise keywords
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4688]]" -MaxEvents 1000 | Where-Object {
    $xml = [xml]$_.ToXml()
    $processName = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "NewProcessName" }).'#text'
    $CommandLine = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "CommandLine" }).'#text'
    # the last expression is the filter result: keep the event only if none of the noise patterns match
    $processName -notmatch 'titan_guard\.exe' -and
    $processName -notmatch 'splunk-.*\.exe' -and
    $processName -notmatch 'conhost\.exe' -and
    $processName -notmatch 'Dllhost\.exe' -and
    $CommandLine -notmatch 'agent_.*\.bat'
} | ForEach-Object {
    $xml = [xml]$_.ToXml()
    [PSCustomObject]@{
        Time    = $_.TimeCreated
        Process = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "NewProcessName" }).'#text'
        Command = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "CommandLine" }).'#text'
        User    = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "SubjectUserName" }).'#text'
    }
} | Format-Table -AutoSize
6. Add a time filter
$StartTime = Get-Date "2025-07-01 00:00:00"   # start time
$EndTime   = Get-Date "2025-07-01 01:50:59"   # end time
$Filter = @{
    LogName   = 'Security'
    ID        = 4688          # process creation event
    StartTime = $StartTime
    EndTime   = $EndTime
}
Get-WinEvent -FilterHashtable $Filter -MaxEvents 1000 | Where-Object {
    $xml = [xml]$_.ToXml()
    $processName = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "NewProcessName" }).'#text'
    $CommandLine = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "CommandLine" }).'#text'
    $processName -notmatch 'titan_guard\.exe' -and
    $processName -notmatch 'splunk-.*\.exe' -and
    $processName -notmatch 'conhost\.exe' -and
    $processName -notmatch 'Dllhost\.exe' -and
    $CommandLine -notmatch 'agent_.*\.bat'
} | ForEach-Object {
    $xml = [xml]$_.ToXml()
    [PSCustomObject]@{
        Time    = $_.TimeCreated
        Process = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "NewProcessName" }).'#text'
        Command = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "CommandLine" }).'#text'
        User    = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "SubjectUserName" }).'#text'
    }
} | Format-Table -AutoSize
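The steps above repeat the same per-field Where-Object lookup for every field. The following is an added example (not code from the original note) that factors that lookup into one helper and reuses it for both the 4624 triage (items 1 and 2) and the 4688 triage (items 3 to 6); the function names, the default exclusion lists and the 5000-event cap are my own choices.

```powershell
# Flatten one event's EventData into a hashtable keyed by field name (read once per event)
function ConvertTo-EventDataMap {
    param([Parameter(Mandatory)] $Event)
    $map = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    $map['TimeCreated'] = $Event.TimeCreated
    return $map
}
# LogonType codes documented for event 4624 (10 = RemoteInteractive/RDP, as in the sample output above)
$LogonTypeNames = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
                     8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }
# Count successful logons in a window by user / source IP / logon type;
# machine accounts (names ending in $) are skipped because they dominate the log.
function Get-LogonSummary {
    param([datetime] $StartTime, [datetime] $EndTime, [int] $MaxEvents = 5000)
    $filter = @{ LogName = 'Security'; ID = 4624; StartTime = $StartTime; EndTime = $EndTime }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-EventDataMap $_ } |
        Where-Object { $_.TargetUserName -notmatch '\$$' } |
        ForEach-Object {
            $type = $LogonTypeNames[[int]$_.LogonType]; if (-not $type) { $type = $_.LogonType }
            [PSCustomObject]@{ User = $_.TargetUserName; IpAddress = $_.IpAddress; LogonType = $type }
        } |
        Group-Object User, IpAddress, LogonType | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'User'; e = { $_.Group[0].User } },
            @{ n = 'IpAddress'; e = { $_.Group[0].IpAddress } }, @{ n = 'LogonType'; e = { $_.Group[0].LogonType } }
}
# Process creations in a window minus the known-noise patterns from items 5 and 6, with the
# parent process included so an unusual parent/child pair (e.g. a shell spawned by a service) stands out.
function Get-ProcessCreations {
    param([datetime] $StartTime, [datetime] $EndTime,
          [string[]] $ExcludeProcess = @('titan_guard\.exe', 'splunk-.*\.exe', 'conhost\.exe', 'Dllhost\.exe'),
          [string[]] $ExcludeCommand = @('agent_.*\.bat'))
    # An empty exclusion list must match nothing; '' as a regex would match (and drop) every event
    $procRe = if ($ExcludeProcess) { $ExcludeProcess -join '|' } else { '(?!)' }
    $cmdRe  = if ($ExcludeCommand) { $ExcludeCommand -join '|' } else { '(?!)' }
    $filter = @{ LogName = 'Security'; ID = 4688; StartTime = $StartTime; EndTime = $EndTime }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-EventDataMap $_ } |
        Where-Object { $_.NewProcessName -notmatch $procRe -and $_.CommandLine -notmatch $cmdRe } |
        ForEach-Object { [PSCustomObject]@{ Time = $_.TimeCreated; Process = $_.NewProcessName; Parent = $_.ParentProcessName
                                            Command = $_.CommandLine; User = $_.SubjectUserName } }
}
# Usage: the last 24 hours on this host
Get-LogonSummary -StartTime (Get-Date).AddDays(-1) -EndTime (Get-Date) | Format-Table -AutoSize
Get-ProcessCreations -StartTime (Get-Date).AddDays(-1) -EndTime (Get-Date) | Format-Table -AutoSize
```

The CommandLine field of 4688 is only populated when "Include command line in process creation events" is enabled under Computer Configuration > Administrative Templates > System > Audit Process Creation; without it the Command column is empty and the command-line exclusions have no effect.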
0x02 Afterword
Like, bookmark and follow; this note will keep being updated!