How do I get a list of recent firewall changes, with their details, using PowerShell?

Question (votes: 0, answers: 1)

I want a list of recent firewall changes (usually made by installing software) and to see the details of the firewall changes that were made.

I managed to get the list from the event logs for a specific time range, where `Message` contains the interesting information, but I'm not sure how best to get at that detail without resorting to a long regex.

Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{logname="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"; id=2097; StartTime=(Get-Date).AddHours(-2); EndTime=Get-Date}

   ProviderName: Microsoft-Windows-Windows Firewall With Advanced Security

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
2024-11-22 18:18:24           2097 Information      A rule has been added to the Windows Defender Firewall exception list.…
2024-11-22 18:18:24           2097 Information      A rule has been added to the Windows Defender Firewall exception list.…
2024-11-22 18:18:21           2097 Information      A rule has been added to the Windows Defender Firewall exception list.…
2024-11-22 18:18:21           2097 Information      A rule has been added to the Windows Defender Firewall exception list.…

Piping the previous command to `Format-List` (`fl`) gives the details:

TimeCreated  : 2024-11-22 18:18:24
ProviderName : Microsoft-Windows-Windows Firewall With Advanced Security
Id           : 2097
Message      : A rule has been added to the Windows Defender Firewall exception list.

               Added Rule:
                Rule ID:        UDP Query User{D0EBCDC7-8C31-463A-ADB9-A72A2FE0EFA9}C:\bin\arduino\arduino ide.exe
                Rule Name:      Arduino IDE
                Origin: Local
                Active: Yes
                Direction:      Inbound
                Profiles:       Public
                Action: Block
                Application Path:       C:\bin\arduino\arduino ide.exe
                Service Name:
                Protocol:       UDP
                Security Options:       None
                Edge Traversal: None
                Modifying User: S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052
                Modifying Application:  C:\Windows\System32\svchost.exe
                PolicyAppId:
                Error Code:     0

How can I selectively get a table with these columns?

TimeCreated, Protocol, Direction, 'Rule Name', 'Application Path'

Bonus points for adding the port number.

Tags: windows, powershell, firewall

1 answer

Answer (votes: 0)

You can use the same logic as shown in this answer, with one caveat: the `Protocol` and `Direction` values you get will be `uint` and `ushort`, and there is no API available to handle the conversion of these values to human-readable data, i.e. `6` -> `Inbound`, `1` -> `TCP`, etc. The event message is created by the `EvtFormatMessage` function.

If that does not matter to you, then this approach:

$selector = [System.Diagnostics.Eventing.Reader.EventLogPropertySelector]::new(
    [string[]]@(
        "Event/EventData/Data[@Name='Protocol']"
        "Event/EventData/Data[@Name='Direction']"
        "Event/EventData/Data[@Name='RuleName']"
        "Event/EventData/Data[@Name='ApplicationPath']"))

Get-WinEvent -FilterHashtable ..... | ForEach-Object {
    $Protocol, $Direction, $RuleName, $ApplicationPath = $_.GetPropertyValues($selector)
    [pscustomobject]@{
        TimeCreated     = $_.TimeCreated
        Protocol        = $Protocol
        Direction       = $Direction
        RuleName        = $RuleName
        ApplicationPath = $ApplicationPath
    }
}
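The following is an added example (not the answerer's code) that carries the `EventLogPropertySelector` approach through to the asker's requested columns, adds the requested port column, and translates the numeric `Direction` and `Protocol` values into names. The field names `Protocol`, `Direction`, `RuleName` and `ApplicationPath` are the ones used in the answer; `LocalPorts` and `ModifyingApplication` are assumed to follow the same naming as the fields shown in the rendered message. The lookup tables (direction 1 = Inbound, 2 = Outbound; IANA protocol numbers with 256 meaning "Any") are supplied here, not taken from the page.

```powershell
# Added example, not the answer's own code: list firewall rules added in the
# last $Hours hours as a table with the asker's columns plus LocalPorts and
# ModifyingApplication. The EventData names Protocol, Direction, RuleName and
# ApplicationPath come from the answer; LocalPorts and ModifyingApplication are
# assumed to follow the field names shown in the rendered message.
param(
    [int]$Hours = 2
)

# Assumed value tables: Windows Firewall rule direction (1 = Inbound,
# 2 = Outbound) and IANA protocol numbers, with 256 meaning "Any".
$directionNames = @{ 1 = 'Inbound'; 2 = 'Outbound' }
$protocolNames  = @{
    1   = 'ICMPv4'
    2   = 'IGMP'
    6   = 'TCP'
    17  = 'UDP'
    47  = 'GRE'
    58  = 'ICMPv6'
    256 = 'Any'
}

# Translate a numeric event value through a lookup table; unknown or
# missing values are passed through unchanged so nothing is silently lost.
function Resolve-FirewallValue {
    param([hashtable]$Map, $Value)
    if ($null -ne $Value -and $Map.ContainsKey([int]$Value)) { $Map[[int]$Value] }
    else { $Value }
}

# One XPath per EventData field; GetPropertyValues returns them in this order.
$selector = [System.Diagnostics.Eventing.Reader.EventLogPropertySelector]::new(
    [string[]]@(
        "Event/EventData/Data[@Name='Protocol']"
        "Event/EventData/Data[@Name='Direction']"
        "Event/EventData/Data[@Name='RuleName']"
        "Event/EventData/Data[@Name='ApplicationPath']"
        "Event/EventData/Data[@Name='LocalPorts']"           # assumed name
        "Event/EventData/Data[@Name='ModifyingApplication']" # assumed name
    ))

$filter = @{
    LogName   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
    Id        = 2097   # "A rule has been added", as in the question
    StartTime = (Get-Date).AddHours(-$Hours)
    EndTime   = Get-Date
}

Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable $filter | ForEach-Object {
    $protocol, $direction, $ruleName, $appPath, $localPorts, $modifier =
        $_.GetPropertyValues($selector)

    [pscustomobject]@{
        TimeCreated          = $_.TimeCreated
        Protocol             = Resolve-FirewallValue $protocolNames $protocol
        Direction            = Resolve-FirewallValue $directionNames $direction
        LocalPorts           = $localPorts
        RuleName             = $ruleName
        ApplicationPath      = $appPath
        ModifyingApplication = $modifier
    }
} | Format-Table -AutoSize
```

Save it as a `.ps1` file and run it with `-Hours 24` (or whatever window you want) from a session that can read the firewall log. The `ModifyingApplication` column is the one worth keeping when reviewing changes: it shows which process wrote the rule, so an inbound rule added by something other than the installer you just ran stands out immediately.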