脚本来自微软官方（其中有几个未做测试，第7个略做修改）
这是个好“地方”:http://www.microsoft.com/china/technet/community/scriptcenter/default.mspx
1.监视进程创建
' 1. 监视进程创建 — report every process created on the local machine.
' Subscribes to the WMI intrinsic event __InstanceCreationEvent for Win32_Process
' and echoes each new process name. Runs until the script is terminated.
strComputer = "."
Set wmi = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' WITHIN 1: WMI polls Win32_Process once per second for this intrinsic event, so
' a process that starts and exits between two polls may never be reported.
Set procEvents = wmi.ExecNotificationQuery( _
    "select * from __instancecreationevent " _
    & " within 1 where TargetInstance isa 'Win32_Process'")
Do
    ' NextEvent blocks until the next creation event is delivered.
    Set created = procEvents.NextEvent
    Wscript.Echo created.TargetInstance.Name
Loop
2.监视进程退出
' 2. 监视进程退出 — report every process that exits on the local machine.
' Same shape as script 1 but subscribes to __InstanceDeletionEvent; the
' TargetInstance is the last snapshot of the process before it disappeared.
strComputer = "."
Set wmi = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' WITHIN 1: polled once per second, so very short-lived processes may be missed.
Set exitEvents = wmi.ExecNotificationQuery( _
    "select * from __instancedeletionevent " _
    & "within 1 where TargetInstance isa 'Win32_Process'")
Do
    Set gone = exitEvents.NextEvent
    Wscript.Echo gone.TargetInstance.Name
Loop
' 3. 监视服务状态的改变 — report services whose State property changed.
' A __InstanceModificationEvent fires for any changed Win32_Service property,
' so the handler compares State on the new and previous snapshot and only
' echoes real state transitions (Running -> Stopped etc.).
strComputer = "."
Set wmi = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' WITHIN 30: snapshots are compared every 30 s; several transitions inside one
' interval may collapse into a single event.
Set svcEvents = wmi.ExecNotificationQuery( _
    "Select * from __instancemodificationevent " _
    & "within 30 where TargetInstance isa 'Win32_Service'")
Do
    Set change = svcEvents.NextEvent
    newState = change.TargetInstance.State
    oldState = change.PreviousInstance.State
    If newState <> oldState Then
        Wscript.Echo change.TargetInstance.Name _
            & " is " & newState _
            & ". The service previously was " & oldState & "."
    End If
Loop
4.监视可用磁盘空间
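' 4. 监视可用磁盘空间 — alert when free space on a local fixed disk drops
' below FREE_SPACE_THRESHOLD_BYTES.
' Fix: the original compared TargetInstance.Size (total capacity, which does not
' shrink as the disk fills) against the threshold, so it could never detect low
' free space; FreeSpace is the property that changes. Size and FreeSpace are
' uint64 in WMI and the scripting API hands them to VBScript as strings, so the
' value is converted with CDbl first — a string compared to a number with "<"
' is not a numeric comparison in VBScript and the test would silently never fire.
Const LOCAL_HARD_DISK = 3               ' Win32_LogicalDisk.DriveType: local fixed disk
Const FREE_SPACE_THRESHOLD_BYTES = 100000000
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' WITHIN 30: polled intrinsic event; fires on any Win32_LogicalDisk property change.
Set colMonitoredDisks = objWMIService.ExecNotificationQuery _
    ("Select * from __instancemodificationevent within 30 where " _
    & "TargetInstance isa 'Win32_LogicalDisk'")
Do
    Set objDiskChange = colMonitoredDisks.NextEvent
    If objDiskChange.TargetInstance.DriveType = LOCAL_HARD_DISK Then
        ' FreeSpace can be Null for a volume that is not ready; skip rather than raise.
        If Not IsNull(objDiskChange.TargetInstance.FreeSpace) Then
            If CDbl(objDiskChange.TargetInstance.FreeSpace) < FREE_SPACE_THRESHOLD_BYTES Then
                Wscript.Echo objDiskChange.TargetInstance.DeviceID _
                    & ": Hard disk space is below " & FREE_SPACE_THRESHOLD_BYTES & " bytes."
            End If
        End If
    End If
Loop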
5.监视磁盘驱动器的剩余空间
' 5. 监视磁盘驱动器的剩余空间 — one-shot listing of free megabytes per logical disk.
' Unlike scripts 1-4 this is a plain ExecQuery, not an event subscription: it
' reads the formatted LogicalDisk performance counters once and exits. The
' _Total aggregate row is excluded by the WHERE clause.
strComputer = "."
Set wmi = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set disks = wmi.ExecQuery( _
    "Select * from win32_perfformatteddata_perfdisk_logicaldisk where Name <> '_Total'")
For Each disk In disks
    Wscript.Echo "Drive Name: " & disk.Name
    Wscript.Echo "Free Space: " & disk.FreeMegabytes
Next
' 6. 监视事件日志 — watch the Security event log for EventCode 533 and report the user.
' The (Security) privilege in the moniker is required to read the Security log.
' On Windows 2000/XP/2003, 533 is the "user not allowed to log on at this
' computer" logon failure; Vista and later use four-digit IDs (4624/4625 for
' logon success/failure), so the filter must be adapted there.
strComputer = "."
Set wmi = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Security)}!\\" & strComputer & "\root\cimv2")
Set logEvents = wmi.ExecNotificationQuery _
    ("Select * from __instancecreationevent where TargetInstance isa 'Win32_NTLogEvent' and TargetInstance.EventCode = '533' ")
Do
    Set entry = logEvents.NextEvent
    ' "DatabaseServer" is the Microsoft sample's placeholder for the monitored host.
    alert = entry.TargetInstance.User & " attempted to access DatabaseServer."
    Wscript.Echo alert
Loop
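' 7. 监视用户登陆 — pop up a warning for each successful logon (Security event 528).
' Fix: the original wrote `TargetInstance.user & MSGBOX(...)`, which shows the
' message box and then concatenates the user name with the MsgBox return value
' into a variable that is never used — so the account name was never displayed.
' The alert text is now built first and passed to MsgBox.
' Note: 528 is the pre-Vista "successful logon" event; Vista and later log 4624.
' MsgBox is modal, so events that arrive while a box is open queue in the WMI
' sink and are shown one after another once it is dismissed.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Security)}!\\" & strComputer & "\root\cimv2")
Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
    ("Select * from __instancecreationevent where TargetInstance isa 'Win32_NTLogEvent' and TargetInstance.EventCode = '528' ")
Do
    Set objLatestEvent = colMonitoredEvents.NextEvent
    strAlertToSend = objLatestEvent.TargetInstance.User _
        & " 某个用户已经成功登陆此计算机!."
    MsgBox strAlertToSend, 48, "警告!"
Loop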
' 8. 监视注册表子项事件 — asynchronous subscription to registry change events.
' RegistryKeyChangeEvent lives in root\default and fires when a value of the
' named key itself changes; changes inside subkeys need RegistryTreeChangeEvent.
' WQL string literals require backslashes to be doubled, hence 'SOFTWARE\\...'.
Set wmiServices = GetObject("winmgmts:root/default")
' Events are delivered to Sub SINK_OnObjectReady through the "SINK_" prefix.
Set wmiSink = WScript.CreateObject("WbemScripting.SWbemSink", "SINK_")
wmiServices.ExecNotificationQueryAsync wmiSink, _
    "SELECT * FROM RegistryKeyChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND " & _
    "KeyPath='SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion'"
WScript.Echo "Listening for Registry Change Events..." & vbCrLf
' Keep the script alive; the sink callback runs while the main thread sleeps.
Do
    WScript.Sleep 1000
Loop
' Sink callback invoked by WMI for each RegistryKeyChangeEvent delivered to the
' "SINK_" sink: prints a header and the event object rendered as MOF text.
' wmiAsyncContext is the optional context object passed at subscription time (unused here).
Sub SINK_OnObjectReady(wmiObject, wmiAsyncContext)
    Dim report
    report = "Received Registry Change Event" & vbCrLf
    report = report & "------------------------------" & vbCrLf
    report = report & wmiObject.GetObjectText_()
    WScript.Echo report
End Sub