批处理之家 - Powered by Discuz! Board

Option Explicit
Dim intIntervalDay, strLoginLog, strComputer, colLoggedEvents, objEvent
Dim objShell, objFSO, objSWbemDateTime, objDstFile, objWMIService
intIntervalDay=7 'How many days ago
strLoginLog="C:\test\LoginList.log" 'Where to record the log
Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objSWbemDateTime = CreateObject("WbemScripting.SWbemDateTime")
Set objDstFile = objFSO.OpenTextFile(strLoginLog,8,True)
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate, (Security)}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where Logfile = 'Security' and EventCode = '528'")
For Each objEvent in colLoggedEvents
Dim dtmLocalTime, dtmEventTime, intDiffDay
' Wscript.Echo "Time Written: " & objEvent.TimeWritten
' Wscript.Echo "Computer Name: " & objEvent.ComputerName
' Wscript.Echo "Event Code: " & objEvent.EventCode
' Wscript.Echo "User: " & objEvent.User
' Wscript.Echo "Category: " & objEvent.Category
' Wscript.Echo "Message: " & objEvent.Message
' Wscript.Echo "Record Number: " & objEvent.RecordNumber
' Wscript.Echo "Source Name: " & objEvent.SourceName
' Wscript.Echo "Event Type: " & objEvent.Type
' =================================================
objSWbemDateTime.Value = objEvent.TimeWritten
dtmLocalTime = objSWbemDateTime.GetVarDate(true)
dtmEventTime = CDate(dtmLocalTime)
intDiffDay = DateDiff("d", dtmEventTime, Now)
' =================================================
If (intDiffDay <= intIntervalDay) Then
If (objEvent.User <> "NT AUTHORITY\NETWORK SERVICE") Then
If (objEvent.User <> "NT AUTHORITY\LOCAL SERVICE") Then
objDstFile.WriteLine objEvent.TimeWritten _
& " " & objEvent.ComputerName _
& " " & objEvent.EventCode _
& " " & objEvent.User
End If
End If
End If
Next
objDstFile.Close
objShell.Run "notepad " & strLoginLog