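Title: Reposting a few system-monitoring VBS scripts
Author: lxzzr Time: 2009-7-19 01:11 Title: Reposting a few system-monitoring VBS scripts
The scripts come from Microsoft (a few of them have not been tested, and the 7th has been slightly modified).
This is a good "place": http://www.microsoft.com/china/technet/community/scriptcenter/default.mspx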
1. Monitor process creation
```vbscript
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Poll once per second for newly created Win32_Process instances
Set colMonitoredProcesses = objWMIService. _
    ExecNotificationQuery("select * from __instancecreationevent " _
    & " within 1 where TargetInstance isa 'Win32_Process'")
i = 0
' Loop forever; NextEvent blocks until the next event arrives
Do While i = 0
    Set objLatestProcess = colMonitoredProcesses.NextEvent
    Wscript.Echo objLatestProcess.TargetInstance.Name
Loop
```
2. Monitor process exit
```vbscript
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Poll once per second for Win32_Process instances that have disappeared
Set colMonitoredProcesses = objWMIService. _
    ExecNotificationQuery("select * from __instancedeletionevent " _
    & "within 1 where TargetInstance isa 'Win32_Process'")
i = 0
Do While i = 0
    Set objLatestProcess = colMonitoredProcesses.NextEvent
    Wscript.Echo objLatestProcess.TargetInstance.Name
Loop
```
3. Monitor service state changes
```vbscript
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Poll every 30 seconds for modified Win32_Service instances
Set colServices = objWMIService. _
    ExecNotificationQuery("Select * from __instancemodificationevent " _
    & "within 30 where TargetInstance isa 'Win32_Service'")
i = 0
Do While i = 0
    Set objService = colServices.NextEvent
    ' Report only when the State property itself has changed
    If objService.TargetInstance.State <> _
        objService.PreviousInstance.State Then
        Wscript.Echo objService.TargetInstance.Name _
            & " is " & objService.TargetInstance.State _
            & ". The service previously was " & objService.PreviousInstance.State & "."
    End If
Loop
```
4. Monitor available disk space
```vbscript
Const LOCAL_HARD_DISK = 3
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Poll every 30 seconds for modified Win32_LogicalDisk instances
Set colMonitoredDisks = objWMIService.ExecNotificationQuery _
    ("Select * from __instancemodificationevent within 30 where " _
    & "TargetInstance isa 'Win32_LogicalDisk'")
i = 0
Do While i = 0
    Set objDiskChange = colMonitoredDisks.NextEvent
    If objDiskChange.TargetInstance.DriveType = LOCAL_HARD_DISK Then
        ' FreeSpace is the available space in bytes (Size is the total capacity)
        If objDiskChange.TargetInstance.FreeSpace < 100000000 Then
            Wscript.Echo "Hard disk space is below 100000000 bytes."
        End If
    End If
Loop
```
5. Monitor the free space of disk drives
```vbscript
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' One-shot query of the logical-disk performance counters, skipping the _Total row
Set colDiskDrives = objWMIService.ExecQuery _
    ("Select * from win32_perfformatteddata_perfdisk_logicaldisk where Name <> '_Total'")
For each objDiskDrive in colDiskDrives
    Wscript.Echo "Drive Name: " & objDiskDrive.Name
    Wscript.Echo "Free Space: " & objDiskDrive.FreeMegabytes
Next
```
6. Monitor the event log
```vbscript
strComputer = "."
' The (Security) privilege is required to read the Security event log
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Security)}!\\" & strComputer & "\root\cimv2")
' Event ID 533 (Windows XP/Server 2003 Security log): logon failure,
' user not allowed to log on at this computer
Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
    ("Select * from __instancecreationevent where TargetInstance isa 'Win32_NTLogEvent' and TargetInstance.EventCode = '533' ")
Do
    Set objLatestEvent = colMonitoredEvents.NextEvent
    strAlertToSend = objLatestEvent.TargetInstance.User _
        & " attempted to access DatabaseServer."
    Wscript.Echo strAlertToSend
Loop
```
7. Monitor user logons
```vbscript
strComputer = "."
' The (Security) privilege is required to read the Security event log
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Security)}!\\" & strComputer & "\root\cimv2")
' Event ID 528 (Windows XP/Server 2003 Security log): successful logon
Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
    ("Select * from __instancecreationevent where TargetInstance isa 'Win32_NTLogEvent' and TargetInstance.EventCode = '528' ")
Do
    Set objLatestEvent = colMonitoredEvents.NextEvent
    strAlertToSend = objLatestEvent.TargetInstance.User
    ' Alert with a warning-icon message box (48 = vbExclamation)
    MsgBox "某个用户已经成功登陆此计算机!.", 48, "警告!"
Loop
```
8. Monitor registry subkey events
```vbscript
' Registry event classes live in the root\default namespace
Set wmiServices = GetObject("winmgmts:root/default")
' Events are delivered asynchronously to subs whose names start with SINK_
Set wmiSink = WScript.CreateObject("WbemScripting.SWbemSink", "SINK_")
wmiServices.ExecNotificationQueryAsync wmiSink, _
    "SELECT * FROM RegistryKeyChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND " & _
    "KeyPath='SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion'"
WScript.Echo "Listening for Registry Change Events..." & vbCrLf
' Keep the script alive so the sink can receive events
While(1)
    WScript.Sleep 1000
Wend
Sub SINK_OnObjectReady(wmiObject, wmiAsyncContext)
    WScript.Echo "Received Registry Change Event" & vbCrLf & _
        "------------------------------" & vbCrLf & _
        wmiObject.GetObjectText_()
End Sub
```
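[ Last edited by lxzzr at 2009-7-19 01:37 ]
Author: Batcher Time: 2009-7-19 09:24
Microsoft's Script Center really is a must-visit place for beginners ^_^
Author: BBCC Time: 2009-7-19 18:52
Too bad bat can't do real-time monitoring...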
Author: Taurus Time: 2009-11-12 06:22
Originally posted by BBCC at 2009-7-19 18:52
Too bad bat can't do real-time monitoring...
It should be possible; it's just that Wscript.Sleep uses fewer resources.
```bat
'>nul 2>nul&@echo off&cls&color 70&setlocal EnableDelayedExpansion&set Get=2&set /a BSc=59&set /a BSl=3&set sec=%time:~3,2%&set min=0&mode con: cols=!BSc! lines=!BSl!&title C^:\^>Process Monitor_
':setPuocess>nul 2>nul
'>nul 2>nul&cls&echo. Please input the name of target process^:
'>nul 2>nul&set /p Puocess1= ^>
'>nul 2>nul&if "!Puocess1!"=="" goto :setPuocess>nul 2>nul
':SetAlarm>nul 2>nul
'>nul 2>nul&cls&echo. If catch up the target object then send out alarm ? (Y/N)
'>nul 2>nul&set /p alarm= ^>
'>nul 2>nul&If !alarm!==Y (set "alarm1= ALARM ON"&set "alarm2= ALARM OFF "&set "c1=a"&set "c2=c"&goto :box>nul 2>nul)
'>nul 2>nul&If !alarm!==y (set "alarm1= ALARM ON"&set "alarm2= ALARM OFF "&set "c1=a"&set "c2=c"&goto :box>nul 2>nul)
'>nul 2>nul&If !alarm!==N (set "alarm2= ALARM ON"&set "alarm1= ALARM OFF "&set "c2=a"&set "c1=c"&goto :box>nul 2>nul)
'>nul 2>nul&If !alarm!==n (set "alarm2= ALARM ON"&set "alarm1= ALARM OFF "&set "c2=a"&set "c1=c"&goto :box>nul 2>nul)
'>nul 2>nul&goto :SetAlarm>nul 2>nul
':box>nul 2>nul
'>nul 2>nul&set /a BSc-=2
'>nul 2>nul&mode con: cols=!BSc!
'>nul 2>nul&If not !BSc!==15 ( goto :box>nul 2>nul )
'>nul 2>nul&title !min! /mins
':loop>nul 2>nul
'>nul 2>nul&cls&color 0a
'>nul 2>nul&if not %time:~3,2%==!sec! ( set /a min+=1 &set sec=%time:~3,2%&title !min! /mins )
'>nul 2>nul&for /f "skip=3" %%a in ('tasklist /svc /fi "imagename eq !Puocess1!" 2^>NUL') do set Puocess2=%%a
'>nul 2>nul&if "!Puocess1!"=="!Puocess2!" set Get=1
'>nul 2>nul&call color %%c!Get!%%0&echo.&call echo.%%alarm!Get!%%&set Get=2&set Puocess2=
'>nul 2>nul&CScript.EXE ""%0 2"" //Nologo //e:VBS
'>nul 2>nul&goto :loop>nul 2>nul
Wscript.Sleep 1000
```
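Author: spfnug Time: 2009-11-29 16:36
How should it be written if I want to monitor processes and services at the same time?
Author: keen Time: 2009-11-29 18:20 Title: Reply to post #5
If you ask a question as a follow-up in someone else's thread, few people will see your question, and even fewer will be willing to answer it. In future, please post your question as a separate thread in the appropriate board, so that it can be resolved quickly.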
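One way to watch processes and services from a single script, as asked above. This is an added example, not code from any poster in the thread: it combines the queries of scripts 1 to 3 with the asynchronous sink pattern of script 8, and the sink prefixes PROC_ and SVC_ and all variable names are chosen here. Run it with cscript.exe so the output goes to the console.

```vbscript
' Added example: process start/exit and service state changes in one script.
Option Explicit
Dim strComputer, objWMIService, objProcSink, objSvcSink

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' One sink per event source; the prefix selects the handler sub below.
Set objProcSink = WScript.CreateObject("WbemScripting.SWbemSink", "PROC_")
Set objSvcSink = WScript.CreateObject("WbemScripting.SWbemSink", "SVC_")

' Process creation and deletion share one sink; the handler tells them apart.
objWMIService.ExecNotificationQueryAsync objProcSink, _
    "SELECT * FROM __InstanceCreationEvent WITHIN 1 " _
    & "WHERE TargetInstance ISA 'Win32_Process'"
objWMIService.ExecNotificationQueryAsync objProcSink, _
    "SELECT * FROM __InstanceDeletionEvent WITHIN 1 " _
    & "WHERE TargetInstance ISA 'Win32_Process'"
objWMIService.ExecNotificationQueryAsync objSvcSink, _
    "SELECT * FROM __InstanceModificationEvent WITHIN 30 " _
    & "WHERE TargetInstance ISA 'Win32_Service'"

WScript.Echo "Listening for process and service events..."
Do
    WScript.Sleep 1000   ' keep the script alive so the sinks can fire
Loop

Sub PROC_OnObjectReady(objEvent, objContext)
    Dim objProc, strAction
    Set objProc = objEvent.TargetInstance
    If objEvent.Path_.Class = "__InstanceCreationEvent" Then
        strAction = "started"
    Else
        strAction = "exited"
    End If
    ' PID, parent PID and command line give more context than the name alone.
    WScript.Echo Now & " process " & strAction & ": " & objProc.Name _
        & " pid=" & objProc.ProcessId & " ppid=" & objProc.ParentProcessId _
        & " cmd=" & objProc.CommandLine
End Sub

Sub SVC_OnObjectReady(objEvent, objContext)
    ' Report only real state transitions, as script 3 does.
    If objEvent.TargetInstance.State <> objEvent.PreviousInstance.State Then
        WScript.Echo Now & " service " & objEvent.TargetInstance.Name & ": " _
            & objEvent.PreviousInstance.State & " -> " & objEvent.TargetInstance.State
    End If
End Sub
```

With WITHIN 1, WMI polls once per second, so a process that starts and exits between two polls produces no event.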