如何使用System.Diagnostics.EventLog从任意evxt文件读取?
问题描述:
如何使用 EventLog 可以从任意evtx文件中读取?
How can I use EventLog to read from an arbitrary evtx file?
EventLogQuery 可以打开evtx文件,但在.NET 2.0中不可用.
EventLogQuery is able to open evtx files, but it is not available in .NET 2.0.
答
让我们假设日志文件为LogA.evtx.
Let's assume the log file is LogA.evtx.
将LogA.evtx复制到C:\Windows\System32\winevt\Logs.
将新的注册表项添加到:
Add a new registry key to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog
称为LogA.例如.在PowerShell中:
called LogA. E.g. in PowerShell:
Set-Location HKLM:
New-Item .\SYSTEM\CurrentControlSet\services\eventlog -Name LogA
打开事件查看器以验证 LogA 是否显示在应用程序和服务日志下.
Open Event Viewer to verify that LogA shows up under Applications and Services Logs.
您现在可以使用EventLog打开LogA:
using System;
using System.Diagnostics;
namespace EventLogTest
{
class Program
{
static void Main(string[] args)
{
var log = new EventLog("LogA");
Console.WriteLine(log.Entries.Count);
}
}
}
您可以通过PowerShell删除LogA:
You can delete LogA via PowerShell:
[System.Diagnostics.EventLog]::Delete("LogA")