获取最新开机事件12和6005的时间差

2024-04-12 17:24:23 浏览数 (1)

Windows系统,获取最新开机事件12和6005的时间差

简版

# Newest System-log record carrying event ID 12.
# NOTE(review): no provider filter is applied here, so a record from any
# provider that logs ID 12 can be the one returned.
$newestId12Query = @{LogName = "System"; ID = 12}
$event12 = Get-WinEvent -MaxEvents 1 -FilterHashtable $newestId12Query

# Newest System-log record carrying event ID 6005.
$newestId6005Query = @{LogName = "System"; ID = 6005}
$event6005 = Get-WinEvent -MaxEvents 1 -FilterHashtable $newestId6005Query

# Gap between the two records (6005 minus 12), kept as a TimeSpan.
$timeDifference = ($event6005.TimeCreated) - ($event12.TimeCreated)

# Emit the TimeSpan itself.
$timeDifference

# Emit the same gap expressed in seconds.
$timeDifference.TotalSeconds

健壮版

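# Robust variant: newest ID 12 and newest ID 6005 record from the last 10 days
# of the System log, restricted to a fixed set of providers.

# Lower bound of the search window.
$since = (Get-Date).AddDays(-10)

# Providers accepted by the filter (same three names for both queries).
$acceptedProviders = "Microsoft-Windows-Kernel-General", "User32", "EventLog"

# -EA 0 silences the error Get-WinEvent raises when nothing matches, so either
# variable can end up $null; that case is handled before the subtraction below.
$event12 = Get-WinEvent -FilterHashtable @{logname='System';id=@(12);StartTime=$since } -EA 0 |
    Where-Object { $acceptedProviders -contains $_.ProviderName } |
    Sort-Object -Property TimeCreated -Descending:$true |
    Select-Object -First 1

$event6005 = Get-WinEvent -FilterHashtable @{logname='System';id=@(6005);StartTime=$since } -EA 0 |
    Where-Object { $acceptedProviders -contains $_.ProviderName } |
    Sort-Object -Property TimeCreated -Descending:$true |
    Select-Object -First 1

# Show both records so the timestamps behind the result can be checked by eye.
$event12

$event6005

# Seconds from the ID 12 record to the ID 6005 record. Without both records the
# subtraction has no meaningful result, so say so instead of printing one.
if (($null -eq $event12) -or ($null -eq $event6005)) {
    Write-Warning "Event ID 12 and/or 6005 not found in the System log for the last 10 days; no time difference computed."
} else {
    ($event6005.TimeCreated - $event12.TimeCreated).TotalSeconds
}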

如果上面这个健壮版不行,试试最后面那段,在腾讯云还能通过metadata获取一些实例相关信息,比如

腾讯云

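# Instance metadata reference: https://cloud.tencent.com/document/product/213/4934
# Every value below is fetched over plain HTTP from the link-local metadata
# address; the requests carry no credentials.
# On PowerShell 6+ consider adding -NoProxy so these link-local requests are
# never handed to a configured proxy.

# CVM instance ID
$instanceid=(Invoke-WebRequest 'http://169.254.0.23/latest/meta-data/instance-id' -UseBasicParsing).Content

# CVM public IP (for the private IP, replace public-ipv4 with local-ipv4 in the URL)
$ip=(Invoke-WebRequest 'http://169.254.0.23/latest/meta-data/public-ipv4' -UseBasicParsing).Content

# CVM UUID
$uuid=(Invoke-WebRequest 'http://169.254.0.23/latest/meta-data/uuid' -UseBasicParsing).Content

# Disk IDs. The volumes listing is split into lines in memory rather than being
# written to a scratch file on C: and read back; each ID is the text before the
# first "/" on its line.
$volumeLines = @()
$volumeLines = @((Invoke-WebRequest 'http://169.254.0.23/meta-data/volumes/' -UseBasicParsing).Content -split "\r?\n")
$disk0id = $null
$disk1id = $null
if (($volumeLines.Count -gt 0) -and $volumeLines[0]) {
    $disk0id = $volumeLines[0].split("/")[0]
}
# An instance with a single disk has no second line; leave $disk1id empty
# instead of calling .split() on a null value.
if (($volumeLines.Count -gt 1) -and $volumeLines[1]) {
    $disk1id = $volumeLines[1].split("/")[0]
}

# Instance type
$instancetype=(Invoke-WebRequest 'http://169.254.0.23/meta-data/instance/instance-type' -UseBasicParsing).Content

# Image ID the instance was created from
$imageid=(Invoke-WebRequest 'http://169.254.0.23/meta-data/instance/image-id' -UseBasicParsing).Content

# AppID of the account that owns the instance
$appid=(Invoke-WebRequest 'http://169.254.0.23/meta-data/app-id' -UseBasicParsing).Content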

阿里云

# Instance metadata reference: https://help.aliyun.com/zh/ecs/user-guide/use-instance-identities
# The variable names are the same ones the Tencent Cloud snippet uses; the
# comments below say what each one actually holds on Alibaba Cloud.
# NOTE(review): these are plain GETs with no token header; presumably they are
# rejected on instances that enforce token-only metadata access - confirm.

# ECS instance ID
$instanceid = (Invoke-WebRequest -Uri 'http://100.100.100.200/latest/meta-data/instance-id' -UseBasicParsing).Content

# Value of the eipv4 metadata item
$ip = (Invoke-WebRequest -Uri 'http://100.100.100.200/latest/meta-data/eipv4' -UseBasicParsing).Content

# Holds the hostname here, not a UUID
$uuid = (Invoke-WebRequest -Uri 'http://100.100.100.200/latest/meta-data/hostname' -UseBasicParsing).Content

# Serial number of local disk number 0, read from Get-Disk rather than metadata
$disk0id = (Get-Disk | Where-Object { $_.Number -eq 0 }).SerialNumber

# Serial number of local disk number 1 (empty when there is no such disk)
$disk1id = (Get-Disk | Where-Object { $_.Number -eq 1 }).SerialNumber

# Instance type
$instancetype = (Invoke-WebRequest -Uri 'http://100.100.100.200/latest/meta-data/instance/instance-type' -UseBasicParsing).Content

# Image ID
$imageid = (Invoke-WebRequest -Uri 'http://100.100.100.200/latest/meta-data/image-id' -UseBasicParsing).Content

# Holds the owner account ID here
$appid = (Invoke-WebRequest -Uri 'http://100.100.100.200/latest/meta-data/owner-account-id' -UseBasicParsing).Content
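# Fallback script: dump the two newest ID 12 / ID 6005 records to a text file,
# then recover their timestamps from the formatted table in that file.
#
# Earlier variants of the query, kept for reference:
#Get-WinEvent -FilterHashtable @{logname='System';id=@(12,6005);StartTime=(Get-Date).AddDays(-10)}|Sort-Object -Property TimeCreated -Descending:$true |Select-Object -First 2 > c:12_6005_timediff.txt
#Get-WinEvent -FilterHashtable @{logname='System';id=@(12,6005);StartTime=(Get-Date).AddDays(-10)}|Sort-Object -Property TimeCreated -Descending:$true |Select-Object -Index 0,1 > c:12_6005_timediff.txt
#Get-WinEvent -FilterHashtable @{logname='System';id=@(12,6005);StartTime=(Get-Date).AddDays(-10)}|Sort-Object -Property TimeCreated -Descending:$true |Select-Object -Index 2,3 > c:12_6005_timediff.txt

# NOTE(review): 'c:12_6005_timediff.txt' has no "\" after the drive letter, so
# it resolves against the current directory on drive C:. The page may have lost
# a backslash - confirm the intended location before relying on the file.
Get-WinEvent -FilterHashtable @{logname='System';id=@(12,6005);StartTime=(Get-Date).AddDays(-10) } | Where-Object {$_.ProviderName -eq "Microsoft-Windows-Kernel-General" -or $_.ProviderName -eq "User32" -or $_.ProviderName -eq "EventLog" } | Sort-Object -Property TimeCreated -Descending:$true |Select-Object -First 2 > c:12_6005_timediff.txt

# Read the report once instead of re-reading it for every field.
# Lines 6 and 13 (0-based) are where the script expects the two data rows.
# NOTE(review): those positions depend on how the table is rendered (one
# provider group per event) - confirm on the target system.
$reportLines = @(Get-Content C:12_6005_timediff.txt)
$rowA = $reportLines | Select-Object -Index 6
$rowB = $reportLines | Select-Object -Index 13

# Placeholder date/time used when a row is missing.
$a1="1900-01-01"
$a2="00:00:00"
$b1="1900-01-01"
$b2="00:00:00"

# First two space-separated tokens of a row are taken as date and time.
if ($rowA -and $rowA.Trim())
{
$tokensA=$rowA.split(" ")
if ($tokensA.Count -ge 2)
{
$a1=$tokensA[0]
$a2=$tokensA[1]
}
}

if ($rowB -and $rowB.Trim())
{
$tokensB=$rowB.split(" ")
if ($tokensB.Count -ge 2)
{
$b1=$tokensB[0]
$b2=$tokensB[1]
}
}

# If either row is missing, reset both to the placeholder so the result is 0
# rather than a span measured against the year 1900.
$rowMissing = ($a1 -eq "1900-01-01") -or ($a2 -eq "00:00:00") -or ($b1 -eq "1900-01-01") -or ($b2 -eq "00:00:00")
if ($rowMissing)
{
$a1="1900-01-01"
$a2="00:00:00"
$b1="1900-01-01"
$b2="00:00:00"
}

# The page lost the "+" operators here; without them these two lines do not parse.
$str1=$a1 + " " + $a2
$str2=$b1 + " " + $b2

$starttime_12_1=$str1
$endtime_6005_1=$str2

# NOTE(review): the rows are sorted newest first, so $str1 is the more recent
# of the two records; which event ID that is depends on their timestamps -
# confirm the sign of the result matches the intended "12 to 6005" direction.
$TimeSpan_a=New-TimeSpan -Start "$starttime_12_1" -End "$endtime_6005_1"
#($ToDate - $FromDate).TotalMinutes
$timediff_12_6005_1=$TimeSpan_a.TotalSeconds
#$timediff_12_6005_1=$TimeSpan_a
#$timediff_12_6005_1=$TimeSpan_a.minutes*60 $TimeSpan_a.seconds*1
#$starttime_12_1   "`t"   $endtime_6005_1   "`t"   $timediff_12_6005_1 > c:result.txt
#cat c:result.txt


if ($rowMissing)
{
# The placeholder text does not match the "yyyy/M/d H:mm:ss" pattern, so
# ParseExact would only raise errors; keep the placeholder strings as they are.
Write-Warning "Expected event rows not found in the report; start/end times are placeholders and the difference is 0."
} else
{
# NOTE(review): the pattern assumes timestamps rendered like 2024/4/12 17:24:23
# (24-hour clock, "/" date separator); other display cultures will not parse.
# NOTE(review): fixed +8 h shift, presumably a UTC+8 adjustment - confirm it is
# wanted, since it is applied after the difference was computed.
$starttime_12_1=[datetime]::ParseExact($str1,"yyyy/M/d H:mm:ss",$null)
$starttime_12_1=$starttime_12_1.AddHours(8)
$endtime_6005_1=[datetime]::ParseExact($str2,"yyyy/M/d H:mm:ss",$null)
$endtime_6005_1=$endtime_6005_1.AddHours(8)
}
#$starttime_12_1 > c:result.txt;$endtime_6005_1 >> c:result.txt;$timediff_12_6005_1 >> c:result.txt;
#notepad c:result.txt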

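# Tencent Cloud instance details, read over plain HTTP from the link-local
# metadata address; the requests carry no credentials.
$instanceid=(Invoke-WebRequest 'http://169.254.0.23/latest/meta-data/instance-id' -UseBasicParsing).Content
$ip=(Invoke-WebRequest 'http://169.254.0.23/latest/meta-data/public-ipv4' -UseBasicParsing).Content
$uuid=(Invoke-WebRequest 'http://169.254.0.23/latest/meta-data/uuid' -UseBasicParsing).Content

# Disk IDs: split the volumes listing in memory rather than writing it to a
# scratch file on C: and reading it back; each ID is the text before the first "/".
$volumeLines = @()
$volumeLines = @((Invoke-WebRequest 'http://169.254.0.23/meta-data/volumes/' -UseBasicParsing).Content -split "\r?\n")
$disk0id = $null
$disk1id = $null
if (($volumeLines.Count -gt 0) -and $volumeLines[0]) {
    $disk0id = $volumeLines[0].split("/")[0]
}
# A single-disk instance has no second line; leave $disk1id empty instead of
# calling .split() on a null value.
if (($volumeLines.Count -gt 1) -and $volumeLines[1]) {
    $disk1id = $volumeLines[1].split("/")[0]
}

$instancetype=(Invoke-WebRequest 'http://169.254.0.23/meta-data/instance/instance-type' -UseBasicParsing).Content
$imageid=(Invoke-WebRequest 'http://169.254.0.23/meta-data/instance/image-id' -UseBasicParsing).Content
$appid=(Invoke-WebRequest 'http://169.254.0.23/meta-data/app-id' -UseBasicParsing).Content

# Print the instance details, one value per line.
$instanceid
$ip
$uuid
$disk0id
$disk1id
$instancetype
$imageid
$appid

# Print the two event times and their difference in seconds; these three
# variables are set by the time-difference part of the script above.
$starttime_12_1
$endtime_6005_1
$timediff_12_6005_1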
