Problem description
Every time I take out my Win 10 BitLocker USB startup key (TSK), I am trying to shut down the device. I have enabled DriverFrameworks-usermode/Operational logging to generate the appropriate logs, so that I can capture the InstanceID of the specific USB drive in them.
The following pulls all 2102 events from all removed USB devices:
Get-WinEvent -LogName Microsoft-Windows-DriverFrameworks-usermode/Operational -FilterXPath '*[System[(EventID=2102)]]'
However, when I try to filter for one specific drive, it just errors:
Get-WinEvent -LogName Microsoft-Windows-DriverFrameworks-usermode/Operational -FilterXPath '*[System[(EventID=2102)]] and *[UserData[UMDFHostDeviceRequest[@instanceID="SWD\WPDBUSENUM\_??_USBSTOR#disK&VEN__USB&PROD__SANdisK_3.2GEN1&REV_1.00#0401FCC4C24B5204ED6A023E9446EBDE67DADF08C86BAB77DBE89C8C17C339C#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}"]]]'
Whether I try changing every & to &amp; or use the original as posted above, I get the following error:
Get-WinEvent : No events were found that match the specified selection criteria.
At line:1 char:1
+ Get-WinEvent -LogName Microsoft-Windows-DriverFrameworks-usermode/Ope ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:) [Get-WinEvent],Exception
+ FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand
Any help would be greatly appreciated.
Forwarded a finished Pnp or Power operation (27,23) to the lower driver for device SWD\WPDBUSENUM\_??_USBSTOR#disK&VEN__USB&PROD__SANdisK_3.2GEN1&REV_1.00#0401FCC4C24B5204ED6A023E9446EBDE67DADF08C86BAB77DBE89C8C17C339C#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B} with status 0x0
Logname: Microsoft-Windows-DriverFrameworks-usermode/Operational
Source: DriverFrameworks-usermode Logged: [Date]
Event ID: 2102 Task Category: Pnp or Power Management to a particular device
Level: information Keywords:
User : LOCAL SERVICE Computer: [Computername]
Op Code: (2)
Event ID 2102 Details tab (Event Viewer) - XML view
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DriverFrameworks-usermode" Guid="{2e35aaeb-857f-4beb-a418-2e6c0e54d988}" />
<EventID>2102</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>37</Task>
<Opcode>2</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2020-09-28T22:54:17.6538118Z" />
<EventRecordID>1883</EventRecordID>
<Correlation />
<Execution ProcessID="6580" ThreadID="22636" />
<Channel>Microsoft-Windows-DriverFrameworks-usermode/Operational</Channel>
<Computer>Roswell</Computer>
<Security UserID="S-1-5-19" />
</System>
<UserData>
<UMDFHostDeviceRequest xmlns="http://www.microsoft.com/DriverFrameworks/usermode/Event">
<LifetimeId>{c09c68ed-af3b-4e1a-b2dd-17e74f17dba3}</LifetimeId>
<InstanceId>SWD\WPDBUSENUM\_??_USBSTOR#disK&amp;VEN__USB&amp;PROD__SANdisK_3.2GEN1&amp;REV_1.00#0401FCC4C24B5204ED6A023E9446EBDE67DADF08C86BAB77DBE89C8C17C339C#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}</InstanceId>
<RequestMajorCode>27</RequestMajorCode>
<RequestMinorCode>23</RequestMinorCode>
<Argument1>0x0</Argument1>
<Argument2>0x0</Argument2>
<Argument3>0x0</Argument3>
<Argument4>0x0</Argument4>
<Status>0</Status>
</UMDFHostDeviceRequest>
</UserData>
</Event>
Solution
Try this
$instance = 'SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN__USB&PROD__SANDISK_3.2GEN1&REV_1.00#0401FCC4C24B5204ED6A023E9446EBDE67DADF08C86BAB77DBE89C8C17C339C#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}'
# Each predicate in an XPath 'and' expression needs a node test ('*'); '[UserData[...]]' on its own is a syntax error.
Get-WinEvent -LogName Microsoft-Windows-DriverFrameworks-UserMode/Operational -FilterXPath "*[System[EventID=2102]] and *[UserData[UMDFHostDeviceRequest[@instanceID='$instance']]]"
Changing @instanceID to InstanceId and XML-escaping the instance ID string worked for me. In your case the command should look like this:
Get-WinEvent -LogName Microsoft-Windows-DriverFrameworks-UserMode/Operational -FilterXPath "*[System[(EventID=2102)]] and *[UserData[UMDFHostDeviceRequest[InstanceId='SWD\WPDBUSENUM\_??_USBSTOR#DISK&amp;VEN__USB&amp;PROD__SANDISK_3.2GEN1&amp;REV_1.00#0401FCC4C24B5204ED6A023E9446EBDE67DADF08C86BAB77DBE89C8C17C339C#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}']]]"
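The two fixes in the answer above (selecting the InstanceId element rather than an @instanceID attribute, and XML-escaping the ampersands) can be wrapped in a reusable function so the escaping is never done by hand. The script below is an added example, not code from the question or either answer; the function names Get-UsbRemovalEvents and Find-InstanceIdInLog are my own, and the instance id in the usage section is the one quoted in the question, used here as sample input. It also adds the check a practitioner wants when the XPath still matches nothing: XPath string comparison is exact and case-sensitive, so the second function lists the InstanceId values the log actually contains for comparison.

```powershell
# Added example (not from the original question or answers).
# Assumes the Microsoft-Windows-DriverFrameworks-UserMode/Operational log is
# enabled and that $InstanceId is the value shown in the event's <InstanceId>
# element in the Event Viewer XML view.

function Get-UsbRemovalEvents {
    param(
        [Parameter(Mandatory)] [string] $InstanceId,
        [int] $EventId = 2102,
        [int] $MaxEvents = 50
    )

    # The accepted answer found that the id had to be XML-escaped ('&' -> '&amp;')
    # for the filter to match, so escape it programmatically instead of by hand.
    $escaped = [System.Security.SecurityElement]::Escape($InstanceId)

    # InstanceId is a child element of UMDFHostDeviceRequest, not an attribute,
    # so it is selected as InstanceId='...' and not as @instanceID. XPath string
    # comparison is case-sensitive, so the value must match the logged text exactly.
    $xpath = "*[System[(EventID=$EventId)]] and *[UserData[UMDFHostDeviceRequest[InstanceId='$escaped']]]"

    Get-WinEvent -LogName 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' `
                 -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction Stop
}

function Find-InstanceIdInLog {
    # Slower cross-check for when the XPath filter returns nothing: pull the
    # 2102 events without an InstanceId predicate and read each event's XML,
    # so you can see the exact InstanceId strings (case included) the log holds.
    param([int] $EventId = 2102, [int] $MaxEvents = 200)

    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
        Id      = $EventId
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        # PowerShell's XML adapter ignores namespaces for dot navigation,
        # so the UMDF namespace on UMDFHostDeviceRequest needs no prefix here.
        $xml = [xml]$_.ToXml()
        $req = $xml.Event.UserData.UMDFHostDeviceRequest
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            InstanceId  = $req.InstanceId
            Status      = $req.Status
        }
    }
}

# Usage: the id below is the one from the question, used as sample input.
$id = 'SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN__USB&PROD__SANDISK_3.2GEN1&REV_1.00#0401FCC4C24B5204ED6A023E9446EBDE67DADF08C86BAB77DBE89C8C17C339C#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}'
try {
    Get-UsbRemovalEvents -InstanceId $id | Select-Object TimeCreated, Id, Message
}
catch {
    # With -ErrorAction Stop, "No events were found" is a terminating error.
    # Before changing the filter further, list the ids the log really contains.
    Write-Warning "No match for the given InstanceId; ids present in the log:"
    Find-InstanceIdInLog | Sort-Object InstanceId -Unique | Format-Table -AutoSize
}
```

The point of the second function is diagnostic rather than a replacement for the XPath filter: reading every event's XML is far more expensive than letting the event log service evaluate the XPath, but it is the quickest way to confirm whether the id in your filter differs from the logged one only in case or escaping.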