PowerShell 选择怪异
我这里有两个 select 语句。第一个(消息、用户名、生成时间)中的“标题”将用于第二个(用户名、生成时间)。
请查看 echo 语句以查看表\输出正在合并为一个。
谁能解释为什么?
这需要在 ps1 脚本中运行才能看到奇怪之处:
$before = get-date
$after = (get-date).AddDays(-1)
$a = Get-EventLog System -Before $before -After $after | ? {$_.Message -like "*start*"}
$a | select message, username,timegenerated
echo "----going through security----"
$b = Get-Eventlog security -Before $before -After $after |?{$_.category -match "Logon/Logoff" }
$b | select username,timegenerated
输出是这样的:
Message UserName TimeGenerated
------- -------- -------------
The Engine service was successfully sent a star... NT AUTHORITY\SYSTEM 22/09/2011 09:32:09
The Engine service was successfully sent a star... NT AUTHORITY\SYSTEM 21/09/2011 16:03:57
The Licensing Service service was successfu... DOMAIN\username 21/09/2011 15:58:12
----going through security----
DOMAIN\9876ABC$ 22/09/2011 14:05:41
DOMAIN\9876ABC$ 22/09/2011 14:04:58
DOMAIN\9876ABC$ 22/09/2011 14:03:40
DOMAIN\9876ABC$ 22/09/2011 14:02:57
NT AUTHORITY\LOCAL SERVICE 22/09/2011 14:01:59
I have two select statements here. The "headings" from the first (message, username,timegenerated) are being used for the second (username,timegenerated).
Please look at the echo statement to see that the tables\outputs are being merged into one.
Can anyone explain why?
This needs to be run in a ps1 script to see the weirdness:
$before = get-date
$after = (get-date).AddDays(-1)
$a = Get-EventLog System -Before $before -After $after | ? {$_.Message -like "*start*"}
$a | select message, username,timegenerated
echo "----going through security----"
$b = Get-Eventlog security -Before $before -After $after |?{$_.category -match "Logon/Logoff" }
$b | select username,timegenerated
The output is this:
Message UserName TimeGenerated
------- -------- -------------
The Engine service was successfully sent a star... NT AUTHORITY\SYSTEM 22/09/2011 09:32:09
The Engine service was successfully sent a star... NT AUTHORITY\SYSTEM 21/09/2011 16:03:57
The Licensing Service service was successfu... DOMAIN\username 21/09/2011 15:58:12
----going through security----
DOMAIN\9876ABC$ 22/09/2011 14:05:41
DOMAIN\9876ABC$ 22/09/2011 14:04:58
DOMAIN\9876ABC$ 22/09/2011 14:03:40
DOMAIN\9876ABC$ 22/09/2011 14:02:57
NT AUTHORITY\LOCAL SERVICE 22/09/2011 14:01:59
看起来像格式问题,但以下内容似乎按预期工作:
此外,这绝对看起来像是有关多个自定义 psobject 的输出的错误(上面由于执行选择而创建)。
以下代码显式地为每个查询结果创建一个单独的 PSObject,并返回与您的代码相同的结果(即仅一组标题):
在 PS_ISE 中运行此代码并执行:
您可以看到它们是具有不同属性的不同对象。如果您在对象之间不使用相同的键名称,事情会变得更加奇怪;如果我们将以下内容更改为:,请查看返回的结果
:
对于那些不愿意运行此命令的人,它会在安全结果集应在的位置返回空格。再次运行 Get-Member 将显示两个自定义对象,每个对象都有自己的属性。
尽管看起来 PSCustomObjects 可能会在 v3 中进行彻底修改,但可能值得使用 Microsoft Connect 记录这一点,请参阅 此处。
Looks like a formatting issue, the following seems to work as expected though:
Additionally, this definitely looks like a bug concerning the output of multiple custom psobjects (created above as a result of doing the selects).
The following code explicitly creates a separate PSObject for each query result and returns the same results as your code (i.e. only one set of headings):
Run this in PS_ISE and execute:
You can see that they are distinct objects with different properties. Things get even weirder if you don't use the same key names between objects; look at the results returned if we change:
to:
For those with no will to run this, it returns whitespace where the security result set should be. Running Get-Member again shows two custom objects, each with it's own properties.
It's probably worth logging this with Microsoft Connect although it looks like PSCustomObjects might be getting an overhaul in v3, see here.