
Zero-overhead monitoring system in batch
Last edited by bluewing009 on -3-22 09:30

First of all, thanks to lxzzr for the big help~

Everyone knows that when batch has to do the monitoring itself, it's basically.... it does work, it just needs a huge amount of system resources; CPU usage usually shoots up above 80%. So monitoring has always been a sad subject. This post uses the auditing feature built into the system to get monitoring with zero overhead. XP users, please move along... (the audit-log query tool and the event-triggered scheduled tasks used below only exist from Vista on.)

Take the registry as the example. The original way of writing a monitor:

    :loop
    rem read the key, compare with the last value, act on a change, then spin again
    reg query ...
    if xxx==yyy ...
    goto loop

This is an unconditional infinite loop and it eats resources... adding a delay doesn't make it much better either. Here is the improvement.

Step 1: configure Group Policy first. This is mainly so that the system is allowed to record the "changes" we care about in the form of log entries.
    pushd %~dp0
    echo [version] >check.inf
    echo signature="$CHICAGO$" >>check.inf
    echo;>>check.inf
    echo [Event Audit] >>check.inf
    echo AuditObjectAccess = 1 >>check.inf
    echo;>>check.inf
    echo [Registry Keys] >>check.inf
    echo "MACHINE\Software\Test", 2, "S:AI(AU;CISAFA;DCLC;;;WD)" >>check.inf
    echo ;HKEY_LOCAL_MACHINE\Software\Test >>check.inf
    secedit /configure /db check.sdb /cfg check.inf /log check.log /quiet >nul
    del check.sdb check.inf check.log >nul

The inf file above is what the secedit command consumes. Run gpedit.msc and have a look: set it by hand first, then export, and you get this inf file. Now we just import it again~ Whenever you run into something like this, set it by hand first, then export and look at the result, and you'll see how to write it~

"MACHINE\Software\Test", 2, "S:AI(AU;CISAFA;DCLC;;;WD)" is the line that configures auditing for the registry key; when it changes you'll see it in the log... Er~ according to lxzzr's material this is SDDL, the "security descriptor" language... I don't have any material on hand either... go ask him~ heh~ just copy it across as it is~

Once the import is done, remember to add one more line:

    gpupdate

to refresh Group Policy... With that the system configuration is finished: when a value under the registry key Test changes, it shows up in the log~

Step 2: configure the trigger. When the registry changes, our program has to run~
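The same step done in PowerShell, as an added example that is not part of the original post. It enables only the Registry subcategory of Object Access auditing with auditpol (the template's AuditObjectAccess = 1 switches on the whole legacy category, success only, which also fills the log with file and handle events), creates HKLM\Software\Test, puts the same audit ACE on the key through the .NET RegistrySecurity API instead of an INF, reads the SACL back as SDDL so it can be compared with the template line, and finally writes a value to confirm a 4657 arrives. For the SDDL string the post copies from lxzzr: S: is the SACL, AI marks it auto-inherited, and (AU;CISAFA;DCLC;;;WD) is an audit ACE with flags CI (inherit to subkeys), SA and FA (log success and failure), rights DC (0x2, KEY_SET_VALUE) and LC (0x4, KEY_CREATE_SUB_KEY), for trustee WD (Everyone, S-1-1-0). The key path and the probe value name are assumptions for the demo; run it from an elevated prompt.

```powershell
# Added example (not from the original post): registry audit configuration in PowerShell.
# Assumptions: elevated session; HKLM:\Software\Test is a throwaway test key; value name "Probe" is made up.
#Requires -RunAsAdministrator
$KeyPath = 'HKLM:\Software\Test'

# 1. Turn on only the "Registry" subcategory (Object Access), success and failure.
#    The INF's "AuditObjectAccess = 1" enables the whole legacy category, success only.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# 2. Create the key that will be watched (the template's MACHINE\Software\Test).
if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }

# 3. Add the audit ACE. This is the object form of S:AI(AU;CISAFA;DCLC;;;WD):
#    Everyone (WD = S-1-1-0), SetValue (DC = 0x2) + CreateSubKey (LC = 0x4),
#    ContainerInherit (CI), Success + Failure (SA + FA).
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$rule = [System.Security.AccessControl.RegistryAuditRule]::new(
    $everyone,
    [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey',
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $KeyPath -Audit          # -Audit is needed to fetch (and later write) the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# 4. Read the SACL back, as SDDL (compare with the template line) and as rules.
$check = Get-Acl -Path $KeyPath -Audit
$check.GetSecurityDescriptorSddlForm('Audit')
$check.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, RegistryRights, InheritanceFlags, AuditFlags -AutoSize

# 5. Self-test: set a value and confirm a 4657 ("A registry value was modified") lands in the Security log.
Set-ItemProperty -Path $KeyPath -Name 'Probe' -Value (Get-Date).ToString('o')
Start-Sleep -Seconds 1
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4657]]" -MaxEvents 1 |
    Select-Object TimeCreated, Id, Message
```

Using the SID S-1-1-0 rather than the name "Everyone" keeps the script working on non-English systems, where the group name is localized. Setting the SACL needs SeSecurityPrivilege, which is why the session has to be elevated even though the key itself is writable by administrators anyway.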
The core is:

    rem Generator: writes the two helper bats under %windir%\Assistant and registers the task.
    if not exist "%windir%\Assistant" md "%windir%\Assistant"
    echo wevtutil qe Security /rd:true /c:1 /f:text ^>%windir%\Assistant\Security_Monitor.txt >%windir%\Assistant\Security_Monitor.bat
    echo start %windir%\Assistant\Security_Monitor_.bat >>%windir%\Assistant\Security_Monitor.bat
    echo @echo off >%windir%\Assistant\Security_Monitor_.bat
    echo Setlocal enabledelayedexpansion>>%windir%\Assistant\Security_Monitor_.bat
    echo for /f "tokens=3" %%%%i in ('findstr /i /c:"Event ID:" %%windir%%\Assistant\Security_Monitor.txt') do ( >>%windir%\Assistant\Security_Monitor_.bat
    echo if not %%%%i==4657 ( >>%windir%\Assistant\Security_Monitor_.bat
    echo echo;>>%windir%\Assistant\Security_Monitor_.bat
    echo echo Your startup items have been modified >>%windir%\Assistant\Security_Monitor_.bat
    echo echo;>>%windir%\Assistant\Security_Monitor_.bat
    echo echo but because of an unexpected condition the details could not be obtained >>%windir%\Assistant\Security_Monitor_.bat
    echo echo;>>%windir%\Assistant\Security_Monitor_.bat
    echo echo Please check the state of your system startup items >>%windir%\Assistant\Security_Monitor_.bat
    echo echo;>>%windir%\Assistant\Security_Monitor_.bat
    echo ping /n 4 127.1^>nul>>%windir%\Assistant\Security_Monitor_.bat
    echo exit >>%windir%\Assistant\Security_Monitor_.bat
    echo )>>%windir%\Assistant\Security_Monitor_.bat
    echo )>>%windir%\Assistant\Security_Monitor_.bat
    rem The four labels below are the Chinese-locale field names in wevtutil's text rendering of event 4657.
    rem On an English system they read "Object Value Name:", "Process Name:", "Old Value:" and "New Value:",
    rem and the multi-word ones would also need a different tokens= split.
    echo for /f "tokens=1,*" %%%%i in ('findstr /i /c:"對(duì)象值名稱:" %%windir%%\Assistant\Security_Monitor.txt') do set Change_Key=%%%%j >>%windir%\Assistant\Security_Monitor_.bat
    echo for /f "tokens=1,*" %%%%i in ('findstr /i /c:"進(jìn)程名:" %%windir%%\Assistant\Security_Monitor.txt') do set Change_Process=%%%%j >>%windir%\Assistant\Security_Monitor_.bat
    echo for /f "tokens=1,*" %%%%i in ('findstr /i /c:"舊值:" %%windir%%\Assistant\Security_Monitor.txt') do set Change_Key_Old=%%%%j >>%windir%\Assistant\Security_Monitor_.bat
    echo for /f "tokens=1,*" %%%%i in ('findstr /i /c:"新值:" %%windir%%\Assistant\Security_Monitor.txt') do set Change_Key_New=%%%%j >>%windir%\Assistant\Security_Monitor_.bat
    echo echo;>>%windir%\Assistant\Security_Monitor_.bat
    echo echo Attention: your startup items have been modified ★ >>%windir%\Assistant\Security_Monitor_.bat
    echo echo;>>%windir%\Assistant\Security_Monitor_.bat
    echo echo Modifying process: %%Change_Process%% >>%windir%\Assistant\Security_Monitor_.bat
    echo echo;>>%windir%\Assistant\Security_Monitor_.bat
    echo echo Modified value name: %%Change_Key%% >>%windir%\Assistant\Security_Monitor_.bat
    echo echo;>>%windir%\Assistant\Security_Monitor_.bat
    echo echo Old value: %%Change_Key_Old%% >>%windir%\Assistant\Security_Monitor_.bat
    echo echo;>>%windir%\Assistant\Security_Monitor_.bat
    echo echo New value: %%Change_Key_New%% >>%windir%\Assistant\Security_Monitor_.bat
    echo ping /n 4 127.1^>nul>>%windir%\Assistant\Security_Monitor_.bat
    echo exit >>%windir%\Assistant\Security_Monitor_.bat
    SCHTASKS /Create /TN Security_Monitor /RL Highest /TR %windir%\Assistant\Security_Monitor.bat /SC ONEVENT /EC Security /MO "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4657]]" >nul

The last line adds a scheduled task named Security_Monitor, running with Highest privileges, which on trigger runs %windir%\Assistant\Security_Monitor.bat. What follows /MO is the trigger condition: the new log entry produced by the registry change we talked about above, event ID 4657.

The lines above generate two files. Security_Monitor.bat dumps the newest Security event to a text file and then starts the other bat; the two could of course be written as one, but since registry changes may come in quickly, start is used to launch it so the task doesn't hang and miss records. Security_Monitor_.bat reads that dump and shows its contents. Note that the dump holds only the newest event (/rd:true /c:1): if some other Security event landed after the 4657 that fired the task, the dump won't contain it, which is what the "details could not be obtained" branch is for. With that the whole program is done. Not sure whether everyone followed~
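The same trigger and event reader in PowerShell, as an added example that is not part of the original post. It addresses the two weak points of the batch version: the bat reads the newest Security event, which is only sometimes the 4657 that fired the task, and it matches localized text labels (對(duì)象值名稱:, 進(jìn)程名:, 舊值:, 新值:), so it breaks on a system in any other language. Here the script run by the task asks the log for the newest 4657 by XPath and pulls the fields out of the event XML, whose Data names (ObjectName, ObjectValueName, OldValue, NewValue, ProcessName, SubjectUserName) are the same in every locale. The task is registered through the MSFT_TaskEventTrigger CIM class, which is what schtasks /SC ONEVENT creates. The 4657 event at the bottom is constructed for the demo; the task name, the script path under %windir%\Assistant and the -Install/-Report switches are assumptions of this example.

```powershell
# Added example (not from the original post): event-triggered registry-change monitor in PowerShell.
# Assumptions: elevated session; this file is saved as %windir%\Assistant\Security_Monitor.ps1 (any path works).
#   .\Security_Monitor.ps1 -Install   registers the event-triggered task (run once, after step 1)
#   .\Security_Monitor.ps1 -Report    what the task runs: show the newest 4657
#   .\Security_Monitor.ps1            offline demo of the parser on a constructed event
param([switch]$Install, [switch]$Report)

function ConvertFrom-RegistryAuditEvent {
    # Flatten the XML of a 4657 ("A registry value was modified") event.
    # Reading EventData by Name is locale independent; the text rendering is not.
    param([Parameter(Mandatory)][xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time     = $EventXml.Event.System.TimeCreated.SystemTime
        User     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Process  = $data['ProcessName']
        Key      = $data['ObjectName']
        Value    = $data['ObjectValueName']
        OldValue = $data['OldValue']
        NewValue = $data['NewValue']
    }
}

function Get-LatestRegistryChange {
    # Ask for the newest 4657 directly, instead of dumping the newest event of any ID
    # and hoping it is the right one (the race the batch version has to special-case).
    $xpath = "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4657]]"
    $ev = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $ev) { return $null }
    ConvertFrom-RegistryAuditEvent -EventXml ([xml]$ev.ToXml())
}

function Register-RegistryChangeMonitor {
    # Equivalent of: SCHTASKS /Create /TN Security_Monitor /RL Highest /SC ONEVENT /EC Security /MO "<xpath>"
    param([string]$TaskName = 'Security_Monitor', [string]$ScriptPath = "$env:windir\Assistant\Security_Monitor.ps1")
    $class   = Get-CimClass -Namespace Root/Microsoft/Windows/TaskScheduler -ClassName MSFT_TaskEventTrigger
    $trigger = New-CimInstance -CimClass $class -ClientOnly
    $trigger.Enabled      = $true
    $trigger.Subscription = @"
<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4657]]</Select></Query></QueryList>
"@
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`" -Report"
    # Interactive + Highest keeps the post's behaviour: a console pops up for the logged-on admin,
    # and the elevated token is what allows reading the Security log.
    $principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" -LogonType Interactive -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Trigger $trigger -Action $action -Principal $principal -Force | Out-Null
}

if ($Install) { Register-RegistryChangeMonitor -ScriptPath $PSCommandPath; return }
if ($Report) {
    $change = Get-LatestRegistryChange
    if ($change) { $change | Format-List } else { 'A watched registry value was modified, but no 4657 event could be read back.' }
    $null = Read-Host 'Press Enter to close'
    return
}

# No switch: demo the parser on a constructed 4657 event (made up for this example; no Security log needed).
$sample = [xml]@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4657</EventID>
    <TimeCreated SystemTime="2024-03-22T01:30:00.000Z"/>
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="SubjectDomainName">WORKSTATION</Data>
    <Data Name="ObjectName">\REGISTRY\MACHINE\SOFTWARE\Test</Data>
    <Data Name="ObjectValueName">Run</Data>
    <Data Name="OldValue">C:\Program Files\Updater\updater.exe</Data>
    <Data Name="NewValue">C:\Users\alice\AppData\Roaming\svch0st.exe</Data>
    <Data Name="ProcessName">C:\Windows\regedit.exe</Data>
  </EventData>
</Event>
"@
ConvertFrom-RegistryAuditEvent -EventXml $sample | Format-List
```

Because the task's action is the script itself, there is no second helper file and no intermediate text dump; if several 4657 events arrive in a burst, each trigger still queries the log independently, and -MaxEvents can be raised if you want every event since the last run rather than only the newest.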

