use*_*719 6 powershell file-watcher
该脚本使用文件系统观察程序监视蜜罐文件夹,并报告任何更改(编辑,重命名,删除或创建),然后执行某些操作.
创建,重命名和删除时,操作可以正常工作.
但是在编辑时,我只能让脚本触发一次动作.因此,例如,如果测试设备尝试编辑honeypot文件夹上的文件,则会触发操作.但是同一设备尝试再次编辑同一个文件或不同的文件,编辑的观察者似乎无法工作,因为没有触发操作.
所以我尝试通过任务调度程序每5分钟重置一次脚本(每5分钟启动一次脚本),但结果仍然相同.
这是代码:
### SET FOLDER TO WATCH + FILES TO WATCH + SUBFOLDERS YES/NO
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = "\\vmserver2\_Do_Not_Delete_Or_Rename"
$watcher.Filter = "*.*"
$watcher.IncludeSubdirectories = $true
$watcher.EnableRaisingEvents = $true
### DEFINE ACTIONS AFTER AN EVENT IS DETECTED
$action = {
$path = $Event.SourceEventArgs.FullPath
$changeType = $Event.SourceEventArgs.ChangeType
$logline = "$(Get-Date), $changeType, $path"
#Add-content "D:\log.txt" -value $logline
#write-host $logline
$targetdevice = Get-SmbOpenFile |
select clientusername, clientcomputername, path |
where {$_.Path -like 'E:\Data\Archive\_Do_Not_Delete_Or_Rename' }
$targetIP = $targetdevice.clientcomputername
$targetUser = $targetdevice.clientusername
Send-ToEmail -email "edu.bit.es@gmail.com" $targetIP
$targetUser
}
### DECIDE WHICH EVENTS SHOULD BE WATCHED
Register-ObjectEvent $watcher "Created" -Action $action
Register-ObjectEvent $watcher "Changed" -Action $action
Register-ObjectEvent $watcher "Deleted" -Action $action
Register-ObjectEvent $watcher "Renamed" -Action $action
while ($true) {sleep 5}
我对powershell很新,所以我不明白,其余事件的观察者工作,只有编辑不起作用.
小智 3
要么你需要使用
Remove-Event $watcher "Changed"
在 $Action 脚本块的末尾或使用
Unregister-Event $watcher "Changed"
Register-ObjectEvent $watcher "Changed -Action $action
在 $Action 脚本块的末尾。