add Get-WinEvent exception warning output #48

Yamato-Security · Sep 20, 2021 · 5fffcea · 5fffcea
1 parent 63d0e79
commit 5fffcea
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 24 deletions.
diff --git a/Config/Language/en.ps1 b/Config/Language/en.ps1
@@ -326,6 +326,7 @@ $Create_LogonTimeline_TypeOther = "Other Type Logons:"
 $Create_LogonTimeline_localComputer = "LOCAL"
 $Detect_ProcessingDetectionMessage = "Processing rule-base detection...`n"
 
+$Warn_GetEvent = "Warning:Get-WinEvent error record skip. :"
 $Warn_DC_LiveAnalysis = "Warning: You probably should not be doing live analysis on a Domain Controller. Please copy log files offline for analysis."
 $Error_InCompatible_LiveAnalysisAndLogFile = "Error: you cannot specify -LiveAnalysis and -LogFile at the same time."
 $Error_InCompatible_LogDirAndFile = "Error：you cannot specify -LogDirectory and -LogFile at the same time." 

diff --git a/Config/Language/ja.ps1 b/Config/Language/ja.ps1
@@ -329,6 +329,7 @@ $Create_LogonTimeline_Type13 = "タイプ 13 キャッシュされた認証情
 $Create_LogonTimeline_TypeOther = "その他のタイプのログオン:"
 $Create_LogonTimeline_localComputer = "ローカル"
 
+$Warn_GetEvent = "注意:Get-WinEventでエラーが発生しました。エラーが発生したイベントレコードは読み込まれません。 :"
 $Warn_DC_LiveAnalysis = "注意：ドメインコントローラーでライブ調査をしない方が良いです。ログをオフラインにコピーしてから解析して下さい。"
 $Error_InCompatible_LiveAnalysisAndLogFile = "エラー：「-LiveAnalysis」 と「-LogFile」を同時に指定できません。"
 $Error_InCompatible_LogDirAndFile = "エラー：「-LogDirectory」 と「-LogFile」を同時に指定できません。"

diff --git a/Config/util.ps1 b/Config/util.ps1
@@ -19,6 +19,18 @@ https://github.com/yamatosecurity
 
 
 #Functions:
+function Get-WinEventWithFilter {
+    param($WinEventFilter)
+    $logs = $null
+    try {
+        $logs = Get-WinEvent -FilterHashtable $WinEventFilter -Oldest
+    }
+    catch {
+        Write-Host $Warn_GetEvent $_.Exception.Message -ForegroundColor Black -BackgroundColor Yellow
+    }
+    return $logs
+}
+
 function Show-Contributors {
     Write-Host 
     Write-Host $Show_Contributors -ForegroundColor Cyan

diff --git a/WELA.ps1 b/WELA.ps1
@@ -362,28 +362,18 @@ function Create-EventIDStatistics {
     }
 
     $WineventFilter.Add( "Path", $LogFile ) 
-    $logs = Get-WinEvent -FilterHashtable $WineventFilter -Oldest
+    $logs = Get-WinEventWithFilter -WinEventFilter $WineventFilter
     $eventlist = @{}
-    $TotalNumberOfLogs = 0
+    $TotalNumberOfLogs = $logs.Count
 
     foreach ( $event in $logs ) {
-
         $id = $event.id.toString()
-
         if ( $eventlist[$id] -eq $null ) {
-
             $eventlist[$id] = 1
-
         } 
-
         else {
-
             $eventlist[$id] += 1
-
         }
-
-        $TotalNumberOfLogs++
-
     }
 
     #Print results        
@@ -495,7 +485,7 @@ function Create-LogonTimeline {
     Write-Host ( $Create_LogonTimeline_Filesize -f $filesize )          # "File Size: {0}"
     Write-Host ( $Create_LogonTimeline_Estimated_Processing_Time -f $RuntimeHours, $RuntimeMinutes, $RuntimeSeconds )   # "Estimated processing time: {0} hours {1} minutes {2} seconds"
 
-    $logs = Get-WinEvent -FilterHashtable $WineventFilter -Oldest
+    $logs = Get-WinEventWithFilter -WinEventFilter $WineventFilter 
     $eventlist = @{}
     $TotalNumberOfLogs = 0
 
@@ -1008,17 +998,7 @@ function Create-Timeline {
 
     Write-Host
 
-    try {
-        $logs = iex "Get-WinEvent $filter -Oldest -ErrorAction Stop"
-
-    }
-    catch {
-        Write-Host "Get-WinEvent $filter -ErrorAction Stop"
-        Write-Host "Get-WinEvent error: " $_.Exception.Message "`n"
-        Write-Host "Exiting...`n"
-        exit
-    }
-
+    $logs = Get-WinEventWithFilter $filter
 
     #Start reading in the logs.
     foreach ($event in $logs) {