89 replies to this topic

[ripdad]

There are a number of programs on the internet that will make a log of your system processes and
registry settings, so that you can submit the log to someone that can make heads or tails of the
information contained in it and thereby help someone to repair a computer.

I've always dreaded reading system logs. Not anymore, as this makes reading one a joy.

It's actually 2 programs.

_SysInfoLog.au3 - This program generates the log of a PC.
_SysInfoLogViewer.au3 - This program is the log viewer.

As you will notice, I used alot of the code thats in GetCommonstartups to make them.
But these are geared to collect the information on one PC and view it on another.

Because of redirection issues between 64bit Os's, the programs will have to be compiled
64bit if used on a 64bit machine and 32bit on a 32bit machine.
(I won't use "disable redirection" along with WMI in a script anymore -- been there, done that)

For the most part, the viewer looks just like GetCommonstartups, but without the teeth and not "live".
It has a few added things which I will update GCS with, when I get more time.

You will need a good understanding of registry values to interpret "Registry Settings".
The keys and values are enumerated whether they exist or not. This is because the program is
geared for trouble-shooting a PC.

Some keys are meant to be missing. Some values are meant to be blank. Some L@@K good, but are bad. And so on.
If you don't know, you can do a comparison on another machine of the "same OS" or find out from someone who does.

If a virus applied hidden attributes to a hard drive, you will be able to see "(HIDDEN)"
after the PID process in the "Running Programs" screen, and get an idea if it's system wide.

#RequireAdmin is needed to get "All" the info on a PC, although it will work without it, with "Less" info.

Comments and suggestions are welcome.

Change Log: Version 1

Spoiler

_SysInfoLog.au3 v1.01 - Revised a few functions and added 3 more keys to "Registry Settings" for Win7.
July 25, 2011 - v1.03 - Added GetSystemInfo, WMI_SystemInfo, NTLogs_GetEvents, DTConvert and revised both scripts.
July 27, 2011 - v1.04 - Added NTLog_ChkDsk and date that Updates were installed on. Revised both scripts.
July 29, 2011 - v1.05 - Fixed a few issues, one with NTLog_ChkDsk showing other events under the same identifier and the other with Quick Fixes in which all kinds of strange things would be in the fields - ie. version numbers, the word "File 1" and characters of all types - mostly with Vista. Linked the BHOs to their respective Dll file.
August 01, 2011 - v1.06 - Added "Flag" to the menu as per suggestion of storme at post #6.
This is a new feature and might not be 100%, so please report bugs if found.
There are 2 kinds of Flags:
1) User Flags are generated by using the right-click menu.
2) Internal Flags are generated in the GetCommonstartups function.
August 08, 2011 - v1.20 - Updates and Optimization of both scripts.
August 08, 2011 * Last minute change in NTLogs_GetEvents to limit the search depth to 1000 records instead of 20k-50k.
Should be a little faster now.
August 11, 2011 - v1.21 - Added: Export to HTML - Thanks goes to ricky03 for the idea.
August 18, 2011 - v1.22 - A Few Minor Changes.
August 24, 2011 - v1.23 - Added: ..PoliciesExplorerDisallowRun to Registry Settings and a few tweaks.
FYI: virus that targets "DisallowRun" - http://www.bleepingcomputer.com/virus-removal/remove-home-safety-essentials

Change Log: Version 2

Spoiler

May 22, 2012 - v2.00 - Added: ATAPISmartData. Thanks to ricky03 for the idea.

A good portion of SysInfoLog has either been rewritten, improved or new functions added.

With the knowledge gained from WMI_Query, I have been able to provide better information to the script.
A new function called _WMI_InstancesOf() is the one that makes this possible.

ProcessList_Extended() and NTLogs_GetEvents() have been completely rewritten for optimum speed.
Instead of individual querries, they now obtain that information all in one call to their functions.

May 24, 2012 - v2.01 - Fixed a few problem areas, some generated characters clashing with _WMI_InstancesOf() and added a QuickFix function.

May 26, 2012 - v2.02 - Changed value translation logic in _WMI_InstancesOf(). Added a few more WMI calls, ie: Win32_Keyboard. Added Loaded Misc

June 01, 2012 - v2.03 - Added _GetDisplayEDID(), optimized some functions and made a few improvements.

June 07, 2012 - v2.04 - Added Win32_PnPEntity, MfgYear in _GetDisplayEDID() and a few adjustments to _WMI_InstancesOf() and _WMI_GetATAPISmartData().

October 02, 2012 - v2.05 - Changed Error Handling for Objects and Various Improvements.

October 03, 2012 - v2.06 - Fixed a few problems with object errors in _WMI_InstancesOf().
1) If a device is not found (like a sound card), it will return a blank string when the "object count" is zero.
2) If a "property name" returns an error of "not found" at the "qualifier loop", then the function will continue without it.
Thanks goes to ricky03 for posting the errors and testing.

October 04, 2012 - v2.07 - Updated GUI in SysInfoLogViewer with newer code.

November 05, 2012 - v2.08 - Updated _WMI_GetATAPISmartData() with v1.00

December 14, 2012 - v2.09
SysInfoLog
* Upgraded _WMI_InstancesOf() to v1.00 -- Getting a "bit" more from WMI.
* Updated _WMI_GetATAPISmartData() with v1.01
* Updated _Array_RemoveDuplicates() to v1.01 -- Speed is much better now.
* Added _WMI_GetErrorDescription() for when the Error Handler fails to give one.
* Updated various other functions. ie: Reg_Debuggers(), GetCommonstartups(), _ObjErrorHandler(), etc.
SysInfoLogViewer
* Moved QuickFixEngineering to it's own window.
* Rewrote IsFlagged(), _FlagThisEntry() and _RemoveThisFlag() -- Should work better now.
* Updated a few functions.

Download Version 2.09
 SysInfoLog_v2.09.zip   29.91K   180 downloads
Last updated December 14, 2012

Both scripts are in the zipfile above. Please let me know if any problems. Thanks.

Edited by ripdad, 14 December 2012 - 08:37 AM.

[guinness]

When I ran _SysInfoLog.au3 it returned an error, so I just removed the bracket ')' and it worked fine, I don't know if that bracket was important?!

I then checked the log file & it was blank, no idea why! I'm using Windows 7 x64.

Edited by guinness, 21 July 2011 - 07:23 AM.

[ripdad]

Thanks, removed bracket ... must have been one too many Ctrl-Z's or something. Hmmm, I'm sure I Tidy'd it.

I ran this on Win7 x64 without problems. Anyone else having troubles?

-edit-

I tested that bracket on Tidy and it didn't catch it, which is unusual.

Here was code line, in case someone is interested:

$s &= $i & '=' & $s1 & ':' & $aItems[$i][1] & ' (HIDDEN)|' & $s2) & $cr

Edited by ripdad, 21 July 2011 - 07:54 AM.

[Nunos]

Very nice thank you for taking your time to make such a great utility. I tested on Windows 7 both 32 and 64 bit and it works great. Would be interesting if there was a way to add the ability to gather the windows mini dump with a viewer as well because the MiniDump is very valuable information when troubleshooting as well.

[Chimaera]

Works fine for me m8

Win 7 Ultimate SP1

I can see the similarities to your other one

Good work

Chimaera

[storme]

G'day ripdad

Brilliant idea!
I’ve been looking for something like this for a while. But each time I decide to write one myself I get bogged down in “WHAT do I NEED to know from the computer” I think your program handles almost everything I can think of. THANKS!

Now for suggestions... (well YOU did ask)
Collector

• Add some command line options so sysinforlog can be run from batch or another program without user intervention. (eg /Silent – No Gui, /Quiet – No Prompts)
• Don’t add sending (email/ftp/etc) functions to your program it will just clutter it up and you’ll never be able to add everything.

Viewer

• Add ability to easily tag items as good or bad (and/or add a comment) by right clicking then store the comment/info in an INI or SQLite file. As the viewer program is used (at the office or from USB drive) it would be easier to spot new/bad items as more items are tagged.

Apart from those few suggestions I think it’s a great program.
MANY thanks for sharing it!
John Morrison

[ripdad]

@All - Thanks and you're welcome. I am just a hobby coder. A Pro would have done much better.
It works ... thats the important thing.

Nunos - I'll check into it, when I find minidumps of various OS's.

Chimaera - Nice to know it works on that version of Vista.

storme -
"command line options": I'll give it some thought. One could disable the prompts by commenting them.
"Don’t add sending (email/ftp/etc)": It did cross my mind, for about 10 seconds. <grin>
"ability to easily tag items": I'm not sure how I would go about that and be solid. I'll give it some thought.

Updated First Post to v1.03

[Chimaera]

Win 7 Ultimate SP1

Chimaera - Nice to know it works on that version of Vista.

Ill have to lend you my glasses m8 lol

[ripdad]

What? I thought Win7 was a version of Vista! They look the same! <grin>

[ripdad]

another update

[Chimaera]

Working fine

Win 7 Ultimate x64 SP 1
otherwise known as vista...

Edited by Chimaera, 27 July 2011 - 02:59 PM.

[ripdad]

Nunos - about the minidumps ..... I doubt I will mess with that.

1) The size of those dumps can be anywhere between 100k and 1MB or more.
2) I've never needed to look at one to find out whats wrong with a PC.
Mainly, because I use other methods to obtain such information.

The BSOD code usually tells me all I need to know in that situation anyway.

If I were to incorporate it to the program, I would most likely just append
it to the end of the log. The same would go for the bootlog: ntbtlog.txt
or any other such files.

Thanks for the suggestion anyways, and ... I'm still entertaining others.

[engjcowi]

V Nice and informative. Ive been writing something similar but using a html method for output.

I would like to see the minidumo stuff there too but use a BSOD viewer anyway so no major

thanks

[ripdad]

engjcowi,

I miss the WinX-ME days -- NOT.

It's rare to see a BSOD these days. It's usually hardware related if "I" see one.
Others may have a different story.

This is another log that can be useful at times: (not sure about Vista_7 (need to see))
"C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log"

Not fully tested, but you might be interested in this. It outputs WMI Console to htm, csv or list(ini type).

AutoIt        expandcollapse  popup

Local $s
$s &= 'BASEBOARD|';                - Base board (also known as a motherboard or system board) management.
$s &= 'BIOS|';                     - Basic input/output services (BIOS) management.
$s &= 'BOOTCONFIG|';               - Boot configuration management.
$s &= 'CDROM|';                    - CD-ROM management.
$s &= 'COMPUTERSYSTEM|';           - Computer system management.
$s &= 'CPU|';                      - CPU management.
$s &= 'CSPRODUCT|';                - Computer system product information from SMBIOS.
$s &= 'DESKTOPMONITOR|';           - Desktop Monitor management.
$s &= 'DISKDRIVE|';                - Physical disk drive management.
$s &= 'IDECONTROLLER|';            - IDE Controller management.
$s &= 'JOB|';                      - Provides  access to the jobs scheduled using the schedule service.
$s &= 'LOGICALDISK|';              - Local storage device management.
$s &= 'MEMCACHE|';                 - Cache memory management.
$s &= 'MEMLOGICAL|';               - System memory management (configuration layout and availability of memory).
$s &= 'MEMPHYSICAL|';              - Computer system's physical memory management.
$s &= 'NETPROTOCOL|';              - Protocols (and their network characteristics) management.
$s &= 'NETUSE|';                   - Active network connection management.
$s &= 'NIC|';                      - Network Interface Controller (NIC) management.
$s &= 'NICCONFIG|';                - Network adapter management.
;$s &= 'NTEVENT|'; <-- CAN MAKE A HUGE FILE! - Entries in the NT Event Log.
$s &= 'NTEVENTLOG|';               - NT eventlog file management.
$s &= 'ONBOARDDEVICE|';            - Management of common adapter devices built into the motherboard (system board).
$s &= 'OS|';                       - Installed Operating System/s management.
$s &= 'PAGEFILE|';                 - Virtual memory file swapping management.
$s &= 'PARTITION|';                - Management of partitioned areas of a physical disk.
$s &= 'PRINTER|';                  - Printer device management.
$s &= 'PROCESS|';                  - Process management.
$s &= 'PRODUCT|';                  - Installation package task management.
$s &= 'QFE|';                      - Quick Fix Engineering.
$s &= 'RECOVEROS|';                - Information that will be gathered from memory when the operating system fails.
$s &= 'REGISTRY|';                 - Computer system registry management.
$s &= 'SCSICONTROLLER|';           - SCSI Controller management.
;$s &= 'SERVICE|';                  - Service application management.
$s &= 'SOFTWAREELEMENT|';          - Management of the  elements of a software product installed on a system.
$s &= 'SOFTWAREFEATURE|';          - Management of software product subsets of SoftwareElement.
$s &= 'SOUNDDEV|';                 - Sound Device management.
$s &= 'STARTUP|';                  - Management of commands that run automatically when users log onto the computer system.
$s &= 'SYSACCOUNT|';               - System account management.
;$s &= 'SYSDRIVER|';                - Management of the system driver for a base service.
$s &= 'SYSTEMENCLOSURE|';          - Physical system enclosure management.
$s &= 'TEMPERATURE|';              - Data management of a temperature sensor (electronic thermometer).
$s &= 'TIMEZONE';                  - Time zone data management.
;
Local $ar = StringSplit($s, '|')
Local $as, $dt, $pd, $so, $st, $hf = FileOpen(@ScriptDir & '\SystemDump.htm', 1)
Local $ui = GUICreate('WMI Console SystemDump', 300, 100, -1, -1, 0x00C00000)
GUICtrlCreateLabel('Collecting Information...', 20, 20, 260, 20, 1)
Local $pb = GUICtrlCreateProgress(20, 50, 260, 20, 1)
GUISetState(@SW_DISABLE, $ui)
GUISetState(@SW_SHOW, $ui)
;
For $i = 1 To $ar[0]
    GUICtrlSetData($pb, ($i / $ar[0]) * 100)
    ; FileWriteLine($hf, @CRLF & '[' & $ar[$i] & ']' & @CRLF); <-- For: /FORMAT:LIST
    $pd = Run('WMIC ' & $ar[$i] & ' LIST FULL /FORMAT:HTABLE', '', @SW_HIDE, 2)
    ;                              (LIST FULL, LIST BRIEF), (/FORMAT:HTABLE, /FORMAT:LIST, /FORMAT:CSV)
    If Not $pd Then Exit
    ;
    While 1
        $so &= StdoutRead($pd, 0, 0)
        If @error Then ExitLoop
        Sleep(10)
    WEnd
    $so = StringStripWS($so, 3)
    If StringInStr($so, @LF) Then
        $as = StringSplit($so, @LF, 1)
        For $j = 1 To $as[0]
            $st = StringStripWS($as[$j], 3)
            If $st Then
                $dt = StringRegExp($st, '\.(.*?)-', 3)
                If IsArray($dt) And StringLen($dt[0]) = 6 Then
                    $dt = StringTrimLeft(StringLeft($st, StringInStr($st, '.' & $dt[0] & '-', 0, 1) + 10), 4)
                    $st = StringReplace($st, $dt, WMI_DTC($dt))
                EndIf
                If StringInStr($st, 'Instances of') Then
                    $st = '<H3>' & StringTrimLeft($st, StringInStr($st, 'Instances', 0, 1) + 12)
                    $as[$j + 3] = StringReplace($as[$j + 3], 'Node', $st)
                    $st = '<br>'
                EndIf
                $st = StringReplace($st, '<span style="height:1px;overflow-y:hidden">.</span>', '<font color="#FFFFFF">.</font>')
                FileWriteLine($hf, $st)
            EndIf
        Next
    EndIf
    $so = ''
Next
GUIDelete($ui)
FileClose($hf)
MsgBox(8256, 'Finished', @ScriptDir & '\SystemDump.htm')
Exit
;
Func WMI_DTC($x)
    If Not StringIsDigit(StringLeft($x, 14)) Then Return 'Unknown Date'
    Local $a = StringRegExp($x, '(\d{2})', 3)
    Return ($a[2] & '/' & $a[3] & '/' & $a[0] & $a[1] & ' ' & $a[4] & ':' & $a[5] & ':' & $a[6])
EndFunc

[ripdad]

-Edit-

Update v1.20

Edited by ripdad, 08 August 2011 - 11:51 AM.

[ricky03]

Hello,

thanks for this very useful software. Very interesting and a very nice job.

I have some questions :

• Could you please send me the version 1.06?
• Why you don't replace SysInfoLog v1.xx in all of your script by a Global var?

In the viewer I need to replace a string how can I do that?

Example, in the log I have this :
10=DigitalKey:|6A982F8ECC80
In the viewer I want to decode the string and replace the screened info (not modify the log) by:
SoftKey: 123-456-789

Edit : insert in the Switch $idText (after line 134)

Edited by ricky03, 10 August 2011 - 12:43 PM.

[ripdad]

ricky03,

Thanks for the comments.

1) Unfortunately, v1.06 is water under the bridge on my PC. Someone on the forums may still have a copy of it.
The only thing missing from v1.06 is the HotKey "space", which was causing too much trouble for me globally.

2) I think I did that in v1.20 -- previous scripts were "diamonds in the rough" -- sorry about that.

Have a nice day.

[ricky03]

Hello,

thanks for your reply.

2) I think I did that in v1.20 -- previous scripts were "diamonds in the rough" -- sorry about that.

Yes in the Viewer, but not in the SysInfoLog.

With the right click I want to export all the section (example : System Information or Common Startups). How can I take all the listview to an Array?

Edited by ricky03, 11 August 2011 - 06:47 AM.

[ripdad]

It's fairly easy to get any section from the log array.

It's just a matter of setting up the menu and event and then write the function for it.

Example in the script:

Func MyFunctionName()
    Local $aItems = SysInfoLog_ReadSection($aSIL, 'System Information')
    _ArrayDisplay($aItems, 'System Information')
EndFunc

With the example above, you would need to insert #include <array.au3> at top of script.

Edited by ripdad, 11 August 2011 - 10:09 AM.

[ricky03]

Thanks for your Help.

I create a function like this :

AutoIt        expandcollapse  popup

Func _Copy2File()

    Local $ColumnHeader, $iItems, $FileName, $TitleFile, $Zf, $data
    Local $aValues[1][6]

    For $i = 1 To 5
        $ColumnHeader = _GUICtrlListView_GetColumn($hLv, $i - 1)
        If StringRight($ColumnHeader[5], 1) = " " Then $ColumnHeader[5] = StringTrimRight($ColumnHeader[5], 1)
        $aValues[0][$i] = $ColumnHeader[5]
    Next

    $FileName = "Export_" & $aValues[0][1] & ".html"
    If FileExists($FileName) Then FileDelete($FileName)

    $TitleFile = "Export_" & $aValues[0][1]

    $iItems = _GUICtrlListView_GetItemCount($hLv)
    For $iItem = 0 To $iItems - 1
        $Zf = _GUICtrlListView_GetItemTextString($hLv, $iItem)

        $Zf = StringSplit($Zf, "|", 1)
        _ArrayAdd2D($aValues, $Zf, 0)
        $aValues[0][0] = $iItem
    Next
    _Array2DToHtml($aValues, $FileName, $TitleFile, 1)

    $data = "Export finished"

    If @error Then $data &= " with an error"

    MsgBox(64, $Title & " - Export", $data & ".", 5)

EndFunc   ;==>_Copy2File

Thanks for your help

Edited by ricky03, 11 August 2011 - 01:50 PM.