Export Particular Entry from Event Viewer

mtmartis · September 25, 2009

Hello,

I am trying to create a script that will output a particular event in the Windows Event Viewer, though I am at a loss still.

From what I can tell, I need to use the _Event__Read function. The example provided by AutoIT shows how to output the most recent record, however, I need to output a record where the Source is Winlogon.

#include <GuiConstantsEx.au3>
#include <EventLog.au3>

Global $iMemo

_Main()

Func _Main()
    Local $hEventLog, $hGUI, $aEvent

    ; Create GUI
    $hGUI = GUICreate("EventLog", 400, 300)
    $iMemo = GUICtrlCreateEdit("", 2, 2, 396, 300, 0)
    GUICtrlSetFont($iMemo, 9, 400, 0, "Courier New")
    GUISetState()

    ; Read most current event record
    $hEventLog = _EventLog__Open("", "Application")
;~  $hEventLog = _EventLog__Open("", "System")
    $aEvent = _EventLog__Read($hEventLog)
    ;~  $aEvent = _EventLog__Read($hEventLog, True, False)
;~  $aEvent = _EventLog__Read($hEventLog, True, False)
    MemoWrite("Result ............: " & $aEvent[ 0])
    MemoWrite("Record number .....: " & $aEvent[ 1])
    MemoWrite("Submitted .........: " & $aEvent[ 2] & " " & $aEvent[ 3])
    MemoWrite("Generated .........: " & $aEvent[ 4] & " " & $aEvent[ 5])
    MemoWrite("Event ID ..........: " & $aEvent[ 6])
    MemoWrite("Type ..............: " & $aEvent[ 8])
    MemoWrite("Category ..........: " & $aEvent[ 9])
    MemoWrite("Source ............: " & $aEvent[10])
    MemoWrite("Computer ..........: " & $aEvent[11])
    MemoWrite("Username ..........: " & $aEvent[12])
    MemoWrite("Description .......: " & $aEvent[13])
    _EventLog__Close($hEventLog)


    ; Loop until user exits
    Do
    Until GUIGetMsg() = $GUI_EVENT_CLOSE

EndFunc   ;==>_Main

; Write a line to the memo control
Func MemoWrite($sMessage)
    GUICtrlSetData($iMemo, $sMessage & @CRLF, 1)
EndFunc   ;==>MemoWrite

I would think placing the following code after the _Eventlog__Read function would read the log up to that entry then output the results, but I just get an empty box.

Do
    Until $aEvent[10] = "Winlogon"

Any help to steer me in the right direction would be greatly appreciated.

Thanks!

Edited September 25, 2009 by mtmartis

water · September 25, 2009

Replace line

$aEvent = _EventLog__Read($hEventLog)

with

Do      
  $aEvent = _EventLog__Read($hEventLog)
Until $aEvent[10] = "Winlogon"

and you get the first Eventlog entry with Source "Winlogon".

I think you misinterpred the function of _EventLog__Read. It only reads one single record. When you call the function again with the same handle then the next record is returned.

Edited September 25, 2009 by water

mtmartis · September 25, 2009

Replace line
$aEvent = _EventLog__Read($hEventLog)
with
Do      
  $aEvent = _EventLog__Read($hEventLog)
Until $aEvent[10] = "Winlogon"
and you get the first Eventlog entry with Source "Winlogon".
I think you misinterpred the function of _EventLog__Read. It only reads one single record. When you call the function again with the same handle then the next record is returned.

Ugh, you make it seem so simple. I think I am beginning to understand it. I am new to scripting,so, it's repeating the Read until it finds the Winlogon entry.

It looks like I just did not know how/where to properly implement the loop. I'll have to get back to basics and learn when and where to use what.

Thank You very much Water!

water · September 25, 2009

Glad to be of service

Sign In

Export Particular Entry from Event Viewer

Recommended Posts

mtmartis

Link to comment

Share on other sites

water

Link to comment

Share on other sites

mtmartis

Link to comment

Share on other sites

water

Link to comment

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members

Browse

AutoIt Resources

Release

Beta