Reading from additional Vista/Win7 Event Logs


idbirch

I'm having trouble reading from the extra event logs found in Vista and particularly Windows 7. I want to parse the boot performance information from the "Applications and Services Logs" section (Microsoft -> Windows -> Diagnostics-Performance) but _EventLog__Open keeps just reverting to the standard Application log. Here's what I thought would work:

#include <EventLog.au3>
#include <Array.au3>

$hEventLog = _EventLog__Open ("", "Microsoft-Windows-Diagnostics-Performance/Operational")

While 1
    $arrEvt = _EventLog__Read($hEventLog, True, False)
    _ArrayDisplay($arrEvt)
WEnd

But this just starts reeling off stuff from the Application log. I tried just "Microsoft-Windows-Diagnostics-Performance" as well with the same result. Is this supposed to work or not currently supported?

PsaltyDS

Are you using 64-bit?

That's the default behavior of the Windows 32-bit API being used (advapi32.dll, "OpenEventLogA"). Quoting MSDN:

lpSourceName [in]

The name of the log.

If you specify a custom log and it cannot be found, the event logging service opens the Application log; however, there will be no associated message or category string file.

The only thing that stands out is that there is an "OpenEventLogW" in the 32-bit, and you might try it with that.

A lazy Google check didn't turn up a different API for 64-bit, but smarter people may know better.

:)


idbirch

I'm on 32-bit Windows 7 Enterprise (RTM). Yes, I saw in the AutoIt help file that the function will go for Application if the log specified can't be found but how can I get the AutoIt function to find the log? Or how do I get it to use the alternate function OpenEventLogW you mention?

PsaltyDS

Edit the function inside your copy of the UDF.

Or better, copy/paste it as a function in your script, change the name and edit it there.

:)


idbirch

Hm, well I switched out the function but am getting exactly the same behaviour. Anyone know of a way to reference event logs other than the standard Application, System and Security logs? There must be a way.....

Smitro

Did you find an answer to this? I'm trying to use one of these logs and can't figure it out.

memnon

I would be really interested in this - I have nearly the same problem.

I want to get events out of "Microsoft-Windows-Backup". It does not matter whether I try it on 32 or 64 bit, it always shows me events from the "normal" Application log.


water

There is already a (still open) feature request in Trac: #2119


JLogan3o13

In the meantime, you can always use the wevtutil.exe built into Windows7. Something like this (just pulled a log at random):

wevtutil.exe qe "OAlerts"


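The wevtutil approach from the post above, driven from AutoIt, as an added example that is not part of the thread: wevtutil reads channels through the newer Windows Event Log API, so it can open logs that OpenEventLog cannot. The helper name `_ReadChannel` is hypothetical, and the channel name is the one from the first post.

```autoit
#include <AutoItConstants.au3>
#include <Array.au3>

; Channel name taken from the first post in the thread.
Local $sChannel = "Microsoft-Windows-Diagnostics-Performance/Operational"
Local $vEvents = _ReadChannel($sChannel, 10)
If @error Then
    ; On failure the return value is the text wevtutil printed (or a short
    ; reason), so a refused or unknown channel is reported, not hidden.
    ConsoleWrite("Could not read " & $sChannel & ": " & $vEvents & @CRLF)
Else
    _ArrayDisplay($vEvents, $sChannel)
EndIf

; Hypothetical helper: returns [n][2] = EventID, TimeCreated (UTC), newest first.
Func _ReadChannel($sChannel, $iCount)
    ; The name is placed on a command line, so refuse anything that could
    ; break out of the surrounding quotes.
    If StringInStr($sChannel, '"') Then Return SetError(1, 0, "invalid channel name")
    ; Full path to the system copy of wevtutil, so no PATH lookup is involved.
    ; /c: max events, /rd:true newest first, /f:xml one <Event> element per record
    Local $sCmd = '"' & @SystemDir & '\wevtutil.exe" qe "' & $sChannel & '"' & _
            ' /c:' & Int($iCount) & ' /rd:true /f:xml'
    Local $iPid = Run($sCmd, @SystemDir, @SW_HIDE, $STDERR_MERGED)
    If $iPid = 0 Then Return SetError(2, 0, "could not start wevtutil.exe")
    Local $sOut = ""
    While 1
        $sOut &= StdoutRead($iPid)
        If @error Then ExitLoop ; pipe closed: wevtutil has exited
        Sleep(10)
    WEnd
    ; Split the output into individual <Event>...</Event> records.
    Local $aXml = StringRegExp($sOut, "(?s)<Event[ >].*?</Event>", 3)
    If @error Then Return SetError(3, 0, $sOut) ; no events parsed: pass the tool's message back
    Local $aRes[UBound($aXml)][2]
    For $i = 0 To UBound($aXml) - 1
        Local $aId = StringRegExp($aXml[$i], "<EventID[^>]*>(\d+)</EventID>", 1)
        If Not @error Then $aRes[$i][0] = $aId[0]
        Local $aTime = StringRegExp($aXml[$i], "<TimeCreated SystemTime=['""]([^'""]+)", 1)
        If Not @error Then $aRes[$i][1] = $aTime[0]
    Next
    Return $aRes
EndFunc
```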
Wolfteeth
On 10/13/2009 at 10:32 PM, idbirch said:

I'm having trouble reading from the extra event logs found in Vista and particularly Windows 7. I want to parse the boot performance information from the "Applications and Services Logs" section (Microsoft -> Windows -> Diagnostics-Performance) but _EventLog__Open keeps just reverting to the standard Application log. Here's what I thought would work:

#include <EventLog.au3>
#include <Array.au3>

$hEventLog = _EventLog__Open ("", "Microsoft-Windows-Diagnostics-Performance/Operational")

While 1
    $arrEvt = _EventLog__Read($hEventLog, True, False)
    _ArrayDisplay($arrEvt)
WEnd

But this just starts reeling off stuff from the Application log. I tried just "Microsoft-Windows-Diagnostics-Performance" as well with the same result. Is this supposed to work or not currently supported?

Does anyone know if the problem is fixed? I found that the ticket (#2119) was closed; however, it seems the problem is still not resolved.

Share this post


Link to post
Share on other sites
AutoBert

Look in

 
