Sign in to follow this  
Followers 0
davezub

WMI Query Using NOT Like

5 posts in this topic

So I have this utility that scrapes the security logs looking for certain eventids, etc... and returns the most prominent logged in user name. I recently added a new eventcode 540 to track network logons (mapped drives etc....) However, this returns a lot of machine based junk and user names I want to exclude (e.g., any user name with a $ in the name computername$, etc...) Well the query is driving me crazy since the query does not seem to work correctly within Autoit but does work outside of Autoit. I used this tool to test the query outside of Autoit and it works fine. Here is the Query I'm running in the Event Log Query Tool that works:

EventCode = 528 OR EventCode = 540 AND NOT User like '%$%' AND TimeWritten >= '20091212'

The AutoitCode that does not work. Well it does work but returns all usernames is:

$objWMIService = ObjGet("winmgmts:{(Security)}\\" & $strComputer & "\root\CIMV2")       ; WMI Autoit Note must use {(Security)} for Security logs
$colItems = $objWMIService.ExecQuery("Select * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND EventCode = 528 OR EventCode = 540 AND NOT User like '%$%' AND TimeWritten >= " &  $Stopdate , "WQL",$wbemFlagReturnImmediately + $wbemFlagForwardOnly)

I tried different groupings with parentheses and such but it still refuses to use/interpret the NOT LIKE portion.

I'm running XP SP3 and AutoIt v3.3.2.0.

Anybody have any ideas.

Share this post


Link to post
Share on other sites



Assuming you want all 528 events this might even be better (hard to tell without testing environment ;) )...

$objWMIService = ObjGet("winmgmts:{(Security)}\\" & $strComputer & "\root\CIMV2") ; WMI Autoit Note must use {(Security)} for Security logs
$colItems = $objWMIService.ExecQuery("Select * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND (EventCode = 528 OR (EventCode = 540 AND User NOT LIKE '%$%' AND TimeWritten >= " & $Stopdate & "))", "WQL", $wbemFlagReturnImmediately + $wbemFlagForwardOnly)

Share this post


Link to post
Share on other sites

$objWMIService = ObjGet("winmgmts:{(Security)}\\" & $strComputer & "\root\CIMV2")       ; WMI Autoit Note must use {(Security)} for Security logs
$colItems = $objWMIService.ExecQuery("Select * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND EventCode = 528 OR EventCode = 540 AND NOT User like '%$%' AND TimeWritten >= " & $Stopdate , "WQL",$wbemFlagReturnImmediately + $wbemFlagForwardOnly)

I tried different groupings with parentheses and such but it still refuses to use/interpret the NOT LIKE portion.

In this query, notice that $Stopdate is not quoted, so it may be interpreted as a number instead of a string (as it is in the working query.)

This gives no error, but is clearly incomplete.

#include <array.au3>

Local Const $wbemFlagForwardOnly = 0x20
Local Const $wbemFlagReturnImmediately = 0x10

Local $strComputer = 'my_computer_name'     ;; put yours!
Local $Stopdate = '20091212'

$objWMIService = ObjGet("winmgmts:{(Security)}\\" & $strComputer & "\root\CIMV2")   ; WMI Autoit Note must use {(Security)} for Security logs
$colItems = $objWMIService.ExecQuery("Select * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND EventCode = 528 OR EventCode = 540 AND NOT User like '%$%' AND TimeWritten >= '" & $Stopdate & "'", "WQL", $wbemFlagReturnImmediately + $wbemFlagForwardOnly)

Could you post a complete but _short_ toy example that we can play with?


This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks.
Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe here
RegExp tutorial: enough to get started
PCRE v8.33 regexp documentation latest available release and currently implemented in AutoIt beta.

SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try.
SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager.
An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work.
SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well)
A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages!
SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt)

Share this post


Link to post
Share on other sites

Kafu,

The grouping was good but you need Not User Like. It is still NOT ignoring usernames with $ in them.

$colItems = $objWMIService.ExecQuery("Select * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND (EventCode = 528 OR (EventCode = 540 AND NOT User LIKE '%$%' AND TimeWritten >= " & $Stopdate & "))", "WQL", $wbemFlagReturnImmediately + $wbemFlagForwardOnly)

I think this may be a bug or something since it works outside of Autoit. To test you can use any not user like statement. I'm wondering if it is having problems with the like statement or the % Char.

Share this post


Link to post
Share on other sites

The bug is inside my head. I was getting confused between User and User Name.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0