WMI Query Using NOT Like

[davezub]

So I have this utility that scrapes the security logs looking for certain eventids, etc... and returns the most prominent logged in user name. I recently added a new eventcode 540 to track network logons (mapped drives etc....) However, this returns a lot of machine based junk and user names I want to exclude (e.g., any user name with a $ in the name computername$, etc...) Well the query is driving me crazy since the query does not seem to work correctly within Autoit but does work outside of Autoit. I used this tool to test the query outside of Autoit and it works fine. Here is the Query I'm running in the Event Log Query Tool that works:

EventCode = 528 OR EventCode = 540 AND NOT User like '%$%' AND TimeWritten >= '20091212'

The AutoitCode that does not work. Well it does work but returns all usernames is:

$objWMIService = ObjGet("winmgmts:{(Security)}\\" & $strComputer & "\root\CIMV2")       ; WMI Autoit Note must use {(Security)} for Security logs
$colItems = $objWMIService.ExecQuery("Select * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND EventCode = 528 OR EventCode = 540 AND NOT User like '%$%' AND TimeWritten >= " &  $Stopdate , "WQL",$wbemFlagReturnImmediately + $wbemFlagForwardOnly)

I tried different groupings with parentheses and such but it still refuses to use/interpret the NOT LIKE portion.

I'm running XP SP3 and AutoIt v3.3.2.0.

Anybody have any ideas.

[KaFu]

Assuming you want all 528 events this might even be better (hard to tell without testing environment )...

$objWMIService = ObjGet("winmgmts:{(Security)}\\" & $strComputer & "\root\CIMV2") ; WMI Autoit Note must use {(Security)} for Security logs
$colItems = $objWMIService.ExecQuery("Select * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND (EventCode = 528 OR (EventCode = 540 AND User NOT LIKE '%$%' AND TimeWritten >= " & $Stopdate & "))", "WQL", $wbemFlagReturnImmediately + $wbemFlagForwardOnly)

[jchd]

$objWMIService = ObjGet("winmgmts:{(Security)}\\" & $strComputer & "\root\CIMV2")       ; WMI Autoit Note must use {(Security)} for Security logs
$colItems = $objWMIService.ExecQuery("Select * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND EventCode = 528 OR EventCode = 540 AND NOT User like '%$%' AND TimeWritten >= " & $Stopdate , "WQL",$wbemFlagReturnImmediately + $wbemFlagForwardOnly)

I tried different groupings with parentheses and such but it still refuses to use/interpret the NOT LIKE portion.

In this query, notice that $Stopdate is not quoted, so it may be interpreted as a number instead of a string (as it is in the working query.)

This gives no error, but is clearly incomplete.

#include <array.au3>

Local Const $wbemFlagForwardOnly = 0x20
Local Const $wbemFlagReturnImmediately = 0x10

Local $strComputer = 'my_computer_name'     ;; put yours!
Local $Stopdate = '20091212'

$objWMIService = ObjGet("winmgmts:{(Security)}\\" & $strComputer & "\root\CIMV2")   ; WMI Autoit Note must use {(Security)} for Security logs
$colItems = $objWMIService.ExecQuery("Select * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND EventCode = 528 OR EventCode = 540 AND NOT User like '%$%' AND TimeWritten >= '" & $Stopdate & "'", "WQL", $wbemFlagReturnImmediately + $wbemFlagForwardOnly)

Could you post a complete but _short_ toy example that we can play with?

[davezub]

Kafu,

The grouping was good but you need Not User Like. It is still NOT ignoring usernames with $ in them.

$colItems = $objWMIService.ExecQuery("Select * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND (EventCode = 528 OR (EventCode = 540 AND NOT User LIKE '%$%' AND TimeWritten >= " & $Stopdate & "))", "WQL", $wbemFlagReturnImmediately + $wbemFlagForwardOnly)

I think this may be a bug or something since it works outside of Autoit. To test you can use any not user like statement. I'm wondering if it is having problems with the like statement or the % Char.

[davezub]

The bug is inside my head. I was getting confused between User and User Name.