readmedottxt

Reading backup 'Applications and Services' event logs - Vista/Win7

4 posts in this topic

#1 ·  Posted (edited)

I'm having trouble reading the Applications and Services event logs in Vista and Windows 7.

I referenced this thread:

and got nowhere with it either.

I found I can easily copy the event log, then open and process the copied file, e.g.:

#include <Array.au3>
#include <EventLog.au3>

; Open the saved .evtx copy rather than the live channel
$objEventLog = _EventLog__OpenBackup("", @ScriptDir & "\Microsoft-Windows-Dhcp-Client%4Admin.evtx")

$varEventsTotal = _EventLog__Count($objEventLog)
ConsoleWrite($varEventsTotal & @CRLF)

; Read every record sequentially and show the array the UDF returns
For $i = 0 To $varEventsTotal - 1
    $arrEvt = _EventLog__Read($objEventLog, True, False)
    _ArrayDisplay($arrEvt)
Next

_EventLog__Close($objEventLog)

However,

[13] - Event description is always corrupted or in another encoding, here's the result:

[0]|True
[1]|117
[2]|04/18/2011
[3]|09:12:04 AM
[4]|04/18/2011
[5]|09:12:04 AM
[6]|1001
[7]|1
[8]|Error
[9]|3
[10]|Microsoft-Windows-Dhcp-Client
[11]|icrosoft-Windows-Dhcp-Client
[12]|NT AUTHORITY
[13]|6 㠀  ㈀㜀  㤀㠀䄀㐀
[14]|

This is the case for all files opened with _EventLog__OpenBackup.

Does anyone have any suggestions on how to programmatically read the text in array[13]?

Thanks

Edited by readmedottxt


It's UTF-8 encoded. Try it this way and run it under the current Beta (3.3.7.9 or later):

For $i = 0 To $varEventsTotal - 1
    $arrEvt = _EventLog__Read($objEventLog, True, False)
    _ArrayDisplay($arrEvt)
    ConsoleWrite($i & ":  " & BinaryToString($arrEvt[13], 4) & @LF)
Next


Thanks PsaltyDS,

It's working better under 3.3.7.9; however, it still isn't capturing all the data.

Here's the XML in $arrEvt[13]:

{E36621E1-3676-8115-E22C-318F76CA63B0}014\\192.168.0.1\ShareTest32011-06-03T11:00:39.208519900Z0
    <VolumeInfo>
        <VolumeInfoItem Name="C:" OriginalAccessPath="C:" State="14" HResult="0" DetailedHResult="0" PreviousState="9" IsCritical="1" IsIncremental="0" BlockLevel="1" HasFiles="0" HasSystemState="1" IsCompacted="0" IsPruned="0" IsRecreateVhd="0" FullBackupReason="0" DataTransferred="13750319612" NumUnreadableBytes="0" TotalSize="13750319612" TotalNoOfFiles="0" Flags="1578" BackupTypeDetermined="1" SSBTotalNoOfFiles="0" SSBTotalSizeOnDisk="0" />
        <VolumeInfoItem Name="D:" OriginalAccessPath="D:" State="14" HResult="0" DetailedHResult="0" PreviousState="9" IsCritical="0" IsIncremental="0" BlockLevel="1" HasFiles="0" HasSystemState="0" IsCompacted="0" IsPruned="0" IsRecreateVhd="0" FullBackupReason="0" DataTransferred="117477581831" NumUnreadableBytes="0" TotalSize="117477581831" TotalNoOfFiles="0" Flags="8" BackupTypeDetermined="1" SSBTotalNoOfFiles="0" SSBTotalSizeOnDisk="0" />
        <VolumeInfoItem Name="E:" OriginalAccessPath="E:" State="14" HResult="0" DetailedHResult="0" PreviousState="9" IsCritical="0" IsIncremental="0" BlockLevel="1" HasFiles="0" HasSystemState="0" IsCompacted="0" IsPruned="0" IsRecreateVhd="0" FullBackupReason="0" DataTransferred="166828116621" NumUnreadableBytes="0" TotalSize="166828116621" TotalNoOfFiles="0" Flags="8" BackupTypeDetermined="1" SSBTotalNoOfFiles="0" SSBTotalSizeOnDisk="0" />
    </VolumeInfo>
    02011-06-03T11:00:39.192919200Z2011-06-03T11:04:32.829002400Z
    <TimesList>
        <Time Time="2011-06-03T11:04:54.123Z" />
        <Time Time="2011-06-03T11:10:02.362Z" />
        <Time Time="2011-06-03T12:00:44.077Z" />
    </TimesList>
    <TimesList>
        <Time Time="2011-06-03T11:04:54.233Z" />
        <Time Time="2011-06-03T11:10:02.378Z" />
        <Time Time="2011-06-03T12:00:44.093Z" />
    </TimesList>
    <TimesList>
        <Time Time="2011-06-03T11:04:54.248Z" />
        <Time Time="2011-06-03T11:10:02.409Z" />
        <Time Time="2011-06-03T12:00:44.218Z" />
    </TimesList>
    <TimesList>
        <Time Time="2011-06-03T11:10:02.362Z" />
        <Time Time="2011-06-03T12:00:44.077Z" />
        <Time Time="2011-06-03T13:51:35.545Z" />
    </TimesList>
    1601-01-01T00:00:00.000000000Z1601-01-01T00:00:00.000000000Z
    <TimesList> </TimesList>
    <TimesList> </TimesList>
    <TimesList> </TimesList>
    <TimesList> </TimesList>
    9
    <ComponentStatus>   </ComponentStatus>
    1601-01-01T00:00:00.000000000Z1601-01-01T00:00:00.000000000Z1601-01-01T00:00:00.000000000Z1601-01-01T00:00:00.000000000Z1601-01-01T00:00:00.000000000Z1601-01-01T00:00:00.000000000Z
    <SystemState IsPresent="1" HResult="0" DetailedHResult="0" />
    truefalsefalsetrue
    <TimesList>
        <Time Time="1601-01-01T00:00:00.000Z" />
        <Time Time="1601-01-01T00:00:00.000Z" />
        <Time Time="1601-01-01T00:00:00.000Z" />
    </TimesList>
    <TimesList>
        <Time Time="1601-01-01T00:00:00.000Z" />
        <Time Time="1601-01-01T00:00:00.000Z" />
        <Time Time="1601-01-01T00:00:00.000Z" />
    </TimesList>
    <TimesList>
        <Time Time="1601-01-01T00:00:00.000Z" />
        <Time Time="1601-01-01T00:00:00.000Z" />
        <Time Time="1601-01-01T00:00:00.000Z" />
    </TimesList>
    <TimesList>
        <Time Time="1601-01-01T00:00:00.000Z" />
        <Time Time="1601-01-01T00:00:00.000Z" />
        <Time Time="1601-01-01T00:00:00.000Z" />
    </TimesList>

And here's the XML from the Event Viewer. The <EventData> tag should match $arrEvt[13], however it seems only a small portion of it is there.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
  <Provider Name="Microsoft-Windows-Backup" Guid="{3EFA0331-5156-1155-8C30-E33000101F2E}" /> 
  <EventID>14</EventID> 
  <Version>2</Version> 
  <Level>4</Level> 
  <Task>0</Task> 
  <Opcode>2</Opcode> 
  <Keywords>0x4000000000000000</Keywords> 
  <TimeCreated SystemTime="2011-06-03T13:51:38.915270700Z" /> 
  <EventRecordID>40</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="2736" ThreadID="5104" /> 
  <Channel>Microsoft-Windows-Backup</Channel> 
  <Computer>zDevDC1</Computer> 
  <Security UserID="S-1-5-18" /> 
  </System>
  <EventData>
  <Data Name="BackupTemplateID">{E36621E1-3676-8115-E22C-318F76CA63B0}</Data> 
  <Data Name="HRESULT">0</Data> 
  <Data Name="BackupState">14</Data> 
  <Data Name="BackupTarget">\\192.168.0.1\ShareTest</Data> 
  <Data Name="NumOfVolumes">3</Data> 
  <Data Name="BackupTime">2011-06-03T11:00:39.208519900Z</Data> 
  <Data Name="HRESULT2">0</Data> 
  <Data Name="VolumesInfo"><VolumeInfo><VolumeInfoItem Name="C:" OriginalAccessPath="C:" State="14" HResult="0" DetailedHResult="0" PreviousState="9" IsCritical="1" IsIncremental="0" BlockLevel="1" HasFiles="0" HasSystemState="1" IsCompacted="0" IsPruned="0" IsRecreateVhd="0" FullBackupReason="0" DataTransferred="13750319612" NumUnreadableBytes="0" TotalSize="13750319612" TotalNoOfFiles="0" Flags="1578" BackupTypeDetermined="1" SSBTotalNoOfFiles="0" SSBTotalSizeOnDisk="0" /><VolumeInfoItem Name="D:" OriginalAccessPath="D:" State="14" HResult="0" DetailedHResult="0" PreviousState="9" IsCritical="0" IsIncremental="0" BlockLevel="1" HasFiles="0" HasSystemState="0" IsCompacted="0" IsPruned="0" IsRecreateVhd="0" FullBackupReason="0" DataTransferred="117477581831" NumUnreadableBytes="0" TotalSize="117477581831" TotalNoOfFiles="0" Flags="8" BackupTypeDetermined="1" SSBTotalNoOfFiles="0" SSBTotalSizeOnDisk="0" /><VolumeInfoItem Name="E:" OriginalAccessPath="E:" State="14" HResult="0" DetailedHResult="0" PreviousState="9" IsCritical="0" IsIncremental="0" BlockLevel="1" HasFiles="0" HasSystemState="0" IsCompacted="0" IsPruned="0" IsRecreateVhd="0" FullBackupReason="0" DataTransferred="166828116621" NumUnreadableBytes="0" TotalSize="166828116621" TotalNoOfFiles="0" Flags="8" BackupTypeDetermined="1" SSBTotalNoOfFiles="0" SSBTotalSizeOnDisk="0" /></VolumeInfo></Data> 
  <Data Name="DetailedHRESULT">0</Data> 
  <Data Name="SourceSnapStartTime">2011-06-03T11:00:39.192919200Z</Data> 
  <Data Name="SourceSnapEndTime">2011-06-03T11:04:32.829002400Z</Data> 
  <Data Name="PrepareBackupStartTime"><TimesList><Time Time="2011-06-03T11:04:54.123Z" /><Time Time="2011-06-03T11:10:02.362Z" /><Time Time="2011-06-03T12:00:44.077Z" /></TimesList></Data> 
  <Data Name="PrepareBackupEndTime"><TimesList><Time Time="2011-06-03T11:04:54.233Z" /><Time Time="2011-06-03T11:10:02.378Z" /><Time Time="2011-06-03T12:00:44.093Z" /></TimesList></Data> 
  <Data Name="BackupWriteStartTime"><TimesList><Time Time="2011-06-03T11:04:54.248Z" /><Time Time="2011-06-03T11:10:02.409Z" /><Time Time="2011-06-03T12:00:44.218Z" /></TimesList></Data> 
  <Data Name="BackupWriteEndTime"><TimesList><Time Time="2011-06-03T11:10:02.362Z" /><Time Time="2011-06-03T12:00:44.077Z" /><Time Time="2011-06-03T13:51:35.545Z" /></TimesList></Data> 
  <Data Name="TargetSnapStartTime">1601-01-01T00:00:00.000000000Z</Data> 
  <Data Name="TargetSnapEndTime">1601-01-01T00:00:00.000000000Z</Data> 
  <Data Name="DVDFormatStartTime"><TimesList></TimesList></Data> 
  <Data Name="DVDFormatEndTime"><TimesList></TimesList></Data> 
  <Data Name="MediaVerifyStartTime"><TimesList></TimesList></Data> 
  <Data Name="MediaVerifyEndTime"><TimesList></TimesList></Data> 
  <Data Name="BackupPreviousState">9</Data> 
  <Data Name="ComponentStatus"><ComponentStatus></ComponentStatus></Data> 
  <Data Name="SSBEnumerateStartTime">1601-01-01T00:00:00.000000000Z</Data> 
  <Data Name="SSBEnumerateEndTime">1601-01-01T00:00:00.000000000Z</Data> 
  <Data Name="SSBVhdCreationStartTime">1601-01-01T00:00:00.000000000Z</Data> 
  <Data Name="SSBVhdCreationEndTime">1601-01-01T00:00:00.000000000Z</Data> 
  <Data Name="SSBBackupStartTime">1601-01-01T00:00:00.000000000Z</Data> 
  <Data Name="SSBBackupEndTime">1601-01-01T00:00:00.000000000Z</Data> 
  <Data Name="SystemStateBackup"><SystemState IsPresent="1" HResult="0" DetailedHResult="0" /></Data> 
  <Data Name="BMR">true</Data> 
  <Data Name="VssFullBackup">false</Data> 
  <Data Name="UserInputBMR">false</Data> 
  <Data Name="UserInputSSB">true</Data> 
  <Data Name="BackupSuccessLogPath" /> 
  <Data Name="BackupFailureLogPath" /> 
  <Data Name="EnumerateBackupStartTime"><TimesList><Time Time="1601-01-01T00:00:00.000Z" /><Time Time="1601-01-01T00:00:00.000Z" /><Time Time="1601-01-01T00:00:00.000Z" /></TimesList></Data> 
  <Data Name="EnumerateBackupEndTime"><TimesList><Time Time="1601-01-01T00:00:00.000Z" /><Time Time="1601-01-01T00:00:00.000Z" /><Time Time="1601-01-01T00:00:00.000Z" /></TimesList></Data> 
  <Data Name="PruneBackupStartTime"><TimesList><Time Time="1601-01-01T00:00:00.000Z" /><Time Time="1601-01-01T00:00:00.000Z" /><Time Time="1601-01-01T00:00:00.000Z" /></TimesList></Data> 
  <Data Name="PruneBackupEndTime"><TimesList><Time Time="1601-01-01T00:00:00.000Z" /><Time Time="1601-01-01T00:00:00.000Z" /><Time Time="1601-01-01T00:00:00.000Z" /></TimesList></Data> 
  </EventData>
  </Event>

Any thoughts on retrieving the complete XML from each event?

Thanks
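What the last post sees is expected: _EventLog__Read wraps the legacy ReadEventLog API, which returns only the event's insertion strings (the Data values, run together), never the binary-XML template that carries the Data Name="..." attributes. The full <Event> document Event Viewer shows comes from the Vista+ Windows Event Log API in wevtapi.dll. The script below is an added example, not code from this thread or from the EventLog UDF; it calls that API through DllCall and assumes a saved .evtx file name of its own.

```autoit
; Added example, not the thread's code: read a saved .evtx with the Vista+ Windows
; Event Log API (wevtapi.dll) and render each event as the same XML Event Viewer shows.
#include <WinAPI.au3>
Global Const $EVT_QUERY_FILE_PATH = 0x2           ; Path argument is a file, not a channel
Global Const $EVT_QUERY_FORWARD_DIRECTION = 0x100 ; oldest event first
Global Const $EVT_RENDER_EVENT_XML = 1            ; EvtRender flag: whole <Event> as XML text

; Render one event handle as XML; returns "" and sets @error on failure.
Func _EvtRenderXml($hEvent)
    ; First call with no buffer fails with ERROR_INSUFFICIENT_BUFFER and reports the byte count needed in BufferUsed ($aRet[6]).
    Local $aRet = DllCall("wevtapi.dll", "bool", "EvtRender", "handle", 0, "handle", $hEvent, _
            "dword", $EVT_RENDER_EVENT_XML, "dword", 0, "ptr", 0, "dword*", 0, "dword*", 0)
    If @error Or $aRet[6] = 0 Then Return SetError(1, 0, "")
    Local $iBytes = $aRet[6]
    Local $tBuf = DllStructCreate("wchar[" & Int($iBytes / 2) & "]") ; UTF-16, 2 bytes per char
    $aRet = DllCall("wevtapi.dll", "bool", "EvtRender", "handle", 0, "handle", $hEvent, _
            "dword", $EVT_RENDER_EVENT_XML, "dword", $iBytes, "struct*", $tBuf, "dword*", 0, "dword*", 0)
    If @error Or Not $aRet[0] Then Return SetError(2, _WinAPI_GetLastError(), "")
    Return DllStructGetData($tBuf, 1)
EndFunc

; Open the backup file and return a 1-based array of event XML strings, count in [0].
Func _EvtxFileToXml($sPath)
    Local $aRet = DllCall("wevtapi.dll", "handle", "EvtQuery", "handle", 0, "wstr", $sPath, _
            "wstr", "*", "dword", BitOR($EVT_QUERY_FILE_PATH, $EVT_QUERY_FORWARD_DIRECTION))
    If @error Or Not $aRet[0] Then Return SetError(1, _WinAPI_GetLastError(), 0)
    Local $hQuery = $aRet[0], $tEvent = DllStructCreate("handle"), $aXml[8], $iCount = 0
    While True
        ; Fetch one handle at a time; EvtNext returns False (ERROR_NO_MORE_ITEMS) at the end.
        $aRet = DllCall("wevtapi.dll", "bool", "EvtNext", "handle", $hQuery, "dword", 1, _
                "struct*", $tEvent, "dword", 0xFFFFFFFF, "dword", 0, "dword*", 0)
        If @error Or Not $aRet[0] Then ExitLoop
        Local $hEvent = DllStructGetData($tEvent, 1)
        $iCount += 1
        If $iCount >= UBound($aXml) Then ReDim $aXml[$iCount * 2]
        $aXml[$iCount] = _EvtRenderXml($hEvent)
        DllCall("wevtapi.dll", "bool", "EvtClose", "handle", $hEvent)
    WEnd
    DllCall("wevtapi.dll", "bool", "EvtClose", "handle", $hQuery)
    ReDim $aXml[$iCount + 1]
    $aXml[0] = $iCount
    Return $aXml
EndFunc

; Assumed file name; each element holds the full <Event> document, <EventData> Data names included.
Local $aEvents = _EvtxFileToXml(@ScriptDir & "\Microsoft-Windows-Backup.evtx")
For $i = 1 To $aEvents[0]
    ConsoleWrite($i & ": " & $aEvents[$i] & @CRLF)
Next
```

Because EvtRender with the XML flag reads the structured event data directly, the Data Name="..." attributes come through even when the provider's message DLL is not installed on the machine doing the reading.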
