
Weird problem with WMI event log monitoring and Windows 7



The following VBScript works - lists source of event log entries as made:

Set objSink = WScript.CreateObject("WbemScripting.SWbemSink","SINK_")
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
objWMI.ExecNotificationQueryAsync objSink, "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent'"

Sub SINK_OnObjectReady(objObject, objAsyncContext)
    WScript.Echo (objObject.TargetInstance.SourceName)
End Sub

' Keep the script alive so the sink can receive events
Do While True
    WScript.Sleep 1000
Loop

Whilst the following AutoIt code does not - doesn't see event log updates when made:

$objSink = ObjCreate("WbemScripting.SWbemSink","SINK_")
$objWMI = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
$objWMI.ExecNotificationQueryAsync($objSink, "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent'")

Func SINK_OnObjectReady($objObject, $objAsyncContext)
    ConsoleWrite($objObject.TargetInstance.SourceName & @CRLF)
EndFunc

; Keep the script alive
While True
    Sleep(1000)
WEnd

No errors when run and no event log source when event log updated....

Anyone suggest why?


You have a function, but are never calling it in your code. All your code is doing is sleeping. Additionally, your params for the function use variables you haven't declared ($objObject, $objAsyncContext), so you couldn't call it if you wanted. I would suggest you search out scriptomatic on the forum, and use the example scripts to modify your vbscript code.



Edited by JLogan3o13


Hmmm it works under Windows XP.

The function isn't called in the normal way; it's linked to via the first line of the script. When a new event log entry is created, it fires off a call to the function.

I have recently upgraded to Windows 7 and noticed a lack of events in my event log monitor program I have been running - tried running "as administrator", no change. Tried a VBS version of a cut-down version of my script as above - OK; the au3 not so good.....


ObjCreate line is wrong. Btw, I don't see how that line could work on your XP when the code is simply wrong.

Try ObjEvent.






Take a look here.



Thanks for everyone's patience. Spotted my mistake after looking at the link above - I had missed a line in the above:

ObjEvent($objSink, "SINK_")

That was what was wrong above at least.

The real cause of my confusion (not my rubbish example above :) was good old UAC that started off this thread and me cutting out a section of my bigger program.

Now the sample above is working I have found watching for event log updates is only seen when running the program "as administrator" in Windows 7. Thought I tried that with my original program - I was an admin at the command prompt when I started my program but not elevated admin.....

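The two findings in this thread (the missing ObjEvent hookup and the need for an elevated token on Windows 7) combined in one script, as an added example that is not code from any poster. It refuses to start unelevated and adds a SINK_OnCompleted handler, because an asynchronous WMI query reports failure through the sink rather than at the call site; the message text, exit codes and sleep interval are assumptions.

```autoit
; Added example, not from the thread. Message text and exit codes are assumptions.
; IsAdmin() returns 1 only for a full (elevated) administrator token, so a
; UAC-filtered admin session is caught here instead of silently waiting for
; events that never arrive.
If Not IsAdmin() Then
    ConsoleWrite("Not elevated: restart from an elevated prompt." & @CRLF)
    Exit 1
EndIf

Global $objSink = ObjCreate("WbemScripting.SWbemSink")
If Not IsObj($objSink) Then Exit 2

; Connect the sink's COM events to functions prefixed SINK_. Keep the returned
; object in a variable for the lifetime of the subscription.
Global $objSinkEvents = ObjEvent($objSink, "SINK_")

Global $objWMI = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
If Not IsObj($objWMI) Then Exit 3

$objWMI.ExecNotificationQueryAsync($objSink, _
        "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent'")

; Idle while WMI delivers events to the sink.
While True
    Sleep(250)
WEnd

; Called once per new event log record.
Func SINK_OnObjectReady($objObject, $objAsyncContext)
    ConsoleWrite($objObject.TargetInstance.SourceName & @CRLF)
EndFunc

; Called when the asynchronous query ends; a failed subscription reports its
; HRESULT here.
Func SINK_OnCompleted($iHResult, $objErrorObject, $objAsyncContext)
    ConsoleWrite("Subscription ended, HRESULT 0x" & Hex($iHResult) & @CRLF)
EndFunc
```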
