mark999

Weird problem with WMI event log monitoring and Windows 7

6 posts in this topic

The following VBScript works - it lists the source of event log entries as they are made:

' Create the event sink; its events are routed to subs prefixed SINK_
Set objSink = WScript.CreateObject("WbemScripting.SWbemSink","SINK_")
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
' Subscribe asynchronously to newly created event log entries
objWMI.ExecNotificationQueryAsync objSink, "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent'"

Sub SINK_OnObjectReady(objObject, objAsyncContext)
    WScript.Echo (objObject.TargetInstance.SourceName)
End Sub

' Keep the script alive so events can be delivered
Do While True
    WScript.Sleep(1000)
Loop

Whilst the following AutoIt code does not - it doesn't see event log updates when made:

$objSink = ObjCreate("WbemScripting.SWbemSink","SINK_")
$objWMI = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
; Subscribe asynchronously to newly created event log entries
$objWMI.ExecNotificationQueryAsync($objSink, "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent'")

Func SINK_OnObjectReady($objObject, $objAsyncContext)
    MsgBox(0, "", $objObject.TargetInstance.SourceName)
EndFunc

; Keep the script alive
While True
    Sleep(1000)
WEnd

No errors when run and no event log source when event log updated....

Anyone suggest why?


#2 ·  Posted (edited)

You have a function, but are never calling it in your code. All your code is doing is sleeping. Additionally, your params for the function use variables you haven't declared ($objObject, $objAsyncContext), so you couldn't call it if you wanted. I would suggest you search out scriptomatic on the forum, and use the example scripts to modify your vbscript code.

 


Edited by JLogan3o13


Hmmm it works under Windows XP.

The function isn't called in the normal way; it's linked to via the first line of the script. When a new event log entry is created, it fires off a call to the function.

I have recently upgraded to Windows 7 and noticed a lack of events in my event log monitor program I have been running - tried run "as administrator" no change. Tried a VBS version of a cut down version of my script as above - ok the au3 not so good.....


ObjCreate line is wrong. Btw, I don't see how could that line work on your XP when the code is simply wrong.

Try ObjEvent.



mark999,

Take a look here.


 


Thanks for everyone's patience. Spotted my mistake after looking at the link above - I had missed a line in the above:

ObjEvent($objSink, "SINK_")

That was what was wrong above at least.

The real cause of my confusion (not my rubbish example above :) ) was good old UAC, which started off this thread, and me cutting out a section of my bigger program.

Now the sample above is working I have found watching for event log updates is only seen when running the program "as administrator" in Windows 7. Thought I tried that with my original program - I was an admin at the command prompt when I started my program but not elevated admin.....

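The two findings of this thread (the missing `ObjEvent` binding and the need for an elevated token on Windows 7) combined into one script, as an added example that is not code from any poster. The exit codes, the `_ComErr` handler name and the console output format are choices made for this example; the COM error handler is included because the original script failed without reporting anything.

```autoit
; Added example, not code from the thread. Exit codes, _ComErr and the
; output format are choices made for this sketch.

; Surface COM failures instead of failing silently.
Global $g_oComErr = ObjEvent("AutoIt.Error", "_ComErr")

; Without an elevated token on Windows 7 the thread's script ran but saw no events.
If Not IsAdmin() Then
    ConsoleWrite("Not elevated: restart with 'Run as administrator'." & @CRLF)
    Exit 1
EndIf

; Create the sink, then bind its events to functions prefixed SINK_.
; ObjCreate's second parameter is a server name, not an event prefix.
Global $g_oSink = ObjCreate("WbemScripting.SWbemSink")
If Not IsObj($g_oSink) Then Exit 2
Global $g_oSinkEvents = ObjEvent($g_oSink, "SINK_")
If Not IsObj($g_oSinkEvents) Then Exit 3

Global $g_oWMI = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
If Not IsObj($g_oWMI) Then Exit 4

$g_oWMI.ExecNotificationQueryAsync($g_oSink, _
        "SELECT * FROM __InstanceCreationEvent " & _
        "WHERE TargetInstance ISA 'Win32_NTLogEvent'")

; Keep the script alive; events arrive via SINK_OnObjectReady.
While True
    Sleep(1000)
WEnd

Func SINK_OnObjectReady($oEvent, $oAsyncContext)
    Local $oEntry = $oEvent.TargetInstance
    ConsoleWrite($oEntry.Logfile & " | " & $oEntry.SourceName & _
            " | event " & $oEntry.EventCode & @CRLF)
EndFunc

Func _ComErr($oError)
    ConsoleWrite("COM error 0x" & Hex($oError.number) & ": " & _
            $oError.description & " (line " & $oError.scriptline & ")" & @CRLF)
EndFunc
```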
