
Weird problem with WMI event log monitoring and Windows 7


Go to solution Solved by mark999,


The following VBScript works - lists source of event log entries as made:

' Create the sink; its events are routed to subs prefixed "SINK_"
Set objSink = WScript.CreateObject("WbemScripting.SWbemSink","SINK_")
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
' Subscribe asynchronously to newly created event log records
objWMI.ExecNotificationQueryAsync objSink, "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent'"

' Called once for each new event log entry
Sub SINK_OnObjectReady(objObject, objAsyncContext)
    WScript.Echo (objObject.TargetInstance.SourceName)
End Sub

' Keep the script alive so notifications can arrive
Do While True
    WScript.Sleep(1000)
Loop

Whilst the following AutoIt code does not - doesn't see event log updates when made:

$objSink = ObjCreate("WbemScripting.SWbemSink","SINK_")
$objWMI = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
; Subscribe asynchronously to newly created event log records
$objWMI.ExecNotificationQueryAsync($objSink, "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent'")

; Intended handler for each new event log entry
Func SINK_OnObjectReady($objObject, $objAsyncContext)
    MsgBox(0,"",$objObject.TargetInstance.SourceName)
EndFunc

; Keep the script alive
While True
    Sleep(1000)
WEnd

No errors when run and no event log source when event log updated....

Anyone suggest why?


  • Moderators

You have a function, but are never calling it in your code. All your code is doing is sleeping. Additionally, your params for the function use variables you haven't declared ($objObject, $objAsyncContext), so you couldn't call it if you wanted. I would suggest you search out scriptomatic on the forum, and use the example scripts to modify your vbscript code.

 


Edited by JLogan3o13


  • 2 weeks later...

Hmmm it works under Windows XP.

The function isn't called in the normal way; it's linked to via the first line of the script. When a new event log entry is created, it fires off a call to the function.

I have recently upgraded to Windows 7 and noticed a lack of events in my event log monitor program I have been running - tried running "as administrator", no change. Tried a VBS version of a cut-down version of my script as above - OK; the au3 not so good.....


  • Solution

Thanks for everyone's patience. Spotted my mistake after looking at the link above - I had missed a line in the above:

ObjEvent($objSink, "SINK_")

That was what was wrong above at least.

The real cause of my confusion (not my rubbish example above :) ) was good old UAC, which started off this thread, and me cutting out a section of my bigger program.

Now the sample above is working, I have found that event log updates are only seen when running the program "as administrator" in Windows 7. Thought I tried that with my original program - I was an admin at the command prompt when I started my program, but not an elevated admin.....

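Putting the two findings of this thread together (the missing ObjEvent call and the need for an elevated process on Windows 7), here is an added example that is not code from any poster in the thread. It assumes a recent AutoIt version in which the COM error handler receives the error object as a parameter; the variable names, exit codes and console output format are illustrative choices.

```autoit
#include <MsgBoxConstants.au3>

; Report COM errors instead of failing silently ("no errors when run").
Global $g_oComError = ObjEvent("AutoIt.Error", "_ComErrorHandler")

; Per the thread, event log notifications are only seen when the process is
; elevated on Windows 7. This relies on IsAdmin() returning 0 for an
; administrator account that is running without elevation under UAC.
If Not IsAdmin() Then
    MsgBox($MB_ICONWARNING, "Event log monitor", _
            "Not elevated: start this script with 'Run as administrator'.")
    Exit 1
EndIf

Global $g_oSink = ObjCreate("WbemScripting.SWbemSink")
If Not IsObj($g_oSink) Then Exit 2

; The line missing from the original script: route the sink's COM events
; to AutoIt functions whose names start with "SINK_".
Global $g_oSinkEvents = ObjEvent($g_oSink, "SINK_")

Global $g_oWMI = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
If Not IsObj($g_oWMI) Then Exit 3

; Same notification query as in the thread.
$g_oWMI.ExecNotificationQueryAsync($g_oSink, _
        "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent'")

; Keep the script alive so the sink can deliver notifications.
While True
    Sleep(1000)
WEnd

; Called by WMI for every new event log record.
Func SINK_OnObjectReady($oEvent, $oAsyncContext)
    Local $oRec = $oEvent.TargetInstance
    ConsoleWrite($oRec.Logfile & " | " & $oRec.SourceName & " | " & $oRec.EventCode & @CRLF)
EndFunc

; Prints the COM error code, description and script line.
Func _ComErrorHandler($oError)
    ConsoleWrite("COM error 0x" & Hex($oError.number) & ": " & $oError.windescription & _
            " (line " & $oError.scriptline & ")" & @CRLF)
EndFunc
```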
