antmar904 Posted August 6, 2014

Hi All, I would like to search the "System" event log for any event that contains "PowerBroker for Windows detected a UAC prompt" in the "General" tab and show it in a GUI or msgbox window. Can someone help me out getting started?
JLogan3o13 (Moderator) Posted August 6, 2014 (edited) - marked as Solution

Help file - begin with _EventLog__Open

Edit: Bored. Try something like this:

    #include <EventLog.au3>

    ; Open the System log on the local machine and read it newest to oldest
    $hLog = _EventLog__Open("", "System")
    $sCount = _EventLog__Count($hLog)

    For $i = $sCount To 1 Step -1
        $aEvent = _EventLog__Read($hLog, True, False, $i)
        ; $aEvent[13] holds the event description
        If StringInStr($aEvent[13], "PowerBroker for Windows detected ") Then
            MsgBox(0, "Record Number: " & $aEvent[1], "Submitted: " & $aEvent[2] & " " & $aEvent[3] & @CRLF & "Description: " & $aEvent[13])
        EndIf
    Next

Edited August 6, 2014 by JLogan3o13
antmar904 (Author) Posted August 6, 2014

@JLogan, That worked great, thank you. Can you please help me understand this part:

    For $i = $sCount To 1 Step -1
        $aEvent = _EventLog__Read($hLog, True, False, $i)
        If StringInStr($aEvent[13], "PowerBroker for Windows detected ") Then
JLogan3o13 (Moderator) Posted August 6, 2014

It is in the help file, but you begin by opening the log. You are then reading from the last (most recent) entry to the first (oldest). For each entry you read, if part of the description includes the text you're looking for, then do something with that entry.
antmar904 (Author) Posted August 6, 2014

Thank you.
antmar904 (Author) Posted August 6, 2014

Is there a way to display all its findings in an easier-to-read GUI instead of a msgbox? I ask because sometimes there can be hundreds of events and having to click "OK" to see the next one can be a lot of work.
JLogan3o13 (Moderator) Posted August 6, 2014

Yes. Look at the example for _EventLog__Read in the help file. It shows you how to do it with a GUI.
antmar904 (Author) Posted August 7, 2014

I'm trying to write all the events that are found with all the arrays mentioned but I'm not getting any output:

    #include <EventLog.au3>
    #include <GUIConstantsEx.au3>

    $sFilePath = "C:\test.log"
    $hFileOpen = FileOpen($sFilePath)

    $hLog = _EventLog__Open("", "System")
    $sCount = _EventLog__Count($hLog)

    For $i = $sCount To 1 Step -1
        $aEvent = _EventLog__Read($hLog, True, False, $i)
        If StringInStr($aEvent[13], "PowerBroker for Windows detected a UAC prompt") Then
            ;MsgBox(0, "Record Number: " & $aEvent[1], "Submitted: " & $aEvent[2] & " " & $aEvent[3] & @CRLF & "Description: " & $aEvent[13])
            FileWrite($hFileOpen, "Record Number: " & $aEvent[1], "Submitted: " & $aEvent[2] & " " & $aEvent[3] & @CRLF & "Description: " & $aEvent[13])
        EndIf
    Next
JLogan3o13 (Moderator) Posted August 7, 2014 (edited)

A couple of things:

The default mode for FileOpen, since you don't specify it, is Read Only. Check the help file for the parameter you need to fix this.

You also had some syntactical errors in your FileWrite line, see below (extra comma, missing &)

    FileWriteLine($hFileOpen, "Record Number: " & $aEvent[1] & "Submitted: " & $aEvent[2] & " " & $aEvent[3] & @CRLF & "Description: " & $aEvent[13])

Edited August 7, 2014 by JLogan3o13
antmar904 (Author) Posted August 7, 2014

@JLogan, Thank you. This is what I have so far and is working:

    #include <EventLog.au3>

    $sFilePath = "C:\temp\PB_UAC_Prompt.log"
    $hFileOpen = FileOpen($sFilePath, 1)

    $hLog = _EventLog__Open("", "System")
    $sCount = _EventLog__Count($hLog)

    For $i = $sCount To 1 Step -1
        $aEvent = _EventLog__Read($hLog, True, False, $i)
        If StringInStr($aEvent[13], "PowerBroker for Windows detected a UAC prompt") Then
            ;MsgBox(0, "Record Number: " & $aEvent[1], "Submitted: " & $aEvent[2] & " " & $aEvent[3] & @CRLF & "Description: " & $aEvent[13])
            FileWriteLine($hFileOpen, "Record Number: " & $aEvent[1] & @CRLF & "Submitted: " & $aEvent[2] & " " & $aEvent[3] & @CRLF & "Description: " & $aEvent[13] & @CRLF & @CRLF)
        EndIf
    Next

    FileClose($hFileOpen)

However the output is not very nice. How can I make the "Description" array easier to read in the text file? Right now it is all one line.

(attachment: PB_UAC_Prompt.txt)
kylomas Posted August 8, 2014 (edited)

antmar,

> Right now it is all one line.

The output text for Description is not one line; however, each line is terminated by a CR (as opposed to a CRLF). You can change that by changing all CR's to CRLF's. Something like this...

    $aEvent[13] = StringReplace($aEvent[13], @CR, @CRLF)

I can't test anything as I don't have UAC on.

edit: Note, in this case it works because the string you are changing only contains CR's. This will NOT work for strings containing a mix of CR's and CRLF's.

Edited August 8, 2014 by kylomas
antmar904 (Author) Posted August 8, 2014

I'm not sure I understand what @CR and @CRLF do. Now the output file looks like this:

    False
    False
    False
    False
    False
    False
    False
    False
    False

    FileWriteLine($hFileOpen, "Record Number: " & $aEvent[1] & @CRLF & "Submitted: " & $aEvent[2] & " " & $aEvent[3] & @CRLF & "Description: " & $aEvent[13] = stringreplace($aEvent[13],@CR,@CRLF))
antmar904 (Author) Posted August 8, 2014

anyone?
JLogan3o13 (Moderator) Posted August 8, 2014

antmar, the forum etiquette is to wait 24 hours before bumping your thread. We are all volunteers here, and there are several forums through which we scan for questions. Waiting 24 hours gives us enough time to review the issue and offer suggestions.
kylomas Posted August 8, 2014

CR and CRLF are line terminators. I might have the syntax wrong; you definitely have the placement wrong. You alter the text before you write the file.
antmar904 (Author) Posted August 8, 2014

@JLogan You are right, sorry about that. Just anxious to get my script working.

@kylomas I made the change and altered the text before writing to the file; however, the format is not right yet. I would like the "Record Number" to be the first line written and all the rest with "Authorization" being the last line written before the next record is written. Here is the current output file:

(attachment: PBUACEvents.txt)
antmar904 (Author) Posted August 8, 2014

I got it, I just added a couple of line breaks at the end:

    FileWriteLine($hFileOpen, "Record Number: " & $aEvent[1] & @CRLF & "Submitted: " & $aEvent[2] & " " & $aEvent[3] & @CRLF & "Description: " & $aEvent[13] & @CRLF & "-------------------------------" & @CRLF & @CRLF & @CRLF)
kylomas Posted August 8, 2014 (edited)

Glad you got it working... note - "Authorization" is not always the last line of a record (see the first record of the file you posted)

Edited August 8, 2014 by kylomas
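Putting the thread's pieces together, as an added example (not code posted by any participant): the script below reads the System log newest to oldest, keeps records whose description contains the PowerBroker text, and normalises every line terminator in the description with a regular expression, so it also handles the mixed CR/CRLF case kylomas notes his StringReplace does not. The output path, the separator line and the extra Event ID/Source line are assumptions.

```autoit
#include <EventLog.au3>
#include <FileConstants.au3>

; Constructed values for this example; adjust to taste.
Global Const $sLogName = "System"
Global Const $sMatch = "PowerBroker for Windows detected a UAC prompt"
Global Const $sOutPath = @TempDir & "\PB_UAC_Prompt.log" ; assumed output path

; Normalise CR, LF and CRLF to CRLF so each description line shows on its own line.
; Unlike StringReplace(@CR, @CRLF), this does not turn an existing CRLF into CR CR LF.
Func _NormaliseLineEnds($sText)
    Return StringRegExpReplace($sText, "\r\n|\r|\n", @CRLF)
EndFunc

; Write every matching record to $sPath; returns the number written, -1 on error.
Func _ExportMatchingEvents($sLog, $sNeedle, $sPath)
    Local $hLog = _EventLog__Open("", $sLog)
    If $hLog = 0 Then Return SetError(1, 0, -1)
    Local $hFile = FileOpen($sPath, $FO_OVERWRITE + $FO_CREATEPATH) ; write mode, not the read-only default
    If $hFile = -1 Then
        _EventLog__Close($hLog)
        Return SetError(2, 0, -1)
    EndIf
    Local $iWritten = 0
    ; Read newest to oldest; record numbers need not start at 1 once the log has wrapped.
    Local $iOldest = _EventLog__Oldest($hLog)
    For $i = $iOldest + _EventLog__Count($hLog) - 1 To $iOldest Step -1
        Local $aEvent = _EventLog__Read($hLog, True, False, $i)
        If Not $aEvent[0] Then ContinueLoop          ; read failed; skip this record
        If Not StringInStr($aEvent[13], $sNeedle) Then ContinueLoop
        FileWriteLine($hFile, "Record Number: " & $aEvent[1])
        FileWriteLine($hFile, "Submitted: " & $aEvent[2] & " " & $aEvent[3])
        FileWriteLine($hFile, "Event ID: " & $aEvent[6] & "  Source: " & $aEvent[11])
        FileWriteLine($hFile, "Description: " & @CRLF & _NormaliseLineEnds($aEvent[13]))
        FileWriteLine($hFile, "-------------------------------" & @CRLF)
        $iWritten += 1
    Next
    FileClose($hFile)
    _EventLog__Close($hLog)
    Return $iWritten
EndFunc

Local $iFound = _ExportMatchingEvents($sLogName, $sMatch, $sOutPath)
If @error Then
    MsgBox(16, "Export failed", "Could not open the log or the output file (error " & @error & ")")
Else
    MsgBox(64, "Done", $iFound & " matching record(s) written to " & $sOutPath)
EndIf
```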