_EventLog__Open not working as expected

[VeeDub]

Hello,

I'm trying to write a script to read an EventLog and then look for some specific events.

I've realised that I'm having problems opening the "correct" EventLog.

The EventLog that I want to work with is: Hyper-V-Worker/Admin

I believe that the EventLog name should be either:

Microsoft-Windows-Hyper-V-Worker/Admin (refer screenshot) or

Microsoft-Windows-Hyper-V-Worker-Admin (refer 2nd screenshot)

I've tried both.

The problem is, that the script is opening the Software Protection Platform Service EventLog (it's getting a handle) and is then retrieving events from that EventLog.

So, it seems that I am not specifying the EventLog name correctly.

#include <EventLog.au3>
    Local $Event[15]

    Local $hEventLog = _EventLog__Open("","Microsoft-Windows-Hyper-V-Worker-Admin")
    ConsoleWrite("EventLog__Open: " & $hEventLog & @CRLF)

    Local $Found_HyperV_Event = False

    Do
        $Event = _EventLog__Read($hEventLog, True, False)
        ConsoleWrite("Record Number: " & $Event[1] & @CRLF)
        ConsoleWrite("Submitted:     " & $Event[2] & " " & $Event[3] & @CRLF)
        ConsoleWrite("Event ID:      " & $Event[6] & @CRLF)
        ConsoleWrite("Type:          " & $Event[8] & @CRLF)
        ConsoleWrite("Category:      " & $Event[9] & @CRLF)
        ConsoleWrite("Source:        " & $Event[10] & @CRLF)
        ConsoleWrite("Description:   " & $Event[13] & @CRLF)
        ConsoleWrite("" & @CRLF)
        Sleep(1000)
    Until $Found_HyperV_Event

Output:

EventLog__Open: 0x042C000C
Record Number: 110171
Submitted:     09/25/2023 08:59:12 AM
Event ID:      16384
Type:          Information
Category:      0
Source:        Software Protection Platform Service
Description:   2023-10-06T02:49:12ZRulesEngine

Record Number: 110170
Submitted:     09/25/2023 08:58:39 AM
Event ID:      16394
Type:          Information
Category:      0
Source:        Software Protection Platform Service
Description:   

Record Number: 110169
Submitted:     09/25/2023 08:49:12 AM
Event ID:      16384
Type:          Information
Category:      0
Source:        Software Protection Platform Service
Description:   2023-10-06T02:49:12ZRulesEngine

Wondering how to troubleshoot this?

 

[VeeDub]

Hello,

It seems that others have discovered that the EventLog UDF is behaving the way that I have discovered.

I'd suggest that the UDF either be removed or ideally fixed.

Leaving the UDF in, when it is broken, just creates unnecessary problems.

[VeeDub]

Here is a snippet of the code that I ended up using to replace the EventLog UDF

This is just meant to provide a starting point.

wevtutil has a number of switches and what will be best in your situation probably won't be the same as what I am using here.

This snippet is just meant to provide a starting point

Local $Virtual_Machine_Name = "viBoot - " & $FILES[0][0]
        Local $Found_HyperV_Event = False

        Do
            $cmd = 'wevtutil qe Microsoft-Windows-Hyper-V-Worker-Admin /Count:3 /rd:true /format:text /f:xml>' & @ScriptDir & '\wevtutil.xml'
            FileDelete ( @ScriptDir & "\wevtutil.xml" )
            Local $QueryEventLog = RunWait(@ComSpec & ' /c '& $cmd, @SystemDir, @SW_HIDE)
            Local $Event = FileRead(@ScriptDir & "\wevtutil.xml")
;           Successfully Shutdown
            If StringInStr($Event,"18504") Then
                If StringInStr($Event,$Virtual_Machine_Name) Then
                    $Found_HyperV_Event = True
                    ConsoleWrite("Event: " & $Event & @CRLF)
                EndIf
            EndIf
            Sleep(1000)
        Until $Found_HyperV_Event