John117

Pull system event log to gui

14 posts in this topic

I would like to pull all System Event viewer popups to a gui scroll box. (Just the first 4 lines of each popup event)

Path =

Contol panel - Admin Tools - Event Viewer - System - Source = Application popup

Can this be done with autoit?


#2 ·  Posted (edited)

The Event viewer logs are stored in your WINDOWS\system32\config directory where there is a separate .evt file for each type of log available on your system (eg AppEvent.Evt). But the data contains some binary information that you'd have to parse through (like the event viewer does) if you wanted to make use of it. Alternatively I believe there is the option to save the event viewer's current events as a .csv file which is a bit more readable.

Edited by evilertoaster


yeah, was just looking for a way to display messages received from messenger in a messenger gui I am building. - would only be useful if it could get the info automatically :whistle: Thanks


You can access the Event Logs using COM objects and query them for whatever you want.

For instance, this post, by a rakishly good looking bird in another topic...

:whistle:


Valuater's AutoIt 1-2-3, Class... Is now in Session!For those who want somebody to write the script for them: RentACoder"Any technology distinguishable from magic is insufficiently advanced." -- Geek's corollary to Clarke's law


You can access the Event Logs using COM objects and query them for whatever you want.

For instance, this post, by a rakishly good looking bird in another topic...

:whistle:

Excellent! Thanks for the step in the right direction!

How might one modify this code to produce a list of only $output $= message . . . . . . Showing all messages

Code below

CODE
#include <GuiConstants.au3>
#include <date.au3>

; WQL query: System log, source "Application Popup", event code 26
$Query_Clause = "Select * FROM Win32_NTLogEvent WHERE Logfile = 'System' AND SourceName = 'Application Popup' AND EventCode = 26"

$objWMIService = ObjGet("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & @ComputerName & "\root\cimv2")
If IsObj($objWMIService) Then
    $colItems = $objWMIService.ExecQuery($Query_Clause)
    If IsObj($colItems) Then
        For $objEvent In $colItems
            $Output = ""
            ;$Output &= "Category: " & $objEvent.Category & @CRLF
            ;$Output &= "Computer Name: " & $objEvent.ComputerName & @CRLF
            ;$Output &= "Event Code: " & $objEvent.EventCode & @CRLF
            $Output &= "Message: " & $objEvent.Message & @CRLF
            ;$Output &= "Record Number: " & $objEvent.RecordNumber & @CRLF
            ;$Output &= "Source Name: " & $objEvent.SourceName & @CRLF
            ;$Output &= "Time Written: " & $objEvent.TimeWritten & @CRLF
            ;$Output &= "Event Type: " & $objEvent.Type & @CRLF
            ;$Output &= "User: " & $objEvent.User & @CRLF
            ; 64 + 4 = information icon + Yes/No buttons; 7 = the user pressed No
            If MsgBox(64 + 4, "Entry Found:", $Output & @CRLF & @CRLF & "Continue?") = 7 Then Exit
        Next
    Else
        MsgBox(16, "Error", "$colItems is not an object.")
    EndIf
Else
    MsgBox(16, "Error", "$objWMIService is not an object.")
EndIf


Just move the $Output = "" line to just above the For/Next loop, and move the MsgBox() that displays the results to just after the For/Next loop.

:whistle:



Excellent! Thanks!


#8 ·  Posted (edited)

To take this a step further.

How would one only include message descriptions that start with

Application Popup: Messenger Service : "All the rest of the message goes here"

A wildcard on the query? (and discription = Application Popup: Messenger Service : *)

???

Edited by Hatcheda


#9 ·  Posted (edited)

trying this . . .

CODE
$Query_Clause = "Select * FROM Win32_NTLogEvent WHERE Logfile = 'System' AND SourceName = 'Application Popup' AND EventCode = '26' AND Discription = 'Application popup: Messenger Service :*'"

Getting nowhere yet . . . swapped Discription for Message - No go

Edited by Hatcheda


To take this a step further.

How would one only include message descriptions that start with

Application Popup: Messenger Service : "All the rest of the message goes here"

A wildcard on the query? (and discription = Application Popup: Messenger Service : *)

???

The $Query_Clause variable is formatted in WQL (SQL for WMI).

:whistle:



The $Query_Clause variable is formatted in WQL (SQL for WMI).

:lmao:

Ok, done a quick read. I don't follow how to reference the Message value.

For example, where does it tell you to use SourceName instead of Source . . .

Event Code instead of EventID . . . . :whistle:


#12 ·  Posted (edited)

Ok, done a quick read. I don't follow how to reference the Message value.

For example, where does it tell you to use SourceName instead of Source . . .

Event Code instead of EventID . . . . :whistle:

From the link in the original script posting to Win32_NTLogEvent, SourceName plus EventIdentifier is the preferred way to reference a unique message. You can use EventCode, but it's just the lower 16-bit half of the 32-bit EventIdentifier, and may ignore some unique bits in the upper half (the smaller EventCode is the one shown in the Event Viewer GUI).

There is no property called "Discription" (especially not spelled that way). Use "Message" instead.

I don't know that you can use '=' for a partial match or with wild cards in WQL, you might need the 'LIKE' operator.

$Query_Clause = "Select * FROM Win32_NTLogEvent WHERE Logfile = 'System' AND SourceName = 'Application Popup' AND EventCode = '26' AND Message LIKE 'Application popup: Messenger Service%'"

:lmao:

Edited by PsaltyDS

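Putting the thread's pieces together (the LIKE filter from the post above, the "accumulate once, show once" change from post #6, and the original request for only the first four lines of each popup in a scrolling GUI box), here is a complete AutoIt script. It is an added example, not code posted in this thread or shipped with AutoIt; the function names _PopupEvents and _FirstLines, the $MAX_LINES limit, the single-quote escaping of the prefix and the GUI layout are choices of this example. Escaping the prefix matters because WQL, like SQL, uses single quotes to delimit string literals: if the prefix ever came from user input or a config file, an unescaped quote would change the filter itself rather than the text being matched.

```autoit
#include <GUIConstantsEx.au3>
#include <EditConstants.au3>
#include <WindowsConstants.au3>

; Added example: collect System-log "Application Popup" events whose message starts
; with a prefix, keep only the first $MAX_LINES lines of each, and show them in one
; scrolling, read-only edit control. $MAX_LINES = 4 mirrors the thread's request.
Global Const $MAX_LINES = 4

; Returns one CRLF-separated report string; sets @error (1 = no WMI, 2 = query failed).
Func _PopupEvents($sPrefix)
    ; WQL string literals are single-quoted and % is the LIKE wildcard.
    ; Doubling any single quote in the prefix keeps it inside the literal.
    Local $sSafe = StringReplace($sPrefix, "'", "''")
    Local $sQuery = "SELECT TimeWritten, Message FROM Win32_NTLogEvent " & _
            "WHERE Logfile = 'System' AND SourceName = 'Application Popup' " & _
            "AND EventCode = 26 AND Message LIKE '" & $sSafe & "%'"

    Local $oWMI = ObjGet("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & @ComputerName & "\root\cimv2")
    If Not IsObj($oWMI) Then Return SetError(1, 0, "")
    Local $oItems = $oWMI.ExecQuery($sQuery)
    If Not IsObj($oItems) Then Return SetError(2, 0, "")

    Local $sOut = ""
    For $oEvent In $oItems
        ; TimeWritten is a CIM datetime string (yyyymmddHHMMSS.ffffff+zzz); shown as-is.
        $sOut &= $oEvent.TimeWritten & @CRLF & _FirstLines($oEvent.Message, $MAX_LINES) & @CRLF & @CRLF
    Next
    Return $sOut
EndFunc

; Keep only the first $iCount lines of a multi-line message.
Func _FirstLines($sText, $iCount)
    ; Normalise CRLF/CR to LF before splitting; StringSplit stores the count in [0].
    Local $aLines = StringSplit(StringStripCR($sText), @LF)
    Local $sRes = ""
    For $i = 1 To $aLines[0]
        If $i > $iCount Then ExitLoop
        $sRes &= $aLines[$i] & @CRLF
    Next
    Return StringStripWS($sRes, 2) ; 2 = strip trailing whitespace
EndFunc

; Prefix taken from the thread's Messenger Service example.
Local $sReport = _PopupEvents("Application popup: Messenger Service")
If @error Then
    MsgBox(16, "Error", "WMI query failed (error " & @error & ")")
    Exit
EndIf
If $sReport = "" Then $sReport = "(no matching events)"

GUICreate("Application Popup events", 600, 400)
GUICtrlCreateEdit($sReport, 10, 10, 580, 380, BitOR($ES_READONLY, $ES_MULTILINE, $ES_AUTOVSCROLL, $WS_VSCROLL))
GUISetState(@SW_SHOW)
While GUIGetMsg() <> $GUI_EVENT_CLOSE
WEnd
```

Reading the System log this way needs no special privilege on the account running the script, but the Security log does; if the query silently returns nothing, check which account the script runs under before suspecting the WQL.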

Thanks! Your post works and gives me a source for future changes! BTW, yes, my spelling is awesome! :whistle:


#14 ·  Posted (edited)

@all

Have a look at the MS LogParser

MS LogParser

This will solve the WQL syntax problem, because it uses SQL statements.

See example here : Event Log Examples

Syntax is this :

C:\>LogParser "SELECT TimeGenerated, SourceName, 
EventCategoryName, Message INTO report.txt FROM Security WHERE 
EventID = 528 AND SID LIKE '%TESTUSER%'" -resolveSIDs:ON

Enjoy !!

ptrex

Edited by ptrex

