Sign in to follow this  
Followers 0
avery

Broken: Write to an EventLog ?

24 posts in this topic

#1 ·  Posted (edited)

Hi.

Windows 2000 has an issue where it doesn't (always) record logoff events.

I currently have the following script our government rep supplied. I am trying to do the same thing but use au3 as the language of choice. I would also like to write this to the Security Log and not the Application Log. The built-in Eventlog UDF doesn't seem to allow for the creation of Events. Does someone know a good way to do this? I'll give you full credit on the 2400+ machines this gets deployed on :)

Much thanks in Advance for any help or advice.

Original Script below that I'd like to have a au3.exe perform.

Installing WSH for Windows Logon/offs

Making the logon.vbs and logoff.vbs files

logoff.vbs

1) Click the Start button then Run... and in the box type notepad

2) Paste the following text (in blue) into the notepad

set wshshell=wscript.createobject("wscript.shell")

set wsh2=wscript.createobject("wscript.network")

wshshell.logevent 0,wsh2.userdomain & "\" & wsh2.username & " log off the computer"

3) Click File then Save As... and save it as the following: C:\WINNT\system32\GroupPolicy\User\Scripts\Logoff\logoff.vbs

4) Exit notepad

logon.vbs

5) Click the Start button then Run... and in the box type notepad

6) Paste the following text (in blue) into the notepad

set wshshell=wscript.createobject("wscript.shell")

set wsh2=wscript.createobject("wscript.network")

wshshell.logevent 0,wsh2.userdomain & "\" & wsh2.username & " log on the computer"

7) Click File then Save As... and save it as the following: C:\WINNT\system32\GroupPolicy\User\Scripts\Logon\logon.vbs

8) Exit notepad

Integration

WSH

1) Login as member of the Administrator's group

2) Start --> Run --> "gpedit.msc"

3) Double Click: User Configuration

4) Double Click: Windows Settings

5) Double Click: Script (Logon - Logoff)

6) Double Click: Logon (you get Logon Properties window)

7) Click: Show Files

8) At Logon Properties window Click: Add

9) Double Click: Browse (You should get a window for C:\WINNT\system32GroupPolicy\User\Scripts\Logon\logon.vbs)

10) Highlight the file "logon.vbs"

11) Click Open <OK>

12) Click OK

a. The logon.vbs file should be visible in the "Logon properties window"

13) Click Apply/OK (this should close the Logon Properties window)

14) Double Click: Logoff

15) Click: Show Files

16) At Logon Properties window Click: Add

17) Click: Browse (You should get a window for C:\WINNT\system32\GroupPolicy\User\Scripts\Logoff\logoff.vbs)

18) Highlight the file "logoff.vbs"

19) Click Open <OK>

20) Click Apply <OK>

21) This should complete updating the Scripting for Logon and Log Off.

Notes

To review the logons/logoffs; <Event Viewer><Application Log><View/Filter> "Event Source" <WSH>

If you use this process -- Then you should have a similar statement in the Vulnerabilities Portion and Auditing portions of your SSP:

Edited by avery

www.abox.orgAvery HowellVisit My AutoIt Websitehttp://www.abox.org

Share this post


Link to post
Share on other sites



Tryied _EventLog__Report?

I made a terrible Monday morning mistake. I apologize for my obvious lack of observation.

...Writes an entry at the end of the specified event log -> _EventLog__Report()

www.abox.orgAvery HowellVisit My AutoIt Websitehttp://www.abox.org

Share this post


Link to post
Share on other sites

#4 ·  Posted (edited)

I made a terrible Monday morning mistake. I apologize for my obvious lack of observation.

...Writes an entry at the end of the specified event log -> _EventLog__Report()

I am still writing the script but I did notice something in the help file that was of concern.

Maybe I understand it wrong -- Does anyone know?

"$hEventLog A handle to the event log. As of Windows XP SP2, this cannot be a handle to the Security log."

The example out of the help file does not write anything to my Security log (the example uses Application log, that also fails).

I do not know how to make it any more simple. I am using WXPSP2 to test this but the target OS is W2K.

Any help would be great.

#include <EventLog.au3>

_Main()

Func _Main()
    Local $hEventLog, $aData[4]=[3, 1, 2, 3]

    $hEventLog = _EventLog__Open("", "Application")
    _EventLog__Report($hEventLog, 4, 0, 2, "Administrator", "AutoIt3 generated event", $aData)
    _EventLog__Close ($hEventLog)

EndFunc   ;==>_Main
Edited by avery

www.abox.orgAvery HowellVisit My AutoIt Websitehttp://www.abox.org

Share this post


Link to post
Share on other sites

I am still writing the script but I did notice something in the help file that was of concern.

Maybe I understand it wrong -- Does anyone know?

"$hEventLog A handle to the event log. As of Windows XP SP2, this cannot be a handle to the Security log."

The example out of the help file does not write anything to my Security log (the example uses Application log, that also fails).

I do not know how to make it any more simple. I am using WXPSP2 to test this but the target OS is W2K.

Any help would be great.

#include <EventLog.au3>

_Main()

Func _Main()
    Local $hEventLog, $aData[4]=[3, 1, 2, 3]

    $hEventLog = _EventLog__Open("", "Application")
    _EventLog__Report($hEventLog, 4, 0, 2, "Administrator", "AutoIt3 generated event", $aData)
    _EventLog__Close ($hEventLog)

EndFunc   ;==>_Main

www.abox.orgAvery HowellVisit My AutoIt Websitehttp://www.abox.org

Share this post


Link to post
Share on other sites

Hi,

When I run the code below I get the text below in quotes. Can anyone help me understand what this means and how to make it work?

Respectfully,

Avery

#include <EventLog.au3>

_Main()

Func _Main()
    Local $hEventLog, $aData[4]=[3, 1, 2, 3]

    $hEventLog = _EventLog__Open("", "Application")
    _EventLog__Report($hEventLog, 4, 0, 2, "avery", "AutoIt3 generated event", $aData)
    _EventLog__Close ($hEventLog)

EndFunc  ;==>_Main

The description for Event ID ( 2 ) in Source ( Application ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: AutoIt3 generated event.


www.abox.orgAvery HowellVisit My AutoIt Websitehttp://www.abox.org

Share this post


Link to post
Share on other sites

Hi,

When I run the code below I get the text below in quotes. Can anyone help me understand what this means and how to make it work?

Respectfully,

Avery

Hi Avery

It's working fine, what's missing is that you need to do a little further tweaking to the computers it is running on...

I found this thread and it made me go out digging since I was getting the exact same thing, in the end I came up with the following solution...

Solution:

EventMessages.zip

  • Download and extract the attached DLL file, save it somewhere useful (such as c:\program files\app_name)
  • Open Regedit and create the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\NAMEOFAPPLICATION
  • Add the following items:

    CategoryCount (Reg_DWORD) -> contains the number of categories you have (not sure how 'optional' this is)

    CategoryMessageFile (Reg_String) -> Path to the DLL file

    EventMessageFile (Reg_String) -> Path to the DLL file

  • Get Resource Hacker and use it to open the DLL file
  • Edit MessageTable with the first list (1 - x) being the names of your categories, the next bit being your messages

So from the following:

Local $hEventLog, $aData[4]=[3, 1, 2, 3]

    $hEventLog = _EventLog__Open("", "Flintstones")
    _EventLog__Report($EVENTLOG, 0, 2, 100, @UserName, "YabbaDabbaDoo", $adata)
    _EventLog__Close ($hEventLog)

Will give you something like:

Date: 03/03/03

Time: 15:27:44

Source: Flintstones

Category: Category 2

Type: None

EventID: 100

User: WindowsDomain\SomeUser

Computer: WindowsPC

Description:

The following things have happened within the program

-> YabbaDabbaDoo

Note that this DLL file will become registered as it is referenced every time EventVwr needs to read it... Now you know why it can take a long time to open the EventLog.

Hope this helps...

Mallie (The Techie)


Are you telling me something I need to know or something I want to know?

Share this post


Link to post
Share on other sites

I'm getting the exact same error and I shouldn't have to do this crazy DLL resource hacker nonsense. Why don't the EventLog functions just work?

Share this post


Link to post
Share on other sites

kor,

Why don't the EventLog functions just work?

Because MS changed the way their OS operated from XP SP2 onwards as explained in the Help file. :)

Please remember that AutoIt is developed by volunteers who give up their free time to work on it - just like those of us who help out here on the forum. Are you offering your services to amend the UDF? :)

M23


Any of my own code posted anywhere on the forum is available for use by others without any restriction of any kind._______My UDFs:

Spoiler

ArrayMultiColSort ---- Sort arrays on multiple columns
ChooseFileFolder ---- Single and multiple selections from specified path treeview listing
Date_Time_Convert -- Easily convert date/time formats, including the language used
ExtMsgBox --------- A highly customisable replacement for MsgBox
GUIExtender -------- Extend and retract multiple sections within a GUI
GUIFrame ---------- Subdivide GUIs into many adjustable frames
GUIListViewEx ------- Insert, delete, move, drag, sort, edit and colour ListView items
GUITreeViewEx ------ Check/clear parent and child checkboxes in a TreeView
Marquee ----------- Scrolling tickertape GUIs
NoFocusLines ------- Remove the dotted focus lines from buttons, sliders, radios and checkboxes
Notify ------------- Small notifications on the edge of the display
Scrollbars ----------Automatically sized scrollbars with a single command
StringSize ---------- Automatically size controls to fit text
Toast -------------- Small GUIs which pop out of the notification area

 

Share this post


Link to post
Share on other sites

#10 ·  Posted (edited)

I see nothing in the helpfile for _EventLog_Report that makes any mention of no longer workign with XP XP3 or beyond. Where are you seeing this information so I can read up on it?

Edited by kor

Share this post


Link to post
Share on other sites

From the Help file:

Parameters

$hEventLog A handle to the event log. As of Windows XP SP2, this cannot be a handle to the Security log.


If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

Share this post


Link to post
Share on other sites

From the Help file:

#include <EventLog.au3>

_Main()

Func _Main()
    Local $hEventLog, $aData[4]=[3, 1, 2, 3]

    $hEventLog = _EventLog__Open("", "Application")
    _EventLog__Report($hEventLog, 4, 0, 2, "Administrator", "AutoIt3 generated event", $aData)
    _EventLog__Close ($hEventLog)

EndFunc   ;==>_Main

I'm not attempting to write to the security log. I'm trying to write to the application log.

Share this post


Link to post
Share on other sites

#13 ·  Posted (edited)

Works for me on Win7.

Log Name: Application

Source: Application

Date: 3/28/2011 4:59:44 PM

Event ID: 2

Task Category: None

Level: Information

Keywords: Classic

User: 030-303-02\Administrator

Computer: 030-303-02

Description:

The description for Event ID 2 from source Application cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

AutoIt3 generated event

the message resource is present but the message is not found in the string/message table

From the research I just did, that's a normal output from the event viewer when it doesn't understand what the Event ID is supposed to be connecting to.

Edited by BrewManNH

If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

Share this post


Link to post
Share on other sites

Works for me on Win7.

From the research I just did, that's a normal output from the event viewer when it doesn't understand what the Event ID is supposed to be connecting to.

What would be your suggested fix then? What should the event ID be to not get the error?

I could care less about event ID, I honestly just want to write informational items to the event log for debugging later. A bonus if I can specify my application name in the "source" column.

Share this post


Link to post
Share on other sites

Change this line

$hEventLog = _EventLog__Open("", "Application")

To something like this:

$hEventLog = _EventLog__Open("", <Your Application Name here>)

This will write to the application event log with whatever you put between the "<>" listed as the source. I'm not exactly sure why it does it that way, but it seems to use the Application log if you don't specify a different log to save to using what you put inside the "<>". I've tried this on Windows XP SP3 and Windows 7 and I got the same results.


If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

Share this post


Link to post
Share on other sites

#16 ·  Posted (edited)

Hey guys, reading thread and I'm new to scripting, but could you use the wsh method within an autoit

something like:

$WshShell = ObjCreate("WScript.Shell")
$WshShell.LogEvent (4, $data_here)

Off the top of my head, I know that wsh writes default to application log, but I'm not sure about any other event log area's.

edit: I had a look at the udf for eventlog.au3 and that has much more functionality to it.

Edited by danrche

Share this post


Link to post
Share on other sites

Change this line

$hEventLog = _EventLog__Open("", "Application")

To something like this:

$hEventLog = _EventLog__Open("", <Your Application Name here>)

This will write to the application event log with whatever you put between the "<>" listed as the source. I'm not exactly sure why it does it that way, but it seems to use the Application log if you don't specify a different log to save to using what you put inside the "<>". I've tried this on Windows XP SP3 and Windows 7 and I got the same results.

Same error as before. It's not working.

#include <EventLog.au3>

_Main()

Func _Main()
    Local $hEventLog, $aData[4]=[3, 1, 2, 3]

    $hEventLog = _EventLog__Open("", "testing")
    _EventLog__Report($hEventLog, 4, 0, 2, "Administrator", "AutoIt3 generated event", $aData)
    _EventLog__Close ($hEventLog)

EndFunc   ;==>_Main

The description for Event ID ( 2 ) in Source ( testing ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: AutoIt3 generated event.

Share this post


Link to post
Share on other sites

That's not an error message. That's just Windows telling you that it has no idea what event id 2 is. If you google event log event id you'll see examples that MS has on their website that show the same text for a Windows program used to write to the applications log.

http://support.microsoft.com/kb/315410


If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

Share this post


Link to post
Share on other sites

That's not an error message. That's just Windows telling you that it has no idea what event id 2 is. If you google event log event id you'll see examples that MS has on their website that show the same text for a Windows program used to write to the applications log.

http://support.microsoft.com/kb/315410

So what event ID do I need to use to just get the text of "AutoIt3 generated event" and only that text written to the log?

Share this post


Link to post
Share on other sites

There is none, here is another link that explains why you get that when you write to the Application log, this knowledge base article explains why you would get that when you use the MS product LogEvent.exe but it applies here as well. The application has to be built to correctly set the information in the event logs and AutoIt scripts aren't created that way.

As it states on that page, "The Event IDs logged will really only have meaning for the user or app that will be monitoring the Event Log." so plan accordingly. It is the same as the return codes used in a UDF, the return codes only make sense because the writer of the UDF made them make sense to the people that use the function.


If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0