Gentlemen,
New to the list so please be gentle. Need to achieve the following and have
been banging my head against the wall:
- In the process of deploying a full-disk encryption product that requires
checkdisk to run prior to installation. If any bad sectors are found, I need
to run check disk again and try to fix them. Unfortunately, check disk has no
logging mechanism other than Event Viewer: upon completion Event ID 1001 with
source of Winlogon is logged in Application log. Inside, it will have a
string that looks like this:
0 KB in bad sectors
This is the string I need to search for INSIDE the Event ID 1001 and if it's
not 0 KB, I need to stop installation and run another check disk on reboot. I
have figured out a way how to do all of the above with the exception of
searching INSIDE events in Event Viewer.
If anyone has an idea or a pointer, I'd be forever grateful.
Thanks in advance!

RE: Query for string INSIDE Windows Event Log by AlexB

AlexB
Thu May 01 23:04:00 CDT 2008

This script which I just ran was generated by an API called WMI Code Creator
1.0. It is downloadable from a MS website. You can find the link in the
thread I started down below: How to extend timeout for WScripts.

' Connect to the WMI service on the local computer.
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
' 48 = wbemFlagReturnImmediately + wbemFlagForwardOnly
Set colItems = objWMIService.ExecQuery( _
    "SELECT * FROM Win32_NTLogEvent",,48)
' Print the Message text of every event returned.
For Each objItem in colItems
    Wscript.Echo "-----------------------------------"
    Wscript.Echo "Win32_NTLogEvent instance"
    Wscript.Echo "-----------------------------------"
    Wscript.Echo "Message: " & objItem.Message
Next

I suggest you download it and try. The namespace I used was root\CIMV2, the
method: Win32_NTLogEvent and the property: Message. You can pull many other
properties from the Event log entries, 16 in all.

I don't know if you want to run it from a code like VB or C#. This would be
a wise move since the output is tremendous. Most of it will be lost in the
Console, unless somebody will help you to modify the script to limit it to
the most recent events, like 25 or so.

If you run it from an executable .NET code then you can redirect the output
to a stream and to a string eventually. You can search the string with a
Regular Expression (Regex pattern) and print out what you want.

It is also possible to run this script thru a batch file and redirect the
output to a text file.


--
AlexB



Re: Query for string INSIDE Windows Event Log by Dominic

Dominic
Fri May 02 11:08:15 CDT 2008

> I suggest you download it and try. The namespace I used was root\CIMV2, the
> method: Win32_NTLogEvent and the property: Message. You can pull many other
> properties from the Event log entries, 16 in all.
>
> I don't know if you want to run it from a code like VB or C#. This would be
> a wise move since the output is tremendous. Most of it will be lost in the
> Console, unless somebody will help you to modify the script to limit it to
> the most recent events, like 25 or so.


You can see some more details of the Win32_NTLogEvent class here:

http://msdn.microsoft.com/en-us/library/aa394226(VS.85).aspx

and the Message property will give you the text of the message that
you're looking for.

The output of the query from AlexB will be 'tremendous' because the
query is asking for everything in all the event logs on that computer.
The more specific your query the more efficient it will be and less
data will be returned to your application or script to deal with.

You can start by being specific about the event log that you want the
events from with:

WHERE LogFile = 'Application'

and then further by the event code and the source, with:

AND EventCode = 1001 AND SourceName='Winlogon'

Your query should then look something like:

"SELECT * FROM Win32_NTLogEvent WHERE LogFile = 'Application' AND EventCode = 1001 AND SourceName='Winlogon' "

That should keep the data returned to a minimum.

Dominic
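
Putting the thread's pieces together, as an added example that is not code from any of the posters: it runs the narrowed query, pulls the "N KB in bad sectors" figure out of the Message text of the newest matching event, and returns an exit code a deployment wrapper can test. The function name BadSectorKB, the variable names and the exit codes 0/1/2 are assumptions of this example.

```vbscript
' Added example, not from the thread. Exit codes are this example's own convention:
' 0 = no bad sectors, 1 = bad sectors reported, 2 = no chkdsk result found.
Option Explicit
Dim objWMIService, colItems, objItem, strQuery, strNewest, dblKB, dblResult

' Returns the KB figure from "N KB in bad sectors", or -1 when the line is absent.
Function BadSectorKB(strMessage)
    Dim objRegEx, colMatches
    Set objRegEx = New RegExp
    objRegEx.Pattern = "(\d+) KB in bad sectors"
    objRegEx.IgnoreCase = True
    ' Appending "" turns a Null Message into an empty string.
    Set colMatches = objRegEx.Execute(strMessage & "")
    If colMatches.Count = 0 Then
        BadSectorKB = -1
    Else
        BadSectorKB = CDbl(colMatches(0).SubMatches(0))
    End If
End Function

strQuery = "SELECT * FROM Win32_NTLogEvent WHERE LogFile = 'Application' " & _
           "AND EventCode = 1001 AND SourceName = 'Winlogon'"
Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2")
Set colItems = objWMIService.ExecQuery(strQuery, , 48)

strNewest = ""    ' TimeGenerated of the newest event that carries the line
dblResult = -1    ' -1 until a chkdsk summary is found
For Each objItem In colItems
    dblKB = BadSectorKB(objItem.Message)
    ' CIM datetime strings (yyyymmddHHMMSS...) sort chronologically as text.
    If dblKB >= 0 And objItem.TimeGenerated > strNewest Then
        strNewest = objItem.TimeGenerated
        dblResult = dblKB
    End If
Next

If dblResult < 0 Then
    WScript.Echo "No chkdsk result found in Event ID 1001"
    WScript.Quit 2
ElseIf dblResult > 0 Then
    WScript.Echo dblResult & " KB in bad sectors (event time " & strNewest & ")"
    WScript.Quit 1
Else
    WScript.Echo "0 KB in bad sectors (event time " & strNewest & ")"
    WScript.Quit 0
End If
```

Run it with cscript.exe so the exit code is available to the calling batch file as %ERRORLEVEL%.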