readmedottxt Posted June 10, 2011 (edited)

I'm having trouble reading the Applications and Services event logs in Vista and Windows 7. I referenced this thread: and got nowhere too. I found I can easily copy the event log, then open and process the copied file, e.g.:

#include <Array.au3>
#include <EventLog.au3>

; Open a copy of the .evtx file rather than the live channel
$objEventLog = _EventLog__OpenBackup("", @ScriptDir & "\Microsoft-Windows-Dhcp-Client%4Admin.evtx")
$varEventsTotal = _EventLog__Count($objEventLog)
ConsoleWrite($varEventsTotal & @CRLF)
For $i = 0 To $varEventsTotal - 1
    ; Read the next record; element [13] of the returned array is the description
    $arrEvt = _EventLog__Read($objEventLog, True, False)
    _ArrayDisplay($arrEvt)
Next
_EventLog__Close($objEventLog)

However, [13] (Event description) is always corrupted or in another encoding. Here's the result:

[0]|True
[1]|117
[2]|04/18/2011
[3]|09:12:04 AM
[4]|04/18/2011
[5]|09:12:04 AM
[6]|1001
[7]|1
[8]|Error
[9]|3
[10]|Microsoft-Windows-Dhcp-Client
[11]|icrosoft-Windows-Dhcp-Client
[12]|NT AUTHORITY
[13]|6 㠀 ㈀㜀 㤀㠀䄀㐀
[14]|

This is the case for all files opened with _EventLog__OpenBackup. Does anyone have any suggestions how to programmatically read the text in array[13]? Thanks
PsaltyDS Posted June 10, 2011

It's UTF-8 encoded. Try it this way and run it under the current Beta (3.3.7.9 or later):

For $i = 0 To $varEventsTotal - 1
    $arrEvt = _EventLog__Read($objEventLog, True, False)
    _ArrayDisplay($arrEvt)
    ; Flag 4 tells BinaryToString to interpret the bytes as UTF-8
    ConsoleWrite($i & ": " & BinaryToString($arrEvt[13], 4) & @LF)
Next
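As an added example (not code from the thread), a Python check of the two encodings at issue: it shows that the "㠀 ㈀㜀 …" characters in the first post are exactly what UTF-16LE text of a few ASCII characters looks like when read with the byte order swapped, and it decodes a raw description field by sniffing for UTF-16LE before falling back to UTF-8, so one odd record cannot abort a log sweep. The sample string "8 27 98A4" is reconstructed from that garbled output and is an assumption, not the real DHCP message.

```python
# Added example, not code from the thread. Shows why the description field in
# the first post renders as CJK-looking characters and how to decode it safely.

def looks_like_utf16le(raw: bytes) -> bool:
    """Heuristic: UTF-16LE text made of Latin characters has a NUL in every
    odd byte position; UTF-8 text of the same content has none."""
    if len(raw) < 2 or len(raw) % 2:
        return False
    high_bytes = raw[1::2]
    return high_bytes.count(0) * 2 >= len(high_bytes)  # at least half are NUL


def decode_description(raw: bytes) -> str:
    """Decode a raw event description: honour a UTF-16LE BOM, sniff for
    BOM-less UTF-16LE, otherwise treat the bytes as UTF-8. errors="replace"
    keeps the decoder from raising on a single malformed record."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le", errors="replace")
    if looks_like_utf16le(raw):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def byte_swapped_view(raw: bytes) -> str:
    """What UTF-16LE bytes look like when read as big-endian: each ASCII
    character with code XX becomes the code point U+XX00, e.g. '8' -> U+3800."""
    return raw.decode("utf-16-be", errors="replace")


# Constructed sample, reconstructed from the garbled output in the first post
# (assumed content; the real DHCP event text is not known here).
SAMPLE_TEXT = "8 27 98A4"
SAMPLE_UTF16LE = SAMPLE_TEXT.encode("utf-16-le")
```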
readmedottxt (Author) Posted June 14, 2011

PsaltyDS wrote:
It's UTF-8 encoded. Try it this way and run it under the current Beta (3.3.7.9 or later):

For $i = 0 To $varEventsTotal - 1
    $arrEvt = _EventLog__Read($objEventLog, True, False)
    _ArrayDisplay($arrEvt)
    ConsoleWrite($i & ": " & BinaryToString($arrEvt[13], 4) & @LF)
Next

Thanks PsaltyDS, it's working better under 3.3.7.9; however, it still isn't capturing all the data. Here's the XML in $arrEvt[13]:

{E36621E1-3676-8115-E22C-318F76CA63B0}014\\192.168.0.1\ShareTest32011-06-03T11:00:39.208519900Z0
<VolumeInfo>
<VolumeInfoItem Name="C:" OriginalAccessPath="C:" State="14" HResult="0" DetailedHResult="0" PreviousState="9" IsCritical="1" IsIncremental="0" BlockLevel="1" HasFiles="0" HasSystemState="1" IsCompacted="0" IsPruned="0" IsRecreateVhd="0" FullBackupReason="0" DataTransferred="13750319612" NumUnreadableBytes="0" TotalSize="13750319612" TotalNoOfFiles="0" Flags="1578" BackupTypeDetermined="1" SSBTotalNoOfFiles="0" SSBTotalSizeOnDisk="0" />
<VolumeInfoItem Name="D:" OriginalAccessPath="D:" State="14" HResult="0" DetailedHResult="0" PreviousState="9" IsCritical="0" IsIncremental="0" BlockLevel="1" HasFiles="0" HasSystemState="0" IsCompacted="0" IsPruned="0" IsRecreateVhd="0" FullBackupReason="0" DataTransferred="117477581831" NumUnreadableBytes="0" TotalSize="117477581831" TotalNoOfFiles="0" Flags="8" BackupTypeDetermined="1" SSBTotalNoOfFiles="0" SSBTotalSizeOnDisk="0" />
<VolumeInfoItem Name="E:" OriginalAccessPath="E:" State="14" HResult="0" DetailedHResult="0" PreviousState="9" IsCritical="0" IsIncremental="0" BlockLevel="1" HasFiles="0" HasSystemState="0" IsCompacted="0" IsPruned="0" IsRecreateVhd="0" FullBackupReason="0" DataTransferred="166828116621" NumUnreadableBytes="0" TotalSize="166828116621" TotalNoOfFiles="0" Flags="8" BackupTypeDetermined="1" SSBTotalNoOfFiles="0" SSBTotalSizeOnDisk="0" />
</VolumeInfo>
02011-06-03T11:00:39.192919200Z2011-06-03T11:04:32.829002400Z
<TimesList>
<Time Time="2011-06-03T11:04:54.123Z" /> <Time Time="2011-06-03T11:10:02.362Z" /> <Time Time="2011-06-03T12:00:44.077Z" /> </TimesList>
<TimesList> <Time Time="2011-06-03T11:04:54.233Z" /> <Time Time="2011-06-03T11:10:02.378Z" /> <Time Time="2011-06-03T12:00:44.093Z" /> </TimesList>
<TimesList> <Time Time="2011-06-03T11:04:54.248Z" /> <Time Time="2011-06-03T11:10:02.409Z" /> <Time Time="2011-06-03T12:00:44.218Z" /> </TimesList>
<TimesList> <Time Time="2011-06-03T11:10:02.362Z" /> <Time Time="2011-06-03T12:00:44.077Z" /> <Time Time="2011-06-03T13:51:35.545Z" /> </TimesList>
1601-01-01T00:00:00.000000000Z1601-01-01T00:00:00.000000000Z
<TimesList> </TimesList> <TimesList> </TimesList> <TimesList> </TimesList> <TimesList> </TimesList>
9
<ComponentStatus> </ComponentStatus>
1601-01-01T00:00:00.000000000Z1601-01-01T00:00:00.000000000Z1601-01-01T00:00:00.000000000Z1601-01-01T00:00:00.000000000Z1601-01-01T00:00:00.000000000Z1601-01-01T00:00:00.000000000Z
<SystemState IsPresent="1" HResult="0" DetailedHResult="0" />
truefalsefalsetrue
<TimesList> <Time Time="1601-01-01T00:00:00.000Z" /> <Time Time="1601-01-01T00:00:00.000Z" /> <Time Time="1601-01-01T00:00:00.000Z" /> </TimesList>
<TimesList> <Time Time="1601-01-01T00:00:00.000Z" /> <Time Time="1601-01-01T00:00:00.000Z" /> <Time Time="1601-01-01T00:00:00.000Z" /> </TimesList>
<TimesList> <Time Time="1601-01-01T00:00:00.000Z" /> <Time Time="1601-01-01T00:00:00.000Z" /> <Time Time="1601-01-01T00:00:00.000Z" /> </TimesList>
<TimesList> <Time Time="1601-01-01T00:00:00.000Z" /> <Time Time="1601-01-01T00:00:00.000Z" /> <Time Time="1601-01-01T00:00:00.000Z" /> </TimesList>

And here's the XML from the event viewer. The <EventData> tag should match $arrEvt[13]; however, it seems only a small portion of it is there.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Backup" Guid="{3EFA0331-5156-1155-8C30-E33000101F2E}" />
<EventID>14</EventID> <Version>2</Version> <Level>4</Level> <Task>0</Task> <Opcode>2</Opcode> <Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2011-06-03T13:51:38.915270700Z" />
<EventRecordID>40</EventRecordID> <Correlation /> <Execution ProcessID="2736" ThreadID="5104" />
<Channel>Microsoft-Windows-Backup</Channel> <Computer>zDevDC1</Computer> <Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="BackupTemplateID">{E36621E1-3676-8115-E22C-318F76CA63B0}</Data>
<Data Name="HRESULT">0</Data>
<Data Name="BackupState">14</Data>
<Data Name="BackupTarget">\\192.168.0.1\ShareTest</Data>
<Data Name="NumOfVolumes">3</Data>
<Data Name="BackupTime">2011-06-03T11:00:39.208519900Z</Data>
<Data Name="HRESULT2">0</Data>
<Data Name="VolumesInfo"><VolumeInfo>
<VolumeInfoItem Name="C:" OriginalAccessPath="C:" State="14" HResult="0" DetailedHResult="0" PreviousState="9" IsCritical="1" IsIncremental="0" BlockLevel="1" HasFiles="0" HasSystemState="1" IsCompacted="0" IsPruned="0" IsRecreateVhd="0" FullBackupReason="0" DataTransferred="13750319612" NumUnreadableBytes="0" TotalSize="13750319612" TotalNoOfFiles="0" Flags="1578" BackupTypeDetermined="1" SSBTotalNoOfFiles="0" SSBTotalSizeOnDisk="0" />
<VolumeInfoItem Name="D:" OriginalAccessPath="D:" State="14" HResult="0" DetailedHResult="0" PreviousState="9" IsCritical="0" IsIncremental="0" BlockLevel="1" HasFiles="0" HasSystemState="0" IsCompacted="0" IsPruned="0" IsRecreateVhd="0" FullBackupReason="0" DataTransferred="117477581831" NumUnreadableBytes="0" TotalSize="117477581831" TotalNoOfFiles="0" Flags="8" BackupTypeDetermined="1" SSBTotalNoOfFiles="0" SSBTotalSizeOnDisk="0" />
<VolumeInfoItem Name="E:" OriginalAccessPath="E:" State="14" HResult="0" DetailedHResult="0" PreviousState="9" IsCritical="0" IsIncremental="0"
BlockLevel="1" HasFiles="0" HasSystemState="0" IsCompacted="0" IsPruned="0" IsRecreateVhd="0" FullBackupReason="0" DataTransferred="166828116621" NumUnreadableBytes="0" TotalSize="166828116621" TotalNoOfFiles="0" Flags="8" BackupTypeDetermined="1" SSBTotalNoOfFiles="0" SSBTotalSizeOnDisk="0" /></VolumeInfo></Data> <Data Name="DetailedHRESULT">0</Data> <Data Name="SourceSnapStartTime">2011-06-03T11:00:39.192919200Z</Data> <Data Name="SourceSnapEndTime">2011-06-03T11:04:32.829002400Z</Data> <Data Name="PrepareBackupStartTime"><TimesList><Time Time="2011-06-03T11:04:54.123Z" /><Time Time="2011-06-03T11:10:02.362Z" /><Time Time="2011-06-03T12:00:44.077Z" /></TimesList></Data> <Data Name="PrepareBackupEndTime"><TimesList><Time Time="2011-06-03T11:04:54.233Z" /><Time Time="2011-06-03T11:10:02.378Z" /><Time Time="2011-06-03T12:00:44.093Z" /></TimesList></Data> <Data Name="BackupWriteStartTime"><TimesList><Time Time="2011-06-03T11:04:54.248Z" /><Time Time="2011-06-03T11:10:02.409Z" /><Time Time="2011-06-03T12:00:44.218Z" /></TimesList></Data> <Data Name="BackupWriteEndTime"><TimesList><Time Time="2011-06-03T11:10:02.362Z" /><Time Time="2011-06-03T12:00:44.077Z" /><Time Time="2011-06-03T13:51:35.545Z" /></TimesList></Data> <Data Name="TargetSnapStartTime">1601-01-01T00:00:00.000000000Z</Data> <Data Name="TargetSnapEndTime">1601-01-01T00:00:00.000000000Z</Data> <Data Name="DVDFormatStartTime"><TimesList></TimesList></Data> <Data Name="DVDFormatEndTime"><TimesList></TimesList></Data> <Data Name="MediaVerifyStartTime"><TimesList></TimesList></Data> <Data Name="MediaVerifyEndTime"><TimesList></TimesList></Data> <Data Name="BackupPreviousState">9</Data> <Data Name="ComponentStatus"><ComponentStatus></ComponentStatus></Data> <Data Name="SSBEnumerateStartTime">1601-01-01T00:00:00.000000000Z</Data> <Data Name="SSBEnumerateEndTime">1601-01-01T00:00:00.000000000Z</Data> <Data Name="SSBVhdCreationStartTime">1601-01-01T00:00:00.000000000Z</Data> <Data 
Name="SSBVhdCreationEndTime">1601-01-01T00:00:00.000000000Z</Data> <Data Name="SSBBackupStartTime">1601-01-01T00:00:00.000000000Z</Data> <Data Name="SSBBackupEndTime">1601-01-01T00:00:00.000000000Z</Data> <Data Name="SystemStateBackup"><SystemState IsPresent="1" HResult="0" DetailedHResult="0" /></Data> <Data Name="BMR">true</Data> <Data Name="VssFullBackup">false</Data> <Data Name="UserInputBMR">false</Data> <Data Name="UserInputSSB">true</Data> <Data Name="BackupSuccessLogPath" /> <Data Name="BackupFailureLogPath" /> <Data Name="EnumerateBackupStartTime"><TimesList><Time Time="1601-01-01T00:00:00.000Z" /><Time Time="1601-01-01T00:00:00.000Z" /><Time Time="1601-01-01T00:00:00.000Z" /></TimesList></Data> <Data Name="EnumerateBackupEndTime"><TimesList><Time Time="1601-01-01T00:00:00.000Z" /><Time Time="1601-01-01T00:00:00.000Z" /><Time Time="1601-01-01T00:00:00.000Z" /></TimesList></Data> <Data Name="PruneBackupStartTime"><TimesList><Time Time="1601-01-01T00:00:00.000Z" /><Time Time="1601-01-01T00:00:00.000Z" /><Time Time="1601-01-01T00:00:00.000Z" /></TimesList></Data> <Data Name="PruneBackupEndTime"><TimesList><Time Time="1601-01-01T00:00:00.000Z" /><Time Time="1601-01-01T00:00:00.000Z" /><Time Time="1601-01-01T00:00:00.000Z" /></TimesList></Data> </EventData> </Event>

Any thoughts on retrieving the complete XML from each event? Thanks
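Once a record is available as Event XML (what the Event Viewer shows above, and what EventLogRecord.ToXml() returns for a record fetched with Get-WinEvent), the named <Data> elements can be read directly instead of guessing at the concatenated insertion strings in $arrEvt[13]. The following is an added example, not code from the thread: a Python parser for that XML layout, with a second pass over the VolumesInfo value, which is itself XML stored as escaped text, to flag volumes whose transfer did not complete. The event sample is constructed, with shortened values and a made-up share address.

```python
# Added example, not code from the thread: parse Windows Event XML and the
# nested VolumesInfo XML carried inside one of its <Data> values.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample in the layout of the Microsoft-Windows-Backup event 14
# shown in the thread; values are shortened and the share address is made up.
# VolumesInfo holds XML-escaped XML, as it does in the real record.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Backup" /><EventID>14</EventID>
<Channel>Microsoft-Windows-Backup</Channel><Computer>host-example</Computer></System>
<EventData>
<Data Name="BackupTarget">\\192.0.2.10\ShareTest</Data>
<Data Name="NumOfVolumes">2</Data>
<Data Name="VolumesInfo">&lt;VolumeInfo&gt;&lt;VolumeInfoItem Name="C:" HResult="0"
DataTransferred="100" TotalSize="100" /&gt;&lt;VolumeInfoItem Name="D:" HResult="0"
DataTransferred="40" TotalSize="100" /&gt;&lt;/VolumeInfo&gt;</Data>
</EventData></Event>"""


def parse_event(xml_text: str) -> dict:
    """Return the System fields of interest plus every EventData <Data>
    element keyed by its Name attribute."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event = {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "data": {},
    }
    for data in root.iterfind("e:EventData/e:Data", NS):
        event["data"][data.get("Name")] = data.text or ""  # self-closing -> ""
    return event


def parse_volumes(volumes_info: str) -> list:
    """VolumesInfo is XML stored as text; parse it a second time and
    return one attribute dict per VolumeInfoItem."""
    return [dict(item.attrib)
            for item in ET.fromstring(volumes_info).iter("VolumeInfoItem")]


def incomplete_volumes(event: dict) -> list:
    """Names of volumes whose transfer fell short of TotalSize or reported an HResult."""
    return [v["Name"] for v in parse_volumes(event["data"]["VolumesInfo"])
            if v.get("HResult", "0") != "0"
            or int(v["DataTransferred"]) != int(v["TotalSize"])]
```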
readmedottxt (Author) Posted June 14, 2011

I've fallen back to PowerShell for reading event logs: Get-WinEvent, http://technet.microsoft.com/en-us/library/dd367894.aspx