Microsoft Security Essentials

[RedneckTech]

Yea, i know, dont trust M$, but its not for me. its for general purpose. All of the logs for this application are in the event viewer. Im sorry if ive just missed this, but I need to find a way to poll the event viewer log for any events from MSE and then record that to a file somehow. I've been looking and cant find anything that seems helpful. I may just be seeing what i need and not noticing it. Any help would be greatly appreciated

[hannes08]

Hi RedneckTech,

I've never used it but I think a good start would be to use the "_EventLog__Read" function.

[JLogan3o13]

Hi, RedneckTeck. Have you looked at the example in the Help file for _EventLog_Read? Just using the provided example, you could output to a MsgBox or some other notification if the Source matches MSE.

Edit: Too slow

Edited August 14, 2012 by JLogan3o13

[RedneckTech]

Right, i looked at that, but thats just opening a gui for the last event in the log. Im looking to poll it. so do i just want do an:

If $aEvent[10] = "Security Essentials" Then

FileWriteLine( $File, $aEvent[13] )

EndIf

inside of a loop that continues until "$aEvent[4] & $aEvent[5]" is older than 23 hours (running a scan every day, so allowing ~hour to scan)? Just seems like im missing something

[RedneckTech]

ok. so after a day and a half of trial and error i can get a working example, but only reads the first/last (most recent) event in the "System" log. I was wondering if you guys had a good way to set this to scroll through and read the logs, or if there was a faster way (2d array?) to ready through every event that's less than 24 hours old.

I know that it's got a lot of steps that can be combined into a single step, but while im creating it im leaving it step by step, but heres what I've got so far.

#include <EventLog.au3>
#include <date.au3>

While $timediff < 24
   $hEventLog = _EventLog__Open("", "System")
   $aEvent = _EventLog__Read($hEventLog, True, False)
   $timearray = StringSplit( $aEvent[3], ":")
   If StringInStr ( $aEvent[3], "PM" ) Then
      $24hour = $timearray[1] + 12
      $hours = @HOUR + 24
      $timediff = $hours - $24hour
      If $timediff < 24 Then
         _Analyze()
      EndIf
   EndIf
WEnd

Func Analyze()
   If $aEvent [10] = "Windows AntiMalware" Then
      If $aEvent[8] <> "information" Then
         FileOpen (@WorkingDir & "WinAMLog.txt", 1)
         FileWriteLine ( @WorkingDir & "WinAMLog.txt", $aEvent[2] & " " & $aEvent[3] & " - " & $aEvent[13] )
      EndIf
   EndIf
EndFunc

Im thinking something along the lines of this for the scrolling, but not sure how to position it

$n = 1
While $timediff < 24
   $hEventLog = EventLog_Open("", "System")
   $aEvent = _EventLog_Read ($hEventLog, True, False, $n)
   If $timediff < 24 Then
      $n = $n + 1
   EndIf
WEnd

thats not how the final script would look, just how im trying to position it. problem is that when i do it, it doesnt work. any advice?

[RedneckTech]

been working and turns out i was looking at the script with dry eyes. came back to it yesterday after ignoring it monday and did some major editing. Here's what I have, but i still cant get it to work.

#include <EventLog.au3>
#include <date.au3>

$n = 0
$hEventLog = _EventLog__Open("", "System")
$timediff = 0
While $timediff < 24
   $aEvent = _EventLog__Read($hEventLog, False, False, $n)
   $timearray = StringSplit( $aEvent[5], ":")
   $datearray = StringSplit( $aEvent[4], "/")
   $24hour = $timearray[1]
   If StringInStr ( $aEvent[5], "PM" ) Then
      $24hour = $timearray[1] + 12
   EndIf
   If $datearray[2] <> @MDAY Then
      $24hour = $24hour + 24
   EndIf
   $hours = @HOUR
   $timediff = $hours - $24hour
   If $timediff < 24 Then
      _Analyze()
      $n = $n + 1
   EndIf
WEnd

Func Analyze()
   If $aEvent [10] = "Windows AntiMalware" Then
      If $aEvent[8] <> "information" Then
         FileOpen (@WorkingDir & "WinAMLog.txt", 1)
         FileWriteLine ( @WorkingDir & "WinAMLog.txt", $aEvent[2] & " " & $aEvent[3] & " - " & $aEvent[13] )
      EndIf
   EndIf
EndFunc