(imported comment written by BenKus)
Hey Nicky,
There is some trickiness here… The event log inspectors will usually return a number that is different from what the event viewer shows…
To illustrate this, if you run this query to get all events in the last day (I get something like this):
q: (event id of it, source of it, time generated of it) of records whose (now - time generated of it < 1*day) of application event log
A: 1073743631, SecurityCenter, ( Wed, 21 Feb 2007 22:30:51 -0800 )
A: 0, iPod Service, ( Wed, 21 Feb 2007 22:30:56 -0800 )
A: 1073741850, Outlook, ( Thu, 22 Feb 2007 04:34:21 -0800 )
A: 1073741850, Outlook, ( Thu, 22 Feb 2007 04:34:30 -0800 )
A: 3221225487, AutoEnrollment, ( Thu, 22 Feb 2007 06:31:57 -0800 )
A: 1073743528, SceCli, ( Thu, 22 Feb 2007 11:29:27 -0800 )
Now if I compare this to my application event log, the event IDs just look wrong. Instead of 1073743528 for the last event, I have 1704… A quick trip to the calculator shows that:
1073743528 - 2^30 = 1704
So basically the event viewer in Windows throws away the “high bits” of the event, but the event ID inspector doesn’t do this. According to the Microsoft technical documentation, the bits of the “EventID” look like this: http://msdn2.microsoft.com/en-us/library/aa363651.aspx . As far as we can tell, you aren’t technically supposed to throw away the high bits of the event id, so we are having a hard time calling this a full bug, but it seems to me that we should allow you to get the Event Viewer’s concept of the ID that doesn’t include the high bits.
While we figure that out, you can use the mathematical “mod” operator to “knock off” the top bits to get the event viewer’s concept of eventid. For instance, I can rewrite my above expression as:
q: (event id of it mod 2147483648 mod 1073741824, source of it, time generated of it) of records whose (now - time generated of it < 1*day) of application event log
A: 1807, SecurityCenter, ( Wed, 21 Feb 2007 20:27:34 -0800 )
A: 1807, SecurityCenter, ( Wed, 21 Feb 2007 22:30:51 -0800 )
A: 0, iPod Service, ( Wed, 21 Feb 2007 22:30:56 -0800 )
A: 26, Outlook, ( Thu, 22 Feb 2007 04:34:21 -0800 )
A: 26, Outlook, ( Thu, 22 Feb 2007 04:34:30 -0800 )
A: 15, AutoEnrollment, ( Thu, 22 Feb 2007 06:31:57 -0800 )
A: 1704, SceCli, ( Thu, 22 Feb 2007 11:29:27 -0800 )
Which looks just like my event viewer…
Hope that helps,
Ben
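Added example (not part of Ben's post, nor BigFix or Microsoft code): the arithmetic above, worked through against the bit layout on the MSDN page Ben links, which documents a 32-bit EventID as Sev (bits 31-30), C (bit 29), R (bit 28), Facility (bits 27-16) and Code (bits 15-0). The script decodes the raw IDs from the query output in the post, reproduces the `mod 2147483648 mod 1073741824` expression, and compares it with masking to the 16-bit Code field. The two agree for every record in the post because C, R and Facility are all zero there; the constructed ID `0x40010708` (an assumption, not from the post) shows that they differ as soon as the Facility field is set, since the `mod` expression only strips bits 31 and 30.

```python
"""Decode 32-bit Windows event IDs into the fields documented on the MSDN
"Event Identifiers" page and compare the post's "mod" trick with a plain
16-bit mask.  Added example; not BigFix or Microsoft code."""

from dataclasses import dataclass

# Bit layout from the MSDN page linked in the post:
#   31-30 Sev, 29 C (customer), 28 R (reserved), 27-16 Facility, 15-0 Code
SEVERITY_NAMES = {0: "Success", 1: "Informational", 2: "Warning", 3: "Error"}


@dataclass(frozen=True)
class EventId:
    raw: int
    severity: int
    customer: bool
    reserved: bool
    facility: int
    code: int

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def decode_event_id(raw: int) -> EventId:
    """Split a raw EventID (as the relevance inspector returns it) into fields."""
    if not 0 <= raw <= 0xFFFFFFFF:
        raise ValueError(f"event id out of 32-bit range: {raw}")
    return EventId(
        raw=raw,
        severity=(raw >> 30) & 0x3,
        customer=bool((raw >> 29) & 0x1),
        reserved=bool((raw >> 28) & 0x1),
        facility=(raw >> 16) & 0xFFF,
        code=raw & 0xFFFF,
    )


def mod_trick(raw: int) -> int:
    """The post's relevance expression, 'event id of it mod 2147483648 mod 1073741824':
    it drops bits 31 and 30 and nothing else."""
    return raw % 2147483648 % 1073741824


def code_field(raw: int) -> int:
    """The 16-bit Code field alone (bits 15-0)."""
    return raw & 0xFFFF


# (source, raw id) pairs copied from the query output in the post.
POST_RECORDS = [
    ("SecurityCenter", 1073743631),
    ("iPod Service", 0),
    ("Outlook", 1073741850),
    ("AutoEnrollment", 3221225487),
    ("SceCli", 1073743528),
]


def compare(records):
    """Return (source, severity name, mod-trick value, code field) per record."""
    out = []
    for source, raw in records:
        ev = decode_event_id(raw)
        out.append((source, ev.severity_name, mod_trick(raw), ev.code))
    return out


if __name__ == "__main__":
    for row in compare(POST_RECORDS):
        print("%-15s %-14s mod=%-6d code=%d" % row)
    # Constructed id (not from the post) with Facility=1 and Code=0x708,
    # to show where the mod trick and the 16-bit mask part ways.
    made_up = 0x40010708
    print(hex(made_up), mod_trick(made_up), code_field(made_up))
```

Running it prints 1807, 0, 26, 15 and 1704 for the post's records under both methods, with AutoEnrollment decoded as severity Error (top two bits 11) and the rest as Informational (01); for the constructed `0x40010708` the `mod` expression yields 67336 while the Code field is 1800.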