Looking for CHKDSK

(imported topic written by SystemAdmin)

Hey guys,

I’m trying to pull out info from the event viewer that shows me when CHKDSK has been run. What I have so far is this…

q: (event id of it mod 2147483648 mod 1073741824, time written of it) of records whose (description of it contains "CHKDSK" and source of it = "Winlogon") of application event log

A: 1001, ( Thu, 28 Jun 2012 14:22:03 -0500 )

T: 21862.117 ms

This is bringing back exactly what I want, but I’m about to run this against 150k endpoints and the run time is higher than I’d like. Does anyone have suggestions for reducing this evaluation time? Maybe a better way to write this or another method to pull this off?

Thanks,

Baraq

Console version 8.1.551.0 with DSS-SAM Version 1.3.1.597

(imported comment written by MattBoyd)

If you’re putting it into an analysis, change the evaluation period to every 12 hours (or more) for this property. Querying the event log through BigFix has always been slow. There are new(er) Windows APIs to query the log that are much faster (from the limited testing I did myself), but I didn’t get much feedback from the developers when I suggested them…

Unmanaged code: http://msdn.microsoft.com/en-us/library/aa385650(v=vs.85).aspx

Managed code (.NET): http://msdn.microsoft.com/en-us/library/aa385466(v=vs.85).aspx
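
Added example, not part of the original thread and not BigFix code: the same lookup done through the newer Windows Event Log API via PowerShell's Get-WinEvent, which lets the Event Log service filter by provider and event ID before any message text is rendered. The log, source name, event ID and "CHKDSK" match are taken from the question above; the variable names are illustrative.

```powershell
# Values taken from the question in this thread: Application log,
# source "Winlogon", event ID 1001, description containing "CHKDSK".
# If your endpoints log the CHKDSK result under a different source,
# change $Provider accordingly (assumption: they match the question).
$Provider = 'Winlogon'
$EventId  = 1001

# XPath filter evaluated by the Event Log service itself, so only matching
# records are returned instead of every record in the log being walked.
$xpath = "*[System[Provider[@Name='$Provider'] and (EventID=$EventId)]]"

try {
    $events = Get-WinEvent -LogName Application -FilterXPath $xpath -ErrorAction Stop
} catch {
    # Get-WinEvent reports an error when nothing matches; treat that as empty.
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
    else { throw }
}

# Message rendering is the expensive part, so the text match runs only on
# the already-narrowed set of records.
$events |
    Where-Object { $_.Message -like '*CHKDSK*' } |
    Sort-Object TimeCreated -Descending |
    Select-Object Id, TimeCreated
```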