Hopefully someone will be able to help me. I’d like to build a new property that extracts information from a specific Event ID. This event is on a Windows 7 machine and is part of the Windows Diagnostic and Performance logs. I’m trying to gather the boot time information so that I can build reporting for specific sites with and without local DCs.
The event information is below. I also attached a screen capture.
Querying the windows event manager is usually fairly painful… but this may get you started:
q: (event id of it, time written of it, description of it) of records whose (exists description of it and source of it = "Winlogon") of application event log
A: 1073745925, ( Thu, 06 Jan 2011 12:30:59 -0700 ), Windows license validated.
A: 1073745925, ( Thu, 06 Jan 2011 12:32:55 -0700 ), Windows license validated.
A: 1073745925, ( Thu, 06 Jan 2011 12:35:13 -0700 ), Windows license validated.
Also, here is how to find which sources are available to you:
q: unique values of sources of records of application event log
A: .NET Runtime Optimization Service
A: AtBroker
A: COM+
A: Desktop Window Manager
A: EventSystem
A: LoadPerf
A: MSDTC
A: MSDTC 2
A: MSDTC Client 2
A: MSSQLSERVER
My machine has no records for the service you mention, so I can’t easily create a more specific example.
This is a cool idea, and I just spent a lot of time investigating it.
Unfortunately, it seems there is currently a bug that prevents us from getting exactly what we want. The expression we want starts something like this:
Q: descriptions of records whose (event id of it = 100) of event log "Microsoft-Windows-Diagnostics-Performance/Operational"
However, there is a bug where looking up this event log returns incorrect results (it ends up referencing the application event log, and strips those events of their descriptions for some reason). I am trying to see if there is a workaround, but if not, we will have to wait for a platform release to fix this.
Don’t wait for an update, I would look for a workaround such as boyd’s suggestion to use WMI.
When Zak refers to a “platform release” he is not saying the fix is coming anytime soon; he is stating the fact that 1) it is a bug and 2) it would require a new release to fix it. No date is implied.
I assume you are referring to the Win32_NTLogEvent Class. If so, those events are not available via this class. If I’m off on which class to be looking at, please let me know. Thanks again for all the help.
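One workaround outside the relevance language, as an added example that is not part of the original thread: PowerShell's Get-WinEvent can read the Microsoft-Windows-Diagnostics-Performance/Operational channel directly and pull the timing fields out of Event ID 100. The EventData field names used here (BootTime, MainPathBootTime, BootPostBootTime) are assumed from how this event's XML normally appears, so confirm them against an event on your own machine; reading this channel may require an elevated session.

```powershell
# Added example: extract boot timings from Event ID 100 on the local machine.
# Written to run on PowerShell 2.0 (the version that ships with Windows 7).
$filter = @{
    LogName = 'Microsoft-Windows-Diagnostics-Performance/Operational'
    Id      = 100
}

# @() guarantees an array even when nothing matches, so the loop below
# is skipped cleanly instead of running once with $null on PowerShell 2.0.
$events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue)

$report = foreach ($e in $events) {
    # The named EventData fields are only reachable through the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    # Field names are assumptions (see lead-in); values are in milliseconds.
    New-Object PSObject -Property @{
        Computer       = $e.MachineName
        TimeCreated    = $e.TimeCreated
        BootTimeMs     = [int]$data['BootTime']
        MainPathBootMs = [int]$data['MainPathBootTime']
        PostBootMs     = [int]$data['BootPostBootTime']
    }
}

# New-Object -Property does not preserve key order, so select columns explicitly.
$report |
    Sort-Object TimeCreated -Descending |
    Select-Object Computer, TimeCreated, BootTimeMs, MainPathBootMs, PostBootMs |
    Format-Table -AutoSize
```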