Hi everyone.
I have backup eventlogs named savelog1, savlog2, etc. They are automatically generated.
I could not find a way to read them, and the only VBScript that I could find for reading
a saved eventlog is this:
' ----- start of the script-------
Const NO_VALUE = Empty
Const OverwriteExisting = True
Const DeleteReadOnly = True

' Copy the saved log to the file the EventLog service uses for a log named ETORMFS
Set objFSO = CreateObject("Scripting.FileSystemObject")
objFSO.CopyFile "c:\back\savedlog1", "c:\windows\system32\config\ETORMFS.Evt", OverwriteExisting

' Register ETORMFS as an event log by creating its key under the EventLog service
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.RegWrite "HKLM\System\CurrentControlSet\Services\EventLog\ETORMFS\", NO_VALUE

' Query the newly registered log through WMI
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where Logfile = 'ETORMFS'")

' Show one message box per event; Cancel stops the loop
For Each objEvent In colLoggedEvents
    txt = "Date: " & objEvent.TimeWritten & vbCrLf
    txt = txt & "Source: " & objEvent.SourceName & vbCrLf
    txt = txt & "Category: " & objEvent.Category & vbCrLf
    txt = txt & "Type: " & objEvent.Type & vbCrLf
    txt = txt & "Event Code: " & objEvent.EventCode & vbCrLf
    txt = txt & "User: " & objEvent.User & vbCrLf
    txt = txt & "Computer: " & objEvent.ComputerName & vbCrLf
    txt = txt & "RecordNumber: " & objEvent.RecordNumber & vbCrLf
    txt = txt & "Message: " & objEvent.Message & vbCrLf
    txt = txt & "-------------------" & vbCrLf
    txt = txt & vbCrLf
    w_status = MsgBox(txt, vbOKCancel, "Archive EventLog")
    If w_status = vbCancel Then
        WScript.Echo "EventView aborted by user ...exiting"
        Exit For
    End If
Next

' Clean up: unregister the log, then delete the copied file
WshShell.RegDelete "HKLM\System\CurrentControlSet\Services\EventLog\ETORMFS\"
objFSO.DeleteFile "C:\windows\system32\config\ETORMFS.evt", DeleteReadOnly
' ---- End of Script ----
My script ends with an error when it tries to DeleteFile the ETORMFS.Evt file.
I found that this file can't be removed because it is being used by the process services.exe.
Any help?
Thank you!
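
A different way to read the saved file, added here as an example and not part of the original post: PowerShell's `Get-WinEvent -Path` opens a saved log file directly, so nothing is registered under the EventLog service and no service process holds the file open. The function name `Read-SavedEventLog` is hypothetical; the backup path is the one from the post.

```powershell
# Added example: read a saved .evt backup without registering it as a live log.
# Read-SavedEventLog is a hypothetical helper name, not an existing cmdlet.
function Read-SavedEventLog {
    param(
        [Parameter(Mandatory)] [string] $BackupPath,
        [int] $MaxEvents = 0                      # 0 means no limit
    )

    # Work on a private copy that carries an .evt extension, so the original
    # backup is never modified and the file type is unambiguous.
    $name = 'savedlog_{0}.evt' -f [guid]::NewGuid().ToString('N')
    $temp = Join-Path $env:TEMP $name
    Copy-Item -LiteralPath $BackupPath -Destination $temp

    try {
        # -Oldest is required when reading legacy .evt files.
        $query = @{ Path = $temp; Oldest = $true; ErrorAction = 'Stop' }
        if ($MaxEvents -gt 0) { $query.MaxEvents = $MaxEvents }

        # Emit the same fields the VBScript above shows in its message box.
        Get-WinEvent @query | ForEach-Object {
            [pscustomobject]@{
                Date         = $_.TimeCreated
                Source       = $_.ProviderName
                Category     = $_.TaskDisplayName
                Type         = $_.LevelDisplayName
                EventCode    = $_.Id
                User         = $_.UserId
                Computer     = $_.MachineName
                RecordNumber = $_.RecordId
                Message      = $_.Message
            }
        }
    }
    finally {
        # The copy was only ever opened by this session, so it can be removed.
        Remove-Item -LiteralPath $temp -Force -ErrorAction SilentlyContinue
    }
}

# Path taken from the post; adjust to the backup being examined.
Read-SavedEventLog -BackupPath 'C:\back\savedlog1' | Format-List
```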