Discussion:
Anything wrong with this WQL?
pantagruel
2007-08-21 13:58:00 UTC
Anyone see any reason why this WQL should not return any instances if
there are instances matching the following rules:

The time range to check is today to yesterday at this time.
The event code for the Security NTLogEvent is 528 or 551.

---------------------------
Windows Script Host
---------------------------
Select * from Win32_NTLogEvent Where Logfile = 'Security' And
(EventCode = '528' Or EventCode ='551') And TimeWritten >=
'20070820000000.000000+120' and TimeWritten <
'20070821000000.000000+120'
---------------------------
OK
---------------------------

Cheers,
Bryan Rasmussen
Bruno
2007-08-31 13:26:04 UTC
Hi
Here is some code that works for me (you must change the query values).
I split the query for simplicity.
Also note the double quotes around the WMI times.
Also check that the logs are not empty and that you have proper rights with
WMI explorer.

On Error Resume Next
Dim strComputer
Dim objWMIService
Dim propValue
Dim colItems
Dim objItem

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Parentheses keep the Logfile filter applied to both event codes
' (AND binds tighter than OR in WQL).
Set colItems = objWMIService.ExecQuery("Select * from Win32_NTLogEvent where " & _
    "Logfile = 'System' And (EventCode = '7036' OR EventCode = '2511')")

For Each objItem In colItems

    ' The time window is filtered here in script rather than in the WQL query.
    If objItem.TimeWritten >= "20070820103252.000000+120" And _
       objItem.TimeWritten < "20070823103252.000000+120" Then

        WScript.Echo "EventCode: " & objItem.EventCode
        WScript.Echo "EventIdentifier: " & objItem.EventIdentifier
        WScript.Echo "EventType: " & objItem.EventType
        WScript.Echo "Message: " & objItem.Message
        WScript.Echo "RecordNumber: " & objItem.RecordNumber
        WScript.Echo "TimeWritten: " & objItem.TimeWritten

    End If
Next
florencia spinella
2010-10-15 16:26:58 UTC
Try something like this (set the enable privileges):

// Requires: using System.Management;
ManagementScope scope = new ManagementScope();
// Enable the caller's privileges for this WMI connection.
scope.Options.EnablePrivileges = true;
ObjectQuery login_query = new ObjectQuery("SELECT * FROM Win32_NTLogEvent WHERE Logfile='Security' AND (EventCode = '528')");
ManagementObjectSearcher oSearcher_login = new ManagementObjectSearcher(scope, login_query);
ManagementObjectCollection oReturnCollection_login = oSearcher_login.Get();

Before I got no results, now I have many.
Hope it'll work.
florencia spinella
2010-10-15 16:29:33 UTC
Try enabling privileges. Before I had no results, now I have many. Hope it'll work.

// Requires: using System.Management;
ManagementScope scope = new ManagementScope();
// Enable the caller's privileges for this WMI connection.
scope.Options.EnablePrivileges = true;
ObjectQuery login_query = new ObjectQuery("SELECT * FROM Win32_NTLogEvent WHERE Logfile='Security' AND (EventCode = '528')");
ManagementObjectSearcher oSearcher_login = new ManagementObjectSearcher(scope, login_query);
ManagementObjectCollection oReturnCollection_login = oSearcher_login.Get();
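
The privilege setting from the replies above, applied to the original Windows Script Host query: an added example, not code from any poster in this thread. It enables the Security privilege through the WMI moniker and builds the 24-hour window with SWbemDateTime instead of hand-typed timestamps; the variable names and the printed columns are choices made for this example.

```vbscript
Option Explicit

Dim strComputer, objWMIService, colItems, objItem
Dim dtmNow, objFrom, objTo, strQuery, lngCount

strComputer = "."
dtmNow = Now

' Build the DMTF bounds (yyyymmddHHMMSS.mmmmmm+UUU) from local time so they
' carry this machine's UTC offset instead of a hard-coded "+120".
Set objFrom = CreateObject("WbemScripting.SWbemDateTime")
Set objTo = CreateObject("WbemScripting.SWbemDateTime")
objFrom.SetVarDate DateAdd("h", -24, dtmNow), True
objTo.SetVarDate dtmNow, True

' (Security) in the moniker enables SeSecurityPrivilege for this connection,
' the scripting counterpart of scope.Options.EnablePrivileges = true.
On Error Resume Next
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & _
    strComputer & "\root\cimv2")
If Err.Number <> 0 Then
    WScript.Echo "WMI connection failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

' 528 and 551 are the event codes from the original question.
strQuery = "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security'" & _
    " AND (EventCode = '528' OR EventCode = '551')" & _
    " AND TimeWritten >= '" & objFrom.Value & "'" & _
    " AND TimeWritten < '" & objTo.Value & "'"
WScript.Echo strQuery

' Count while iterating; errors are no longer suppressed at this point,
' so a denied or malformed query stops the script with a visible error.
Set colItems = objWMIService.ExecQuery(strQuery)
lngCount = 0
For Each objItem In colItems
    lngCount = lngCount + 1
    WScript.Echo objItem.TimeWritten & "  " & objItem.EventCode & "  " & objItem.User
Next
WScript.Echo lngCount & " matching event(s)"
```

Run it with cscript from an account that holds the "Manage auditing and security log" right; enabling a privilege in the moniker does not grant one the account lacks.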