Need help with extracting info from the Application Event Log using WMI

    Question

  • I have implemented Microsoft EMET but the EMET notification "tooltips" don't pop up. So I needed to create a script that would monitor the Application Event log in such a way that as events get created in that log, it would monitor those events and if it saw any event get created that had a Source name of EMET and an event type of 1 (Error), it would pop a notification up on the screen telling the user that EMET had just detected possible malicious activity, for the user to remember what they were just doing, and to call the IT department immediately. Using the Winbatch programming language (combined with WQL; WMI Query Language), I created the script shown below. Now as far as the syntax of the Winbatch scripting language goes, everything is good. The script runs without errors. In order to test whether the script is actually doing what it is supposed to be doing, as far as its interaction with WMI goes, I commented out the main line and inserted a slightly modified line (to pop up a notification any time any EMET event is created in the logs, not just an Error event, that way I can make an EMET configuration change and when it creates a log event, I should get the pop up message from my script). Problem is, when I ran such a test, I got no pop up message. So, there has to be something wrong with the WMI portion of my script. For someone familiar with WMI, this should be fairly simple, so I'm hoping that someone can take a look at the WMI portion of the script and tell me what's wrong?

    strComputer = "."
    ; Connect to the local CIMv2 namespace; (Security) is the privilege needed to read the Security log
    objWMIService = GetObject("winmgmts:" : "{impersonationLevel=impersonate, (Security)}!\\" : strComputer : "\root\cimv2")

    ; Win32_NTLogEvent has no EventSource property: the event source is SourceName and EventType is a number (1 = Error).
    ; A query on a property that does not exist simply never matches, which is why no notification ever appeared.
    ; Production query (EMET errors only), commented out for the test:
    ;colMonitoredEvents = objWMIService.ExecNotificationQuery("Select * from __instancecreationevent where TargetInstance isa 'Win32_NTLogEvent' and TargetInstance.SourceName = 'EMET' and TargetInstance.EventType = 1")
    ; Test query (any EMET event, so a configuration change is enough to trigger the pop-up):
    colMonitoredEvents = objWMIService.ExecNotificationQuery("Select * from __instancecreationevent where TargetInstance isa 'Win32_NTLogEvent' and TargetInstance.SourceName = 'EMET'")

    While @TRUE
        ; NextEvent blocks until the event log provider delivers a matching __InstanceCreationEvent
        objLatestEvent = colMonitoredEvents.NextEvent
        ; User is the account recorded on the log entry; ":" is WinBatch string concatenation
        strAlertToSend = objLatestEvent.TargetInstance.User : ": EMET detected an application behaving improperly and terminated it. Remember what you were doing when this happened and contact IT"
        Pause("EMET alert", strAlertToSend)
    Endwhile



    Monday, February 18, 2013 7:16 PM

Answers

  • WMI is a supported language. I suggest you read my previous reply (my last reply to jrv). The answer to the problem turned out to be a very simple WMI coding error. But you people were just too intent on fixating on anything other than the actual problem.

    WMI is not a scripting language. If you had asked an intelligent question like "How do I capture an event?" we might have been able to understand what you were asking. At best your question was ambiguous.

    We do not support WinBatch. Your script is not VBScript or any other language that any of us recognize.

    The following is the only WQL in your script and it is correct for VBScript and JavaScript.

    Select * from __instancecreationevent
         where TargetInstance isa 'Win32_NTLogEvent'
         and TargetInstance.EventSource = 'EMET'
         and TargetInstance.EventType = '1'

    So now you can see that nothing you posted was of any use to understanding your issue. None of the rest of your code has anything to do with WQL. It is purely an issue with how to use your scripting language with Windows COM objects. We do not support that here.

    I suggest spending a bit more time with the WMI documentation and trying to get a better understanding of the terminology.  Perhaps you could also attempt to listen to those here  who have many more years of experience with WMI and script than you do.

    Please - please  - try to focus your questions on Windows scripting languages or post in a forum for the language you are using.

    There is also a forum for WMI which might be useful for non-Windows scripting.


    ¯\_(ツ)_/¯

    Wednesday, February 20, 2013 8:32 PM
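    The monitor the question describes, built on the WQL quoted in the answer above, as an added example in Windows PowerShell 5.1 (not code from the original thread). It first lists which of the names used in the query really exist on Win32_NTLogEvent, which is the check that catches the kind of property-name typo the thread ends on, then dry-runs the filter against existing entries, then subscribes. It assumes Windows PowerShell 5.1 (Register-WmiEvent was removed in PowerShell 7, where Register-CimIndicationEvent is the equivalent), an interactive desktop session for the message box, and an account allowed to read the Application log.

```powershell
# Added example, not the original poster's WinBatch script.

# Step 1: confirm the property names before they go into a WQL string.
# Win32_NTLogEvent has SourceName, EventType and User; it has no EventSource,
# and a filter on a non-existent property matches nothing without any error.
function Test-NTLogEventProperty {
    param([string[]]$Name)
    $class = Get-WmiObject -List -Class Win32_NTLogEvent -Namespace 'root\cimv2'
    foreach ($n in $Name) {
        [pscustomobject]@{ Property = $n; Exists = ($class.Properties.Name -contains $n) }
    }
}
Test-NTLogEventProperty -Name 'EventSource', 'SourceName', 'EventType', 'User'

# Step 2: dry-run the filter against entries already in the log, so a query that
# silently matches nothing is noticed before the long-running subscription starts.
$filter = "Logfile = 'Application' AND SourceName = 'EMET' AND EventType = 1"
Get-WmiObject -Query "SELECT * FROM Win32_NTLogEvent WHERE $filter" |
    Select-Object -First 5 TimeGenerated, EventCode, User, Message

# Step 3: subscribe to new EMET error events. No WITHIN clause: the event log
# provider delivers __InstanceCreationEvent for Win32_NTLogEvent without polling.
$query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
         "AND TargetInstance.Logfile = 'Application' AND TargetInstance.SourceName = 'EMET' " +
         "AND TargetInstance.EventType = 1"
Add-Type -AssemblyName System.Windows.Forms
Register-WmiEvent -Query $query -SourceIdentifier 'EmetErrorWatch' | Out-Null
try {
    while ($true) {
        # Same loop shape as the original NextEvent loop: block until an event arrives.
        $evt   = Wait-Event -SourceIdentifier 'EmetErrorWatch'
        $entry = $evt.SourceEventArgs.NewEvent.TargetInstance
        # TimeGenerated is a DMTF datetime string; convert it for display.
        $when  = [System.Management.ManagementDateTimeConverter]::ToDateTime($entry.TimeGenerated)
        $text  = "EMET detected an application behaving improperly and terminated it.`r`n" +
                 "Remember what you were doing when this happened and contact IT.`r`n`r`n" +
                 ("User: {0}`r`nEvent ID: {1} at {2}`r`n{3}" -f $entry.User, $entry.EventCode, $when, $entry.Message)
        [System.Windows.Forms.MessageBox]::Show($text, 'EMET alert') | Out-Null
        Remove-Event -EventIdentifier $evt.EventIdentifier
    }
}
finally {
    # Always drop the subscription when the loop is interrupted (Ctrl+C).
    Unregister-Event -SourceIdentifier 'EmetErrorWatch'
}
```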

All replies

  • In Windows Vista and later you can do this by adding a task to the event log. 

    See: http://blogs.technet.com/b/jhoward/archive/2010/06/16/getting-event-log-contents-by-email-on-an-event-log-trigger.aspx


    ¯\_(ツ)_/¯

    Monday, February 18, 2013 7:32 PM
  • That does not help. First, that is not the question that I asked. I asked for help with my WMI code. Second, these systems are not Windows 2008 R2 servers and don't have an option to allow adding a task to an event in the event log. Right-clicking on an event item in the event log only allows you to pull up the properties of the event (on my system). Also, "tasks" are usually run by the Task Scheduler, which I keep disabled. So, none of this is helpful.
    Monday, February 18, 2013 9:08 PM
  • That does not help. First, that is not the question that I asked. I asked for help with my WMI code. Second, these systems are not Windows 2008 R2 servers and don't have an option to allow adding a task to an event in the event log. Right-clicking on an event item in the event log only allows you to pull up the properties of the event (on my system). Also, "tasks" are usually run by the Task Scheduler, which I keep disabled. So, none of this is helpful.

    You need to specify that you are using an older system. This capability has been in Windows since Vista. What system? W2K, XP?

    Have you looked in the repository for a solution?

    I have never heard of anyone disabling the task scheduler. Too many fundamental parts of Windows require the task scheduler so there is no way anyone could guess that you are doing non-standard things.

    Have you tried the Microsoft documentation?

    Start here: http://msdn.microsoft.com/en-us/library/windows/desktop/aa393013(v=vs.85).aspx

    This will show you the basics of eventing on an event log event.


    ¯\_(ツ)_/¯

    Monday, February 18, 2013 9:48 PM
  • It appears to be WinBatch which is pretty much obsolete.  It was popular before VBScript and WSH were created.


    ¯\_(ツ)_/¯

    Monday, February 18, 2013 10:32 PM
  • For anyone scratching their head about EMET HERE IS THE BLURB: http://blogs.technet.com/b/srd/archive/2012/05/15/introducing-emet-v3.aspx

    EMET provides dynamic notification via the tray icon. On detections it sets a display message. There is really no need to monitor the Event Log. The old EMET 2.1 did not have notification. EMET 3.0 does and has been the current version for about a year. I installed it about 1 year ago.

    EMET 3.0 can be customized.  See the included user manual.


    ¯\_(ツ)_/¯

    Monday, February 18, 2013 10:46 PM
  • The best place for WinBatch support would be at their support site:

    http://webboard.winbatch.com/

    WinBatch isn't supported in this forum.

    Bill

    Monday, February 18, 2013 11:07 PM
  • First, I'm an information security professional with 31 years of IT experience and 17 years of information security-specific experience. You never run unnecessary services; you shut all unnecessary services off. And use of the Task Scheduler is a big risk that infosec experts will tell you not to use. You can believe that or not, I really don't care. But disabling the Task Scheduler is not non-standard or non-supported, regardless of what you might think. But all of that is irrelevant; I asked for help with my WMI (Windows Management Instrumentation) query language code. That is all I asked for. I did NOT ask for people to try to provide alternative solutions that they think are "cool" but which I have no interest in using.

    If you can't answer my specific question, then just stay out of the conversation.

    Tuesday, February 19, 2013 1:39 AM
  • This question has absolutely nothing whatsoever to do with Winbatch. The scripting language that I use is irrelevant. I'm looking for scripting assistance with the WMI query language. So, unless you are familiar with WMI language, then stay out of the conversation.
    Tuesday, February 19, 2013 1:41 AM
  • What is with you? I said in my post that the EMET notifications are not working, thus I have to create my own notification application. I really think you need to stay out of this conversation because your posts are not helping anything.
    Tuesday, February 19, 2013 1:42 AM
  • As I told the other guy, you obviously paid no real attention to my post. It has nothing whatsoever to do with Winbatch. It has to do with scripting Microsoft WMI (Windows Management Instrumentation) query language. If you are not able to assist with issues relating to WMI query language (WQL), then just stay out of the conversation.
    Tuesday, February 19, 2013 1:46 AM
  • As I told the other guy, you obviously paid no real attention to my post. It has nothing whatsoever to do with Winbatch. It has to do with scripting Microsoft WMI (Windows Management Instrumentation) query language. If you are not able to assist with issues relating to WMI query language (WQL), then just stay out of the conversation.

    The link I posted is the exact answer.  It shows exactly how to set up a WMI query to capture an event.

    I am sorry but we will not write your script for you and what you posted is not any scripting language that we use here. It is not WQL, VBScript or any other language.

    If you do not understand WQL or VBScript then you need to look at the 'Learn' link above.  It will help you with the basics of scripting and WMI.

    Sorry but we cannot write custom scripts for you.


    ¯\_(ツ)_/¯

    • Proposed as answer by jrv Tuesday, February 19, 2013 2:41 AM
    Tuesday, February 19, 2013 1:55 AM
  • What is with you? I said in my post that the EMET notifications are not working, thus I have to create my own notification application. I really think you need to stay out of this conversation because your posts are not helping anything.

    If your EMET notifications are not working then you are using the wrong version of EMET or you need to contact MS support and fix them.

    Being angry and belligerent is not going to solve your problem.

    The solution to the WMI event query was posted a long time ago and you seem to not understand how it works. The 'Learn' link above will help you get a background in scripting, VBScript and WMI scripting. We cannot teach you this incrementally.

    I would take another look at the link I posted.


    ¯\_(ツ)_/¯

    Tuesday, February 19, 2013 2:40 AM
  • As I told the other guy, you obviously paid no real attention to my post. It has nothing whatsoever to do with Winbatch. It has to do with scripting Microsoft WMI (Windows Management Instrumentation) query language. If you are not able to assist with issues relating to WMI query language (WQL), then just stay out of the conversation.

    Your original post uses WinBatch or something that looks like it. It is not any scripting language used here or by Microsoft. It is not WQL or WMI if it is not VBScript.

    Maybe you should take some time to rethink your original question and ask it using VBScript or just plain English to explain what you are trying to do. Clarification might be helpful.


    ¯\_(ツ)_/¯

    Tuesday, February 19, 2013 2:45 AM
  • This question has absolutely nothing whatsoever to do with Winbatch. The scripting language that I use is irrelevant. I'm looking for scripting assistance with the WMI query language.

    I respectfully disagree with this blanket assertion. In theory, the language of choice doesn't affect your desired solution, but in practice, it does. If you want the best help, you should translate your code fragment into a supported language. (In other words, you should make it as easy as possible for others to help you.)

    Bill

    Tuesday, February 19, 2013 4:24 AM
  • No, you should just stay out of the conversation. It is WQL, regardless of the scripting language submitting the WQL code. And luckily I fixed it myself. The only problem was that I had the property name wrong for one of the properties of the WMI Win32_NTLogEvent class. Once I corrected the property name, that took care of the problem. Now, if someone had stuck to the actual question I posted instead of going off on a bunch of tangents, I could have had the problem resolved much sooner. Thank god I didn't need the assistance of you people.
    Wednesday, February 20, 2013 8:00 PM
  • WMI is a supported language. I suggest you read my previous reply (my last reply to jrv). The answer to the problem turned out to be a very simple WMI coding error. But you people were just too intent on fixating on anything other than the actual problem.
    Wednesday, February 20, 2013 8:02 PM
  • All of that was over a typo?

    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

    Wednesday, February 20, 2013 8:18 PM
  • Hi MrDisabledVet,

    Sorry you were unhappy, but I would point out that

    1. This is a peer-to-peer discussion group and does not come with a service level agreement
    2. Politeness is far more likely to elicit helpful responses

    Bill

    Wednesday, February 20, 2013 8:43 PM