WMI for Microsoft-Windows-Backup


  • Hi all,

    I'm trying to retrieve the event logs in Microsoft-Windows-Backup via WMI. I have 6 events in there (14,4,1,14,4,1), and when I run the following query I get 5 events (753,754,753,754,753). Am I missing something? I'm using AutoIt, but the syntax is basically the same as VB.

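    ; --- Dump Win32_NTLogEvent records whose SourceName is 'Microsoft-Windows-Backup' ---
    ; NOTE(review): Win32_NTLogEvent enumerates the classic logs (Application, System,
    ; Security, ...). Records shown in Event Viewer under "Applications and Services Logs"
    ; (e.g. Microsoft-Windows-Backup/Operational) are not expected to appear through this
    ; class; the Logfile value printed for each record shows which log a hit came from.
    ; Reading the Security log normally needs elevated rights (Administrator or membership
    ; in Event Log Readers) — confirm against the host's policy before relying on it.
    $wbemFlagReturnImmediately = 0x10   ; semisynchronous call
    $wbemFlagForwardOnly = 0x20         ; forward-only enumerator (lower memory, no .Count)
    $colItems = ""
    $strComputer = "localhost"

    $Output = ""
    $Output = $Output & "Computer: " & $strComputer & @CRLF
    $Output = $Output & "==========================================" & @CRLF

    ; Connect to the CIMV2 namespace. ObjGet returns a non-object on failure (WMI service
    ; unavailable, access denied, bad host name); calling .ExecQuery on that value would
    ; abort the script with a COM error, so check it first.
    $objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\CIMV2")
    If Not IsObj($objWMIService) Then
       MsgBox(16, "WMI Output", "Could not connect to winmgmts:\\" & $strComputer & "\root\CIMV2 (error " & @error & ")")
       Exit 1
    EndIf

    ; Both $strComputer and the SourceName filter are literals here. If either is ever taken
    ; from user input, do not splice it into the WQL text as-is; escape embedded quotes first.
    $colItems = $objWMIService.ExecQuery("SELECT * FROM Win32_NTLogEvent Where SourceName='Microsoft-Windows-Backup'", "WQL", _
                                              $wbemFlagReturnImmediately + $wbemFlagForwardOnly)

    If IsObj($colItems) Then
       For $objItem In $colItems
          $Output = $Output & "Category: " & $objItem.Category & @CRLF
          $Output = $Output & "CategoryString: " & $objItem.CategoryString & @CRLF
          $Output = $Output & "ComputerName: " & $objItem.ComputerName & @CRLF
          ; Data and InsertionStrings are array-valued and may be empty or Null for a given
          ; record; indexing element 0 unconditionally raises a fatal subscript error.
          $strData = _FirstElement($objItem.Data)
          $Output = $Output & "Data: " & $strData & @CRLF
          $Output = $Output & "EventCode: " & $objItem.EventCode & @CRLF
          $Output = $Output & "EventIdentifier: " & $objItem.EventIdentifier & @CRLF
          $Output = $Output & "EventType: " & $objItem.EventType & @CRLF
          $strInsertionStrings = _FirstElement($objItem.InsertionStrings)
          $Output = $Output & "InsertionStrings: " & $strInsertionStrings & @CRLF
          $Output = $Output & "Logfile: " & $objItem.Logfile & @CRLF
          $Output = $Output & "Message: " & $objItem.Message & @CRLF
          $Output = $Output & "RecordNumber: " & $objItem.RecordNumber & @CRLF
          $Output = $Output & "SourceName: " & $objItem.SourceName & @CRLF
          $Output = $Output & "TimeGenerated: " & WMIDateStringToDate($objItem.TimeGenerated) & @CRLF
          $Output = $Output & "TimeWritten: " & WMIDateStringToDate($objItem.TimeWritten) & @CRLF
          $Output = $Output & "Type: " & $objItem.Type & @CRLF
          $Output = $Output & "User: " & $objItem.User & @CRLF
          ; Flag 1 = OK/Cancel box; return value 2 = Cancel, which stops paging records.
          If MsgBox(1, "WMI Output", $Output) = 2 Then ExitLoop
          $Output = ""
       Next
    Else
       MsgBox(0, "WMI Output", "No WMI Objects Found for class: " & "Win32_NTLogEvent")
    EndIf

    ; Returns element 0 of $vValue, or "" when $vValue is not an array or has no elements.
    Func _FirstElement($vValue)
       If Not IsArray($vValue) Then Return ""
       If UBound($vValue) = 0 Then Return ""
       Return $vValue[0]
    EndFunc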

    ; Formats a WMI CIM_DATETIME string (yyyymmddHHMMSS.ffffff+UUU) as "mm/dd/yyyy HH:MM:SS".
    ; Only the first 14 characters are read: the fractional-second and UTC-offset fields are
    ; ignored and no time-zone conversion is applied. A short or empty input yields "" parts.
    Func WMIDateStringToDate($dtmDate)
       Local $sYear  = StringLeft($dtmDate, 4)
       Local $sMonth = StringMid($dtmDate, 5, 2)
       Local $sDay   = StringMid($dtmDate, 7, 2)
       Local $sHour  = StringMid($dtmDate, 9, 2)
       Local $sMin   = StringMid($dtmDate, 11, 2)
       Local $sSec   = StringMid($dtmDate, 13, 2)
       Local $sDate  = $sMonth & "/" & $sDay & "/" & $sYear
       Local $sTime  = $sHour & ":" & $sMin & ":" & $sSec
       Return $sDate & " " & $sTime
    EndFunc


    Sunday, May 29, 2016 1:59 PM

Answers