Edit

WMI Tasks: Event Logs

  • Article

WMI tasks for event logs obtain event data from event log files and perform operations like backing up or clearing log files. For other examples, see the TechNet ScriptCenter at https://www.microsoft.com/technet.

The script examples shown in this topic obtain data only from the local computer. For more information about how to use the script to obtain data from remote computers, see Connecting to WMI on a Remote Computer.

The following procedure describes how to run a script.

To run a script

  1. Copy the code and save it in a file with a .vbs extension, such as filename.vbs. Ensure that your text editor does not add a .txt extension to the file.
  2. Open a command prompt window and navigate to the directory where you saved the file.
  3. Type cscript filename.vbs at the command prompt.
  4. If you cannot access an event log, check to see if you are running from an Elevated command prompt. Some Event Log, such as the Security Event Log, may be protected by User Access Controls (UAC).

Note

By default, cscript displays the output of a script in the command prompt window. Because WMI scripts can produce large amounts of output, you might want to redirect the output to a file. Type cscript filename.vbs > outfile.txt at the command prompt to redirect the output of the filename.vbs script to outfile.txt.

The following table lists script examples that can be used to obtain various types of data from the local computer.

How do I... WMI classes or methods
...retrieve information about the Security event log? Include the Security privilege when connecting to the Win32_NTEventlogFile class. For more information, see Executing Privileged Operations Using VBScript.
VB 
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" & _
        strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile " _
        & "Where LogFileName='Security'")
For Each objLogFile in colLogFiles
    Wscript.Echo objLogFile.NumberOfRecords
    Wscript.Echo "Maximum Size: " _
    &  objLogfile.MaxFileSize 
Next
PowerShell 
$strComputer = "."
$colLogFiles = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $strComputer | Where-Object {$_.LogFileName -eq 'security'}
foreach ($objLogFile in $colLogFiles) 
{ 
    "Record Number: " + $objLogFile.NumberOfRecords
    "Maximum Size: " + $objLogFile.MaxFileSize
}
...back up an event log?

Use the Win32_NTEventlogFile class and the BackupEventLog method. You may need to include the Backup privilege when connecting to WMI. For more information, see Executing Privileged Operations Using VBScript.

VB 
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Backup)}!\\" & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery ("Select * from Win32_NTEventLogFile " & "Where LogFileName='Application'")
For Each objLogfile in colLogFiles
    errBackupLog = objLogFile.BackupEventLog("c:\scripts\application.evt")
    WScript.Echo "File saved as c:\scripts\applications.evt"
Next

PowerShell 
$strComputer = "."
$colLogFiles = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $strComputer | Where-Object {$_.LogFileName -eq 'Application'}

foreach ($objLogFile in $colLogFiles)
{
[void]$objLogFile.BackupEventlog("c:\scripts\applications.evt")
"File saved as c:\scripts\applications.evt"
}
...back up an event log more than once?

Ensure that the backup file has a unique name before using the Win32_NTEventlogFile and the BackupEventLog method. The operating system does not allow you to overwrite an existing backup file; you must either move the backup file or rename it before you can run the script again. You may need to include the Backup privilege when connecting to WMI. For more information, see Executing Privileged Operations Using VBScript.

VB 
dtmThisDay = Day(Date)
dtmThisMonth = Month(Date)
dtmThisYear = Year(Date)
strBackupName = dtmThisYear & "_" & dtmThisMonth & "_" & dtmThisDay
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Backup)}!\\" & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery ("Select * from Win32_NTEventLogFile " & "Where LogFileName='Application'")
For Each objLogfile in colLogFiles
    objLogFile.BackupEventLog("c:\scripts\" & strBackupName & "_application.evt")
    objLogFile.ClearEventLog()
    WScript.Echo "File saved: " & strBackupName & "_application.evt"
Next

PowerShell 
$CurDate = Get-Date
$strBackupName = $curDate.Year.ToString() + "_" + $curDate.Month.ToString() + "_" + $CurDate.Day.ToString()

$strComputer = "."
$colLogFiles = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $strComputer | Where-Object {$_.LogFileName -eq 'Application'}
foreach ($objLogFile in $colLogFiles)
{
$BackupFile = $objLogFile.BackupEventlog("c:\scripts" + $strBackupName + "_application.evt")
"File saved: c:\scripts" + $strBackupName + "_application.evt"
}
...determine the number of records in an event log?

Use the Win32_NTEventlogFile class and check the value of the NumberOfRecords property.

VB 
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery ("Select * from Win32_NTEventLogFile " & "Where LogFileName='System'")
For Each objLogFile in colLogFiles
    Wscript.Echo objLogFile.NumberOfRecords
Next

PowerShell 
$strComputer = "."
$colLogFiles = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $strComputer | Where-Object {$_.LogFileName -eq 'System'}

foreach ($objLogFile in $colLogFiles)
{
$objLogFile.NumberOfRecords
}
...clear my event logs?

Use the Win32_NTEventlogFile class and the ClearEventLog method.

VB 
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Backup, Security)}!\\" & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery ("Select * from Win32_NTEventLogFile " & "Where LogFileName='Application'")
For Each objLogfile in colLogFiles
    objLogFile.ClearEventLog()
    WScript.Echo "Cleared application event log file"
Next

PowerShell 
$strComputer = "."
$colLogFiles = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $strComputer | Where-Object {$_.LogFileName -eq 'System'}

foreach ($objLogFile in $colLogFiles)
{
[void]$objLogFile.ClearEventlog()
"Cleared application event log file"
}
...read events from the event logs?

Use the Win32_NTLogEvent class.

VB 
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent " _
        & "Where Logfile = 'System'")
For Each objEvent in colLoggedEvents
    Wscript.Echo "Category: " & objEvent.Category & VBNewLine _
    & "Computer Name: " & objEvent.ComputerName & VBNewLine _
    & "Event Code: " & objEvent.EventCode & VBNewLine _
    & "Message: " & objEvent.Message & VBNewLine _
    & "Record Number: " & objEvent.RecordNumber & VBNewLine _
    & "Source Name: " & objEvent.SourceName & VBNewLine _
    & "Time Written: " & objEvent.TimeWritten & VBNewLine _
    & "Event Type: " & objEvent.Type & VBNewLine _
    & "User: " & objEvent.User
Next

PowerShell 
$strComputer = "."
$colLogFiles = Get-WmiObject -Class Win32_NTLogEvent -ComputerName $strComputer | Where-Object {$_.LogFile -eq 'System'}

foreach ($objEvent in $colLoggedEvents)
{
"Category: " + $objEvent.Category
"Computer Name: " + $objEvent.ComputerName
"Event Code: " + $objEvent.EventCode
"Message: " + $objEvent.Message
"Record Number: " + $objEvent.RecordNumber
"Source Name: " + $objEvent.SourceName
"Time Written: " + $objEvent.TimeWritten
"Event Type: " + $objEvent.Type
"User: " + $objEvent.Use
}

WMI Tasks for Scripts and Applications

WMI C++ Application Examples

TechNet ScriptCenter