Guy’s Scripting Ezine 6 – Event Viewer

Welcome to Guy’s Scripting Ezine 6 – Event Viewer

This was the first week of the HTML version of the Ezine.


I will let you into a secret

Most people born before 1950 think there is only one type of script – the .bat logon script. However, the more enlightened realize that there are other (better) ways of creating logon scripts.  Probably the best method for Windows networks is the combination of VBScript and WSH (Windows Scripting Host).


The Rise of WSH and VBScript

In the old NT 4.0 days, batch files ran in what some called a DOS window and others called a command shell.  Windows 2000 and Server 2003 have replaced that DOS shell with Windows Scripting Host.  The concept is similar to the way your Internet Explorer is a host to HTML files.  In this case WSH is the host and provides everything VBScript files need to run their lines of code.  Whilst I will concentrate on VBScript, WSH is versatile and interprets other languages, for example: JScript, Perl, Python or Rexx.

What makes WSH and VBScripting so powerful is the ability to query WMI (Windows Management Instrumentation). For instance, my first script this week will interrogate the Event Log to find out how many times the server has been shut down unexpectedly. As with most of my scripts, my desire is to show you a method and then for you to adapt the technique to your own purposes. So think of an Event and modify the script to query how often it occurred.

Another use for the WSH and VBScript combination is to query objects through ADSI (Active Directory Service Interfaces), but I will save that environment for another day. My message is: there is huge potential in WSH scripting.

WSH executables

Technically, the actual executables that perform all the WSH tasks are CScript and WScript. The latest version of CScript is 5.6; this is built into Windows Server 2003. Windows 2000, however, ships with version 2.0, but this is upgraded to version 5.6 when you install Service Pack 3 or later.

You can check out your version of CScript or WScript by simply running either command at the CMD prompt.

Script to count and display the number of unexpected shutdowns.

Instructions

  1. Copy the entire script in the blue box below.
  2. Paste it into notepad.exe.
  3. File (menu), Save as Shutdown.vbs   Note: Omitting the .vbs extension is where people go wrong.
  4. Double click Shutdown.vbs
  5. Wait 30 seconds and check the Windows Scripting Host flashing in the navigation area.

'VBScript
'Purpose of script: query the System log for unexpected shutdowns

'"." means the local computer
strComputer = "."
'Connect to the WMI service in the root\cimv2 namespace
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
'Event ID 6008 in the System log records an unexpected shutdown
Set colLoggedEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where Logfile = 'System' and " _
& "EventCode = '6008'")
Wscript.Echo "Unexpected shutdowns: " & colLoggedEvents.Count

Learning points

  1. strComputer = "." sets the script to query the current machine.
  2. Set objWMIService tells the script to use WMI as opposed to ADSI.
  3. Here is the crucial line: Logfile = 'System' and " _ & "EventCode = '6008'"
  4. Wscript.Echo calls for a message box to display the results.

Further ideas

Check out the Event Viewer System log for other events that you want to check.  Change the "Unexpected shutdowns: " text to whatever you are listing.



Script to Check Logon Failures

Instructions

  1. Copy the entire script in the blue box below.
  2. Paste it into notepad.exe.
  3. File (menu), Save as logonfailure.vbs   Note: Omitting the .vbs extension is where people go wrong.
  4. Double click logonfailure.vbs
  5. Wait 60 seconds and check the Windows Scripting Host flashing in the navigation area.


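'VBScript
'Purpose: check the Security log for Logon Failures
strComputer = "."
'The (Security) privilege is needed to read the Security log through WMI;
'run the script from an account that has rights to the Security log
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate,(Security)}!\\" & strComputer & "\root\cimv2")
'Count the Security log records that carry Event ID 673
Set colLoggedEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
& "EventCode = '673'")
Wscript.Echo "Logon Failures " & colLoggedEvents.Count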

Learning points

  1. This script checks the Security log, not the System log.
  2. If you do not get any logon failures, then log off and deliberately create some errors.
  3. Check your actual Security log, and note the Event IDs.  Substitute your IDs for 673.  If you change the ID number, change the Wscript.Echo "…." line.
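
The same technique narrowed the way an administrator reviewing failed logons would want, as an added example that is not part of the original ezine: it counts only audit-failure records (EventType 5) from the last 24 hours and groups them by Event ID, instead of counting one hard-coded ID over the whole log. It assumes the SWbemDateTime scripting object, which is present on Windows XP / Server 2003 and later; the 24-hour window and the variable names are illustrative choices.

```vbscript
' Added example (not from the original ezine): count Security-log audit
' failures from the last 24 hours, grouped by Event ID.
Option Explicit
Const AUDIT_FAILURE = 5     ' Win32_NTLogEvent.EventType value for Audit Failure
Const HOURS_BACK = 24       ' assumed look-back window; adjust as needed

Dim strComputer, objWMIService, dtmStart, strQuery, colEvents, objEvent
Dim dictCounts, strKey, strReport

strComputer = "."

' (Security) enables the privilege WMI needs to read the Security log.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" _
    & strComputer & "\root\cimv2")

' Convert "now minus HOURS_BACK" into the CIM datetime string WQL expects.
Set dtmStart = CreateObject("WbemScripting.SWbemDateTime")
dtmStart.SetVarDate DateAdd("h", -HOURS_BACK, Now()), True

' Only failure audits inside the time window are returned, which keeps the
' query fast and stops success audits from inflating the count.
strQuery = "Select EventCode from Win32_NTLogEvent " _
    & "Where Logfile = 'Security' " _
    & "and EventType = " & AUDIT_FAILURE & " " _
    & "and TimeGenerated >= '" & dtmStart.Value & "'"
Set colEvents = objWMIService.ExecQuery(strQuery)

' Tally the matching records per Event ID.
Set dictCounts = CreateObject("Scripting.Dictionary")
For Each objEvent In colEvents
    strKey = CStr(objEvent.EventCode)
    If dictCounts.Exists(strKey) Then
        dictCounts(strKey) = dictCounts(strKey) + 1
    Else
        dictCounts.Add strKey, 1
    End If
Next

strReport = "Audit failures in the last " & HOURS_BACK & " hours:" & vbCrLf
If dictCounts.Count = 0 Then
    strReport = strReport & "(none)"
Else
    For Each strKey In dictCounts.Keys
        strReport = strReport & "Event ID " & strKey & ": " _
            & dictCounts(strKey) & vbCrLf
    Next
End If
WScript.Echo strReport
```

Run it with cscript from an account that can read the Security log; a sudden rise in one Event ID's count is the cue to open Event Viewer and read the individual records.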
