VBScript – Query the Event Log

VBScript to Query the Event Log

The purpose of the script is to look through the System Event Log. This particular example counts how many entries have the EventCode for unexpected shutdowns (6008).



  1. Copy the entire script in the blue box below.
  2. Paste it into notepad.exe.
  3. File (menu), Save as Shutdown.vbs. Note: omitting the .vbs extension is where people go wrong.
  4. Double click Shutdown.vbs
  5. Wait 30 seconds and check the Windows Scripting Host flashing in the navigation area.

' Purpose of script: query the System log for unexpected shutdowns

' "." means the local machine
strComputer = "."
' Connect to the WMI service in the root\cimv2 namespace
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Select the System log entries whose EventCode is 6008
Set colLoggedEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where Logfile = 'System' and " _
& "EventCode = '6008'")
' Display the number of matching entries
Wscript.Echo "Unexpected shutdowns: " & colLoggedEvents.Count

Learning points

  1. strComputer = "." sets the script to query the current machine.
  2. Set objWMIService tells the script to use WMI as opposed to ADSI.
  3. Here is the crucial line: Logfile = 'System' and " _ & "EventCode = '6008'"
  4. Wscript.Echo calls for a message box to display the results.


More ideas

Check the System log in Event Viewer for other Event IDs that you want to count. Alter EventCode = '6008' to your event number.

Finally, change the text in WScript.Echo "Unexpected shutdowns: " to reflect the event you are counting.
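
The idea in "More ideas", carried a step further as an added example (not part of the original script): the event number becomes a parameter, the query is limited to a recent time window, and each match is listed with its time and source so the count can be checked against Event Viewer. The 30-day window, the second event ID (1074) and the function name ReportEvents are assumptions chosen for illustration.

```vbscript
' Added example: report recent System log events for several event IDs.
Option Explicit

Const CONVERT_TO_LOCAL_TIME = True
Const DAYS_BACK = 30                 ' assumption: look-back window in days

Dim strComputer, objWMIService, dtmStart, arrCodes, strCode
strComputer = "."
' 6008 comes from the page; 1074 is an assumed second ID for illustration
arrCodes = Array("6008", "1074")

Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' Build the CIM datetime string WMI expects for the start of the window
Set dtmStart = CreateObject("WbemScripting.SWbemDateTime")
dtmStart.SetVarDate DateAdd("d", -DAYS_BACK, Now), CONVERT_TO_LOCAL_TIME

For Each strCode In arrCodes
    WScript.Echo ReportEvents(strCode)
Next

' Returns a count line followed by one line per matching event
Function ReportEvents(strEventCode)
    Dim colEvents, objEvent, dtmWritten, strOut, intCount
    Set colEvents = objWMIService.ExecQuery( _
        "Select * from Win32_NTLogEvent Where Logfile = 'System' and " _
        & "EventCode = '" & strEventCode & "' and " _
        & "TimeWritten >= '" & dtmStart.Value & "'")
    Set dtmWritten = CreateObject("WbemScripting.SWbemDateTime")
    intCount = 0
    strOut = ""
    For Each objEvent In colEvents
        ' Convert the CIM datetime to a readable local date and time
        dtmWritten.Value = objEvent.TimeWritten
        strOut = strOut & vbCrLf & "  " & dtmWritten.GetVarDate(True) _
            & "  " & objEvent.SourceName
        intCount = intCount + 1
    Next
    ReportEvents = "Event " & strEventCode & " in the last " & DAYS_BACK _
        & " days: " & intCount & strOut
End Function
```

Run it with cscript.exe to get console output instead of one message box per event ID. The SourceName column matters because an event number is only meaningful together with the source that logged it.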
