VBScript Event Log Tutorial
My holy grail in writing these pages is to combine real world scenarios with good examples of VBScript commands. The purpose of this advanced script is to filter Event Log data and then write the result to a text file.
On this page, I assume that you have mastered the basics of FSO (File System Object) and that you are looking for fresh examples to apply the .writeline techniques. The usual VBScript commands will act as the cement which combines FSO and WMI to produce a powerful and adaptable script.
If you need a refresher on WMI – Check here
Topics for Writing Event Log Data to a File
- Our Mission and Goal
- Example – Writing Event Log Data to a File
- VBScript Tutorial – Learning Points
- Summary of Writing Event Log Data to a File
Our Mission and Goal
Our real life mission is to filter events from the System Log and then output the results to a text file. Let us pretend that we must review all W32Time errors on your server. A quick search of the System (not Application) Log reveals that the messages we are interested in carry Event ID 17.
My hidden agenda is that you will use this script as a template. I hope that you will amend the Event ID number so that you can write significant events on your network to a text file. Possible troubleshooting scenarios are researching DNS connectivity, Netlogon problems, or Active Directory replication. Just investigate which Event ID records the data you are interested in and then amend intNumberID in the example script.
Example – Writing Event Log Data to a File
By introducing variables, we can choose not only the type of log, for example Security, Application or System, but also the Event ID number.
Whatever problem you are troubleshooting with the Event Viewer, the chances are you only need to analyze one or two of the hundreds of Event IDs. VBScript, with its If ... Then ... End If statements, is an ideal vehicle for filtering Event Log IDs. You would not want to make life difficult by echoing the results to screen; it is much more convenient to write the details to a text file.
Prerequisites
I recommend that you log on as administrator. This is a script that will execute equally well on a Windows server or an XP machine.
Instructions for VBScript Event Log
- Copy and paste the example script below into notepad or a VBScript editor.
- Decide whether to change the value for the strxyz variables.
- Double click and check Windows Explorer for your filtered Event Log details.
Sample Script to Write Event Log Data to a File
' EventLogFSO.vbs
' Example VBScript Event Log to create a file
' Author Guy Thomas https://computerperformance.co.uk/
' Version 1.8 - June 2010
' ---------------------------------------------
Option Explicit
Dim objFso, objFolder, objWMI, objItem, objShell, strEventLog
Dim strFile, strComputer, strFolder, strFileName, strPath
Dim intNumberID, intRecordNum, colLoggedEvents
' ---------------------------------------------
' Set the folder and file name
' Set numbers
intNumberID = 17                  ' Event ID Number
intRecordNum = 0
strComputer = "."
strFileName = "\Event" & intNumberID & ".txt"
strFolder = "e:\logs\eventlog"
strPath = strFolder & strFileName
strEventLog = "'System'"          ' The single quotes are part of the WQL text
' ---------------------------------------------
' Section to create the folder that holds the file.
Set objFso = CreateObject("Scripting.FileSystemObject")
If objFso.FolderExists(strFolder) Then
    Set objFolder = objFso.GetFolder(strFolder)
Else
    Set objFolder = objFso.CreateFolder(strFolder)
    WScript.Echo "Folder created " & strFolder
End If
WScript.Echo " Press OK and Wait 30 seconds (ish)"
Set strFile = objFso.CreateTextFile(strPath, True)   ' True = over-write an existing file
Set objWMI = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMI.ExecQuery _
    ("Select * from Win32_NTLogEvent Where Logfile = " & strEventLog)
' ---------------------------------------------
' Next section loops through the events and writes only the chosen Event ID
For Each objItem In colLoggedEvents
    If objItem.EventCode = intNumberID Then
        strFile.WriteLine "Category: " & objItem.Category _
            & " string " & objItem.CategoryString
        strFile.WriteLine "ComputerName: " & objItem.ComputerName
        strFile.WriteLine "Logfile: " & objItem.Logfile _
            & " source " & objItem.SourceName
        strFile.WriteLine "EventCode: " & objItem.EventCode
        strFile.WriteLine "EventType: " & objItem.EventType
        strFile.WriteLine "Type: " & objItem.Type
        strFile.WriteLine "User: " & objItem.User
        strFile.WriteLine "Message: " & objItem.Message
        strFile.WriteLine " "
        intRecordNum = intRecordNum + 1
    End If
Next
strFile.Close                     ' Flush and release the file before opening it
' Confirms the script has completed and opens the text file with its associated program
Set objShell = CreateObject("WScript.Shell")
objShell.Run "explorer.exe " & Chr(34) & strPath & Chr(34)
WScript.Quit
' End of Guy's Sample FSO VBScript
VBScript Event Log Tutorial – Learning Points
1) Once the script is working, you can have fun changing the values of the various variables, for example selecting different Event IDs. Take the time to investigate important Event IDs in other logs, for example the Application log. Another suggestion is to investigate the System log, but on a different machine.
2) strEventLog = " 'Security' " nearly drove me mad. You have to be precise with the quotation marks and the spaces. " ' Security '" has too much space between the single quotes and the name Security.
3) In this example, I have employed objShell.Run to help the reader by opening the text file ready to examine the entries.
4) You may wish to review my other FSO examples and try adding lines that append the data rather than over-write it.
5) I have largely ignored the WMI element of this script. There is a fine line beyond which too much information becomes confusing, which is why I concentrate on only two or three elements. However, WMI has its own section full of winmgmts and CIM examples.
Example VBScript Event Log – Interrogate the System Log
Scenario:
You want to extract a particular Event ID from the System log. Let us pretend that you have become paranoid about synchronizing the time on all servers. Following a little research of the System log, you want a list of all records showing W32Time Event ID 12.
Talking of dilemmas, I was torn between putting in an extra message box to show that something was happening and just leaving you to wait for an eternity before your first file is created. In the event I put in two message boxes. Warning: remember that you must dismiss the FIRST message box so that the script will continue processing. Suggestion: once you realise how long the script needs to process the logs, comment out (prefix with ') the line WScript.Echo " Press OK..."
Instructions
- Pre-requisites. For this script to work, you need any modern operating system: Windows 2000, 2003 or XP.
- Copy and paste the script below into notepad. Important: check the variables section of the script and alter strFolder to suit your machine.
- Save the file with a .vbs extension, e.g. Event12.vbs.
- Double click. Press OK to dismiss the first message box. I hope you didn't get a 'Path not found' error; if you did, check point 3.
- WARNING, note well: nothing more will happen until you dismiss the first message box.
- Use the second message box to find your text file!
' EventID12.vbs
' VBScript Event Log example to check the Event ID.
' Version 1.9
' Guy Thomas 1st August 2010
Option Explicit
Dim objFso, objFolder, objWMI, objEvent                   ' Objects
Dim strFile, strComputer, strFolder, strFileName, strPath ' Strings
Dim intEvent, intNumberID, intRecordNum, colLoggedEvents
' --------------------------------------------
' Set your variables
intNumberID = 12                  ' Event ID Number
intEvent = 1                      ' Position of the current event in the log
intRecordNum = 0                  ' Count of matching events written to the file
strComputer = "."
strFileName = "\Event12.txt"
strFolder = "C:\GuyScripts"
strPath = strFolder & strFileName
' --------------------------------------------
' Section to create the folder that holds the file.
Set objFso = CreateObject("Scripting.FileSystemObject")
If objFso.FolderExists(strFolder) Then
    Set objFolder = objFso.GetFolder(strFolder)
Else
    Set objFolder = objFso.CreateFolder(strFolder)
    WScript.Echo "Folder created " & strFolder
End If
' --------------------------------------------
' Next section creates the file to store Events,
' then creates the WMI connector to the Logs
Set strFile = objFso.CreateTextFile(strPath, True)
Set objWMI = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMI.ExecQuery _
    ("Select * from Win32_NTLogEvent Where Logfile = 'System'")
WScript.Echo " Press OK and Wait 30 seconds (ish)"
' --------------------------------------------
' Next section loops through ID properties
For Each objEvent In colLoggedEvents
    If objEvent.EventCode = intNumberID Then
        strFile.WriteLine "Record No: " & intEvent
        ' strFile.WriteLine "Category: " & objEvent.Category
        strFile.WriteLine "Computer Name: " & objEvent.ComputerName
        strFile.WriteLine "Event Code: " & objEvent.EventCode
        ' strFile.WriteLine "Message: " & objEvent.Message
        ' strFile.WriteLine "Record Number: " & objEvent.RecordNumber
        strFile.WriteLine "Source Name: " & objEvent.SourceName
        ' strFile.WriteLine "Time Written: " & objEvent.TimeWritten
        strFile.WriteLine "Event Type: " & objEvent.Type
        strFile.WriteLine "User: " & objEvent.User
        strFile.WriteLine " "
        intRecordNum = intRecordNum + 1
    End If
    intEvent = intEvent + 1
Next
strFile.Close                     ' Flush and release the file before announcing it
WScript.Echo "Check " & strPath & " for " & intRecordNum & " events"
WScript.Quit
' End of Guy's example VBScript
Learning Points
Note 1: ' Top Section
Lines beginning with ' are remarks (comments), just for our reference.
Option Explicit forces me to declare my variables, which I do with Dim (dimension) statements. Guy loosely follows the Hungarian convention where the 'str' prefix means a string variable whereas 'int' means an integer or number. Guess what obj means? Yes, object.
Note 2: ‘ Set your variables
If Guy wrote the script, then always check the script for variables. Whilst I try to design scripts which run as automatically as possible, there are occasions, such as this script, where you need to adjust a variable. It would be boring if I set the path to C:\, so change strFolder (and hence strPath) to point at a folder on your machine. In the case of this script, I hope that editing the path will make you think, 'Where should I look for the output?'
The variables beginning with ‘int’ are for numbers.
Note 3: FSO – Primer.
How can we output the information? WScript.Echo has its place, but in this example it would swamp you with data and give you RSI from clicking the message boxes. No, we need a different vehicle for the output. This is where FSO comes in handy: use objFso to create a text file object and hold it in strFile. We can then fill strFile with data from the event logs. The idea is that we use notepad to read the events at our leisure. As a matter of interest, 'True' in this context means over-write the file referenced by strPath if it already exists.
Time to take a break from our long journey to find those Event Log IDs. Please find the time to admire how the script creates the C:\GuyScripts folder. Once again, check how FSO uses those 'Get' and 'Create' statements, as in GetFolder and CreateFolder.
Note 4: Pure WMI.
WMI stands for Windows Management Instrumentation; in practice this means the script's direct line to the operating system's information store. In logon scripts, you may have seen CreateObject("wscript.network"); well, here with WMI, the key object is winmgmts. Windows, or to be precise winmgmts, knows about Win32_xyz objects, for example printers, computers or disks. In our case, the object that we are interested in is the event log, to be precise Win32_NTLogEvent. Incidentally, a good scripting program like VBsEdit will show you all these WMI objects and assist you in interrogating them.
Note the tiny word 'Set'. So often in VBScript the 'Set' command is essential to create, form or hold the object you are working on.
'impersonate' sets the security credentials; in this case just accept that we use the default security settings, so the script runs with the rights of the user who launched it.
The operating system, and its front end the registry, are huge places. "\root\cimv2" tells WMI which namespace to connect to, or where to begin its search for the winmgmts objects.
The 'col' prefix, as in colLoggedEvents, denotes a collection. This convention makes sense for Event Logs, which have zillions of entries. Think of col as part of the mechanism to extract information and write it to a file.
With scripting, each and every word is important; here we see an SQL-style (WQL) statement:
"Select * from Win32_NTLogEvent Where Logfile = 'System'". I would like to draw your attention to the 'Where'. What is happening is that the script is searching through the System Log as opposed to the Application or Security log. Useful information if you wanted to amend my script.
Note 5: strFile section.
The scripting work is practically finished; all that is left is a logic or business decision about which properties to record in strFile. In cases where you are not interested in a particular property, simply comment out the lines, or be ruthless and just delete the offending line.
So much of the power of a script, any script, comes from the ability to mechanically cycle through data. Here we employ not the simple For ... Next loop, but the more advanced For Each ... Next loop.
In order to filter the data, we have one of the oldest, but most versatile, commands: If ... Then ... End If. Remember that in our featured script we only want a specific Event ID, a number held by the intNumberID variable, perfect for an If statement. (Just remember that End If.)
The final method featured by this script is .WriteLine. Our script needs to be instructed what to do with the objEvent properties; WriteLine provides that link and outputs the events to strFile. If you remember, strFile is the variable that holds the text file opened for the script output.
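The next script is an added example, not Guy's code, pulling together the learning points above: appending to the output file rather than over-writing it (point 4 and Note 3), building the Logfile = 'System' text without the quoting pitfalls of point 2, and moving the Event ID test out of the If statement and into the WQL Where clause so WMI does the filtering instead of the script. The folder C:\GuyScripts, the file name EventFilter.txt and the list of Event IDs are assumptions; change them to suit.

```vbscript
' EventLogAppend.vbs - added example, not part of the original page
' Filters one log for a list of Event IDs inside the WQL Where clause,
' then appends the matches to a text file instead of over-writing it.
Option Explicit
Const ForAppending = 8            ' OpenTextFile mode: add lines to the end of the file
Dim objFso, objWMI, objFile, objItem, objDate, colEvents
Dim strComputer, strLogName, strFolder, strPath, strQuery
Dim arrEventIDs, intID, intRecordNum

strComputer = "."
strLogName = "System"             ' Application, Security or System
arrEventIDs = Array(12, 17)       ' Assumed: the two W32Time IDs used on this page
strFolder = "C:\GuyScripts"       ' Assumed output folder; change to suit
strPath = strFolder & "\EventFilter.txt"

Set objFso = CreateObject("Scripting.FileSystemObject")
If Not objFso.FolderExists(strFolder) Then objFso.CreateFolder strFolder
' Third argument True creates the file if it is missing; mode 8 keeps the old lines.
Set objFile = objFso.OpenTextFile(strPath, ForAppending, True)

' Build the Where clause. Chr(39) is the single quote, so the log name comes
' out exactly as WQL expects ('System') with no stray spaces inside the quotes.
strQuery = "Select * from Win32_NTLogEvent Where Logfile = " _
    & Chr(39) & strLogName & Chr(39) & " And ("
For intID = 0 To UBound(arrEventIDs)
    If intID > 0 Then strQuery = strQuery & " Or "
    strQuery = strQuery & "EventCode = " & arrEventIDs(intID)
Next
strQuery = strQuery & ")"

Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\cimv2")
Set colEvents = objWMI.ExecQuery(strQuery)
Set objDate = CreateObject("WbemScripting.SWbemDateTime")   ' converts WMI timestamps

intRecordNum = 0
objFile.WriteLine "Run at " & Now & " - log " & strLogName _
    & " - IDs " & Join(arrEventIDs, ",")
For Each objItem In colEvents
    objDate.Value = objItem.TimeWritten       ' WMI yyyymmddHHMMSS.ffffff+zzz form
    objFile.WriteLine objDate.GetVarDate(True) & vbTab & objItem.EventCode & vbTab _
        & objItem.SourceName & vbTab & objItem.ComputerName & vbTab & objItem.User
    intRecordNum = intRecordNum + 1
Next
objFile.Close                     ' Flush the file before anyone opens it
WScript.Echo "Appended " & intRecordNum & " events to " & strPath
```

Because the filtering happens in the query, WMI returns only the matching events, so the 30 second wait of the featured scripts largely disappears, and each run adds a dated header so successive runs can be told apart in the one file.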
Summary of Writing Event Log Data to a File
When you are researching Event Logs, you may find it easier to handle the data if you filter data for the Event ID under investigation. The combination of FSO, WMI and VBScript is ideal for reading the Event Logs and refining the data into a text file.