How to: Query the Win32_NTLogEvent Class by User using WMI?

    Question

  • How to: Query the Win32_NTLogEvent Class by User using WMI?

    Problem: Getting 'Invalid Query' message when querying by User.

    Help please! The code is below, along with 2 good results from running the first query.

    Code:

    Imports System
    Imports System.Management

    Public Class Form1

        Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click

            Dim scope As ManagementScope
            scope = New ManagementScope("\\s211097\root\cimv2")
            scope.Connect()

            'EventType
            '1 Error
            '2 Warning
            '3 Information
            '4 Security audit success
            '5 Security audit failure

            Dim query As ObjectQuery

            'Get good results when using the first query
            query = New ObjectQuery("Select * from Win32_NTLogEvent Where Logfile = 'System' and EventType = '3'")

            'Get 'Invalid Query' message when using the queries below --- WHY ??? ---
            'Is it because the user has the slash \?
            'query = New ObjectQuery("Select * from Win32_NTLogEvent Where Logfile = 'System' and EventType = '3' and user = 'NT AUTHORITY\SYSTEM'")
            'query = New ObjectQuery("Select * from Win32_NTLogEvent Where Logfile = 'System' and EventType = '3' and user = 'BUILTIN\Administrators'")
            'query = New ObjectQuery("Select * from Win32_NTLogEvent Where Logfile = 'System' and EventType = '3' and user = 'XXXHQ\718330'")

            Dim searcher As ManagementObjectSearcher
            searcher = New ManagementObjectSearcher(scope, query)

            Dim queryCollection As ManagementObjectCollection
            queryCollection = searcher.Get()

            Dim m As ManagementObject
            For Each m In queryCollection
                ' Display the remote computer information
                Console.WriteLine("Category: " & m("Category") & vbNewLine _
                    & "Category String: " & m("CategoryString") & vbNewLine _
                    & "Computer Name: " & m("ComputerName") & vbNewLine _
                    & "Event Code: " & m("EventCode") & vbNewLine _
                    & "Message: " & m("Message") & vbNewLine _
                    & "Record Number: " & m("RecordNumber") & vbNewLine _
                    & "Source Name: " & m("SourceName") & vbNewLine _
                    & "Time Written: " & m("TimeWritten") & vbNewLine _
                    & "Time Generated: " & m("TimeGenerated") & vbNewLine _
                    & "Event Type: " & m("Type") & vbNewLine _
                    & "User: " & m("User") & vbNewLine)
            Next  '<------- Code stops here and says Invalid Query.

        End Sub

    End Class

     

    Good Results -- #1:

    Category: 0
    Category String:
    Computer Name: S211097
    Event Code: 7035
    Message: The Windows Installer service was successfully sent a start control.
    Record Number: 13570
    Source Name: Service Control Manager
    Time Written: 20051231233107.000000-300
    Time Generated: 20051231233107.000000-300
    Event Type: information
    User: NT AUTHORITY\SYSTEM

    Good Results -- #2:

    Category: 2
    Category String:
    Computer Name: S211097
    Event Code: 36
    Message: A user hit their quota threshold on volume C:.
    Record Number: 16847
    Source Name: Ntfs
    Time Written: 20060207142426.000000-300
    Time Generated: 20060207142426.000000-300
    Event Type: information
    User: BUILTIN\Administrators

     

    Tuesday, February 07, 2006 9:02 PM

All replies

  • Use WMI Code Creator v1.0:
    http://www.microsoft.com/downloads/details.aspx?familyid=2CC30A64-EA15-4661-8DA4-55BBC145C30E&displaylang=en

    This tool generates working code (in VB or C#) for WMI queries.

    Have fun with WMI ;-)

    Bartek



    Wednesday, May 31, 2006 4:01 PM
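
The 'Invalid Query' error in the question comes from the unescaped backslash: WQL treats \ as an escape character inside string literals, so an account name such as NT AUTHORITY\SYSTEM has to be written as NT AUTHORITY\\SYSTEM in the query text. The following is an added example, not code from this thread; EscapeWql and BuildQuery are hypothetical helper names, and the local \\.\root\cimv2 scope is an assumption that replaces the remote host used in the question.

```vb
Imports System
Imports System.Management

Module EventLogByUser

    ' Escape a value for a single-quoted WQL string literal. Backslashes are
    ' doubled first so the escapes added for quotes are not doubled again.
    Function EscapeWql(ByVal value As String) As String
        Return value.Replace("\", "\\").Replace("'", "\'").Replace("""", "\""")
    End Function

    ' Build the question's query with the User filter escaped.
    Function BuildQuery(ByVal logFile As String, ByVal eventType As Integer, _
                        ByVal user As String) As String
        Return String.Format( _
            "Select * from Win32_NTLogEvent Where Logfile = '{0}' " & _
            "and EventType = {1} and User = '{2}'", _
            EscapeWql(logFile), eventType, EscapeWql(user))
    End Function

    Sub Main()
        ' Assumption: "\\.\root\cimv2" targets the local machine instead of
        ' the remote host used in the question.
        Dim scope As New ManagementScope("\\.\root\cimv2")
        scope.Connect()

        ' Account names taken from the "good results" in the question.
        For Each account As String In New String() {"NT AUTHORITY\SYSTEM", "BUILTIN\Administrators"}
            ' The backslash in the account name is doubled in the WQL text.
            Dim wql As String = BuildQuery("System", 3, account)
            Console.WriteLine(wql)
            Try
                Using searcher As New ManagementObjectSearcher(scope, New ObjectQuery(wql))
                    For Each m As ManagementObject In searcher.Get()
                        Console.WriteLine("{0}  {1}  {2}", m("TimeGenerated"), m("EventCode"), m("User"))
                    Next
                End Using
            Catch ex As ManagementException
                ' An invalid WQL string raises ManagementException during enumeration.
                Console.WriteLine("Query failed: " & ex.Message)
            End Try
        Next
    End Sub
End Module
```

Routing every value through the escape helper also keeps an account name that arrives from user input or another system from closing the string literal and changing the query's filter.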