How to fetch GPO logs displayed in Event viewer using WMI

  • Question

  • Hello everybody!

    Can anybody tell me which is the WMI query that I need to execute to retrieve the set of GPO logs being displayed in Event Viewer under "Application and Services Logs/Microsoft/Windows/GroupPolicy/Operational"?

    I cannot find a single thread opened with this information, and I need to find a way to recover these logs using a WMI query.

    I have tried with this query: SELECT * from Win32_NTLogEvent WHERE SourceName = 'Microsoft-Windows-GroupPolicy'

    However I'm only retrieving 2 rows, while I have 1,228 logs in the Operational section of the Event Viewer.

    Any help would be strongly appreciated.

    Thank you all!

    Wednesday, August 29, 2018 11:22 AM

All replies

  • Hi Lucas.Alvarez.Lacasa,

    Thank you for posting here.

    For your question, I am not sure what the difference is between the 2 rows which you get and the 1228 logs in the Operational section of the Event Viewer. But I made some simple code to test, and I could get 250 rows, not only 2 rows. Please try the code. If it does not solve your question, please check the difference between the 2 rows and the 1228 logs, and provide more details about it. Maybe the 1228 logs are not only for Microsoft-Windows-GroupPolicy.

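        using System.Management;  // requires a reference to System.Management

        // Query the WMI event log class, filtered by event source
        ManagementObjectSearcher searcher =
            new ManagementObjectSearcher("root\\CIMV2",
                "SELECT * FROM Win32_NTLogEvent WHERE SourceName = 'Microsoft-Windows-GroupPolicy'");

        foreach (ManagementObject queryObj in searcher.Get())
        {
            // get something you want
        }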

    Best Regards,

    Wendy


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.


    Thursday, August 30, 2018 2:52 AM
    Moderator
  • Hello Wendy! Thanks for your reply.

    Sadly this is throwing the same results as the query I showed you before. I'm running these WMI queries through a program called SimpleWMIView, which allows you to see in a table format the result of your WMI query.

    I tried running a program with the same code that you pasted here and it's also returning only 2 results, while the event viewer displays 1.270 logs inside of GroupPolicy -> Operational. Honestly I don't know what's wrong.

    I tried pasting images here, but it's telling me that I cannot do that until they verify my account. I don't know how to do that.

    Thank you!

    Thursday, August 30, 2018 12:23 PM
  • Also, can you please verify that the amount of results that you get running this program matches the amount of logs that you have in the event log under GroupPolicy -> Operational.

    Thank you!

    Thursday, August 30, 2018 12:34 PM
  • Hi Lucas.Alvarez.Lacasa,

    Thank you for the feedback. I did the test again. The code below could solve your question. Please try it.

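        using System;
        using System.Collections.Generic;
        using System.Diagnostics.Eventing.Reader;

        public static class Program
        {
            public static void Main(string[] args)
            {
                // TimeCreated/@SystemTime is stored in UTC, so build the 10-day window from UtcNow
                string queryString = string.Format("*[System[TimeCreated[@SystemTime>='{0}' and @SystemTime<='{1}']]]",
                    DateTime.UtcNow.AddDays(-10).ToString("o"),
                    DateTime.UtcNow.ToString("o"));
                var q = new EventLogQuery("Microsoft-Windows-GroupPolicy/Operational", PathType.LogName, queryString);

                var list = new List<EventRecord>();
                using (var r = new EventLogReader(q))
                {
                    // ReadEvent() returns null once the log is exhausted
                    EventRecord er = r.ReadEvent();
                    while (er != null)
                    {
                        list.Add(er);
                        er = r.ReadEvent();
                    }
                }
                Console.WriteLine(list.Count);  // number of events read
                Console.ReadKey();
            }
        }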

    My event view of Microsoft-Windows-GroupPolicy/Operational has 6905 events.

    Here is the number of the list which I get from the code.

    Best Regards,

    Wendy



    • Proposed as answer by Stanly Fan Monday, September 3, 2018 7:55 AM
    Friday, August 31, 2018 8:03 AM
    Moderator
  • Hello Wendy! Thank you one more time for replying.

    That code works perfectly, and it gives me back the exact same number of logs that I can find in the event viewer inside of Operational. However, what I need to accomplish is to get this through WMI, and the query you pasted initially does not work properly. It does not provide me with the same number of logs that I have in the event viewer; it only gives me back two results.

    Here are a couple of screenshots:

    WMI results:

    Logs in the event viewer for GPO:

    Maybe there's something not properly configured on my PC, to be honest I don't have a clue.

    Thank you!

    Monday, September 3, 2018 11:54 AM
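
The following diagnostic is an added example, not code from any participant in this thread. It groups the rows returned by the thread's WMI query by their `Logfile` property, lists the log files that WMI exposes through `Win32_NTEventlogFile` (the classic event logs), and counts the events in the `Microsoft-Windows-GroupPolicy/Operational` channel with `EventLogReader`, so the two result sets can be compared on the same machine. The class name `GpoLogSources` is hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Management;   // requires a reference to System.Management

static class GpoLogSources   // hypothetical name, for illustration only
{
    const string Source  = "Microsoft-Windows-GroupPolicy";
    const string Channel = "Microsoft-Windows-GroupPolicy/Operational";

    static void Main()
    {
        // 1. Same WMI query as in the thread, but grouped by the log file
        //    each row actually comes from.
        var perLog = new Dictionary<string, int>();
        using (var searcher = new ManagementObjectSearcher("root\\CIMV2",
            "SELECT Logfile FROM Win32_NTLogEvent WHERE SourceName = '" + Source + "'"))
        foreach (ManagementObject row in searcher.Get())
        {
            string log = (string)row["Logfile"];
            perLog[log] = perLog.TryGetValue(log, out int n) ? n + 1 : 1;
        }
        foreach (var kv in perLog)
            Console.WriteLine("WMI rows in log '{0}': {1}", kv.Key, kv.Value);

        // 2. Log files visible to Win32_NTLogEvent. If the Operational channel
        //    is not listed here, the WMI query cannot return its events.
        using (var searcher = new ManagementObjectSearcher("root\\CIMV2",
            "SELECT LogfileName, NumberOfRecords FROM Win32_NTEventlogFile"))
        foreach (ManagementObject file in searcher.Get())
            Console.WriteLine("WMI-visible log: {0} ({1} records)",
                file["LogfileName"], file["NumberOfRecords"]);

        // 3. Event count in the channel, read without a time filter.
        int channelCount = 0;
        using (var reader = new EventLogReader(new EventLogQuery(Channel, PathType.LogName)))
        {
            for (EventRecord e = reader.ReadEvent(); e != null; e = reader.ReadEvent())
            {
                channelCount++;
                e.Dispose();   // release the native event handle
            }
        }
        Console.WriteLine("Events in channel '{0}': {1}", Channel, channelCount);
    }
}
```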