WMI query fails to find a security event by its record number (Windows 2008 R2)

  • Question

  • Hi,

    I have a piece of software that retrieves new events from the event log in real time, every minute or so. To do so, I basically use the RecordNumber of the event to know how many events I have to process (I know the record number that I last read, and I only have to get the last event record number of the event log to know how far I have to read). To retrieve the events I use a WMI query like this:

    Select * from win32_ntlogevent where logfile="Security" and RecordNumber>=1000 and RecordNumber<2000

    This software has always worked fine, but now it is not working because the WMI queries are returning an empty result. This is happening on Windows 2008 / R2 Server when the event record number is bigger than 4294967296 (2^32); for instance, on one server the last record number is around 18.896.865.262! When I perform the following query (Select * from win32_ntlogevent where logfile="Security") I get the following result:

    [Embedded image 1]

    This is telling me that the last event has the record number 1.716.996.078 instead of 18.896.865.262. I figured out that this happens because WMI stores the record number in a UINT32, so the max value is 2^32, and it returns the record number truncated to 32 bits:

    18.896.865.262 mod 2^32 = 1.716.996.078

    My main problem is that if I want to retrieve event 18.896.865.262 I have no way to do so, because the following queries are not working:

    Select * from win32_ntlogevent where logfile="Security" and recordnumber=18896865262

    This query returns a class error because recordnumber 18896865262 is not a valid value.

    Select * from win32_ntlogevent where logfile="Security" and recordnumber=1716996078

    This query is the one that should work, because WMI returned that the last event is 1716996078; the problem is that it reports that the event does not exist!! This is the query my software executes, but it does not get any data!

    I found out that if I put quotes around the record number the query returns the correct data, but the query takes VERY VERY LONG, which makes it impossible to use. I assume that when using quotes there is some conversion to string which makes it work... but as I said, it takes too long to use that query!

    Select * from win32_ntlogevent where logfile="Security" and recordnumber="18896865262"

    I really need to use the RecordNumber in that query so I can be 100% sure that the events I'm processing will not be duplicates, and also because it's the best way to know the exact last-processed event. I'm thinking that this is an error in WMI; is there any way to make those queries work?

    Thanks!

    • Edited by Cesc Sáncez Tuesday, September 18, 2012 11:08 AM
    Tuesday, September 18, 2012 10:30 AM
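The truncation described in the post, reproduced as an added example (not code from the poster): it shows how a 64-bit record number ends up as the 32-bit value WMI displays, and how a collector that checkpoints its last full record number can map the truncated RecordNumber values from an unfiltered query back to full numbers without reprocessing events. The helper names are hypothetical, the sample values are constructed from the numbers quoted above, and it assumes fewer than 2^32 events are written between two checkpoints.

```python
# Added example, not from the original post. Reproduces the UINT32 truncation
# of Win32_NTLogEvent.RecordNumber the poster observed and shows how a
# collector that checkpoints the last full 64-bit record number can recover
# full values from the 32-bit field. Assumption: fewer than 2**32 events are
# written between two checkpoints. Sample values are constructed.

UINT32_MOD = 1 << 32


def truncate_to_uint32(record_number: int) -> int:
    """Value WMI reports when a 64-bit record number is stored in a UINT32."""
    return record_number % UINT32_MOD


def recover_full_record(truncated: int, last_full: int) -> int:
    """Rebuild the 64-bit record number from WMI's 32-bit value.

    Keeps the high 32 bits of the last processed full record number and
    adds one wrap (2**32) if the result would go backwards, which means the
    low 32 bits wrapped around since the checkpoint.
    """
    if not 0 <= truncated < UINT32_MOD:
        raise ValueError("truncated value must fit in a UINT32")
    candidate = (last_full & ~(UINT32_MOD - 1)) | truncated
    if candidate < last_full:
        candidate += UINT32_MOD
    return candidate


def new_records(wmi_truncated_numbers, last_full):
    """Map a batch of WMI RecordNumber values (in log order) to full numbers.

    Anything at or below the checkpoint is skipped so no event is processed
    twice; returns the new full numbers and the advanced checkpoint.
    """
    result = []
    for truncated in wmi_truncated_numbers:
        full = recover_full_record(truncated, last_full)
        if full > last_full:
            result.append(full)
            last_full = full
    return result, last_full


if __name__ == "__main__":
    last_full = 18_896_865_262                      # last record from the post
    print(truncate_to_uint32(last_full))            # 1716996078, as WMI shows
    # constructed batch: the checkpoint itself, one successor, then a wrap
    batch = [1_716_996_078, 1_716_996_079, 4_294_967_295, 0, 1]
    print(new_records(batch, last_full))
```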