Hi all,
I seem to be missing something when I attempt to "convert" a VBS script to WMIC in
batch. Here's the properly executing VBS:dtmThisDay = Day(Date) dtmThisMonth = Month(Date) dtmThisYear = Year(Date) strBackupName = dtmThisYear & "." & dtmThisMonth _ & "." & dtmThisDay strComputer = "." Set objWMIService = GetObject("winmgmts:" _ & "{impersonationLevel=impersonate,(Backup)}!\\" & _ strComputer & "\root\cimv2") Set colLogFiles = objWMIService.ExecQuery _ ("Select * from Win32_NTEventLogFile " _ & "Where LogFileName='Application'") For Each objLogfile in colLogFiles objLogFile.BackupEventLog("d:\logs\EventViewer\" _ & strBackupName & _ ".application.evt") WScript.Echo "File saved: " & strBackupName & _ ".application.evt" NextHere's the batch file:
@ECHO OFF SETLOCAL :: Parse date FOR /F "tokens=2-4 delims=/ " %%A IN ("%DATE%") DO ( SET MM=%%A SET DD=%%B SET YY=%%C ) :: Ensure log directory exists IF NOT EXIST "D:\Logs\EventViewer" ( MKDIR "D:\Logs\EventViewer" ) :: Execute WMIC FOR %%A IN (Application Security System) DO ( WMIC /PRIVILEGES:ENABLE PATH Win32_NTEventlogFile WHERE LogfileName="%%A" ^ CALL BackupEventlog("D:\Logs\EventViewer\%YY%.%MM%.%DD%.%%A") ) :: Leave EXIT /BAnd here's the output relating to the Applications Event log:
Executing (\\D610-LAPTOP\root\cimv2:Win32_NTEventlogFile.Name="C:\\WINDOWS\\system32\\config\\AppEvent.Evt")->BackupEventlog() Method execution successful. Out Parameters: instance of __PARAMETERS { ReturnValue = 123; };I like that I'm getting "Method execution successful", but I don't like
"ReturnValue = 123". I think that it's the latter that is preventing any file
creation in my "D:\Logs\EventViewer" directory. Any clue what "ReturnValue = 123" is?When your only tool is a hammer, every problem looks like a nail.
Never mind. I was calling the method incorrectly. The parens are not needed. I
also didn't have an extension for the backup log file. My final batch file for those
interested:
@ECHO OFF SETLOCAL :: Parse date. FOR /F "tokens=2-4 delims=/ " %%A IN ("%DATE%") DO ( SET MM=%%A SET DD=%%B SET YY=%%C ) :: Ensure log directory exists. IF NOT EXIST "D:\Logs\EventViewer" ( MKDIR "D:\Logs\EventViewer" ) :: Execute WMIC to first backup events, then clear the log. FOR %%A IN (Application Security System) DO ( IF NOT EXIST "D:\Logs\EventViewer\%YY%.%MM%.%DD%.%%A.evt" ( WMIC PATH Win32_NTEventlogFile WHERE LogfileName="%%A" ^ CALL BackupEventlog "D:\Logs\EventViewer\%YY%.%MM%.%DD%.%%A.evt" WMIC PATH Win32_NTEventlogFile WHERE LogfileName="%%A" ^ CALL ClearEventLog ) ) :: Leave EXIT /BThis will backup and then clear the Application, Security, and System events in
Event Viewer, saving them to "D:\Logs\Event Viewer\".When your only tool is a hammer, every problem looks like a nail.
Ad Choices