Hi all,
I seem to be missing something when I attempt to “convert” a VBS script to WMIC in
batch. Here’s the properly executing VBS:
' Build a YYYY.M.D stamp for the backup file name
dtmThisDay = Day(Date)
dtmThisMonth = Month(Date)
dtmThisYear = Year(Date)
strBackupName = dtmThisYear & "." & dtmThisMonth _
    & "." & dtmThisDay

' Connect to WMI on the local machine with the Backup privilege enabled
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Backup)}!\\" & _
    strComputer & "\root\cimv2")

Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile " _
    & "Where LogFileName='Application'")

For Each objLogfile in colLogFiles
    objLogFile.BackupEventLog("d:\logs\EventViewer\" _
        & strBackupName & _
        ".application.evt")
    WScript.Echo "File saved: " & strBackupName & _
        ".application.evt"
Next
Here’s the batch file:
@ECHO OFF
SETLOCAL
:: Parse date
FOR /F "tokens=2-4 delims=/ " %%A IN ("%DATE%") DO (
    SET MM=%%A
    SET DD=%%B
    SET YY=%%C
)
:: Ensure log directory exists
IF NOT EXIST "D:\Logs\EventViewer" (
    MKDIR "D:\Logs\EventViewer"
)
:: Execute WMIC
FOR %%A IN (Application Security System) DO (
    WMIC /PRIVILEGES:ENABLE PATH Win32_NTEventlogFile WHERE LogfileName="%%A" ^
        CALL BackupEventlog("D:\Logs\EventViewer\%YY%.%MM%.%DD%.%%A")
)
:: Leave
EXIT /B
And here’s the output relating to the Applications Event log:
Executing (\\D610-LAPTOP\root\cimv2:Win32_NTEventlogFile.Name="C:\\WINDOWS\\system32\\config\\AppEvent.Evt")->BackupEventlog()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 123;
};
I like that I’m getting “Method execution successful”, but I don’t like
“ReturnValue = 123”. I think that it’s the latter that is preventing any file
creation in my “D:\Logs\EventViewer” directory. Any clue what “ReturnValue = 123” is?
When your only tool is a hammer, every problem looks like a nail.
Never mind. I was calling the method incorrectly. The parens are not needed. I
also didn’t have an extension for the backup log file. My final batch file for those
interested:
@ECHO OFF
SETLOCAL
:: Parse date.
FOR /F "tokens=2-4 delims=/ " %%A IN ("%DATE%") DO (
    SET MM=%%A
    SET DD=%%B
    SET YY=%%C
)
:: Ensure log directory exists.
IF NOT EXIST "D:\Logs\EventViewer" (
    MKDIR "D:\Logs\EventViewer"
)
:: Execute WMIC to first backup events, then clear the log.
FOR %%A IN (Application Security System) DO (
    IF NOT EXIST "D:\Logs\EventViewer\%YY%.%MM%.%DD%.%%A.evt" (
        WMIC PATH Win32_NTEventlogFile WHERE LogfileName="%%A" ^
            CALL BackupEventlog "D:\Logs\EventViewer\%YY%.%MM%.%DD%.%%A.evt"
        REM Clear only once the backup file actually exists, so a failed backup never loses events.
        IF EXIST "D:\Logs\EventViewer\%YY%.%MM%.%DD%.%%A.evt" (
            WMIC PATH Win32_NTEventlogFile WHERE LogfileName="%%A" ^
                CALL ClearEventLog
        )
    )
)
:: Leave
EXIT /B
This will back up and then clear the Application, Security, and System events in
Event Viewer, saving them to “D:\Logs\EventViewer”.
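For anyone landing here with the same symptom: ReturnValue is the Win32 error code the method handed back, and 123 is ERROR_INVALID_NAME (“The filename, directory name, or volume label syntax is incorrect”), which is exactly what the parentheses wrapped around the path in the first batch file produce. The batch file below is an added example, not code from this thread; it assumes the same D:\Logs\EventViewer directory and an elevated prompt or scheduled task (the Security log needs the backup privilege, which WMIC enables by default). It goes a little further than the posted script: the date stamp comes from WMI rather than %DATE%, so it does not depend on the regional date format of whichever account runs the task; the ReturnValue is read back out of the WMIC output; and a log is only cleared after its backup has been confirmed on disk.

```batch
@ECHO OFF
SETLOCAL ENABLEDELAYEDEXPANSION

:: Destination for the backups (assumed; same directory the thread uses).
SET "LOGDIR=D:\Logs\EventViewer"
IF NOT EXIST "%LOGDIR%" MKDIR "%LOGDIR%"

:: Build YYYY.MM.DD from the CIM_DATETIME that WMI returns
:: (looks like 20240131093000.000000+060), instead of parsing %DATE%,
:: whose layout depends on the regional settings of the running account.
:: Only the leading characters are sliced off, so the stray CR that WMIC
:: output carries in FOR /F never reaches the stamp.
FOR /F "tokens=2 delims==" %%D IN ('WMIC OS GET LocalDateTime /VALUE') DO SET "LDT=%%D"
SET "STAMP=%LDT:~0,4%.%LDT:~4,2%.%LDT:~6,2%"

SET "FAILED=0"
FOR %%L IN (Application Security System) DO (
    SET "TARGET=%LOGDIR%\%STAMP%.%%L.evt"
    SET "RC="
    SET "OK=0"

    REM Run the backup and pick the N out of the "ReturnValue = N;" line.
    REM 0 is success; anything else is a Win32 error code (123 = ERROR_INVALID_NAME).
    REM Delimiters are "=", ";" and space, so the number is always token 2
    REM whether WMIC indents the line with tabs or spaces.
    FOR /F "tokens=2 delims==; " %%R IN ('WMIC PATH Win32_NTEventLogFile WHERE LogFileName="%%L" CALL BackupEventLog "!TARGET!" ^| FIND "ReturnValue"') DO SET "RC=%%R"

    REM Two separate IFs avoid the ELSE binding only to the inner test.
    IF "!RC!"=="0" IF EXIST "!TARGET!" SET "OK=1"

    IF "!OK!"=="1" (
        ECHO Backed up %%L to !TARGET!
        REM Clear only after the backup is verified on disk; clearing without a
        REM good backup destroys the audit trail.
        WMIC PATH Win32_NTEventLogFile WHERE LogFileName="%%L" CALL ClearEventLog >NUL
    ) ELSE (
        ECHO Backup of %%L FAILED, ReturnValue=!RC!, log left intact
        SET "FAILED=1"
    )
)

:: Exit code 1 means at least one log was not backed up and was therefore not cleared.
EXIT /B %FAILED%
```

Run it from an elevated cmd prompt and check the exit code from the scheduler; a non-zero result is the cue to look at the disk or the path before anything is lost. Note that WMIC is deprecated and no longer shipped by default on recent Windows 11 builds; there the same export is done with wevtutil epl.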