
Posts tagged ‘vista’

Some time ago I blogged about the Acctinfo2.dll tool and how unfortunate it was that a 64-bit version was not available.  Well, the good news is that you can now download a 64-bit version from here:


I have tested the DLL on both Windows Server 2008 and Windows Server 2008 R2 and it seems to work well.  However, please note this version is completely unsupported!  Download and use entirely at your own risk.


If you’ve spent some time with Vista or Windows Server 2008 you’ll have noticed that there are some fundamental changes to the Event Viewer.  One of the changes is in the way in which event logs can be filtered.  In addition to the point-and-click filter selection you can now also enter an XPath query by accessing the XML tab (see screenshots below).  This gives you the ability to filter using a much wider range of criteria.  Basically, you can search using anything that is presented in the event’s XML view, including the named fields under EventData, not just the System fields the Filter tab exposes.




The XPath queries take a bit of getting used to and as yet there don’t appear to be many publicly available examples.  Here are a few to get you started.  This query searches the Security event log for 4624 (successful logon) events with a TargetUserName of “User1” and a LogonType of “2” (interactive).

  <QueryList>
    <Query Id="0" Path="Security">
      <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4624)] and EventData[Data[@Name='TargetUserName']='User1'] and EventData[Data[@Name='LogonType']='2']]</Select>
    </Query>
  </QueryList>

The query below also looks for 4624 events, but this time for those with a WorkstationName of “Workstation1” and a LogonType of “3” (network).

  <QueryList>
    <Query Id="0" Path="Security">
      <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4624)] and EventData[Data[@Name='WorkstationName']='Workstation1'] and EventData[Data[@Name='LogonType']='3']]</Select>
    </Query>
  </QueryList>

Even though XPath can appear a little daunting at first, it is worth spending a bit of time with as it’s potentially quite powerful.  As with PowerShell, it is something that is likely to be here to stay.
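The same two filters can be run from PowerShell with Get-WinEvent -FilterXPath rather than pasted into the XML tab, which is handier when you want to pull the EventData fields out into a table or loop over several accounts.  The script below is an added example and not code from the original post; it needs PowerShell 2.0 or later and an elevated prompt (the Security log is not readable by standard users), and the names User1 and Workstation1 are the post’s placeholders, so substitute your own.

```powershell
# Added example, not code from the original post: run the two XPath filters above from
# PowerShell with Get-WinEvent -FilterXPath instead of pasting them into the XML tab.
# Reading the Security log requires an elevated prompt. The account name 'User1' and
# workstation name 'Workstation1' are the post's placeholders; substitute your own.

function Get-LogonEvents {
    param(
        [string]$TargetUserName,   # e.g. 'User1'
        [string]$WorkstationName,  # e.g. 'Workstation1'
        [int]$LogonType = 0,       # 2 = interactive, 3 = network, 10 = RemoteInteractive; 0 = any
        [int]$MaxEvents = 50
    )

    # Fixed part of the query: the Security Auditing provider and EventID 4624 (successful logon).
    $conditions = @("System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4624)]")

    # Append one EventData predicate per filter the caller supplied, exactly as in the post's queries.
    if ($TargetUserName)  { $conditions += "EventData[Data[@Name='TargetUserName']='$TargetUserName']" }
    if ($WorkstationName) { $conditions += "EventData[Data[@Name='WorkstationName']='$WorkstationName']" }
    if ($LogonType -ne 0) { $conditions += "EventData[Data[@Name='LogonType']='$LogonType']" }

    $xpath = '*[' + ($conditions -join ' and ') + ']'
    Write-Verbose "XPath: $xpath"

    # Get-WinEvent reports "No events were found" as an error, so suppress that and return nothing.
    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The EventData fields are only available through the event XML; index them by name.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                TimeCreated     = $_.TimeCreated
                TargetUserName  = $data['TargetUserName']
                TargetDomain    = $data['TargetDomainName']
                LogonType       = $data['LogonType']
                WorkstationName = $data['WorkstationName']
                IpAddress       = $data['IpAddress']
                LogonProcess    = $data['LogonProcessName']
            }
        }
}

# The two queries from the post: interactive logons by User1, and network logons from Workstation1.
Get-LogonEvents -TargetUserName 'User1' -LogonType 2 | Format-Table -AutoSize
Get-LogonEvents -WorkstationName 'Workstation1' -LogonType 3 | Format-Table -AutoSize
```

Because the names are spliced straight into the XPath string, a value containing a single quote will break the query (XPath 1.0 has no escape for a quote inside a quoted literal), so validate the input if the names come from anywhere other than your own typing.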

Windows Server 2008 (and Vista) offer improved options for event log management.  For example, you now have the option to forward events to a central event collector server.  You also now have powerful filtering capabilities.  One of the features I like is the Wevtutil command-line tool that allows you to retrieve, query, archive, export and clear events.   It’s the best option you have if you use Server Core and don’t want to open the firewall to allow remote access using the Event Viewer UI.

Recently, I had to schedule the export of events using Wevtutil using a time-based query.  It took me a little while to get the query syntax right, so I thought I would share it with you here.

Let’s take a scenario in which you want to export all events from the past 24 hours from the Security log to a *.evtx file.  (Note. The default format for exported event log files in Vista and Windows Server 2008 is *.evtx.  For a good explanation of the differences between evt and evtx see this blog entry).   You can leverage the Windows Event Viewer (eventvwr) to obtain the query required to filter the log to show only events from the past 24 hours.  To do this, click on your event log of choice (in this case Security).  In the right-hand action pane click Filter Current Log.  Within the Filter tab, select the drop-down list next to Logged and choose Last 24 hours.  Now click on the XML tab.   The query is embedded within the XML content, as follows (timediff returns the age of the event in milliseconds, so 86400000 is 24 hours):

 *[System[TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]


The Wevtutil command to use the filter is shown below (may wrap).

wevtutil.exe epl Security C:\SecurityLog24hours.evtx "/q:*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]" /ow:true

Note that you have to replace the “&lt;” escape sequence (the XML encoding of “less than”) from the XML tab with a literal “<” character, otherwise the query is not valid and you will receive the error below.  Keep the whole /q: argument inside double quotes as shown; an unquoted “<” at the cmd.exe prompt is treated as input redirection rather than being passed to wevtutil.

Failed to export log Security. The specified query is invalid.

The time-based filter I have used in this example only scratches the surface of the query capabilities you have with Wevtutil; any XPath that works in the Event Viewer XML tab can be passed to /q:, including the EventData filters shown earlier.  The fact that you can leverage the Event Viewer UI to build the queries takes a lot of the pain away.  For more information about Wevtutil, including all the available command line options, see this page on Microsoft Technet.
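For the scheduled export itself, the following script is an added example and not code from the original post.  It generalises the command above to an arbitrary window, computes the timediff value from the number of hours, runs wevtutil.exe epl, and then reads the resulting .evtx back with Get-WinEvent to confirm how many events were captured and that the oldest one falls inside the window.  It needs PowerShell 2.0 or later and an elevated prompt; the output folder C:\EventExports is an assumption.

```powershell
# Added example, not code from the original post: a script for a scheduled task that exports
# the last N hours of a log with wevtutil.exe using the timediff() query from the post, then
# reads the .evtx back to confirm the window it captured. Run elevated.
# The output folder C:\EventExports is an assumption; change it to suit.

param(
    [string]$LogName   = 'Security',
    [int]$Hours        = 24,
    [string]$OutFolder = 'C:\EventExports'
)

if (-not (Test-Path $OutFolder)) {
    New-Item -ItemType Directory -Path $OutFolder | Out-Null
}

# timediff(@SystemTime) returns the age of the event in milliseconds, so 24 hours = 86400000.
$windowMs = $Hours * 60 * 60 * 1000
$query    = "*[System[TimeCreated[timediff(@SystemTime) <= $windowMs]]]"

# Timestamp the file name so consecutive runs do not need /ow:true to overwrite each other.
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$outFile = Join-Path $OutFolder ('{0}-last{1}h-{2}.evtx' -f $LogName, $Hours, $stamp)

# The query uses a literal "<"; the "&lt;" shown in the Event Viewer XML tab is rejected by wevtutil.
# Passing the argument as one quoted string keeps the shell from treating "<" as redirection.
& wevtutil.exe epl $LogName $outFile "/q:$query"
if ($LASTEXITCODE -ne 0) {
    throw "wevtutil.exe epl failed with exit code $LASTEXITCODE"
}

# Verify: read the archive oldest-first and check that nothing older than the window slipped in.
$events = @(Get-WinEvent -Path $outFile -Oldest -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Output "Exported 0 events to $outFile"
} else {
    $age = (Get-Date) - $events[0].TimeCreated
    Write-Output ('Exported {0} events to {1}; oldest is {2:N0} minutes old' -f $events.Count, $outFile, $age.TotalMinutes)
    # Allow a minute for the export itself before complaining about an out-of-window event.
    if ($age.TotalMinutes -gt ($Hours * 60 + 1)) {
        Write-Warning 'Oldest exported event is outside the requested window'
    }
}
```

Register it with a scheduled task that runs as an account with the Manage auditing and security log right (or as SYSTEM), and pair it with a retention step that deletes exports older than your policy, since the Security log export contains logon names and source addresses you will want to protect and eventually dispose of.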