Managing `EventLog` using Visual Basic.NET and VBScript

This article explains how to manage “EventLog” information dynamically using Visual Basic.NET and VBScript. You will learn how to list all events, how to make a backup of the “EventLog” dynamically, and how to perform many other tasks as well.

A downloadable file for this article is available here. The sample downloadable solution (zip) was entirely developed using Visual Studio.NET 2003 Enterprise Architect on Windows Server 2003 Standard Edition. But I am confident that it would work with other versions of Windows (which support .NET 1.1) as well.

I contributed several articles on WMI with VB.NET and VBScript (including the articles on introductory or basic topics of WMI). I even contributed a series (of about six articles) on “WMI Programming on VB.NET” covering several aspects of WMI. I strongly suggest you go through the series before going through this article.

How to list all events from “EventLog” using Visual Basic.NET

Before getting the information out of “EventLog”, we need to create a wrapper to store the EventLog information. Let us proceed to create a wrapper:
```vbnet
' Builds an empty DataTable with one column per event property we display.
Public Function getEventLogStructure() As DataTable
    Dim dt As New DataTable
    dt.Columns.Add(New DataColumn("Category"))
    dt.Columns.Add(New DataColumn("ComputerName"))
    dt.Columns.Add(New DataColumn("EventCode"))
    dt.Columns.Add(New DataColumn("Message"))
    dt.Columns.Add(New DataColumn("TimeWritten"))
    dt.Columns.Add(New DataColumn("Type"))
    Return dt
End Function
```

The following method “addEventLog” adds a single row based on the structure you create for the data table using the above method.
```vbnet
' Appends one event to the DataTable created by getEventLogStructure.
Public Sub addEventLog(ByRef dt As DataTable, ByVal Category As String, _
        ByVal ComputerName As String, ByVal EventCode As String, _
        ByVal Message As String, ByVal TimeWritten As String, _
        ByVal Type As String)
    Dim dr As DataRow
    dr = dt.NewRow
    dr("Category") = Category
    dr("ComputerName") = ComputerName
    dr("EventCode") = EventCode
    dr("Message") = Message
    dr("TimeWritten") = TimeWritten
    dr("Type") = Type
    dt.Rows.Add(dr)
End Sub
```

Once you complete the creation of the wrapper, the following VB.NET code retrieves the basic information for every event in the “EventLog” on your system.
```vbnet
' Requires a reference to System.Management.dll and "Imports System.Management".
Private Sub Button1_Click(ByVal sender As System.Object, _
        ByVal e As System.EventArgs) Handles Button1.Click
    Try
        ' Query every event in every log the caller is allowed to read.
        Dim searcher As New ManagementObjectSearcher( _
            "root\CIMV2", _
            "SELECT * FROM Win32_NTLogEvent")

        Dim dt As DataTable = globals.getEventLogStructure

        ' Copy each event into the wrapper table; Convert.ToString tolerates null properties.
        For Each queryObj As ManagementObject In searcher.Get()
            globals.addEventLog(dt, _
                Convert.ToString(queryObj("Category")), _
                Convert.ToString(queryObj("ComputerName")), _
                Convert.ToString(queryObj("EventCode")), _
                Convert.ToString(queryObj("Message")), _
                Convert.ToString(queryObj("TimeWritten")), _
                Convert.ToString(queryObj("Type")))
        Next

        Me.DataGrid1.DataSource = dt
    Catch err As ManagementException
        MessageBox.Show("An error occurred while querying for WMI data: " & err.Message)
    End Try
End Sub
```

You can achieve the same result with VBScript as follows:
```vbscript
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")

' 48 = wbemFlagReturnImmediately + wbemFlagForwardOnly
Set colItems = objWMIService.ExecQuery( _
    "SELECT * FROM Win32_NTLogEvent",,48)

For Each objItem in colItems
    Wscript.Echo "Category: " & objItem.Category
    Wscript.Echo "ComputerName: " & objItem.ComputerName
    Wscript.Echo "EventCode: " & objItem.EventCode
    Wscript.Echo "Message: " & objItem.Message
    Wscript.Echo "TimeWritten: " & objItem.TimeWritten
    Wscript.Echo "Type: " & objItem.Type
Next
```

How to list all “Blue Screen” events (or STOP errors) using Visual Basic.NET

Those who are working with Windows would definitely experience “Blue Screen” errors in some situations (especially when hardware malfunctions occur). We can still get those events using Visual Basic.NET. To get the event information, I am using the same wrapper I used in the previous section. So, I don’t want to repeat it. The following modification to the above program (in VB.NET) would give the required result.
```vbnet
Dim searcher As New ManagementObjectSearcher( _
    "root\CIMV2", _
    "Select * from Win32_NTLogEvent Where Logfile = 'System'" _
    & " and SourceName = 'SaveDump'")
```

The only difference is that I am filtering for the events that are “System” events and whose source is “SaveDump.” When “Blue Screen” errors occur, they dump all the information available at that instant onto the hard disk for future analysis. The modification to the VBScript would be the following:
```vbscript
Set colItems = objWMIService.ExecQuery( _
    "Select * from Win32_NTLogEvent Where Logfile = 'System' and SourceName = 'SaveDump'",,48)
```
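The following VBScript is an added example, not part of the original article or its download. It narrows the “SaveDump” query to a recent time window and converts the CIM datetime string in TimeWritten to a readable local time; the DAYS_BACK constant and the variable names are assumptions chosen for illustration.

```vbscript
' Added example: recent STOP-error events with a readable timestamp.
Option Explicit

Const DAYS_BACK = 7   ' assumed look-back window, in days

Dim objWMI, dtCutoff, dtEvent, colEvents, objEvent, wql

Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\CIMV2")

' WQL compares TimeWritten against a CIM datetime string
' (yyyymmddHHMMSS.mmmmmm+UUU), which SWbemDateTime builds from a VBScript date.
Set dtCutoff = CreateObject("WbemScripting.SWbemDateTime")
dtCutoff.SetVarDate DateAdd("d", -DAYS_BACK, Now), True   ' True = local time

' Name the columns and filter on the server side instead of SELECT * over every log.
wql = "SELECT EventCode, TimeWritten, Message FROM Win32_NTLogEvent " & _
      "WHERE Logfile = 'System' AND SourceName = 'SaveDump' " & _
      "AND TimeWritten >= '" & dtCutoff.Value & "'"

' 48 = wbemFlagReturnImmediately + wbemFlagForwardOnly
Set colEvents = objWMI.ExecQuery(wql, "WQL", 48)

Set dtEvent = CreateObject("WbemScripting.SWbemDateTime")
For Each objEvent In colEvents
    ' Convert the raw CIM datetime back to a local VBScript date for display.
    dtEvent.Value = objEvent.TimeWritten
    WScript.Echo dtEvent.GetVarDate(True) & "  EventCode " & objEvent.EventCode
    WScript.Echo "  " & objEvent.Message
Next
```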

How to make a backup of “EventLog” dynamically using Visual Basic.NET

Making a backup of an “EventLog” is also a part of managing “EventLog” information. Actually, we can do this manually using the MMC snap-in. But our intention is to work through the classic Visual Basic.NET (or VBScript). As we are doing manipulation instead of retrieving information, this section does not need any wrapper to work with. Let us proceed with the Visual Basic.NET version first:
```vbnet
Private Sub Button1_Click(ByVal sender As System.Object, _
        ByVal e As System.EventArgs) Handles Button1.Click
    Try
        ' Bind to the WMI instance that represents the Application log file.
        Dim classInstance As New ManagementObject( _
            "root\CIMV2", _
            "Win32_NTEventlogFile.Name='C:\WINDOWS\system32\config\AppEvent.Evt'", _
            Nothing)

        ' Input parameters of BackupEventlog. Its ArchiveFileName parameter
        ' (the path of the archive to write) is not set here.
        Dim inParams As ManagementBaseObject = _
            classInstance.GetMethodParameters("BackupEventlog")

        Dim outParams As ManagementBaseObject = _
            classInstance.InvokeMethod("BackupEventlog", inParams, Nothing)

        ' A ReturnValue of 0 means success.
        MessageBox.Show("Return Value " & Convert.ToString(outParams("ReturnValue")))
    Catch err As ManagementException
        MessageBox.Show("An error occurred while trying to execute the WMI method: " & err.Message)
    End Try
End Sub
```

And here, the script is quite different from some of my scripts available in my previous articles. In the above script, I started working with “InvokeMethod”, which is used to execute a WMI method dynamically! So the following is the most important statement within the above code:
```vbnet
Dim outParams As ManagementBaseObject = _
    classInstance.InvokeMethod("BackupEventlog", inParams, Nothing)
```

“inParams” (which is of type System.Management.ManagementBaseObject) is mainly used to pass parameters (input parameters) to the “BackupEventLog” method (WMI method) dynamically. Similarly, “outParams” generally contains the result of method execution. Here is the VBScript version, which would be very similar to the Visual Basic.NET version:
```vbscript
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")

' Bind to the Application log file instance.
Set objShare = objWMIService.Get( _
    "Win32_NTEventlogFile.Name='C:\WINDOWS\system32\config\AppEvent.Evt'")

' Create the input-parameter object for BackupEventlog.
Set objInParam = objShare.Methods_("BackupEventlog").inParameters.SpawnInstance_()

Set objOutParams = objWMIService.ExecMethod( _
    "Win32_NTEventlogFile.Name='C:\WINDOWS\system32\config\AppEvent.Evt'", _
    "BackupEventlog", objInParam)

Wscript.echo "ReturnValue: " & objOutParams.ReturnValue
```

How to clear “EventLog” dynamically using Visual Basic.NET

We have already seen how to take a backup of “EventLog” in the previous section. Now let us look into “clearing an EventLog”. Since we are doing manipulation instead of retrieving information, this section does not need any wrapper to work with. Let us proceed with the Visual Basic.NET version first:
```vbnet
Private Sub Button2_Click(ByVal sender As System.Object, _
        ByVal e As System.EventArgs) Handles Button2.Click
    Try
        ' Bind to the WMI instance that represents the Application log file.
        Dim classInstance As New ManagementObject( _
            "root\CIMV2", _
            "Win32_NTEventlogFile.Name='C:\WINDOWS\system32\config\AppEvent.Evt'", _
            Nothing)

        Dim inParams As ManagementBaseObject = _
            classInstance.GetMethodParameters("ClearEventlog")

        ' ClearEventlog removes every record from the log.
        Dim outParams As ManagementBaseObject = _
            classInstance.InvokeMethod("ClearEventlog", inParams, Nothing)

        MessageBox.Show("Return Value " & Convert.ToString(outParams("ReturnValue")))
    Catch err As ManagementException
        MessageBox.Show("An error occurred while trying to execute the WMI method: " & err.Message)
    End Try
End Sub
```

“inParams” (which is of type System.Management.ManagementBaseObject) is mainly used to pass parameters (input parameters) to the “ClearEventLog” method (WMI method) dynamically. Similarly, “outParams” generally contains the result of method execution. Again, here is the VBScript version, which would be very similar to the Visual Basic.NET version:
```vbscript
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")

' Bind to the Application log file instance.
Set objShare = objWMIService.Get( _
    "Win32_NTEventlogFile.Name='C:\WINDOWS\system32\config\AppEvent.Evt'")

' Create the input-parameter object for ClearEventlog.
Set objInParam = objShare.Methods_("ClearEventlog").inParameters.SpawnInstance_()

Set objOutParams = objWMIService.ExecMethod( _
    "Win32_NTEventlogFile.Name='C:\WINDOWS\system32\config\AppEvent.Evt'", _
    "ClearEventlog", objInParam)

Wscript.echo "ReturnValue: " & objOutParams.ReturnValue
```
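Because ClearEventlog discards the log's records, a safer routine archives the log first and clears it only once the archive is confirmed on disk. The VBScript below is an added example, not part of the original article; the C:\LogArchive folder, the constants and the Stamp helper are assumptions, and the log is selected by LogfileName rather than by the hard-coded file path.

```vbscript
' Added example: archive an event log, verify the archive, then clear the log.
Option Explicit

Const LOG_NAME = "Application"        ' log to rotate (assumed)
Const ARCHIVE_DIR = "C:\LogArchive"   ' assumed to exist, writable by admins only

Dim objWMI, colLogs, objLog, fso, archivePath, rc

' (Backup) enables the backup privilege that BackupEventlog needs;
' the Security log additionally needs (Security) inside the braces.
Set objWMI = GetObject( _
    "winmgmts:{impersonationLevel=impersonate,(Backup)}!\\.\root\CIMV2")
Set fso = CreateObject("Scripting.FileSystemObject")

' Select the log by name so the script does not depend on the file's location.
Set colLogs = objWMI.ExecQuery( _
    "SELECT * FROM Win32_NTEventlogFile WHERE LogfileName = '" & LOG_NAME & "'")

For Each objLog In colLogs
    ' Timestamped name: BackupEventlog does not overwrite an existing archive.
    ' The .evt extension matches the log format used on this page's platform.
    archivePath = ARCHIVE_DIR & "\" & LOG_NAME & "_" & Stamp(Now) & ".evt"

    rc = objLog.BackupEventlog(archivePath)   ' ArchiveFileName parameter
    If rc <> 0 Then
        WScript.Echo "Backup failed, ReturnValue " & rc & ". Log not cleared."
        WScript.Quit 1
    End If

    ' Confirm the archive is really on disk before removing the live records.
    If Not fso.FileExists(archivePath) Then
        WScript.Echo "Archive missing: " & archivePath & ". Log not cleared."
        WScript.Quit 1
    End If

    rc = objLog.ClearEventlog()
    WScript.Echo LOG_NAME & " archived to " & archivePath & _
        "; ClearEventlog ReturnValue: " & rc
Next

' Formats a date as yyyymmdd_hhnnss for use in a file name.
Function Stamp(d)
    Stamp = Year(d) & Right("0" & Month(d), 2) & Right("0" & Day(d), 2) & _
        "_" & Right("0" & Hour(d), 2) & Right("0" & Minute(d), 2) & _
        Right("0" & Second(d), 2)
End Function
```

Run it with cscript from an account that has administrative rights on the machine.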

How to copy “EventLog” information into a text file using Visual Basic.NET

We have already seen how to take a backup of “EventLog” in the previous sections. Now let us look into “copying an EventLog into a text file.” Even this section does not need any wrapper, as we are not retrieving any information. Let us proceed with the Visual Basic.NET version first:
```vbnet
Private Sub Button3_Click(ByVal sender As System.Object, _
        ByVal e As System.EventArgs) Handles Button3.Click
    Try
        ' Bind to the WMI instance that represents the Application log file.
        Dim classInstance As New ManagementObject( _
            "root\CIMV2", _
            "Win32_NTEventlogFile.Name='C:\WINDOWS\system32\config\AppEvent.Evt'", _
            Nothing)

        ' The Copy method takes the destination path in its FileName parameter.
        Dim inParams As ManagementBaseObject = _
            classInstance.GetMethodParameters("Copy")
        inParams("FileName") = "c:\sample.txt"

        Dim outParams As ManagementBaseObject = _
            classInstance.InvokeMethod("Copy", inParams, Nothing)

        Console.WriteLine("Out parameters:")
        Console.WriteLine("ReturnValue: {0}", outParams("ReturnValue"))
    Catch err As ManagementException
        MessageBox.Show("An error occurred while trying to execute the WMI method: " & err.Message)
    End Try
End Sub
```

“inParams” (which is of type System.Management.ManagementBaseObject) is mainly used to pass parameters (input parameters) to the “Copy” method (WMI method) dynamically. Now we are trying to pass a file name as part of the input parameter (which is a bit different from previous sections). The input parameter is assigned as follows:

```vbnet
inParams("FileName") = "c:\sample.txt"
```

Similarly, “outParams” generally contains the result of method execution. Here is the VBScript version, which is very similar to the Visual Basic.NET version:
```vbscript
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")

' Bind to the Application log file instance.
Set objShare = objWMIService.Get( _
    "Win32_NTEventlogFile.Name='C:\WINDOWS\system32\config\AppEvent.Evt'")

' Create the input-parameter object for Copy and set the destination path.
Set objInParam = objShare.Methods_("Copy").inParameters.SpawnInstance_()
objInParam.Properties_.Item("FileName") = "c:\sample.txt"

Set objOutParams = objWMIService.ExecMethod( _
    "Win32_NTEventlogFile.Name='C:\WINDOWS\system32\config\AppEvent.Evt'", _
    "Copy", objInParam)

Wscript.echo "ReturnValue: " & objOutParams.ReturnValue
```

How about deleting, compressing, and similar types of operations on “EventLog” using Visual Basic.NET?

As the coding is quite similar to the above for the features like deleting, compressing, and so on, I just wanted to provide some of the most useful methods available within the “Win32_NTEventLogFile” class. By using these methods, you can still write your own routines, which could be the extensions of the above routines.

Following is the list of methods in the class “Win32_NTEventLogFile”, which you might find useful: Compress, CompressEx, Copy, CopyEx, Delete, DeleteEx, Rename, UnCompress, UnCompressEx.

You need to check through the MSDN library for the parameters of the methods along with descriptions and usage. But the program skeleton to work with the above methods will be very similar to the ones I provided above.

Currently, I used VB.NET (especially for programmers) and VBScript (for system administrators) to manage the EventLog. But if you would like to manage EventLog remotely using the web, I suggest you use ASP.NET. The coding will be very similar to that of VB.NET. But be sure to make some modifications towards ASP.NET security to work with EventLog.

Further, you can extend the same to the PocketPC level, just to manage EventLog, by developing a Smart Device application. Any comments, suggestions, bugs, errors, feedback etc. are highly appreciated at jag_chat@yahoo.com.
