EventLog Scanner (WMI)



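' EventLog Scanner (WMI)
'
' Reads one host name per line from DeviceList.txt (expected next to this script),
' connects to each host over WMI and prints every Error-level event from the
' System log written since that host last booted, minus a list of known-noise
' messages. Output is one line per event, "<host>, <event time>, <message>",
' written with WScript.Echo so it can be redirected to a file.
'
' A host that cannot be reached over WMI, or whose boot time cannot be read, is
' reported on its own output line and skipped instead of aborting the whole run.
Const ForReading = 1, ForWriting = 2, ForAppending = 3
' Declared by the original script; nothing in this file reads it.
Const CONVERT_TO_LOCAL_TIME = True

' Substrings of System-log error messages that are known noise and are not
' reported. Add one entry per message. Keep each entry generic (no host names,
' timestamps or GUIDs) so it matches every occurrence of that message.
' Matching is case-sensitive, as in the original per-line InStr checks.
Dim IgnorePatterns
IgnorePatterns = Array( _
    "Contact the administrator to install the driver before you log in again.", _
    "Remote Desktop Session Host server was unable to retrieve", _
    "An SSL 3.0 connection request was received from a remote client application", _
    "The Kerberos client received a KRB_AP_ERR_MODIFIED", _
    "DCOM was unable to communicate with the computer", _
    "The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID", _
    "The Terminal Server security layer detected an error in the protocol stream and has disconnected the client.", _
    "The processing of Group Policy failed. Windows could not search the Active Directory organization unit hierarchy", _
    "The following fatal alert was generated: 40. The internal error state is 107." _
)
' The last entry relates to Schannel (secure channel) failures; it happens intermittently.

Set FileSystemObject = CreateObject("Scripting.FileSystemObject")
' Folder containing this script, with its trailing backslash; DeviceList.txt lives there.
CurrentDirectory = Left(WScript.ScriptFullName, Len(WScript.ScriptFullName) - Len(WScript.ScriptName))
Set DeviceListFile = FileSystemObject.OpenTextFile(CurrentDirectory & "\DeviceList.txt", ForReading)

Do Until DeviceListFile.AtEndOfStream
    ' Trim the value itself (the original only trimmed for the emptiness test),
    ' so stray whitespace in the list file cannot end up inside the WMI moniker.
    Devicename = Trim(DeviceListFile.ReadLine)
    If Devicename <> "" Then ScanDevice Devicename
Loop
DeviceListFile.Close

' Connects to one host over WMI and prints its un-ignored System-log errors
' since the last boot. Connection and boot-time failures are reported and the
' host is skipped; errors raised while enumerating events are not caught here.
Sub ScanDevice(Devicename)
    Dim objWMIService, LastBootUpTime, colEvents, objEvent

    ' One connection is enough for both queries (the original opened two).
    ' impersonationLevel=impersonate runs the queries as the calling user.
    ' The (Security) privilege is only required to read the Security log, not
    ' the System log queried below; it is kept so the Logfile filter can be
    ' changed without also editing the moniker.
    On Error Resume Next
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & Devicename & "\root\cimv2")
    If Err.Number <> 0 Then
        WScript.Echo Devicename & ", WMI connection failed: " & Err.Description
        Err.Clear
        On Error GoTo 0
        Exit Sub
    End If
    On Error GoTo 0

    LastBootUpTime = GetLastBootUpTime(objWMIService)
    ' Without a boot time the WQL filter would compare against an empty string
    ' and the event set would be meaningless, so report and skip the host.
    If LastBootUpTime = "" Then
        WScript.Echo Devicename & ", could not read LastBootUpTime; skipping"
        Exit Sub
    End If

    ' LastBootUpTime is a CIM datetime string returned by WMI itself, so it can
    ' be compared directly against TimeWritten inside the WQL query.
    Set colEvents = objWMIService.ExecQuery("Select * from Win32_NTLogEvent Where Type = 'Error' and Logfile = 'System' and TimeWritten > '" & LastBootUpTime & "'")
    For Each objEvent In colEvents
        If Not IsIgnoredMessage(objEvent.Message) Then
            ' The message is printed verbatim; embedded commas or line breaks
            ' will confuse a naive comma-split of this output.
            WScript.Echo Devicename & ", " & UtcDateToString(objEvent.TimeWritten) & ", " & objEvent.Message
        End If
    Next
End Sub

' Returns the LastBootUpTime of the (normally single) Win32_OperatingSystem
' instance on an open WMI service, or "" when no instance is returned.
Function GetLastBootUpTime(WmiService)
    Dim Instance
    GetLastBootUpTime = ""
    For Each Instance In WmiService.ExecQuery("Select LastBootUpTime from Win32_OperatingSystem")
        GetLastBootUpTime = Instance.LastBootUpTime
    Next
End Function

' True when the event message contains any entry of IgnorePatterns.
' Some events carry no message body at all (Null); those are never ignored,
' matching the original code, which never set Ignore for them.
Function IsIgnoredMessage(Message)
    Dim Pattern
    IsIgnoredMessage = False
    If IsNull(Message) Then Exit Function
    For Each Pattern In IgnorePatterns
        If InStr(Message, Pattern) > 0 Then
            IsIgnoredMessage = True
            Exit Function
        End If
    Next
End Function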

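' Converts a CIM datetime string ("yyyymmddHHMMSS.mmmmmm+UUU", the format WMI
' returns for Win32_NTLogEvent.TimeWritten) into a VBScript Date.
'
' Only the first 14 characters are read. The UTC-offset suffix is not applied,
' so - despite the name - the result is in the timestamp's own reference time
' (for TimeWritten that is normally the remote host's local time).
'
' DateSerial/TimeSerial are used instead of CDate on a "MM/DD/YYYY" string, so
' the result no longer depends on the scanning machine's date-format locale
' (the original misparsed or rejected day > 12 on day-first locales).
'
' Raises a runtime error (type mismatch) when the string is shorter than
' 14 characters or contains non-digits in those positions, as the original did.
Function UtcDateToString(UtcFormattedDate)
    Dim DatePart, TimePart
    DatePart = DateSerial(CInt(Left(UtcFormattedDate, 4)), _
                          CInt(Mid(UtcFormattedDate, 5, 2)), _
                          CInt(Mid(UtcFormattedDate, 7, 2)))
    TimePart = TimeSerial(CInt(Mid(UtcFormattedDate, 9, 2)), _
                          CInt(Mid(UtcFormattedDate, 11, 2)), _
                          CInt(Mid(UtcFormattedDate, 13, 2)))
    UtcDateToString = CDate(DatePart + TimePart)
End Function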
