
Managing `EventLog` using Visual Basic.NET and VBScript

This article explains how to manage “EventLog” information dynamically using Visual
Basic.NET and VBScript. You will learn how to list all events, how to make a backup of the
"Eventlog" dynamically, and how to perform many other tasks as well.

A downloadable file for this article is available here.

The sample downloadable solution (zip) was entirely developed using Visual Studio.NET 2003
Enterprise Architect on Windows Server 2003 Standard Edition. But, I am confident that it
would work with other versions of Windows (which support .NET 1.1) as well.
I have contributed several articles on WMI with VB.NET and VBScript (including articles on
introductory or basic topics of WMI), as well as a series (of about six articles) on “WMI
Programming on VB.NET” covering several aspects of WMI. I strongly suggest you go through
that series before going through this article.

How to list all events from “EventLog” using Visual Basic.NET

Before getting the information out of “EventLog”, we need to create a wrapper to store the
EventLog information. Let us proceed to create a wrapper:
' Builds an empty DataTable with one column per event property we display.
Public Function getEventLogStructure() As DataTable
    Dim dt As New DataTable
    dt.Columns.Add(New DataColumn("Category"))
    dt.Columns.Add(New DataColumn("ComputerName"))
    dt.Columns.Add(New DataColumn("EventCode"))
    dt.Columns.Add(New DataColumn("Message"))
    dt.Columns.Add(New DataColumn("TimeWritten"))
    dt.Columns.Add(New DataColumn("Type"))
    Return dt
End Function
The following method “addEventLog” adds a single row based on the structure you create for the
data table using the above method.
' Appends one event as a new row of the DataTable.
Public Sub addEventLog(ByRef dt As DataTable, ByVal Category As String, _
        ByVal ComputerName As String, ByVal EventCode As String, _
        ByVal Message As String, ByVal TimeWritten As String, _
        ByVal Type As String)
    Dim dr As DataRow
    dr = dt.NewRow
    dr("Category") = Category
    dr("ComputerName") = ComputerName
    dr("EventCode") = EventCode
    dr("Message") = Message
    dr("TimeWritten") = TimeWritten
    dr("Type") = Type
    dt.Rows.Add(dr)
End Sub
Once you complete the creation of the wrapper, the following VB.NET code reads every
event from the “EventLog” and shows some basic information about each one in a data grid.
' Requires a project reference to System.Management.dll and
' "Imports System.Management" at the top of the file.
Private Sub Button1_Click(ByVal sender As System.Object, _
        ByVal e As System.EventArgs) Handles Button1.Click
    Try
        Dim searcher As New ManagementObjectSearcher( _
            "root\CIMV2", _
            "SELECT * FROM Win32_NTLogEvent")
        Dim dt As DataTable = globals.getEventLogStructure()
        For Each queryObj As ManagementObject In searcher.Get()
            ' WMI properties come back as Object, so convert each one to a string.
            globals.addEventLog(dt, _
                Convert.ToString(queryObj("Category")), _
                Convert.ToString(queryObj("ComputerName")), _
                Convert.ToString(queryObj("EventCode")), _
                Convert.ToString(queryObj("Message")), _
                Convert.ToString(queryObj("TimeWritten")), _
                Convert.ToString(queryObj("Type")))
        Next
        Me.DataGrid1.DataSource = dt
    Catch err As ManagementException
        MessageBox.Show("An error occurred while querying for WMI data: " & err.Message)
    End Try
End Sub
You can achieve the same result with VBScript as follows:
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
' 48 = return immediately + forward-only enumeration
Set colItems = objWMIService.ExecQuery( _
    "SELECT * FROM Win32_NTLogEvent",,48)
For Each objItem in colItems
    Wscript.Echo "Category: " & objItem.Category
    Wscript.Echo "ComputerName: " & objItem.ComputerName
    Wscript.Echo "EventCode: " & objItem.EventCode
    Wscript.Echo "Message: " & objItem.Message
    Wscript.Echo "TimeWritten: " & objItem.TimeWritten
    Wscript.Echo "Type: " & objItem.Type
Next

How to list all “Blue Screen” events (or STOP errors) using Visual Basic.NET

Those who are working with Windows would definitely experience “Blue Screen” errors in some
situations (especially when hardware malfunctions occur). We can still get those events using
Visual Basic.NET.
To get the event information, I am using the same wrapper I used in the previous section, so I
will not repeat it here. The following modification to the above program (in VB.NET) gives
the required result.
Dim searcher As New ManagementObjectSearcher( _
    "root\CIMV2", _
    "Select * from Win32_NTLogEvent Where Logfile = 'System'" _
    & " and SourceName = 'SaveDump'")
The only difference is that the query now returns only events from the “System” log whose
source is “SaveDump.” When “Blue Screen” errors occur, they dump all the
information available at that instance onto the hard disk for future analysis.
The modification to the VBScript would be the following:
Set colItems = objWMIService.ExecQuery( _
    "Select * from Win32_NTLogEvent Where Logfile = 'System'" _
    & " and SourceName = 'SaveDump'",,48)
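
The filtered queries above can be narrowed further by time, and the raw TimeWritten string can be turned into a readable date. The following is an added example, not code from the original article; the 24-hour window and the choice of error events (EventType = 1) are assumptions made for illustration.

```vbscript
Option Explicit
Dim objWMIService, objStart, objWritten, colEvents, objEvent

Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2")

' TimeWritten is stored in DMTF format (yyyymmddHHMMSS.mmmmmm+UUU).
' SWbemDateTime converts between that format and a VBScript date.
Set objStart = CreateObject("WbemScripting.SWbemDateTime")
objStart.SetVarDate DateAdd("h", -24, Now), True   ' True = value is local time

' System-log errors written in the last 24 hours (assumed window).
Set colEvents = objWMIService.ExecQuery( _
    "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'System'" & _
    " AND EventType = 1 AND TimeWritten >= '" & objStart.Value & "'", , 48)

Set objWritten = CreateObject("WbemScripting.SWbemDateTime")
For Each objEvent In colEvents
    objWritten.Value = objEvent.TimeWritten
    WScript.Echo objWritten.GetVarDate(True) & "  " & objEvent.SourceName & _
        "  EventCode " & objEvent.EventCode
Next
```

Restricting the query by Logfile and TimeWritten keeps WMI from reading every record of every log, which is what the unfiltered SELECT does.
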
How to make a backup of “EventLog” dynamically using Visual Basic.NET
Making a backup of an “EventLog” is also a part of managing “EventLog” information.
Actually we can do this manually using the MMC snap-in. But, our intention is to work through
the classic Visual Basic.NET (or VBScript). As we are doing manipulation instead of retrieving
information, this section does not need any wrapper to work with.
Let us proceed with the Visual Basic.NET version first:
Private Sub Button1_Click(ByVal sender As System.Object, _
        ByVal e As System.EventArgs) Handles Button1.Click
    Try
        Dim classInstance As New ManagementObject( _
            "root\CIMV2", _
            "Win32_NTEventlogFile.Name='C:\WINDOWS\system32\config\AppEvent.Evt'", _
            Nothing)
        ' BackupEventlog needs the Backup privilege enabled on the WMI connection.
        classInstance.Scope.Options.EnablePrivileges = True

        Dim inParams As ManagementBaseObject = _
            classInstance.GetMethodParameters("BackupEventlog")
        ' ArchiveFileName is the method's input parameter; this path is a sample value.
        inParams("ArchiveFileName") = "c:\AppEvent-backup.evt"

        Dim outParams As ManagementBaseObject = _
            classInstance.InvokeMethod("BackupEventlog", inParams, Nothing)
        MessageBox.Show("Return Value " & Convert.ToString(outParams("ReturnValue")))
    Catch err As ManagementException
        MessageBox.Show("An error occurred while trying to execute the WMI method: " _
            & err.Message)
    End Try
End Sub
This code is quite different from some of the scripts in my previous articles.
Here I started working with “InvokeMethod”, which is used to execute a WMI
method dynamically! So the following is the most important statement within the above code:
Dim outParams As ManagementBaseObject = _
    classInstance.InvokeMethod("BackupEventlog", inParams, Nothing)
“inParams” (which is of type System.Management.ManagementBaseObject) is mainly used to pass
parameters (input parameters) to the “BackupEventLog” method (WMI method) dynamically.
Similarly, “outParams” generally contains the result of method execution.
Here is the VBScript version, which is very similar to the Visual Basic.NET version:
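strComputer = "."
' (Backup) enables the Backup privilege that BackupEventlog requires.
Set objWMIService = GetObject( _
    "winmgmts:{impersonationLevel=impersonate,(Backup)}!\\" & strComputer & "\root\CIMV2")
Set objShare = objWMIService.Get( _
    "Win32_NTEventlogFile.Name='C:\WINDOWS\system32\config\AppEvent.Evt'")

Set objInParam = objShare.Methods_("BackupEventlog"). _
    inParameters.SpawnInstance_()
' ArchiveFileName is the method's input parameter; this path is a sample value.
objInParam.Properties_.Item("ArchiveFileName") = "c:\AppEvent-backup.evt"

Set objOutParams = objWMIService.ExecMethod( _
    "Win32_NTEventlogFile.Name='C:\WINDOWS\system32\config\AppEvent.Evt'", _
    "BackupEventlog", objInParam)
Wscript.echo "ReturnValue: " & objOutParams.ReturnValue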

How to clear “EventLog” dynamically using Visual Basic.NET

We have already seen how to take a backup of “EventLog” in the previous section. Now let us
look into “clearing an EventLog”. Since we are doing manipulation instead of retrieving
information, this section does not need any wrapper to work with.
Let us proceed with the Visual Basic.NET version first:
Private Sub Button2_Click(ByVal sender As System.Object, _
        ByVal e As System.EventArgs) Handles Button2.Click
    Try
        Dim classInstance As New ManagementObject( _
            "root\CIMV2", _
            "Win32_NTEventlogFile.Name='C:\WINDOWS\system32\config\AppEvent.Evt'", _
            Nothing)

        Dim inParams As ManagementBaseObject = _
            classInstance.GetMethodParameters("ClearEventlog")

        Dim outParams As ManagementBaseObject = _
            classInstance.InvokeMethod("ClearEventlog", inParams, Nothing)
        MessageBox.Show("Return Value " & Convert.ToString(outParams("ReturnValue")))
    Catch err As ManagementException
        MessageBox.Show("An error occurred while trying to execute the WMI method: " _
            & err.Message)
    End Try
End Sub
“inParams” (which is of type System.Management.ManagementBaseObject) is mainly used to pass
parameters (input parameters) to the “ClearEventLog” method (WMI method) dynamically.
Similarly, “outParams” generally contains the result of method execution.
Again, here is the VBScript version, which would be very similar to the Visual Basic.NET
version:
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
Set objShare = objWMIService.Get( _
    "Win32_NTEventlogFile.Name='C:\WINDOWS\system32\config\AppEvent.Evt'")
Set objInParam = objShare.Methods_("ClearEventlog"). _
    inParameters.SpawnInstance_()
Set objOutParams = objWMIService.ExecMethod( _
    "Win32_NTEventlogFile.Name='C:\WINDOWS\system32\config\AppEvent.Evt'", _
    "ClearEventlog", objInParam)
Wscript.echo "ReturnValue: " & objOutParams.ReturnValue
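
The backup and clear operations from the last two sections are usually run together, so that records are archived before they are removed. The following is an added example, not code from the original article: it selects the log by its LogfileName instead of a hard-coded file path, and the archive path is a sample value.

```vbscript
Option Explicit
Const LOG_NAME = "Application"
' Sample archive path (assumption); the file must not already exist.
Const ARCHIVE_FILE = "C:\Archive\Application-backup.evt"

Dim objWMIService, colLogs, objLog, lngResult

' (Backup) enables the privilege that BackupEventlog requires.
' Add (Security) as well when LOG_NAME is "Security".
Set objWMIService = GetObject( _
    "winmgmts:{impersonationLevel=impersonate,(Backup)}!\\.\root\CIMV2")

Set colLogs = objWMIService.ExecQuery( _
    "SELECT * FROM Win32_NTEventlogFile WHERE LogfileName = '" & LOG_NAME & "'")

For Each objLog In colLogs
    WScript.Echo objLog.Name & " holds " & objLog.NumberOfRecords & " records"

    ' Archive first; a non-zero ReturnValue means the archive was not written.
    lngResult = objLog.BackupEventlog(ARCHIVE_FILE)
    If lngResult <> 0 Then
        WScript.Echo "Backup failed (ReturnValue " & lngResult & "); log left untouched."
    Else
        ' Clear only after the archive exists, so no records are lost.
        lngResult = objLog.ClearEventlog()
        WScript.Echo "Backup written to " & ARCHIVE_FILE & _
            "; clear ReturnValue: " & lngResult
    End If
Next
```

Checking ReturnValue between the two calls is the point of the example: the scripts above echo the value but never act on it, so a failed backup followed by a clear would discard the records.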

How to copy “EventLog” information into a text file using Visual Basic.NET

We have already seen how to take a backup of “EventLog” in the previous sections. Now let us
look into “copying an EventLog into a text file.” Even this section does not need any wrapper,
as we are not retrieving any information.
Let us proceed with the Visual Basic.NET version first:
Private Sub Button3_Click(ByVal sender As System.Object, _
        ByVal e As System.EventArgs) Handles Button3.Click
    Try
        Dim classInstance As New ManagementObject( _
            "root\CIMV2", _
            "Win32_NTEventlogFile.Name='C:\WINDOWS\system32\config\AppEvent.Evt'", _
            Nothing)

        Dim inParams As ManagementBaseObject = _
            classInstance.GetMethodParameters("Copy")

        ' Destination file for the copy.
        inParams("FileName") = "c:\sample.txt"

        Dim outParams As ManagementBaseObject = _
            classInstance.InvokeMethod("Copy", inParams, Nothing)

        Console.WriteLine("Out parameters:")
        Console.WriteLine("ReturnValue: {0}", outParams("ReturnValue"))
    Catch err As ManagementException
        MessageBox.Show("An error occurred while trying to execute the WMI method: " _
            & err.Message)
    End Try
End Sub
“inParams” (which is of type System.Management.ManagementBaseObject) is mainly used to pass
parameters (input parameters) to the “Copy” method (WMI method) dynamically. Now we are
trying to pass a file name as part of the input parameter (which is a bit different from previous
sections). The input parameter is assigned as follows:
inParams("FileName") = "c:\sample.txt"
Similarly, “outParams” generally contains the result of method execution.
Here is the VBScript version, which is very similar to the Visual Basic.NET version:
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
Set objShare = objWMIService.Get( _
    "Win32_NTEventlogFile.Name='C:\WINDOWS\system32\config\AppEvent.Evt'")

Set objInParam = objShare.Methods_("Copy"). _
    inParameters.SpawnInstance_()
' Destination file for the copy.
objInParam.Properties_.Item("FileName") = "c:\sample.txt"

Set objOutParams = objWMIService.ExecMethod( _
    "Win32_NTEventlogFile.Name='C:\WINDOWS\system32\config\AppEvent.Evt'", _
    "Copy", objInParam)

Wscript.echo "ReturnValue: " & objOutParams.ReturnValue


How about deleting, compressing, and similar types of operations on “EventLog” using Visual Basic.NET?
As the coding is quite similar to the above for the features like deleting, compressing, and so
on, I just wanted to provide some of the most useful methods available within the
“Win32_NTEventLogFile” class. By using these methods, you can still write your own routines,
which could be the extensions of the above routines.
Following is the list of methods in the class “Win32_NTEventLogFile”, which you might find
useful:
Compress
CompressEx
Copy
CopyEx
Delete
DeleteEx
Rename
UnCompress
UnCompressEx
You need to check through the MSDN library for the parameters of the methods along with
descriptions and usage. But the program skeleton to work with the above methods will be
very similar to the ones I provided above.
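
The parameters of each method can also be read from WMI itself, which is a quick check before writing a routine around one of the methods listed above. The following is an added example, not code from the original article; it binds to the class definition on the local computer and prints each method with its input and output parameters.

```vbscript
Option Explicit
Dim objClass, objMethod, objParam

' Bind to the class definition (not an instance) to read its method metadata.
Set objClass = GetObject("winmgmts:\\.\root\CIMV2:Win32_NTEventlogFile")

For Each objMethod In objClass.Methods_
    WScript.Echo objMethod.Name

    ' InParameters is Nothing for methods that take no input.
    If Not objMethod.InParameters Is Nothing Then
        For Each objParam In objMethod.InParameters.Properties_
            WScript.Echo "    in:  " & objParam.Name & _
                " (CIM type " & objParam.CIMType & ")"
        Next
    End If

    ' ReturnValue is reported here as an output parameter.
    If Not objMethod.OutParameters Is Nothing Then
        For Each objParam In objMethod.OutParameters.Properties_
            WScript.Echo "    out: " & objParam.Name & _
                " (CIM type " & objParam.CIMType & ")"
        Next
    End If
Next
```

The names printed under "in:" are the keys to set on “inParams” (VB.NET) or on objInParam.Properties_ (VBScript) before invoking the method.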
In this article, I used VB.NET (especially for programmers) and VBScript (for system
administrators) to manage the EventLog. But if you would like to manage EventLog remotely
using the web, I suggest you use ASP.NET. The coding will be very similar to that of VB.NET.
But be sure to adjust the ASP.NET security settings so that the application can work with EventLog.
Further, you can extend the same to the PocketPC level, just to manage EventLog, by developing
a Smart Device application.
Any comments, suggestions, bugs, errors, feedback etc. are highly appreciated at
jag_chat@yahoo.com.
