Wevtutil to output event log description - windows

Is there any way to only output the description field in an event log entry?
I'm currently using:
wevtutil qe Application /q:*[System[(EventID=431)]] /f:text /rd:true /c:2 /gm:true > C:\query.txt
However, this outputs everything. I just want to output the description, which is under:
<EventData>
<Data> Description bllah blah</Data>
</EventData>

You can use the /f:text modifier and grep with ^|FIND "Description":
wevtutil qe Application /q:*[System[(EventID=431)]] /f:text /rd:true /c:2 /gm:true ^|FIND "Description" > C:\query.txt
Note the ^ before the pipe, it escapes the pipe in scripts.

Related

How to parse WMIC printer list full

When I use the following command, it outputs a text file with a computer's printer information: wmic printer list full >> c:\computer_printers.txt
However, the list is very long, and I only want to see the fields for DriverName, Name, and Portname in the output. Is there a way to modify the command I am using to get this result?
I researched the adverbs associated with the verb List, but the way I am interpreting the document here (https://msdn.microsoft.com/en-us/library/aa394531(v=vs.85).aspx), it does not seem like what I am trying to do is possible. Is there anyone with more experience with WMIC that can confirm this?
I only want to see the fields for DriverName, Name, and Portname in the output
Use the following command:
wmic printer get DriverName, Name, Portname >> c:\computer_printers.txt
Example output:
> type c:\computer_printers.txt
DriverName Name PortName
Microsoft XPS Document Writer Microsoft XPS Document Writer XPSPort:
Microsoft Shared Fax Driver Fax SHRFAX:
EPSON Stylus Photo RX560 Series EPSON Stylus Photo RX560 Series USB001
CutePDF Writer CutePDF Writer CPW2:
Further Reading
An A-Z Index of the Windows CMD command line | SS64.com
Windows CMD Commands (categorized) - Windows CMD - SS64.com
WMIC - Windows Management - Windows CMD - SS64.com

WEVTUtil export certain event

I want to export only event ID 4624 from Security.
The code below exports all events from Security (I want only 4624):
WEVTUtil query-events Security /rd:true /format:text > %~dp0Logins.txt /q:"<EventID>4624</EventID>"
When all 4624 events are exported, I want to filter only events with:
<Data Name='LogonProcessName'>User32 </Data>
These will be the RDP logs with an IP, because the logs in "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" don't have an IP (only the username) :( I heard this is because the RDP connection is TLS secured...
I want to export only Event ID 4624 from Security
WEVTUtil query-events Security /rd:true /format:text > %~dp0Logins.txt /q:"<EventID>4624</EventID>"
You are using the wrong format for the /q option.
Use the following command line:
wevtutil qe Security "/q:*[System [(EventID=4624)]]" /rd:true /f:text > "%~dp0Logins.txt"
How do I restrict the filter to Event ID 4624 containing User32?
When all 4624 events are exported, I want to filter only events with:
<Data Name='LogonProcessName'>User32 </Data>
Use the following command line:
wevtutil qe Security "/q:*[System [(EventID=4624)]]" /rd:true | findstr User32 >nul && wevtutil qe Security "/q:*[System [(EventID=4624)]]" /f:text /rd:true > "%~dp0Logins.txt"
Code based on the following source link.
Source: How to use wevtutil command to get event details if it only complies with specific text or word
Further Reading
An A-Z Index of the Windows CMD command line - An excellent reference for all things Windows cmd line related.
findstr - Search for strings in files.
wevtutil - Windows Events Command Line Utility.

wevtutil event parsing for errors in last few events

I am using wevtutil to get the last 10 logs in windows servers, with this simple command.
wevtutil qe Application /rd:false /c:10 /f:text
So can I filter events, e.g. all the error events in the last 10 logs?
This will list the last 10 errors:
wevtutil qe application "/q:*[System[(Level=1 or Level=2 )]]" /c:10 /f:text /rd:true
Be careful: the XPath query is case sensitive.

Using wevtutil return a selected event attribute as text from a selected event record

I am trying to use wevtutil to extract the value of a particular attribute, ObjectName, (without tags) from the most recent audit event of a specific ID, 4663. I then want to place that in an environment variable for use in a batch file which is triggered by occurrences of 4663. I have copied in the xml for the event below.
I have got to the point of being able to select the event and output the XML using this syntax:
C:\Users\Mike>wevtutil qe security /q:"*[System [(EventID=4663)]]" /c:1 /rd:true
But I cannot work out how to retrieve just one attribute from within the event XML that results. Is it even possible? Xpath appears to provide the syntax, but does wevtutil support it?
I'd prefer to do it in one stage, but I understand wevtutil can output to a file so I guess you could then process that in some way.
Obviously if there were a better utility than wevtutil to do this I could use that.
Many thanks to anyone who can help.
Mike
Event XML
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}"/>
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2013-12-07T16:50:28.582540600Z"/>
<EventRecordID>2637347</EventRecordID>
<Correlation/>
<Execution ProcessID="4" ThreadID="64"/>
<Channel>Security</Channel>
<Computer>Dell-8300-PC</Computer>
<Security/>
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-1054466239-2335366426-2448288976-1001</Data>
<Data Name="SubjectUserName">Mike</Data>
<Data Name="SubjectDomainName">Dell-8300-PC</Data>
<Data Name="SubjectLogonId">0x4149a</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">D:\Mike's data\My Documents\fred</Data>
<Data Name="HandleId">0x12a74</Data>
<Data Name="AccessList">%%4418</Data>
<Data Name="AccessMask">0x4</Data>
<Data Name="ProcessId">0x1048</Data>
<Data Name="ProcessName">C:\Windows\explorer.exe</Data>
</EventData>
</Event>
A strange discovery. If I use wevtutil to write the whole event as a file, and I then edit that file to remove the string
xmlns="http://schemas.microsoft.com/win/2004/08/events/event"
and nothing else, I can access the data I require via
PowerShell using this command:
PS> select-xml -path "C:\Users\Mike\xmltext1.xml" -Xpath "*//EventData/Data[@Name = 'ObjectName']" | ForEach-Object {$_.Node.'#text'}
Which correctly returns:
C:\Program Files\MXContactEE\MXContact.pst
But the same command returns nothing unless I remove the 'xmlns' string from the file, which is inconvenient.
I'm lost as to why.....
Best wishes, Mouse
The two stage solution, writing the event to a file in cmd.exe then processing it using select XML, almost works. Here are the commands I used. First in cmd.exe:
C:\Users\Mike> Wevtutil qe security /q:"*[System [(EventID=4663)]]" /c:1 /rd:true > xmltext.xml
Then in PowerShell:
PS C:\scripts> Select-xml -namespace @{p="http://schemas.microsoft.com/win/2004/08/events/event"} -path "C:\Users\Mike\xmltext.xml" -Xpath "*//p:EventData/p:Data[@Name = 'ObjectName']" | ForEach-Object {$_.Node.'#text'}
Unfortunately the select-xml statement fails on meeting an unexpected end of file 2/3 of the way through the record. It does this even if you try the whole thing via a pipe in Powershell:
PS C:\Windows\System32\WindowsPowerShell\v1.0> & C:\windows\system32\wevtutil.exe --% qe security /q:*[System[(EventID=4663)]] /c:1 /rd:true | select-xml -namespace @{p="http://schemas.microsoft.com/win/2004/08/events/event"} -Xpath "*//p:EventData/p:Data[@Name = 'ObjectName']" | ForEach-Object {$_.Node.'#text'}
Both approaches yield (very quickly!) the following error:
select-xml : Cannot convert value "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid
='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4663</EventID><Version>0</Version><Level>0</Level><Task>12800</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</K
eywords><TimeCreated SystemTime='2013-12-14T12:19:50.172177700Z'/><EventRecordID>3598848</EventRecordID><Correlation/><Execution ProcessID='4'
ThreadID='52'/><Channel>Security</Channel><Computer>Dell-8300-PC</Computer><Security/></System><EventData><Data
Name='SubjectUserSid'>S-1-5-21-1054466239-2335366426-2448288976-1001</Data><Data Name='SubjectUserName'>Mike</Data><Data
Name='SubjectDomainName'>Dell-8300-PC</Data><Data Name='SubjectLogonId'>0x39533</Data><Data Name='ObjectServer'>Security</Data><Data Name='ObjectType'>File</Data><Data
Name='ObjectName'>C:\Program Files\MXContactEE\MXContact.pst</Data><Data Name='HandleId'>0x4ef0</Data><Data Name='AccessList'>%%4416" to type "System.Xml.XmlDocument".
Error: "Unexpected end of file has occurred. The following elements are not closed: Data, EventData, Event. Line 1, position 980."
At line:1 char:97
+ & C:\windows\system32\wevtutil.exe --% qe security /q:*[System[(EventID=4663)]] ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Select-Xml], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : InvalidCastToXmlDocument,Microsoft.PowerShell.Commands.SelectXmlCommand
select-xml : Cannot convert value " </Data><Data Name='AccessMask'>0x1</Data><Data Name='ProcessId'>0x1b4c</Data><Data Name='ProcessName'>C:\Program
Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE</Data></EventData></Event>" to type "System.Xml.XmlDocument". Error: "Unexpected end tag. Line 1, position 7."
At line:1 char:97
+ & C:\windows\system32\wevtutil.exe --% qe security /q:*[System[(EventID=4663)]] ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Select-Xml], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : InvalidCastToXmlDocument,Microsoft.PowerShell.Commands.SelectXmlCommand
It appears the reason that it sees an end of file is that there are Tab characters in the event XML. (I looked at the wevtutil output file using a disk sector editor, and at the point select-xml gives up processing there is a sequence of 4 Tab characters plus maybe a carriage return or two after the access list data item. It also shows up in the formatted event in Event Viewer, though strangely not in the XML.) The reason that did not happen with the file I originally created and tested in the last answer was, I think, that I screen-scraped the output and pasted it into a file instead of writing it to file, or possibly that I did a .NET reinstall in between.
The problem could I guess be fixed with a stream character filter, but I don't know how to do that for a non-printing character like a tab.
So I ended up with a one-stage solution (well more correctly a solution with no intermediate file) using Powershell, as follows:
$events = Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Security-Auditing"; id=4663}
$event = [xml]$events[0].ToXml()
$ObjectName=$event.Event.EventData.Data | Where-Object {$_.name -eq "ObjectName"}
$ObjectName."#text"
Which rather slowly but correctly gives:
C:\Program Files\MXContactEE\MXContact.pst
I adapted that solution from here:
https://social.technet.microsoft.com/Forums/scriptcenter/en-US/5aa133b0-ea69-4348-9bac-d028ba895024/powershell-obtaining-eventdata-from-a-specific-event?forum=ITCG
So we have a solution of sorts, albeit a slow one, and not involving wevtutil. One could get to dislike Microsoft a bit after this experience. What are the tabs doing there?
Many thanks Marcus for all your help with this!
Best wishes
Mike
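A combined example for this thread, for the "WEVTUtil export certain event" thread and for the first "Wevtutil to output event log description" question above. It is added here and is not code from any of the posts. It keeps the whole event in memory (no intermediate file, so no line splitting on the tabs and carriage returns Mike found) and binds the event namespace to a prefix, which is the reason the prefix-less XPath returned nothing. The function name Get-EventDataFields and the prefix e are my own choices; the log names, event IDs and field names are the ones the posts mention. It assumes PowerShell 5.1 or later running elevated, since the Security log needs administrator rights to read.

```powershell
function Get-EventDataFields {
    # Returns the newest matching events with each <Data Name="..."> value
    # flattened into a property, plus the rendered description.
    param(
        [Parameter(Mandatory)] [string] $LogName,
        [Parameter(Mandatory)] [int]    $EventId,
        [int] $MaxEvents = 10
    )

    # Filter in the event log engine first; only matching records are read.
    # Get-WinEvent throws "No events were found" when nothing matches.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } `
                           -MaxEvents $MaxEvents -ErrorAction Stop

    foreach ($evt in $events) {
        # ToXml() returns the same XML wevtutil prints, xmlns included, as one
        # string. Tabs inside a <Data> value are legal XML; the "unexpected end
        # of file" in the thread came from the pipe splitting one event into
        # two strings at a line break, which does not happen here.
        [xml]$xml = $evt.ToXml()

        # Bind the default namespace to a prefix so XPath can see the elements.
        $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

        $fields = [ordered]@{
            TimeCreated = $evt.TimeCreated
            RecordId    = $evt.RecordId
            Description = $evt.Message      # the rendered "Description" text
        }
        $i = 0
        foreach ($data in $xml.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
            $name = $data.GetAttribute('Name')
            # Classic providers emit unnamed <Data> elements (first thread).
            if (-not $name) { $name = "Data$i" }
            # Trim the trailing blank seen in values such as "User32 ".
            $fields[$name] = $data.InnerText.Trim()
            $i++
        }
        [pscustomobject]$fields
    }
}

# This thread: the ObjectName of the newest 4663 audit event, ready for a variable.
$objectName = (Get-EventDataFields -LogName Security -EventId 4663 -MaxEvents 1).ObjectName
$objectName

# "Export certain event" thread: 4624 logons whose LogonProcessName is User32,
# with the source address the poster wanted (IpAddress is a standard 4624 field).
Get-EventDataFields -LogName Security -EventId 4624 -MaxEvents 500 |
    Where-Object { $_.LogonProcessName -eq 'User32' } |
    Select-Object TimeCreated, TargetUserName, LogonType, IpAddress, WorkstationName

# First thread: only the description of the two newest Application events with ID 431.
Get-EventDataFields -LogName Application -EventId 431 -MaxEvents 2 |
    Select-Object TimeCreated, Description, Data0
```

Because the field values come back as ordinary properties, the same objects can be exported with Export-Csv or compared against a baseline without any further text parsing. Description is empty when the provider's message resources are not installed on the machine running the query; the raw Data fields are still present in that case.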

Modifying the "Path to executable" of a windows service

I'd like to modify the path to my application, but doing so breaks it because the service still points to the old location.
By going to Administrative Tools > Services you can open a properties dialog and view the Path to executable, but there is no way to change it.
Is there any way a user can modify the service path without having to reinstall the application?
There is also this approach seen on SuperUser which uses the sc command line instead of modifying the registry:
sc config <service name> binPath= <binary path>
Note: the space after binPath= is important. You can also query the current configuration using:
sc qc <service name>
This displays output similar to:
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ServiceName
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Services\ServiceName
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : <Display name>
DEPENDENCIES :
SERVICE_START_NAME : user-name@domain-name
It involves editing the registry, but service information can be found in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services. Find the service you want to redirect, locate the ImagePath subkey and change that value.
You could also do it with PowerShell:
Get-WmiObject win32_service -filter "Name='My Service'" `
| Invoke-WmiMethod -Name Change `
-ArgumentList @($null,$null,$null,$null,$null, `
"C:\Program Files (x86)\My Service\NewName.EXE")
Or:
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\My Service" `
-Name ImagePath -Value "C:\Program Files (x86)\My Service\NewName.EXE"
Open Run (Win+R), type "Regedit.exe" to open "Registry Editor", go to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
find "Apache2.4" open the folder find the "ImagePath" in the right side, open "ImagePath"
under "value Data" put the following path:
"C:\xampp\apache\bin\httpd.exe" -k runservice for XAMPP; for others, point to the location where Apache is installed and inside locate the bin folder: "C:(Apache installed location)\bin\httpd.exe" -k runservice
Slight modification to @CodeMaker's answer, for anyone like me who is trying to modify a MongoDB service to use authentication.
When I looked at the "Path to executable" in "Services", the executed line already contained speech marks. So I had to make a minor modification to his example.
To be specific.
Type Services in Windows
Find MongoDB (or the service you want to change) and open the service, making sure to stop it.
Make a note of the Service Name (not the display name)
Look up and copy the "Path to executable" and copy it.
For me the path was (note the speech marks)
"C:\Program Files\MongoDB\Server\4.2\bin\mongod.exe" --config "C:\Program Files\MongoDB\Server\4.2\bin\mongod.cfg" --service
In a command line type
sc config MongoDB binPath= "<Modified string with \" to replace ">"
In my case this was
sc config MongoDB binPath= "\"C:\Program Files\MongoDB\Server\4.2\bin\mongod.exe\" --config \"C:\Program Files\MongoDB\Server\4.2\bin\mongod.cfg\" --service -- auth"
You can't directly edit the "path to executable" of a service. For that you can use the sc command:
SC CONFIG ServiceName binPath= "Path of your file"
Eg:
sc config MongoDB binPath= "I:\Programming\MongoDB\MongoDB\bin\mongod.exe --config I:\Programming\MongoDB\MongoDB\bin\mongod.cfg --service"
I just felt like adding, for Git Bash users, that you should put the path in single quotes ' ' as in
sc config <service name> binPath='<binary path>'
e.g. sc config MongoDB binPath='"C:\Program Files\MongoDB\Server\5.03\bin\mongod.exe" --config "C:\Program Files\MongoDB\Server\5.03\bin\mongod.cfg" --service --auth'
this worked for me to update the path of the service with Git Bash on Windows 10
If you have Process Hacker installed, you can use it.
An alternative to using Invoke-WmiMethod is to use the newer CIM cmdlets. This also avoids the need for the @($null,$null...) object, as seen in a previous answer.
Get-CimInstance win32_service -Filter "Name='My Service'" | Invoke-CimMethod -MethodName Change -Arguments @{PathName="C:\Program Files\My Service\NewName.exe"}
Going a little deeper with the 'SC' command, we are able to extract all service names and get every 'QueryServiceConfig' :)
>SC QUERY > "%computername%-services.txt" [enter]
>FIND "SERVICE_NAME: " "%computername%-services.txt" /i > "%computername%-services-name.txt" [enter]
>NOTEPAD2 "%computername%-services-name.txt" [enter]
Do 'small' NOTEPAD2 editing..
Then, continue with 'CMD'..
>FOR /F "DELIMS= SKIP=2" %S IN ('TYPE "%computername%-services-name.txt"') DO @SC QC "%S" >> "%computername%-services-list-config.txt" [enter]
>NOTEPAD2 "%computername%-services-list-config.txt" [enter]
The raw data is ready for feeding a 'future batch file', so the result looks like this below!!!
+ -------------+-------------------------+---------------------------+---------------+--------------------------------------------------+------------------+-----+----------------+--------------+--------------------+
| SERVICE_NAME | TYPE | START_TYPE | ERROR_CONTROL | BINARY_PATH_NAME | LOAD_ORDER_GROUP | TAG | DISPLAY_NAME | DEPENDENCIES | SERVICE_START_NAME |
+ -------------+-------------------------+---------------------------+---------------+--------------------------------------------------+------------------+-----+----------------+--------------+--------------------+
+ WSearch | 10 WIN32_OWN_PROCESS | 2 AUTO_START (DELAYED) | 1 NORMAL | C:\Windows\system32\SearchIndexer.exe /Embedding | none | 0 | Windows Search | RPCSS | LocalSystem |
+ wuauserv | 20 WIN32_SHARE_PROCESS | 2 AUTO_START (DELAYED) | 1 NORMAL | C:\Windows\system32\svchost.exe -k netsvcs | none | 0 | Windows Update | rpcss | LocalSystem |
But, HTML will be pretty easier :D
Any bright ideas for improvement are welcome V^_^
The best way for this scenario is to uninstall the application and reinstall the application. That is the right legal way.
You can delete the service:
sc delete ServiceName
Then recreate the service.
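An added example, not code from any of the answers above: it wraps the CIM Change method from the Invoke-CimMethod answer in a function that checks the new command line before applying it and reads the result back from both Win32_Service and the ImagePath registry value the other answers edit by hand. The check matters for the MongoDB case: an executable path containing spaces that is not wrapped in its own quotes is the well-known unquoted service path weakness, where the service control manager may try C:\Program.exe before the intended file. The function name Set-ServiceBinaryPath is my own; the service name and paths in the usage line are the placeholders from the MongoDB answer. Assumes an elevated PowerShell 5.1 or later session.

```powershell
function Set-ServiceBinaryPath {
    param(
        [Parameter(Mandatory)] [string] $Name,     # service name, not the display name
        [Parameter(Mandatory)] [string] $NewPath   # full command line, arguments included
    )

    $svc = Get-CimInstance Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' not found (use the service name, not the display name)" }

    # Work out which file the service manager will actually start.
    if ($NewPath -match '^"([^"]+)"') {
        $exe = $Matches[1]                          # quoted executable, spaces allowed
    }
    elseif ($NewPath -match '^(.+?\.exe)(\s|$)') {
        $exe = $Matches[1]                          # unquoted executable up to .exe
        if ($exe -match '\s') {
            throw "Executable '$exe' contains spaces but is not quoted; wrap it in double quotes or the service manager may run the wrong file"
        }
    }
    else {
        $exe = ($NewPath -split '\s+')[0]           # no .exe suffix: first token
    }
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        throw "Executable '$exe' does not exist"
    }

    $oldPath = $svc.PathName

    # Same call as the CIM answer above; the new path applies on the next start.
    $result = $svc | Invoke-CimMethod -MethodName Change -Arguments @{ PathName = $NewPath }
    if ($result.ReturnValue -ne 0) {
        throw "Change() failed with return code $($result.ReturnValue)"
    }

    # Read back through both views so a mismatch would be visible immediately.
    $imagePath = (Get-ItemProperty -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" -Name ImagePath).ImagePath
    [pscustomobject]@{
        Name      = $Name
        State     = $svc.State
        OldPath   = $oldPath
        NewPath   = (Get-CimInstance Win32_Service -Filter "Name='$Name'").PathName
        ImagePath = $imagePath
    }
}

# Mirrors the MongoDB answer: both paths contain spaces, so each is quoted inside
# the outer single-quoted string. Restart-Service afterwards to pick up the change.
Set-ServiceBinaryPath -Name 'MongoDB' -NewPath '"C:\Program Files\MongoDB\Server\4.2\bin\mongod.exe" --config "C:\Program Files\MongoDB\Server\4.2\bin\mongod.cfg" --service --auth'
```

The returned object is worth keeping in a change log: OldPath is the value to restore if the service fails to start, and comparing NewPath with ImagePath confirms the registry and the service manager agree.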
