Database Search

match allmatch any Look in all areasLook in current areas Check all datesPrevious dayPrevious 3 daysPrevious weekPrevious fortnightPrevious monthPrevious 2 monthsPrevious 3 monthsPrevious half-yearPrevious year

TechHome

	Backups
	Ctrl Alt Del Issues
	Determine Platform - OS
	Get EXE Name
	Get Machine Name - Workstation
	Icons
	Reboot Issues
	Recycle Bin
	Resource Lock
	System Information
	User Profiles

• !Windows Commandline Tricks
• A Word or Phrase in the file search Not Working on XP
• Access to Hardware MP3 Player Device
• Admin Test
• AskYesNo with TimeOut
• Associate Extension to Run Winbatch File
• Autohide Taskbar Code
• Automate FireFox
• Automatically Answer a Dialog Box
• Automatically Clear Pause after EXE Launches
• Base64 encodeing a file
• Block New Program Installs
• BMP Color Change
• Brute Force Way to Convert an int64 that WinBatch Can Handle
• Calculate Text width and height
• Can WinBatch Associate Files
• Capture Control Break
• Change Cursor to Hourglass
• Change Cursor
• Change Explorer Favorites Location
• Change Ip Address
• Change Proportional to Fixed Fonts in Itembox
• Change Share Path
• Changing Default CDROM Drive
• Changing the Windows language
• Check for Multiple Instances of an Application
• Check If a File Is Locked
• Check if a Server is Available
• Check if Application is Installed
• Check if Application is Responsive
• Check if Computer is Locked or Idle
• Check If Extender Is Already Loaded
• Check if Program is Installed
• Check If Someone Is Logged In
• Check If Third Party Menu Item Is Checkmarked
• Check Systems for the MSBlaster Virus
• Check the Grayed-NonGrayed State of Buttons in Pull Down Menus
• Check Which Patches Are Installed
• Clipboard Input Blocked
• Close Child Windows
• Combining WB Scripts
• Command Line Stdin Stdout
• Communicate with a Third-Party Applications Windows-dialogs
• Compress Directory Attribute
• Configure a Workstation to Run HealthStar
• Control Compatibility Mode
• Controlling Citrix Web Client Using WinBatch
• Convert Hex to Ascii
• Convert Image to TIFF
• Convert Temperatures
• Convert TIF to JPG
• Convert Unicode to Big Endian Format File
• Convert Unicode to Big Endian
• Copy Protecting WinBatch Applications
• Create a PDF File
• Create a Shortcut to DUN
• Create a Template WBT file
• Create a Zero K file
• Create Editbox to Accept Formatted Data
• Create Hard Link
• Create Junction Points
• Create Single Byte Arrays and Structures
• Create Startup or Shutdown Script Policies
• Delete a Large Number of Files
• Delete Internet Cookies
• Detect Interact with Desktop
• Detect System Startup Complete
• Detect Version of Java
• Detecting a Locked Workstation
• Detecting Dual Monitors
• Determine Color Range
• Determine Current CD ROM WB is Running On
• Determine IE version installed
• Determine If Menu Bar Has Been Clicked
• Determine if RAS Connection
• Determine Process Start Time
• Determining If a Machine is a Domain Controller
• Disable a Device
• Disable CD Autorun
• Disable Device
• Disable Enable Network Card
• Display Graphical Directory Tree in a Message
• Displaying JPG Files Using Windows Viewer
• Displaying Text Messages on the Console
• DNS Suffix
• Easily Parse Log Files
• Easter finder
• Email HTML Form Data
• Enable or Disable Network Connections
• Enable or Disable Wireless Connection
• Enumerate Devices
• Even or Odd
• Excel Version
• Executing EXE on Remote Computer
• Exit if PC is Idle
• File Size On Disk
• File System Notification on Change
• Financial calculations
• Force Extender Dll Updates
• Format a disk on Windows 2000 or Windows XP
• FTPS Protocol
• Get Current Power Scheme
• Get Current Process ID
• Get Current User Remotely
• Get Data From Memory Address,txt
• Get Default Internet Connection
• Get Highlighted text from Any Window
• Get IE Cache history
• Get Info from a Pair of Directories
• Get Length of MPEG File
• Get line Count and Append if Necessary
• Get Menu String
• Get Microsoft Office Version
• Get Network Address Using IP Address and Subnet mask
• Get Persistent Drive Mappings
• Get Pixel Color
• Get Preferred Language
• Get Process Information from running WinBatch Scripts
• Get ProcessID Thread
• Get Program Files Directory
• Get Remote IP Addresses and Usernames to a List
• Get Unique Records in a List
• Get Version of Internet Explorer
• Get WinBatch Process Environment Block
• Get Windows API Documentation
• Getting WinBatch to Wait - Pause
• GINA Winlogon Desktop and Winbatch
• Grab System Information from MSINFO32
• Handle Errors Including UDFs
• Handling Asynchronous Notifications
• Hibernate
• Hide all the Icons on the Desktop
• Holding down a Key
• How To Call Windows API Functions
• How To Check if a File Handle is Closed
• How to clear event logs
• How to Count Items and Delimiters in a List and Extract Items
• How to Encrypt a Line of Text - Simple Explanation
• How to FTP
• How to Get Encrypted Attribute from a Directory
• How to Locate Functions In Helpfiles
• How to Locate functions in the help files
• How to push Microsoft hotfixes
• How To Read Large File in Multiple Parts
• How to Recurively Copy Files
• How to Retrieve Data from a Database File
• How to Set the AskDirectory Dialog Box Size
• HTML Form Submitted to Winbatch Script
• HTTP Authentication
• Icon Extractor
• Image Comparison
• Increment Through the Alphabet
• Inf Install
• Install a font
• Install AD Printer
• Install File and Print Sharing
• International Date Settings
• Internet Explorer Cache History Retrieval
• Internet time monitor
• Interprogram Communication
• ISO CD Image File
• Issues Interacting with FileMaker Pro
• Kill Predecessor
• Killing 16 bit apps in NT
• Last time ScanDisk and Defrag Performed
• Launch a program on the System Tray
• Launch a WBT File using Explorer SendTo
• Launch Script from SendTo
• Launch the file properties dialog for a file
• Launch WinBatch from Internet Explorer Context Menu
• Limit User Access to Computer
• List all Hotkeys
• List Applications Installed on Remote Machines
• List DVD Drives
• List Installed Modems
• Listing Files from within Zip Files
• Lock NT Server
• Loop Forever until SHIFT Key Pressed
• Lotus Notes - DllCall to change password
• Make a Multiline Input Box
• Make a Thumbdrive Read-Only
• Make Directory Listings
• Make Task Bar Blink
• Make WinBatch Delete Itself
• Making Bitmap files via GDI calls
• Manipulate screen or file data
• Map Ports to Services
• Microsoft Service Pack Checker
• MIME Utility for Email Messages
• Modify Internet Explorer Automatic Detect Setting
• Modify Local Group Policy
• Monitor for Windows Shutdown or Logoff
• Mouse Drag and Highlight - Display Image
• Msi Get File Version
• OCR Support
• Open File Search from StartMenu
• Open MultiUser Files on a Network
• Parse HTML
• Pass Memory Variables to VB
• Passing Parameters from Javascript
• Print Formatted Image Files
• Pushing Elevated WinBatch Scripts to Users
• Query Excel Status Bar Txt
• Random Alpha Numeric Number
• Read Hardware Video BIOS
• Read Quote in INI File
• Read Statusbar Text from Browser
• Recursive directory name search
• Reduce Shape Point List
• Refresh Policy
• Regular Expression Question
• Release LAN IP Settings
• Remove HTML Tags
• Rename a Username without Admin Rights
• Reset IE Settings
• Resize and Place Dialog boxes with 2nd wbt
• Retain Quotation Marks in WB Command Lines
• Run Explorer in a Different Security Context
• Run from Current Location - Webpage
• Run PowerShell Command
• Run WinBatch From Webpage
• RunWithLogon Return to Local User Account
• Save Screen to a BMP File
• Script Minimized When Launched from Lotus Notes Email
• Script Windows Component Install
• Scripting the Group Policy Management Console
• Search for Folder Existence
• Send Control Break to a Window
• Server Connectivity
• Set Disk Volume Name
• Set Modified Date for a Directory
• Set USB Drives To Read Only
• Set Volume
• Show Desktop
• Sorting START menu Alphabetically
• Specify a Script to Run on Startup Shutdown Logon Logoff
• Start Program Only at Windows Shutdown
• Store Image in WBT Script
• Strip out Variable from WBERRORHANDLER Line
• Switch with a Variable Name
• Test
• Thoughts on Writing Faster Code
• Track an Incoming Fax
• Transferring info between WB and other programs
• Translate ANSI Sequences
• Traversing Network Neighborhood using AskFileName
• Turn File Sharing Off on Win95
• Uninstalling Software
• Unlock Workstation Trick
• Use Contents of One AskItemList Box within Another
• Use Global Varaible to tell Errorhandler to Ignore Specific Errors
• Using MS System Agent to Run a WBT File
• Validate WIL Variable Name
• Validating Password
• Various Ways to Download a File
• Verify Calling Parent Process
• Wait until no Input
• WAN IP Address
• Web Scraping
• Winbatch Findstr Equivalent
• Working with RAR Files
• Write to USB Port

Can't find the information you are looking for here? Then leave a message over on our WinBatch Tech Support Forum.

How to Clear Dump Event Logs

---

Question:

We are interested in a script to dump and clear event logs. in the knowledge base, we found psloglist.exe

However, what we really want to do is dump the log the same way it would be dumped if you went into the event log menu, right-clicked on the event log, and selected 'save log file as'. Psloglist interprets records into a format that is not .evt-format. Is there a batchie way to dump event logs?

Also, in psloglist it is unclear how to specify which log you want to operate on. it says there is a switch to do this, 'eventlog' but it is unclear how to specify it, and nothing that seems logical, like specifying 'application' or 'event' seems to work. The help html which came with the program is also no help.

We can't just copy c:\winnt\system32\config\AppEvent.evt (or the sys or sec .evt's) because they are always marked in-use and can't be copied. for the same reason, can't clear them by renaming/reallocating them.

The other thing is that after dumping the log we want to clear it. if we could figure out the switch in psloglist that would specify which event, log, we might be able to use it for clearing event logs.

Answer:

There may be a few different options:

---

Option 1:

Clear event log:

http://techsupt.winbatch.com/webcgi/webbatch.exe?techsupt/nftechsupt.web+WinBatch/Samples~from~Users/Event~Logs+Clear~Event~Log.txt

---

Option 2:

There is probably an API call to save it, maybe see:

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B216089

Here is a part of a script to clear and backup eventlogs. Left out the error handling routines, you can add them if you want to.

; How to do it:
; 1 - Open specified eventlog (Application, Security, System)
; 2 - Clear (and Backup) eventlog
; 3 - Close eventlog

; Note: 
; Make sure backup file does not exist already, otherwise DllCall will fail!

#DefineFunction OpenEventLog(dllhandle,computername,sourcename)
; The OpenEventLog function opens a handle to an event log.
; Declare Function OpenEventLog Lib "advapi32.dll" Alias "OpenEventLog"
; (ByVal lpUNCServerName As String, ByVal lpSourceName As String) As Long
	eventloghandle = DllCall(dllhandle,LONG:"OpenEventLogA",lpstr:computername,lpstr:SourceName)
	Return(eventloghandle)
#EndFunction

#DefineFunction CloseEventLog(dllhandle,evthandle)
; The CloseEventLog function closes a read handle to the specified event log.
; Declare Function CloseEventLog Lib "advapi32.dll" Alias "CloseEventLog"
; (ByVal hEventLog As Long) As Long
	closeevt = DllCall(dllhandle,LONG:"CloseEventLog",long:evthandle)
	Return(closeevt)
#EndFunction

#DefineFunction ClearEventLog(dllhandle,evthandle,backup_filename)
; The ClearEventLog function clears the specified event log, and optionally saves the current copy of the logfile to a backup file.
; If the lpBackupFileName parameter is NULL, the current event logfile is not backed up.
; Declare Function ClearEventLog Lib "advapi32.dll" Alias "ClearEventLogA"
; (ByVal hEventLog As Long, ByVal lpBackupFileName As String) As Long
	If backup_filename == ""
		result = DllCall(dllhandle,LONG:"ClearEventLogA",long:evthandle,lpnull)
	Else
		result = DllCall(dllhandle,LONG:"ClearEventLogA",long:evthandle,lpstr:backup_filename)
	Endif
	Return(result)
#EndFunction



computername    = ItemExtract(1,WinSysInfo(),@tab)
dllname         = StrCat(DirWindows(1),"advapi32.dll")
dllhandle       = DllLoad(dllname)
sourcename      = "Application"
backup_filename = "C:\Backups\Application.evt"

evthandle = OpenEventLog(dllhandle,computername,sourcename)

; Now check if backup file already exists. If it does, first delete/move the backup file
backupresult = ClearEventLog(dllhandle,evthandle,backup_filename)

closeevt = CloseEventLog(dllhandle,evthandle)

DllFree(dllhandle)

Exit

---

Option 2: This code will dump the security log to a text file ... add a few loops and you can manage all of your logs from a central location then tack on that piece of code to clear each log at the end...

Locator = ObjectOpen("WbemScripting.SWbemLocator")

;can be run from a central location so this can be machine.domain.com
computer = ""
;user = "username"
;password = "password"

machine = ItemExtract(1,computer,".")

if machine == "" then machine = Environment("COMPUTERNAME")

log = "security" ;system, application, etc..

file = strCat(dirget(), "%machine%_%log%.txt")

fhW = FileOpen(file, "WRITE")

Service = Locator.ConnectServer(computer); can take these parameters as well user, password)

Security = Service.Security_
Security.ImpersonationLevel = 3

Privs = Security.Privileges
Privs.AddAsString("SeSecurityPrivilege") ;this is VERY important if you want to dump security logs!

query = "Select * from Win32_NTLogEvent WHERE logfile='%log%'"

events = Service.ExecQuery(query)

hEnum = ObjectCollectionOpen(events)
counter = 0
While @true

event = ObjectCollectionNext(hEnum)

if event == 0 then 
message("", "the end")
break
endif
counter = counter + 1

source = event.sourceName
type = event.eventType
computer = event.computerName
time = ItemExtract(1,event.timewritten,".") ;or timegenerated?
eventid = event.eventcode
user = event.user
event_message = event.message
category = event.categorystring


Select type 

case 1 
type = "Error"
break

case 2 
type = "Warning"
break

case 3 
type = "Information"
break

case 4 
type = "Audit Success"
break

case 5 
type = "Audit Failure"

end select

if category == "" then category = "None"

if user == "" then user = "NA"


;format the time a little
year = StrSub(time, 1, 4)
month = StrSub(time, 5, 2)
day = StrSub(time, 7, 2)

hour = StrSub(time, 9, 2)
minute = StrSub(time, 11, 2)
second = StrSub(time, 13, 2)

time = StrCat(year,":", month, ":", day, ":", hour, ":", minute,":", second)

line = StrCat(category,", ",source, ", " , type, ", ", computer, ", ", time, ", ", eventid, ", ", user, ", ", event_message)

line = StrReplace(line, @crlf, "")

FileWrite(fhW,line)
FileWrite(fhw,"")
endwhile



;clean up
objectCollectionClose(hEnum)
objectClose(Security)
objectClose(Service)
objectClose(Locator)


FileWrite(fhW, "Events Dumped:%counter%")

FileClose(fhW)



exit 

---

Option 3:

Here's a link to a VBS script "Event Log Backup Solution...This script backs up and clears the events on remote machines, then moves the backed up EVT files back to the server that ran the script. End result is a daily folder containing all listed servers' event logs. Error checking, user notification of events, and event logging of errors and success are also included. A complete solution, for use in AD and NT domains."

http://cwashington.netreach.net/depo/view.asp?Index=690&ScriptType=vbscript

If you go to http://cwashington.netreach.net/main/default.asp?topic=news & put "eventlog" into the "QuickFIND" you'll get several other potentially interesting scripts.

Maybe they can be translated from VBS to winbatch or at least provide a different perspective/starting point.

---

Article ID:   W15981

File Created: 2014:07:18:09:51:38

Last Updated: 2014:07:18:09:51:38