Главная » Linux

Windows event log task category

Содержание
  1. Event Logging (Windows Installer)
  2. WMI Tasks: Event Logs
  3. How to display String name of task category in event log using Write-EventLog?
  4. 2 Answers 2
  5. Windows Event Logs: Task Category
  6. 2 Answers 2
  7. Windows event log task category
  8. Answered by:
  9. Question
  10. Answers
  11. All replies

Event Logging (Windows Installer)

Windows Events provides a standard, centralized way for applications (and the operating system) to record important software and hardware events. The event-logging service stores events from various sources in a single collection called an event log. Prior to WindowsВ Vista, you would use either Event Tracing for Windows (ETW) or Event Logging to log events. WindowsВ Vista introduced a new eventing model that unifies both ETW and the Windows Event Log API.

The installer also writes entries into the event log. These record events such as following:

  • Success or failure of the installation; removal or repair of a product.
  • Errors that occur during product configuration.
  • Detection of corrupted configuration data.

If a large amount of information is written, the Event Log file can become full and the installer displays the message, «The Application log file is full.»

The installer may write the following entries in the event log. All event log messages have a unique event ID. All general errors authored in the Error table that are returned for an installation that fails are logged in the Application Event Log with a message ID equal to the Error + 10,000. For example, the error number in the Error table for an installation completed successfully is 1707. The successful installation is logged in the Application Event Log with a message ID of 11707 (1707 + 10,000).

For information about how to enable verbose logging on a user’s computer when troubleshooting deployment, see Windows Installer Best Practices.

WMI Tasks: Event Logs

WMI tasks for event logs obtain event data from event log files and perform operations like backing up or clearing log files. For other examples, see the TechNet ScriptCenter at https://www.microsoft.com/technet.

The script examples shown in this topic obtain data only from the local computer. For more information about how to use the script to obtain data from remote computers, see Connecting to WMI on a Remote Computer.

The following procedure describes how to run a script.

To run a script

  1. Copy the code and save it in a file with a .vbs extension, such as filename.vbs. Ensure that your text editor does not add a .txt extension to the file.
  2. Open a command prompt window and navigate to the directory where you saved the file.
  3. Type cscript filename.vbs at the command prompt.
  4. If you cannot access an event log, check to see if you are running from an Elevated command prompt. Some Event Log, such as the Security Event Log, may be protected by User Access Controls (UAC).
Читайте также:  What is damn vulnerable linux

By default, cscript displays the output of a script in the command prompt window. Because WMI scripts can produce large amounts of output, you might want to redirect the output to a file. Type cscript filename.vbs > outfile.txt at the command prompt to redirect the output of the filename.vbs script to outfile.txt.

The following table lists script examples that can be used to obtain various types of data from the local computer.

Use the Win32_NTEventlogFile class and the BackupEventLog method. You may need to include the Backup privilege when connecting to WMI. For more information, see Executing Privileged Operations Using VBScript.

How do I. WMI classes or methods
. retrieve information about the Security event log? Include the Security privilege when connecting to the Win32_NTEventlogFile class. For more information, see Executing Privileged Operations Using VBScript.
VB
PowerShell
. back up an event log?
. back up an event log more than once?

Ensure that the backup file has a unique name before using the Win32_NTEventlogFile and the BackupEventLog method. The operating system does not allow you to overwrite an existing backup file; you must either move the backup file or rename it before you can run the script again. You may need to include the Backup privilege when connecting to WMI. For more information, see Executing Privileged Operations Using VBScript.
. determine the number of records in an event log?

Use the Win32_NTEventlogFile class and check the value of the NumberOfRecords property.

How to display String name of task category in event log using Write-EventLog?

So, I am attempting to write to the Windows Event Log using Write-EventLog . I’ve compiled a CategoryMessageFile .dll and have registered it in the registry.

My script writes to the event log for the most part, but the problem is that the event doesn’t display the category name; it displays the category message id enumerated in the dll.

I know the mapping is correct because when I run

The correct Category name shows up under Category for the events I had just written to the log.

Here is what my mc file looked like.

So, how do I get the name to display instead of the number in the event log?

2 Answers 2

You’re probably looking for it in the Application or System log event and the first command you ran created a log named TEST1.

DESCRIPTION This cmdlet creates a new classic event log on a local or remote computer. It can also register an event source that writes to the new log or to an existing log.

Try adding the machine’s Authenticated Users or Users group to the message folder’s security level. Keep the default permissions. Then either reboot or try to restart the EventLog service.

At an administrator command prompt: net stop eventlog

You will likely be prompted to shutdown other services. You must enter Y to continue. The services being shutdown will normally restart on their own so you just need to wait a few seconds. The eventlog service may fail to shutdown because another service has restarted, it may take a couple of tries to get everything down. Watch the resulting text closely for status.

Windows Event Logs: Task Category

I have been scouring the internet for a formal definition of this piece of the Windows Event Logs. How is the category determined? Is there a set of standard values for this field? Can an application create its own Task Category?

2 Answers 2

Looking into .NET’s EventLog and EventLogEntry classes should give you a clue, especially the latter’s Category property:

Each application (event source) can define its own numbered categories and the text strings to which they are mapped. The Event Viewer can use the category to filter events in the log.

Additionally, as the page on Event Categories states:

Categories help you organize events so Event Viewer can filter them. Each event source can define its own numbered categories and the text strings to which they are mapped.

The page shows you how your app (which would be the Event Source) can define its own Event Categories. You can get some useful tips about getting that example to work on Win7 and Server 2008 R2 here. This Dr. Dobb’s article about Customizing Event Log Categories might also be useful. I’m sure there are many more tutorials available, and if you need help with the code Stack Overflow would be the place to turn to.

Note: AFAIK there’s no set of standard values for this field, since an app can use its own custom strings. Of course if you want to use the ones Windows itself uses, I’m sure they must be defined in some resource/header/message file somewhere.

Windows event log task category

This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Answered by:

Question

Environment

I am trying to read the ‘ Microsoft-Windows-TaskScheduler/Operational’ event logs to determine the completion status of a scheduled task.

I have simplified the scheduled task down to

The Task Scheduler UI shows that the ‘Last Run Result’ was ‘0x8007003F’ (as expected)

However the ‘ Microsoft-Windows-TaskScheduler/Operational’ event logs does not contain any reference to the exit code of 63.

What am I missing??

Where did the UI get the ‘0x8007003F’ from?

The ‘ Microsoft-Windows-TaskScheduler/Operational’ event logs show..

Log Name: Microsoft-Windows-TaskScheduler/Operational

Date: 02/12/2014 10:45:15 AM

Task Category: Action completed

Task Scheduler successfully completed task «\JCtest1» , instance «» , action «C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE» with return code 0.

Log Name: Microsoft-Windows-TaskScheduler/Operational

Date: 02/12/2014 10:45:15 AM

Task Category: Task completed

Task Scheduler successfully finished «» instance of the «\JCtest1» task for user «FRED\JOE».

Answers

Anna, thanks for the suggestion, but this would be a little tedious when checking 100+ tasks every 10 minutes!

The eventlog looked like the ideal solution.

What I have done is added code into our common wrapper to maintain a SQL table containing the ‘real’ return code (with a key of TaskInstanceID). I then join this with the extracted Task scheduler events to supplement the missing info.

All replies

I tested your code in task scheduler with the same result as your description, the last result represent Code that indicates the result of the last run.

Because you changed the exitcode in powershell script, so the last result display System Error code 63:
ERROR_PRINT_CANCELLED63 (0x3F)
Your file waiting to be printed was deleted.

If Task Scheduler successfully launches the task and the launched program exits, then from the point of view of the Task Scheduler it was a success as event id 201.

A similar discussion is for your reference:

If there is anything else regarding this issue, please feel free to post back.

If you have any feedback on our support, please click here.

TechNet Community Support

The subject of this thread is «Microsoft-Windows-TaskScheduler/Operational event log does not contain ‘Last Run Result'». Any discussion on the reasons why the 201 record contains zero is irrelevant. From where I am standing the Task Scheduler event log should contain this information so that I can get it when reading the event log (Just as I can see it visually via the UI.

Where does the UI get the information from anyway?

The scheduled task related event logs can also be found in the history of this task, the task category include «Task Started», «Action Started», «Task triggered by user»,»Action completed» and «Task completed».

The task running result should be shown in «Action completed» and «Task completed», the event 201 show in «Action completed», the return code is usually used to judge if the task execute successfully, so I provide the last reply.

However, based on my research, I haven’t found anything in event log indicate the script result as ‘Last Run Result’.

In summary: The last result represent Code that indicates the result of the last run, and Event log show us if the task launches successfully regardless of the program result.

If there is anything else regarding this issue, please feel free to post back.

If you have any feedback on our support, please click here.

Читайте также:  Драйвер usb для windows sp3
Оцените статью
© 2024 Советы по настройке компьютера