I need to parse the XP event viewer to track reboots.
I need to evaluate the event viewer in XP sp2 to find out when reboots occur.
I found the code (vbs) for parsing the event viewer and producing a flat file with the results.
What I don't know is how to determine if a reboot has occured.
I didn't say this was hard. I am not an administrator, nor do I play one on TV.
Thank you.
I found the code (vbs) for parsing the event viewer and producing a flat file with the results.
What I don't know is how to determine if a reboot has occured.
I didn't say this was hard. I am not an administrator, nor do I play one on TV.
Thank you.
Option Explicit
Dim strComputer, objWMIService, colEvents
Dim objFSO, objTS, objEvent
Dim sobj
Dim dtmStartDate
Dim dtmEndDate
Dim DateToCheck
Set objFSO = WScript.CreateObject("Scripting.FileSystemObject")
'create output file
Set objTS = objFSO.CreateTextFile("c:\bsod.csv",True)
Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
DateToCheck = Date - 1
dtmEndDate.SetVarDate Date, True
dtmStartDate.SetVarDate DateToCheck, True
'connect to WMI
strComputer = "IT1D620"
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where TimeWritten >= '" _
& dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'")
'run through SaveDump events found
'and write to output file
For each objEvent in colEvents
sobj = objEvent.Category&","&objEvent.ComputerName&","&objEvent.EventCode&","&objEvent.Message&"," _
&objEvent.RecordNumber&","&objEvent.SourceName&","&objEvent.TimeWritten&","&objEvent.Type&"," _
&objEvent.User
objTS.WriteLine(sobj)
Next
'finish
objTS.Close
MsgBox "Report written to c:\bsod.csv"
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
If you want to filter out all the "restarts" for the computer, simply right click the System Event Log, and filter out events ID 6009, that means OS name, start, in eventlog. Each one of these, is one computer boot, so if you have records from the last year for example, you have all the reboots documented.
Also you could use Event Comb tool to filter certain events with more features.
http://support.microsoft.com/kb/308471
thanks
Also you could use Event Comb tool to filter certain events with more features.
http://support.microsoft.com/kb/308471
thanks
Filter out events ID 6009, that means OS name, start, in eventlog. Each one of these, is when computer boots.
OR
To figure out when your PC was last rebooted, you can simply open up Event Viewer, head into the Windows Logs -> System log, and then filter by Event ID 6006, which indicates that the event log service was shut down—one of the last things that happens before a reboot. This technique won't help you figure out when there was a power outage, but you can filter by Event ID 6005 to see when the system was last turned on—that event shows when the event log service was started again.
Regards,
OR
To figure out when your PC was last rebooted, you can simply open up Event Viewer, head into the Windows Logs -> System log, and then filter by Event ID 6006, which indicates that the event log service was shut down—one of the last things that happens before a reboot. This technique won't help you figure out when there was a power outage, but you can filter by Event ID 6005 to see when the system was last turned on—that event shows when the event log service was started again.
Regards,
ASKER