mhammond / pywin32

Python for Windows (pywin32) Extensions

win32evtlog.OpenEventLog cannot open log under "Applications and Services Logs" #676

Status: Open. ghost opened this issue 10 years ago

ghost commented 10 years ago

I tried a lot of different ways to open one of the log files listed under "Applications and Services Logs" in the Eventlog of Windows 7/2008 R2. Accessing these logs always resulted in an opened "Application" log which has in my case 9635 entries.

File: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx

Example code:

```python
import win32evtlog

# Asking for the TaskScheduler channel by name, but the handle that comes back
# refers to the classic "Application" log (9635 records at the time of writing)
hand = win32evtlog.OpenEventLog(None, "Microsoft-Windows-TaskScheduler/Operational")
print(win32evtlog.GetNumberOfEventLogRecords(hand))  # prints 9635
```

Reported by: neo23x0

Original Ticket: pywin32/bugs/676

ghost commented 10 years ago

Found some hints here:

http://social.msdn.microsoft.com/Forums/en-US/882df3d5-9a9b-437b-a6ab-e09873ce6ece/cant-access-event-log-for-tasks?forum=csharplanguage

Original comment by: neo23x0

ghost commented 10 years ago

Found a workaround (that sucks, as you have to edit the registry to make it work). I tried it and it worked. Is it possible to adapt the "OpenEventLog" Function to assume that this registry key exists and simply access the log?

https://support.zoho.com/portal/manageengine/helpcenter/articles/monitoring-the-custom-eventlog-in-opmanager

Original comment by: neo23x0

ghost commented 10 years ago

You can access the Application and Services logs using the newer Evt* functions introduced with Vista.

Original comment by: rupole

ghost commented 10 years ago

When I try this the Python process crashes.

I use the current Python 2.7.7 32-bit on Windows 7 x64, pywin32 build 219, running the script with Administrator rights.

Code:

```python
import win32evtlog

logtype = "Microsoft-Windows-Windows Defender/Operational"
# Open the channel with the newer Evt* API (flag 1 = EvtOpenChannelPath) ...
hand = win32evtlog.EvtOpenLog(logtype, 1, None)
# ... and then pass that handle to the legacy API: this is where the process crashes
total = win32evtlog.GetNumberOfEventLogRecords(hand)
```

Screenshot of the crash: http://s7.directupload.net/images/140814/828p7ak6.png

Original comment by: neo23x0

ghost commented 10 years ago

Handles aren't portable between the older event log functions and the newer Evt* functions. To get the number of events in the log, try `win32evtlog.EvtGetLogInfo(h, win32evtlog.EvtLogNumberOfLogRecords)`.

Original comment by: rupole

ghost commented 10 years ago

Ahh - thank you. Now I see. I cannot close this ticket but I consider it closed.

Original comment by: neo23x0

ghost commented 10 years ago

No wait. Running this on Windows 2003 completely crashes the Python process. I can't handle this with a try/catch statement:

```python
hand = win32evtlog.EvtOpenLog(logtype, 1, None)
```

Original comment by: neo23x0

dashingsuma commented 4 years ago

I need to do this on Windows 10. What's the solution? Is the thread closed?

harrihaven2 commented 4 years ago

> I need to do this on Windows 10. What's the solution? Is the thread closed?

The solution with the newer Evt* functions is to

  1. Use EvtQuery to get an event handle iterable and then
  2. Use EvtNext with the handle to get an event tuple and then
  3. Use EvtRender on a single event in the tuple to view all that event's data in XML.

Source: https://mail.python.org/pipermail/python-win32/2012-May/012292.html
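The three steps above (and the EvtGetLogInfo record count from the earlier reply) put together as one added example, which is not code from this thread or from pywin32 itself. It assumes Windows Vista or later with pywin32 installed; the channel name defaults and the EventID used in the XPath comment are illustrative, and the sample XML at the bottom is constructed to mirror the shape EvtRender returns so the parser can be exercised without a live event log.

```python
"""Read a channel under "Applications and Services Logs" with the Evt* API.

Added example, not pywin32's own code. Requires Windows Vista+ and pywin32;
the Evt* functions do not exist on Windows 2003 (hence the crash reported above).
"""
import xml.etree.ElementTree as ET

try:
    import win32evtlog  # pywin32; only importable on Windows
except ImportError:     # let the pure-Python parsing below run elsewhere
    win32evtlog = None

# Namespace that EvtRender puts on the <Event> element
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_event_xml(xml_text):
    """Flatten the XML from EvtRender(h, EvtRenderEventXml) into a dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVT_NS)
    event = {
        "provider": system.find("e:Provider", EVT_NS).get("Name"),
        "event_id": int(system.findtext("e:EventID", namespaces=EVT_NS)),
        "record_id": int(system.findtext("e:EventRecordID", namespaces=EVT_NS)),
        "time_created": system.find("e:TimeCreated", EVT_NS).get("SystemTime"),
        "channel": system.findtext("e:Channel", namespaces=EVT_NS),
        "computer": system.findtext("e:Computer", namespaces=EVT_NS),
        "data": {},
    }
    # <EventData><Data Name="...">value</Data>...</EventData>
    for data in root.iterfind("e:EventData/e:Data", EVT_NS):
        event["data"][data.get("Name")] = data.text
    return event


def count_records(channel):
    """Record count through the Evt* API. Never hand an EvtOpenLog handle to the
    legacy GetNumberOfEventLogRecords: the handles are not interchangeable and
    the process crashes instead of raising."""
    log = win32evtlog.EvtOpenLog(channel, win32evtlog.EvtOpenChannelPath)
    return win32evtlog.EvtGetLogInfo(log, win32evtlog.EvtLogNumberOfLogRecords)


def iter_events(channel, xpath="*", batch=50):
    """Yield parsed events from `channel`, newest first.

    `xpath` is evaluated by the event log service, so filter there rather than
    in Python, e.g. "*[System[EventID=106]]" (illustrative ID; 106 is "task
    registered" on the Task Scheduler channel)."""
    flags = win32evtlog.EvtQueryChannelPath | win32evtlog.EvtQueryReverseDirection
    query = win32evtlog.EvtQuery(channel, flags, xpath)       # step 1
    while True:
        handles = win32evtlog.EvtNext(query, batch)           # step 2
        if not handles:                                       # empty tuple: done
            break
        for h in handles:
            xml = win32evtlog.EvtRender(h, win32evtlog.EvtRenderEventXml)  # step 3
            yield parse_event_xml(xml)


# Constructed sample (not captured from a real host) in the layout EvtRender emits.
SAMPLE_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TaskScheduler"/>
    <EventID>106</EventID>
    <TimeCreated SystemTime="2014-08-14T10:00:00.000000000Z"/>
    <EventRecordID>4711</EventRecordID>
    <Channel>Microsoft-Windows-TaskScheduler/Operational</Channel>
    <Computer>host.example.invalid</Computer>
  </System>
  <EventData>
    <Data Name="TaskName">\\Backup</Data>
    <Data Name="UserContext">EXAMPLE\\alice</Data>
  </EventData>
</Event>"""


if __name__ == "__main__":
    channel = "Microsoft-Windows-TaskScheduler/Operational"
    print(channel, "has", count_records(channel), "records")
    for ev in iter_events(channel, "*[System[EventID=106]]", batch=10):
        print(ev["time_created"], ev["event_id"], ev["data"].get("TaskName"))
```

The query flags select a channel by name (not an .evtx file path) and walk it newest first; swap `EvtQueryReverseDirection` for `EvtQueryForwardDirection` to read oldest first. Rendering to XML and parsing it keeps the code independent of the per-provider event schema, so the same loop works for the Windows Defender channel mentioned earlier by changing only the channel string.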

bbrendon commented 3 years ago

Found this. https://stackoverflow.com/questions/62173180/open-specific-event-logs-using-win32evtlog-python