Hello all,
I'm currently working on a program that I would be able to send to a customer with a single day's use. I've developed a formula based on the current date that returns a passcode, which would in turn be sent to the customer with the program (which will allow them access to a higher level on some specialized equipment for troubleshooting purposes). The next thing I'd like to do is add functionality to the program to prevent the customer from setting the date on their computer so that they can keep re-using the program. I've come up with a couple of ideas to prevent this, but I'm not sure how to implement them, or if AutoHotkey even has the capability to do so.
Method 1:
I would write to the registry when the program is run. After it starts, it would check the event log to see if the date on the current system had been changed within the past 24 hours. If it had, it would create another registry entry, and the program would not be allowed to run ever again with that date. This would allow the customer to get a new passcode from us on a future date for future troubleshooting. My primary question here is this: can AutoHotkey read from the Event Log in Windows, and search for a specific event ID (in Windows 7, a date and time change is event 4616, if I remember correctly)?
Method 2:
Simply use the Network Time Protocol and check the current time with Google or another atomic clock, and only allow the program to run if the date matches that. The question here is: can AutoHotkey use NTP to check the time? I would prefer not to use this method as I don't want to have to connect to an outside network.
Thanks in advance for the advice.
Search and Read From Windows Event Log
- Posts: 3
- Joined: 12 Jul 2017, 17:57
Re: Search and Read From Windows Event Log
... a date and time change is event 4616, if I remember correctly)?
https://www.ultimatewindowssecurity.com ... entID=4616
- JoeWinograd
- Posts: 2209
- Joined: 10 Feb 2014, 20:00
- Location: U.S. Central Time Zone
Re: Search and Read From Windows Event Log
I haven't tried this myself, but it looks promising:
Does anyone have any code for reading of Event Log entries?
Windows Event Log API examples / libs?
Regards, Joe
Re: Search and Read From Windows Event Log
I have an event logs example, but it's very slow. Is it slow for other people? It took around 33 seconds for me, and gave datestamps for roughly the last 2 months (31 May to 19 Jul). Cheers.
Code:
q:: ;event logs
;STATUS_SHUTDOWN_CLEAN := 1074
;WARNING_ISSE_SHUTDOWN_CANCELLED := 1075
vEventID := 1074
;vEventID := 1075
vOutput := ""
VarSetCapacity(vOutput, 1000000*2)
vTickCount1 := A_TickCount
oWMI := ComObjGet("winmgmts:")
oQueryEnum := oWMI.ExecQuery("Select * from Win32_NTLogEvent where EventCode=" vEventID)._NewEnum()
while oQueryEnum[oEvent]
    ;vOutput .= SubStr(oEvent.TimeGenerated, 1, 14) "`r`n"
    vOutput .= oEvent.TimeGenerated "`r`n"
oWMI := oQueryEnum := oEvent := ""
vTickCount2 := A_TickCount
Clipboard := vOutput
MsgBox, % "tick count (msec): " vTickCount2-vTickCount1
MsgBox, % vOutput
return
Last edited by jeeswg on 15 Sep 2017, 07:53, edited 2 times in total.
- JoeWinograd
- Posts: 2209
- Joined: 10 Feb 2014, 20:00
- Location: U.S. Central Time Zone
Re: Search and Read From Windows Event Log
Hi jeeswg,
First, nice code — works well! Takes about 28 seconds here. I compared the output with the output from NirSoft's MyEventViewer and they match. I think the reason that you're seeing date stamps for roughly the last two months is that they're the only 1074 entries in it. I get 54 of them here going back to February. But when I change vNum to 1066, it gets more than a thousand of them. And then I tested to make sure it's getting old entries — it is! It gets the last entries in the log (several years old). Thanks for the script! Regards, Joe
Re: Search and Read From Windows Event Log
@JoeWinograd: Cheers for the link:
Windows Event Log API examples / libs? - AutoHotkey Community
https://autohotkey.com/boards/viewtopic.php?f=5&t=9658
I've used this as a basis to rewrite my script using DllCall, although it's still very slow. I got 22 seconds.
I believe that the code at the link only retrieves information for one event, the most recent one.
NirSoft MyEventViewer was also very slow. I used it to find out that for SourceName I should specify 'System', for use with shutdown event 1074.
I revised both scripts to make it a fairer test, and got these results (in a stand-alone script):
tick count (msec): 35724 (WMI)
tick count (msec): 36036 (DllCall)
So that's the same duration.
I got these results when I appended the code to my main script:
tick count (msec): 32729 (WMI)
tick count (msec): 7145 (DllCall)
So maybe something is making it faster.
Code:
q:: ;event logs
;STATUS_SHUTDOWN_CLEAN := 1074
;WARNING_ISSE_SHUTDOWN_CANCELLED := 1075
vEventID := 1074
;vEventID := 1075
vOutput := ""
VarSetCapacity(vOutput, 1000000*2)
vTickCount1 := A_TickCount
vSourceName := "System"
if !(hEventLog := DllCall("advapi32\OpenEventLog", Str,"", Str,vSourceName, Ptr))
{
    MsgBox, % "error"
    return
}
Loop
{
    ;first call with a zero-length read to learn the size of the next record
    VarSetCapacity(EVENTLOGRECORD, 2, 0)
    ;EVENTLOG_BACKWARDS_READ := 0x8 ;EVENTLOG_SEQUENTIAL_READ := 0x1
    DllCall("advapi32\ReadEventLog", Ptr,hEventLog, UInt,0x9, UInt,0, Ptr,&EVENTLOGRECORD, UInt,0, UIntP,0, UIntP,vSize)
    ;second call reads that one record into a buffer of the reported size
    VarSetCapacity(EVENTLOGRECORD, vSize+1, 0)
    if !(DllCall("advapi32\ReadEventLog", Ptr,hEventLog, UInt,0x9, UInt,0, Ptr,&EVENTLOGRECORD, UInt,vSize, UIntP,0, UIntP,0))
        break
    vEventID2 := NumGet(EVENTLOGRECORD, 20, "UInt") & 0x7FFF ;EventID
    if !(vEventID2 = vEventID)
        continue
    vDate := NumGet(EVENTLOGRECORD, 12, "UInt") ;TimeGenerated (seconds since 1970, UTC)
    ;vDate := DateAdd(1970, vDate, "Seconds") ;AHK v2
    vDate2 := vDate
    vDate := 1970
    vDate += vDate2, Seconds
    vOutput .= vDate "`r`n"
}
;release the event log handle once all records have been read
DllCall("advapi32\CloseEventLog", Ptr,hEventLog)
vTickCount2 := A_TickCount
Clipboard := vOutput
MsgBox, % "tick count (msec): " vTickCount2-vTickCount1
MsgBox, % vOutput
return
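For the check described in Method 1 of the first post (event 4616 within the past 24 hours), the WMI query used in this thread can be restricted to a single log and a time window. This is an added AutoHotkey v1.1 example, not code posted by anyone in the thread; it assumes the script runs elevated and that time changes are recorded in the Security log as event 4616, and the function name RecentTimeChanges is introduced here for illustration.

```autohotkey
; Added example for AutoHotkey v1.1 (not code from the thread).
; Assumptions: the script runs elevated, and time changes are audited
; to the Security log as event 4616 (the ID given in the question).

aChanges := RecentTimeChanges(24)
if !IsObject(aChanges)
    MsgBox, % "Could not read the Security log (is the script elevated?)."
else if (aChanges.Length() = 0)
    MsgBox, % "No 4616 events in the last 24 hours."
else
{
    vOutput := ""
    for vIndex, oChange in aChanges
        vOutput .= oChange.Time "`r`n" oChange.Message "`r`n`r`n"
    ; Routine clock synchronisation can also log 4616, so review the
    ; message text before treating an entry as tampering.
    MsgBox, % aChanges.Length() " time-change event(s):`r`n`r`n" vOutput
}
return

RecentTimeChanges(vHours)
{
    ; Build the cutoff in UTC and format it as a WMI (DMTF) datetime.
    vCutoff := A_NowUTC
    vOffset := -vHours
    vCutoff += vOffset, Hours
    vQuery := "Select TimeGenerated, Message from Win32_NTLogEvent"
        . " where Logfile='Security' and EventCode=4616"
        . " and TimeGenerated >= '" vCutoff ".000000+000'"
    aChanges := []
    try
    {
        ; The (Security) privilege is needed to query the Security log.
        oWMI := ComObjGet("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")
        for oEvent in oWMI.ExecQuery(vQuery)
            aChanges.Push({Time: oEvent.TimeGenerated, Message: oEvent.Message})
    }
    catch
        return ""   ; access denied or WMI unavailable
    return aChanges
}
```

The cutoff is computed from the local clock, so the result is only as trustworthy as the current system time and the integrity of the Security log.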