Search and Read From Windows Event Log

[deltran552]

Hello all,

I'm currently working on a program that I would be able to send to a customer with a single day's use. I've developed a formula based on the current date that returns a passcode, which would in turn be sent to the customer with the program (which will allow them access to a higher level on some specialized equipment for troubleshooting purposes). The next thing I'd like to do is add functionality to the program to prevent the customer from setting the date on their computer so that they can keep re-using the program. I've come up with a couple of ideas to prevent this, but I'm not sure how to implement them, or if Auto Hot Key even has the capability to do so.

Method 1:
I would write to the registry when the program is run. After it starts - it would check the event log to see if the date on the current system had been changed within the past 24 hours. If it had, it would create another registry entry, and the program would not be allowed to run ever again with that date. This would allow the customer to get a new passcode from us in a future date for future troubleshooting. My primary question here is this: can Auto Hot Key read from the Event Log in Windows, and search for a specific event ID (in Windows 7, a date and time change is event 4616, if I remember correctly)?

Method 2:
Simply use the network time protocol and check the current time with Google or another atomic clock, and only allow the program to run if the date matches that. The question here is: can Auto Hot Key use the NTP to check the time? I would prefer not to use this method as I don't want to have to connect to an outside network.

Thanks in advance for the advice.

[BoBo]

... a date and time change is event 4616, if I remember correctly)?

https://www.ultimatewindowssecurity.com ... entID=4616

[JoeWinograd]

Does anyone have any code for reading of Event Log entries?

I haven't tried this myself, but it looks promising:
Windows Event Log API examples / libs?
Regards, Joe

[jeeswg]

I have an event logs example, but it's very slow. Is it slow for other people? It took around 33 seconds for me, and gave datestamps for roughly the last 2 months (31 May to 19 Jul). Cheers.

Code: Select all

q:: ;event logs
;STATUS_SHUTDOWN_CLEAN := 1074
;WARNING_ISSE_SHUTDOWN_CANCELLED := 1075
vEventID := 1074
;vEventID := 1075
vOutput := ""
VarSetCapacity(vOutput, 1000000*2)

vTickCount1 := A_TickCount
oWMI := ComObjGet("winmgmts:")
oQueryEnum := oWMI.ExecQuery("Select * from Win32_NTLogEvent where EventCode=" vEventID)._NewEnum()
while oQueryEnum[oEvent]
	;vOutput .= SubStr(oEvent.TimeGenerated, 1, 14) "`r`n"
	vOutput .= oEvent.TimeGenerated "`r`n"
oWMI := oQueryEnum := oEvent := ""
vTickCount2 := A_TickCount
Clipboard := vOutput
MsgBox, % "tick count (msec): " vTickCount2-vTickCount1
MsgBox, % vOutput
return

[JoeWinograd]

Hi jeeswg,
First, nice code — works well! Takes about 28 seconds here. I compared the output with the output from NirSoft's MyEventViewer and they match. I think the reason that you're seeing date stamps for roughly the last two months is that they're the only 1074 entries in it. I get 54 of them here going back to February. But when I change vNum to 1066, it gets more than a thousand of them. And then I tested to make sure it's getting old entries — it is! It gets the last entries in the log (several years old). Thanks for the script! Regards, Joe

[jeeswg]

@JoeWinograd: Cheers for the link:
Windows Event Log API examples / libs? - AutoHotkey Community
https://autohotkey.com/boards/viewtopic.php?f=5&t=9658

I've used this as a basis to rewrite my script using DllCall, although it's still very slow. I got 22 seconds.

I believe that the code at the link only retrieves information for one event, the most recent one.

NirSoft MyEventViewer was also very slow. I used it to find out that for SourceName I should specify 'System', for use with shutdown event 1074.

Code: Select all

q:: ;event logs
;STATUS_SHUTDOWN_CLEAN := 1074
;WARNING_ISSE_SHUTDOWN_CANCELLED := 1075
vEventID := 1074
;vEventID := 1075
vOutput := ""
VarSetCapacity(vOutput, 1000000*2)

vTickCount1 := A_TickCount
vSourceName := "System"
if !(hEventLog := DllCall("advapi32\OpenEventLog", Str,"", Str,vSourceName, Ptr))
{
	MsgBox, % "error"
	return
}

Loop
{
	VarSetCapacity(EVENTLOGRECORD, 2, 0)
	;EVENTLOG_BACKWARDS_READ := 0x8 ;EVENTLOG_SEQUENTIAL_READ := 0x1
	DllCall("advapi32\ReadEventLog", Ptr,hEventLog, UInt,0x9, UInt,0, Ptr,&EVENTLOGRECORD, UInt,0, UIntP,0, UIntP,vSize)
	VarSetCapacity(EVENTLOGRECORD, vSize+1, 0)
	if !(DllCall("advapi32\ReadEventLog", Ptr,hEventLog, UInt,0x9, UInt,0, Ptr,&EVENTLOGRECORD, UInt,vSize, UIntP,0, UIntP,0))
		break

	vEventID2 := NumGet(EVENTLOGRECORD, 20, "UInt") & 0x7FFF ;EventID
	if !(vEventID2 = vEventID)
		continue
	vDate := NumGet(EVENTLOGRECORD, 12, "UInt") ;TimeGenerated
	;vDate := DateAdd(1970, vDate, "Seconds") ;AHK v2
	vDate2 := vDate
	vDate := 1970
	vDate += vDate2, Seconds
	vOutput .= vDate "`r`n"
}
vTickCount2 := A_TickCount
Clipboard := vOutput
MsgBox, % "tick count (msec): " vTickCount2-vTickCount1
MsgBox, % vOutput
return

I revised both scripts to make it a fairer test, and got these results (in a stand-alone script):
tick count (msec): 35724 (WMI)
tick count (msec): 36036 (DllCall)
So that's the same duration.

I got these results when I appended the code to my main script:
tick count (msec): 32729 (WMI)
tick count (msec): 7145 (DllCall)
So maybe something is making it faster.