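WQL statement to check an application's event log
I want to analyze the event log of a particular Windows application (Windows 7 Enterprise, 64-bit).
I need one particular event that was logged a few seconds earlier.
This is my VBScript code, which produces completely wrong results (wrong number of events):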
strComputer = "." ' This computer
' Retrieving Specific Events from an Event Log
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Const CONVERT_TO_LOCAL_TIME = True
Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
dtmStartDate.SetVarDate dateadd("s", -10, now()) ' CONVERT_TO_LOCAL_TIME
dtmEndDate.SetVarDate now() ' CONVERT_TO_LOCAL_TIME
dim var_wql
var_wql = "SELECT * FROM Win32_NTLogEvent WHERE Logfile = '< ... >' AND SourceName = '< ... >' AND EventCode = '< ... >' AND (TimeWritten >= '" & dtmStartDate & "') AND (TimeWritten < '" & dtmEndDate & "')"
Set colLoggedEvents = objWMIService.ExecQuery(var_wql)
...
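The number of rows (anzahl = colLoggedEvents.count) must be 0 or 1; anything else is impossible.
What is wrong with the WQL statement? I want to check the last few seconds (counting back from now).
Thanks.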
Tommy