Wednesday, September 30, 2009

Query the windows event logs via the command line

Today someone told me "You can find out if bibblebob happened by looking in the event viewer". I automate things, so I went hunting for a CLI tool to accomplish this task. wevtutil is its name-o. The query language for wevtutil is confusing. I recommend using the eventvwr.exe GUI to build a custom query, and then passing that query to wevtutil. Here's an example of finding all the times DHCP started:

    C:\Windows\System32>wevtutil qe System /rd:true /f:text /q:"*[System[(EventID=50036)]]" |more
    Event[0]:
      Log Name: System
      Source: Microsoft-Windows-Dhcp-Client
      Date: 2009-09-22T17:42:54.667
      Event ID:...

Friday, September 25, 2009

Use cdb to see what files your application is opening.

In this post I'll show you how to use CDB to intercept CreateFile and see what files your application is opening. For this problem, Process Monitor is often a better tool, but the techniques I demonstrate work for any API, so you should learn them. This won't take much time, so if you've never done this before I recommend you follow along.

First, load CDB against cmd:

    C:\Program Files\Debugging Tools for Windows (x64)>cdb.exe cmd.exe
    Microsoft (R) Windows Debugger Version 6.12.0000.526 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.

    CommandLine: cmd.exe
    Symbol search...

Tuesday, September 8, 2009

Copying files across parallel directory structures.

It happens to all of us: you've made a change in branch2, and now you need to copy it to branch1. Here's a trick I use to accomplish this task:

    C:\src\branch1\mydir\mydir2\mydir3\mydir4>xcopy %cd:branch1=branch2%\foo*
    Overwrite C:\src\branch1\mydir\mydir2\mydir3\mydir4\foo.txt (Yes/No/All)? y
    C:\src\branch2\mydir\mydir2\mydir3\mydir4\foo.txt
    1 File(s) copied

How'd that work? Use echo to find out what happened:

    C:\src\branch1\mydir\mydir2\mydir3\mydir4>echo %cd:branch1=branch2%
    C:\src\branch2\mydir\mydir2\mydir3\mydir4

For more information run help s...
