Today someone told me "You can find if bibblebob happened by looking in the event viewer". I automate things so I went hunting for a CLI tool to accomplish this task. wevtutil is its name-o.
The query language for wevtutil is confusing. I recommend using the eventvwr.exe GUI to build a custom query, and then pass that query to wevtutil.
Here's an example of finding all the times DHCP started:
C:\Windows\System32>wevtutil qe System /rd:true /f:text /q:"*[System[(EventID=50036)]]" |more
Event[0]:
Log Name: System
Source: Microsoft-Windows-Dhcp-Client
Date: 2009-09-22T17:42:54.667
Event ID: 50036
Task: Service State Event
Level: Information
Opcode: ServiceStart
Keyword: N/A
User: S-1-5-19
User Name: NT AUTHORITY\LOCAL SERVICE
Computer: igordm1.redmond.corp.microsoft.com
Description:
DHCPv4 client service is started
Event[1]:
Log Name: System
Source: Microsoft-Windows-Dhcp-Client
Date: 2009-09-17T20:46:36.179
Event ID: 50036
Task: Service State Event
Level: Information
Opcode: ServiceStart
Keyword: N/A
User: S-1-5-19
User Name: NT AUTHORITY\LOCAL SERVICE
Computer: igordm1.redmond.corp.microsoft.com
Description:
DHCPv4 client service is started
Good Hunting!
0 comments:
Post a Comment