First published on TECHNET on Oct 12, 2007
Here on the Performance Team, we recently had a discussion about the pains associated with viewing exported Event Log (.evt) files from Windows XP and Windows Server 2003 on a Windows Vista machine. In order to increase the usability of these files within the Windows Vista Event Viewer, the best thing to do is convert them to the new Event Log file format - .evtx. Of course, if you open up a .evt file on a Windows Vista machine, you are presented with the following banner message at the top of the window as well as the option to navigate from one page through the next instead of being able to scroll down through all the events at once:
Most of us routinely ignore these messages and carry on viewing the file. However, there are a couple of ways to convert the file to a .evtx file for greater benefit:
Option 1: Let the Event Viewer MMC do the conversion for you:
Right Click on the Saved Log and Select "Save Events As ..." as shown below.
Once you choose the folder to save the file in and provide the filename, the MMC does the conversion for you. One caveat here, this process may take quite a while if you have very large Event Log files!
Option 2: Use WEVTUTIL to perform the conversion:
You can use the Windows Events Command Line Utility (WEVTUTIL.EXE) to perform the conversion. This utility is very powerful when manipulating Event Log files. You can retrieve information about event logs and publishers, install and uninstall event manifests, export logs and more. For our purposes though we are going to use the utility to convert our log file. The syntax is as follows:
wevtutil export-log <sourcelogfile>.evt <targetlogfile>.evtx /lf
. The example below demonstrates a conversion of the AppLog-XP.evt file that I saved from my Windows XP test machine into .evtx format. With larger log files using this utility is quicker than having the MMC export and save the file.
Option 3: Use a script file to add a context menu handler for .evt files:
You can automate the process a bit more by using a script to add a context menu handler for .evt files. The sample VBScript below adds a “Convert to .EVTX” option to the right-click context menu for .evt files. The script will convert the file, then automatically open the converted file in the Vista event viewer. You can change this behavior by changing the AUTO_OPEN_EVTX constant to false. This will prompt you to open the file with a Yes or No prompt in case you just want to convert the file, then copy it somewhere.
**** SCRIPT DISCLAIMER****
|
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business
profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages
|
'==========================================================================
'
' NAME: ConvertEVTtoEVTX.vbs
'
' AUTHOR: Steve Paruszkiewicz, Microsoft
' DATE : 10/04/2007
'
' COMMENT: Adds "Convert to .EVTX" to the shell context menu for .evt files
' calls wevtutil to convert evt file for use on Vista/Longhorn
' then opens the converted .evtx file in event viewer
'
' If you would later like to remove the Convert to .EVTX context
' menu option you can delete the following registry key
' "HKEY_CLASSES_ROOT\evtfile\shell\Convert to .EVTX\"
'==========================================================================
Option Explicit
Const LAST_MODIFIED = "10/11/2007"
Const AUTO_OPEN_EVTX = True
'Set this to False if you want to be prompted to open the converted file instead of opening autmatically
'On Error Resume Next
CheckReg()
'Check to see if script is already registered - NEEDS ADMIN TOKEN ON VISTA
If WScript.Arguments.Count < 1 Then ExitScript("** No File Argument Specified **" & VbCrLf & _
"Script Exiting..." & VbCrLf & VbCrLf & "Convert to .EVTX has been added to the context menu")
Dim strInputFile : strInputFile = WScript.Arguments(0)
ConvertEvtToEVTx(strInputFile)
'************************ Subs and Functions ****************************
Sub ConvertEvtToEVTx(strFileName)
Dim Shell : Set Shell = CreateObject("Wscript.Shell")
Dim FSO : Set FSO = CreateObject("Scripting.FileSystemObject")
Dim strCommand, ret, shortname
If Not(FSO.FileExists(strFileName & "x")) Then
strCommand = "wevtutil export-log """ & strFileName & """ """ & strFileName & "x"" /lf"
WScript.Echo "Converting " & strFileName & " to .EVTX file"
Shell.Run strCommand,0,True
Else
shortname = Right(strFileName,Len(strFileName)-InStrRev(strFilename,"\"))
ret = MsgBox ("The file: " & shortname & "x" & VbCrLf & VbCrLf & "Already Exists." & VbCrLf & _
"Would you like to overwrite it?",vbYesNo+vbInformation,"File exists")
If ret = vbYes Then
strCommand = "wevtutil export-log """ & strFileName & """ """ & strFileName & "x"" /lf /ow:true"
WScript.Echo "Converting " & strFileName & " to .EVTX file"
Shell.Run strCommand,0,True
Else
WScript.Echo "File already exists: Skipping conversion."
End If
End If
WScript.Echo "WEvtUtil Command Done."
If AUTO_OPEN_EVTX Then
If fso.FileExists(strFileName & "x") Then
Shell.Run "eventvwr.exe /l:""" & strFileName & "x"""
Else
MsgBox "The EVTX file: " & strFileName & VbCrLf & VbCrLf & "Could not be created. " & VbCrLf & _
" Please check drive space and permissions on the target folder." & VbCrLf & VbCrLf & "Script Exiting..." _
,vbOKOnly+vbExclamation,"Error"
WScript.Quit
End If
Else
ret = MsgBox ("Would you like to open the .EVTX file now?",vbYesNo+vbInformation,"Conversion complete.")
If ret = vbYes then
If fso.FileExists(strFileName & "x") Then
Shell.Run "eventvwr.exe /l:""" & strFileName & "x"""
Else
MsgBox "The EVTX file: " & strFileName & VbCrLf & VbCrLf & "Could not be created. " & VbCrLf & _
" Please check drive space and permissions on the target folder." & VbCrLf & VbCrLf & "Script Exiting..." _
,vbOKOnly+vbExclamation,"Error"
WScript.Quit
End If
Shell.Run "eventvwr.exe /l:""" & strFileName & "x"""
Else
WScript.Quit
End If
End If
End Sub
'*** Checks to see if script has already registered right-click menu entries
Function CheckReg()
On Error Resume next
Dim retval, Shell : Set Shell = CreateObject("WScript.Shell")
retval = Shell.RegRead("HKEY_CLASSES_ROOT\evtfile\shell\Convert to .EVTX\command\")
If Err.Number <> 0 Then
'WScript.Echo Err.Description & " " & Err.Number
Err.Clear
AddSelfToReg()
'adds ability to run from context menu
End If
End Function
Sub AddSelfToReg()
ElevateThisScript()
On Error Resume Next
Dim strCommand, Shell
Set Shell = CreateObject("WScript.Shell")
If IsWin64bit() Then
'Use 32-bit wscript.exe to overcome problems creating excel.application object when passing in a file on x64
strCommand = Shell.ExpandEnvironmentStrings("%systemroot%") & "\SysWOW64\cscript.exe """ & _
WScript.ScriptFullName & """ ""%1"""
Else
strCommand = Shell.ExpandEnvironmentStrings("%systemroot%") & "\System32\cscript.exe """ & _
WScript.ScriptFullName & """ ""%1"""
End If
Shell.RegWrite "HKEY_CLASSES_ROOT\evtfile\shell\Convert to .EVTX\command\",strCommand,"REG_SZ"
If Err.Number <> 0 Then
ExitScript("Unable to write to HKEY_CLASSES_ROOT " & VbCrLf & _
"This Script may need to be run with a full administrative token once to register context menu entries.")
End If
End Sub
Function IsWin64bit()
On Error Resume Next
Dim fso : Set fso = CreateObject("Scripting.FileSystemObject")
Dim shell : Set shell = CreateObject("wscript.shell")
Dim Windir : Windir = shell.ExpandEnvironmentStrings("%SYSTEMROOT%")
If fso.FolderExists(Windir & "\SysWOW64") Then
IsWin64bit = True
Else
IsWin64bit = False
End If
End Function
Sub ExitScript(ByVal MSG)
Msg = Msg & VbCrLf
Msg = Msg & "_______________________________________________________" & vbCrLf
Msg = Msg & "VBS script created by Steve Paruszkiewicz. Last modified on: " & LAST_MODIFIED & vbCrLf & VbCrLf
DisplayMsg(Msg)
wscript.quit
End Sub
Sub DisplayMsg(Msg)
On error resume Next
Msgbox Msg
End Sub
'*********************************************************************************
' Subroutine: ElevateThisScript()
'
' Author: Steve Paruszkiewicz, Microsoft
' Last Modified: August 2, 2007
'
' Purpose: (Intended for Vista and Windows Server 2008)
' Forces the currently running script to prompt for UAC elevation if it detects
' that the current user credentials do not have administrative priviliges
'
' If run on Windows XP this script will cause the RunAs dialog to appear if the user
' does not have administrative rights, giving the opportunity to run as an administrator
'
' This Sub Attempts to call the script with its original arguments. Arguments that contain a space
' will be wrapped in double quotes when the script calls itself again.
'
' Usage: Add a call to this sub (ElevateThisScript) to the beginning of your script to ensure
' that the script gets an administrative token
'**********************************************************************************
Sub ElevateThisScript()
Const HKEY_CLASSES_ROOT = &H80000000
Const HKEY_CURRENT_USER = &H80000001
Const HKEY_LOCAL_MACHINE = &H80000002
Const HKEY_USERS = &H80000003
const KEY_QUERY_VALUE = 1
Const KEY_SET_VALUE = 2
Dim scriptEngine, engineFolder, argString, arg, Args, scriptCommand, HasRequiredRegAccess
Dim objShellApp : Set objShellApp = CreateObject("Shell.Application")
scriptEngine = Ucase(Mid(Wscript.FullName,InstrRev(Wscript.FullName,"\")+1))
engineFolder = Left(Wscript.FullName,InstrRev(Wscript.FullName,"\"))
argString = ""
Set Args = Wscript.Arguments
For each arg in Args 'loop though argument array as a collection to rebuild argument string
If instr(arg," ") > 0 Then arg = """" & arg & """" 'if the argument contains a space wrap it in double quotes
argString = argString & " " & Arg
Next
scriptCommand = engineFolder & scriptEngine
Dim strComputer : strComputer = "."
Dim objReg, bHasAccessRight
Set objReg=GetObject("winmgmts:"_
& "{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")
'Check for administrative registry access rights
objReg.CheckAccess HKEY_LOCAL_MACHINE, "System\CurrentControlSet\Control\CrashControl", _
KEY_SET_VALUE, bHasAccessRight
If bHasAccessRight = True Then
HasRequiredRegAccess = True
Exit Sub
Else
HasRequiredRegAccess = False
objShellApp.ShellExecute scriptCommand, " """ & Wscript.ScriptFullName & """" & argString, "", "runas"
WScript.Quit
End If
End Sub
Once you have the script installed, right click on a .EVT file and you should have the option to convert the file to .EVTX format as shown below:
And that wraps up this post. Hopefully you find this information useful and if you have any feedback, please let us know!
- Steve Paruszkiewicz