Windows Vista and Exported Event Log Files

Here on the Performance Team, we recently had a discussion about the pains associated with viewing exported Event Log (.evt) files from Windows XP and Windows Server 2003 on a Windows Vista machine. To make these files more usable within the Windows Vista Event Viewer, the best thing to do is convert them to the new Event Log file format, .evtx. If you open a .evt file on a Windows Vista machine, you are presented with the following banner message at the top of the window, and you can only page through the events one screen at a time instead of scrolling down through all of them at once:

image

Most of us routinely ignore these messages and carry on viewing the file.  However, there are a couple of ways to convert the file to a .evtx file for greater benefit:

Option 1: Let the Event Viewer MMC do the conversion for you: right-click on the saved log and select "Save Events As ..." as shown below.

image

Once you choose the folder to save the file in and provide the filename, the MMC does the conversion for you. One caveat: this process may take quite a while if you have very large Event Log files!

Option 2: Use WEVTUTIL to perform the conversion: You can use the Windows Events Command Line Utility (WEVTUTIL.EXE) to perform the conversion. This utility is very powerful for manipulating Event Log files: you can retrieve information about event logs and publishers, install and uninstall event manifests, export logs and more. For our purposes, though, we are going to use it to convert our log file. The syntax is as follows: wevtutil export-log <sourcelogfile>.evt <targetlogfile>.evtx /lf. The /lf switch tells wevtutil that the first argument is a saved log file rather than the name of a live event log. The example below demonstrates a conversion of the AppLog-XP.evt file that I saved from my Windows XP test machine into .evtx format. For larger log files, this utility is quicker than having the MMC export and save the file.

image
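As an added example (not part of the original post), the PowerShell script below turns Option 2 into a bulk conversion of every .evt file in a folder, checking wevtutil's exit code and reporting its own error text per file rather than guessing at the cause. The script name is hypothetical; it assumes Windows Vista or later with wevtutil.exe on the PATH.

```powershell
# Convert-EvtFolder.ps1 (hypothetical name; added example, not from the original post)
# Bulk version of Option 2: converts every .evt file in a folder to .evtx with
# wevtutil export-log and reports per-file status. Assumes Windows Vista or later
# with wevtutil.exe on the PATH.
param(
    [Parameter(Mandatory = $true)][string]$SourceFolder,
    [string]$TargetFolder = $SourceFolder,
    [switch]$Overwrite
)

function Convert-EvtFile {
    param([string]$EvtPath, [string]$EvtxPath, [bool]$Replace)

    if ((Test-Path -LiteralPath $EvtxPath) -and -not $Replace) {
        return 'Skipped: target already exists'
    }
    # /lf:true - the first path is a saved log file, not the name of a live channel.
    # /ow:true - let wevtutil replace an existing target (the export fails otherwise).
    $owArg = if ($Replace) { '/ow:true' } else { '/ow:false' }
    $output = & wevtutil.exe export-log $EvtPath $EvtxPath /lf:true $owArg 2>&1

    if ($LASTEXITCODE -eq 0 -and (Test-Path -LiteralPath $EvtxPath)) {
        return 'Converted'
    }
    # Surface wevtutil's own message (access denied, corrupt file, ...) instead of
    # a generic "check drive space and permissions" guess.
    return 'Failed: ' + ($output | Out-String).Trim()
}

if (-not (Test-Path -LiteralPath $TargetFolder)) {
    New-Item -ItemType Directory -Path $TargetFolder | Out-Null
}

# The extension check matters: with 8.3 short names enabled, the filter '*.evt'
# can also match already-converted .evtx files.
$results = foreach ($evt in Get-ChildItem -LiteralPath $SourceFolder -Filter '*.evt' |
                    Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.evt' }) {
    $evtx = Join-Path $TargetFolder ($evt.BaseName + '.evtx')
    New-Object PSObject -Property @{
        Source = $evt.Name
        Target = $evtx
        Status = Convert-EvtFile -EvtPath $evt.FullName -EvtxPath $evtx -Replace ([bool]$Overwrite)
    }
}

$results | Select-Object Source, Target, Status | Format-Table -AutoSize
$failed = @($results | Where-Object { $_.Status -like 'Failed*' }).Count
Write-Host ("{0} file(s) processed, {1} failed." -f @($results).Count, $failed)
```

Run it as .\Convert-EvtFolder.ps1 -SourceFolder C:\Logs\XP -TargetFolder C:\Logs\Converted, adding -Overwrite to replace .evtx files that already exist.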

Option 3: Use a script file to add a context menu handler for .evt files: You can automate the process a bit more by using a script to add a context menu handler for .evt files. The sample VBScript below adds a "Convert to .EVTX" option to the right-click context menu for .evt files. The script converts the file, then automatically opens the converted file in the Vista Event Viewer. You can change this behavior by setting the AUTO_OPEN_EVTX constant to False; the script will then ask with a Yes/No prompt whether to open the file, which is useful if you only want to convert the file and then copy it somewhere.

**** SCRIPT DISCLAIMER****

The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

 
'==========================================================================
'
' NAME: ConvertEVTtoEVTX.vbs
'
' AUTHOR: Steve Paruszkiewicz, Microsoft
' DATE  : 10/04/2007
'
' COMMENT:  Adds "Convert to .EVTX" to the shell context menu for .evt files
'            calls wevtutil to convert evt file for use on Vista/Longhorn
'             then opens the converted .evtx file in event viewer
'
'            If you would later like to remove the Convert to .EVTX context
'            menu option you can delete the following registry key
'            "HKEY_CLASSES_ROOT\evtfile\shell\Convert to .EVTX\"
'==========================================================================
Option Explicit
Const LAST_MODIFIED = "10/11/2007"
Const AUTO_OPEN_EVTX = True     'Set this to False if you want to be prompted to open the converted file instead of opening it automatically


'On Error Resume Next
CheckReg()      'Check to see if the context menu entry is already registered - NEEDS ADMIN TOKEN ON VISTA to register it


If WScript.Arguments.Count < 1 Then ExitScript("** No File Argument Specified **" & VbCrLf & _ 
 "Script Exiting..." & VbCrLf & VbCrLf & "Convert to .EVTX has been added to the context menu")

Dim strInputFile : strInputFile = WScript.Arguments(0)

ConvertEvtToEVTx(strInputFile)



'************************   Subs and Functions ****************************
Sub ConvertEvtToEVTx(strFileName)
    Dim Shell : Set Shell = CreateObject("Wscript.Shell")
    Dim FSO : Set FSO = CreateObject("Scripting.FileSystemObject")
    Dim strCommand, ret, shortname
    
    If Not(FSO.FileExists(strFileName & "x")) Then
        
        '/lf tells wevtutil that the source is a saved log file rather than the name of a live event log
        strCommand = "wevtutil export-log """ & strFileName & """ """ & strFileName & "x"" /lf"
    
        WScript.Echo "Converting " & strFileName & "  to .EVTX file"
    
        Shell.Run strCommand,0,True
    
    Else
        shortname = Right(strFileName,Len(strFileName)-InStrRev(strFilename,"\"))
        ret = MsgBox ("The file: " & shortname & "x" & VbCrLf & VbCrLf & "Already Exists." & VbCrLf & _ 
                       "Would you like to overwrite it?",vbYesNo+vbInformation,"File exists")

        If ret = vbYes Then
            strCommand = "wevtutil export-log """ & strFileName & """ """ & strFileName & "x"" /lf /ow:true"
            WScript.Echo "Converting " & strFileName & "  to .EVTX file"
    
            Shell.Run strCommand,0,True
    
        Else
            WScript.Echo "File already exists:  Skipping conversion."
        End If
    
    End If    
    
    WScript.Echo "WEvtUtil Command Done."
    
    If AUTO_OPEN_EVTX Then
    
        If fso.FileExists(strFileName & "x") Then 
            Shell.Run "eventvwr.exe /l:""" & strFileName & "x"""
        Else
            MsgBox "The EVTX file: " & strFileName & VbCrLf & VbCrLf & "Could not be created. " & VbCrLf & _ 
            " Please check drive space and permissions on the target folder." & VbCrLf & VbCrLf & "Script Exiting..." _ 
            ,vbOKOnly+vbExclamation,"Error"
            WScript.Quit
        End If     
        
    Else
        ret = MsgBox ("Would you like to open the .EVTX file now?",vbYesNo+vbInformation,"Conversion complete.")
        If ret = vbYes then
            
            If fso.FileExists(strFileName & "x") Then 
                Shell.Run "eventvwr.exe /l:""" & strFileName & "x"""
            Else
                MsgBox "The EVTX file: " & strFileName & VbCrLf & VbCrLf & "Could not be created. " & VbCrLf & _ 
                " Please check drive space and permissions on the target folder." & VbCrLf & VbCrLf & "Script Exiting..." _ 
                ,vbOKOnly+vbExclamation,"Error"
                WScript.Quit
            End If     
            
        Else
        
            WScript.Quit
            
        End If
    End If
            
End Sub 



'*** Checks to see if script has already registered right-click menu entries
Function CheckReg()
    On Error Resume next
    Dim retval, Shell : Set Shell = CreateObject("WScript.Shell")
    retval = Shell.RegRead("HKEY_CLASSES_ROOT\evtfile\shell\Convert to .EVTX\command\")
    
    If Err.Number <> 0 Then
        'WScript.Echo Err.Description & "  " & Err.Number
        Err.Clear
        AddSelfToReg()      'adds the ability to run from the context menu

    End If
End Function

Sub AddSelfToReg()
    ElevateThisScript()
    On Error Resume Next
    Dim strCommand, Shell
    
    Set Shell = CreateObject("WScript.Shell")
    If IsWin64bit() Then
        'On 64-bit Windows, register the 32-bit cscript.exe host from SysWOW64 as the context menu command
        strCommand = Shell.ExpandEnvironmentStrings("%systemroot%") & "\SysWOW64\cscript.exe """ & _
        WScript.ScriptFullName & """ ""%1"""
    Else
        strCommand = Shell.ExpandEnvironmentStrings("%systemroot%") & "\System32\cscript.exe """ & _
        WScript.ScriptFullName & """ ""%1"""
    End If
    
    Shell.RegWrite "HKEY_CLASSES_ROOT\evtfile\shell\Convert to .EVTX\command\",strCommand,"REG_SZ"
        
    If Err.Number <> 0 Then
            ExitScript("Unable to write to HKEY_CLASSES_ROOT " & VbCrLf & _
            "This Script may need to be run with a full administrative token once to register context menu entries.")
    End If
End Sub

Function IsWin64bit()
    On Error Resume Next
    Dim fso : Set fso = CreateObject("Scripting.FileSystemObject")
    Dim shell : Set shell = CreateObject("wscript.shell")
    Dim Windir : Windir = shell.ExpandEnvironmentStrings("%SYSTEMROOT%")
    If fso.FolderExists(Windir & "\SysWOW64") Then
        IsWin64bit = True
    Else
        IsWin64bit = False
    End If
End Function

Sub ExitScript(ByVal MSG)
  Msg = Msg & VbCrLf
  Msg = Msg & "_______________________________________________________" & vbCrLf 
  Msg = Msg & "VBS script created by Steve Paruszkiewicz. Last modified on: " & LAST_MODIFIED & vbCrLf & VbCrLf
  DisplayMsg(Msg)
  wscript.quit   
End Sub

Sub DisplayMsg(Msg)
      On error resume Next
    Msgbox Msg
End Sub

'*********************************************************************************
'    Subroutine: ElevateThisScript()    
'
'    Author: Steve Paruszkiewicz, Microsoft
'    Last Modified:  August 2, 2007
'    
'    Purpose: (Intended for Vista and Windows Server 2008)
'    Forces the currently running script to prompt for UAC elevation if it detects
'    that the current user credentials do not have administrative privileges
'
'    If run on Windows XP this script will cause the RunAs dialog to appear if the user
'    does not have administrative rights, giving the opportunity to run as an administrator  
'
'    This Sub Attempts to call the script with its original arguments.  Arguments that contain a space
'    will be wrapped in double quotes when the script calls itself again.
'
'    Usage:  Add a call to this sub (ElevateThisScript) to the beginning of your script to ensure
'            that the script gets an administrative token
'**********************************************************************************        
Sub ElevateThisScript()
    
    Const HKEY_CLASSES_ROOT  = &H80000000
    Const HKEY_CURRENT_USER  = &H80000001
    Const HKEY_LOCAL_MACHINE = &H80000002
    Const HKEY_USERS         = &H80000003
    const KEY_QUERY_VALUE      = 1
    Const KEY_SET_VALUE          = 2

    Dim scriptEngine, engineFolder, argString, arg, Args, scriptCommand, HasRequiredRegAccess
    Dim objShellApp : Set objShellApp = CreateObject("Shell.Application")
        
    
    scriptEngine = Ucase(Mid(Wscript.FullName,InstrRev(Wscript.FullName,"\")+1))
    engineFolder = Left(Wscript.FullName,InstrRev(Wscript.FullName,"\"))
    argString = ""
    
    Set Args = Wscript.Arguments
    
    For each arg in Args                        'loop through the argument collection to rebuild the argument string
        If instr(arg," ") > 0 Then arg = """" & arg & """"    'if the argument contains a space wrap it in double quotes
        argString = argString & " " & Arg
    Next

    scriptCommand = engineFolder & scriptEngine
        
    Dim strComputer : strComputer = "."
        
    Dim objReg, bHasAccessRight
    Set objReg = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & _
        strComputer & "\root\default:StdRegProv")
    

    'Check for administrative registry access rights
    objReg.CheckAccess HKEY_LOCAL_MACHINE, "System\CurrentControlSet\Control\CrashControl", _
        KEY_SET_VALUE, bHasAccessRight
    
    If bHasAccessRight = True Then
    
        HasRequiredRegAccess = True
        Exit Sub
        
    Else
        
        HasRequiredRegAccess = False
        objShellApp.ShellExecute scriptCommand, " """ & Wscript.ScriptFullName & """" & argString, "", "runas"
        WScript.Quit
    End If
        
    
End Sub
 
Once you have the script installed, right-click on a .EVT file and you should have the option to convert the file to .EVTX format as shown below:

 

image

 

And that wraps up this post.  Hopefully you find this information useful and if you have any feedback, please let us know!

- Steve Paruszkiewicz


  • I stumbled upon a good post on the Ask the Performance Team blog that explains how to convert EVT files


  • If you want pslist or pskill to be able to view a remote machine, the following two conditions are required:

    1. The Remote Registry service on the remote machine is started.

    2. You have already connected...

  • Regarding EVT file reading on Windows Vista - we actually just released a new version of our Event Analyst software that can read and report on downlevel EVT files natively inside Windows Vista, without the limitations present in the Microsoft Event Viewer.  Our tool also handles EVTX files as well.  For more information on this latest release, you can visit our blog at http://eventlogs.blogspot.com

    Best wishes,

    The Dorian Software Development Team

  • Is there a difference in the way LH and Vista try to read downlevel evt files?

    Also, is there a difference in the event descriptions for LH and Vista (for pre-Vista events)?

  • Did you have a script file to convert an evtx file to evt???

  • I always get the same error message when I try to convert from *.evt to *.evtx.

    I tried the second and third option.

    Option 3 says: "Could not be created. Please check drive space and permissions on the target folder".

    Not possible because there is more than 60 GB free and all full permissions are set. I tried it in the Vista security mode, too.

    Can you help me?

  • I'm trying to automate this process and I'm in a situation where we get a lot of event files (both EVT and EVTX files) from various systems and they sit in a folder. Is this possible?