Antoni Sawicki

Reputation: 166

NT event log XPath query

I have an existing script, let's say this:

set cimv2=getobject("winmgmts:root\cimv2")
set evcol=cimv2.execquery("select * from win32_ntlogevent where logfile='System' and (sourcename='Microsoft-Windows-Kernel-General' or sourcename='Disk')")

for each evt in evcol
  wscript.echo evt.timewritten & ": " & evt.sourcename & ", " & evt.type & ", " & evt.eventcode & ", " & evt.message  
next

Is there a way that I can query the Windows Event Log using XPath query instead of WMI select query?

For example:

*[System[Provider[@Name='Microsoft-Windows-Disk' or @Name='Microsoft-Windows-Kernel-General']]]

Edit: I still want to have a VBScript collection as an object, not just execute "wevtutil".

Upvotes: 2

Views: 483

Answers (1)

Ansgar Wiechers

Reputation: 200453

The PowerShell Get-WinEvent cmdlet has a -FilterXPath parameter to which you can pass an XPath expression:

$xpath = "*[System[Provider[@Name='Microsoft-Windows-Disk' or @Name='Microsoft-Windows-Kernel-General']]]"
Get-WinEvent -LogName 'Security' -FilterXPath $xpath

In VBScript you'll need to shell out to wevtutil and then load the XML data into a DOMDocument object:

' Wrap a string in double quotes for the command line.
Function qq(s) : qq = """" & s & """" : End Function

xpath    = "*[System[Provider[@Name='Microsoft-Windows-Disk' or @Name='Microsoft-Windows-Kernel-General']]]"
datafile = "C:\temp.xml"

Set sh  = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")

' Run the XPath query through wevtutil and redirect its XML output to a file.
Set evt = sh.Exec("cmd /c wevtutil qe Security /q:" & qq(xpath) & " > " & qq(datafile))

' Wait for the process to finish (Status 0 = still running).
While evt.Status = 0 : WScript.Sleep 100 : Wend

' wevtutil emits one <Event> element per line without a root element,
' so wrap the output in a root element before parsing it.
Set xml = CreateObject("Msxml2.DOMDocument.6.0")
xml.async = False
xml.loadXML "<events>" & fso.OpenTextFile(datafile).ReadAll & "</events>"

If xml.parseError.errorCode <> 0 Then
  WScript.Echo xml.parseError.reason
  WScript.Quit 1
End If

For further information on filtering event logs via XPath expressions see here.

Upvotes: 1
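Building on the wevtutil plus DOMDocument approach in the answer, the following is an added example (not part of the answer) that goes one step further and returns the matching events as a node collection you can `For Each` over, which is what the question asked for. It assumes wevtutil.exe is on PATH, reads the query output from the process's stdout instead of a temp file, and binds a prefix for the default Event namespace, without which `selectNodes` silently returns nothing.

```vbscript
Option Explicit

' Constructed filter: the same two providers as the question, against the System log.
Const LOGNAME = "System"
Const EVT_NS  = "http://schemas.microsoft.com/win/2004/08/events/event"
Dim xpath
xpath = "*[System[Provider[@Name='Microsoft-Windows-Disk' or @Name='Microsoft-Windows-Kernel-General']]]"

' Wrap a string in double quotes for the command line.
Function qq(s) : qq = """" & s & """" : End Function

' Run wevtutil with the XPath filter and return the events as an IXMLDOMNodeList.
' Assumes wevtutil.exe is on PATH; /c:50 caps the result so the demo stays small.
Function QueryEvents(logName, xpathFilter)
  Dim sh, proc, out, xml
  Set sh   = CreateObject("WScript.Shell")
  Set proc = sh.Exec("wevtutil qe " & logName & " /q:" & qq(xpathFilter) & " /c:50")
  out = proc.StdOut.ReadAll                 ' one <Event> element per line, no root
  Do While proc.Status = 0 : WScript.Sleep 50 : Loop
  If proc.ExitCode <> 0 Then Err.Raise vbObjectError + 1, "wevtutil", proc.StdErr.ReadAll

  Set xml = CreateObject("Msxml2.DOMDocument.6.0")
  xml.async = False
  xml.loadXML "<events>" & out & "</events>"
  If xml.parseError.errorCode <> 0 Then Err.Raise vbObjectError + 2, "xml", xml.parseError.reason

  ' Event XML sits in a default namespace, and XPath has no notion of a default
  ' namespace, so bind a prefix or every selectNodes call returns an empty list.
  xml.setProperty "SelectionNamespaces", "xmlns:e='" & EVT_NS & "'"
  Set QueryEvents = xml.selectNodes("/events/e:Event")
End Function

' Iterate the collection the same way the question's WMI loop does.
Dim ev, sys
For Each ev In QueryEvents(LOGNAME, xpath)
  Set sys = ev.selectSingleNode("e:System")
  WScript.Echo sys.selectSingleNode("e:TimeCreated/@SystemTime").text & ": " & _
               sys.selectSingleNode("e:Provider/@Name").text & ", " & _
               "Level " & sys.selectSingleNode("e:Level").text & ", " & _
               "EventID " & sys.selectSingleNode("e:EventID").text
Next
```

Run it with cscript so the echoed lines go to the console; reading the log may require the same rights wevtutil itself needs for that log.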
