Dominique

Reputation: 17565

Interrogate all event logs based on date/time, not on path

I'm investigating a problem on my PC (more exactly a sharing violation during the xcopy of a bunch of files), and I'm thinking of verifying the event log, but I'd like to investigate all events which occurred between the beginning of that xcopy and the end of it, something like:

wevtutil qe * /q:"*[System[TimeCreated[@SystemTime>='2017-04-11T03:30:00' and @SystemTime<'2017-04-11T03:33:00']]]" /f:text

(the timestamps are retrieved from the commands echo [!TIME!], one just before and one just behind the xcopy command)

This command is not accepted, as the usage of * is not permitted while working with wevtutil qe. I can have a look inside the event viewer but then I'd need to investigate all possible logs (and I'm not very familiar with this).

Is there a way to interrogate all event logs and filter them on timestamps?

Upvotes: 0

Views: 1824
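One way to do what the question asks, as an added example that is not code from the original question or answer: enumerate every channel with Get-WinEvent -ListLog (wevtutil qe takes a single log name, which is why `*` is rejected) and query each one for the window. A caveat worth building in: the `@SystemTime` attribute that the XPath compares against is stored in UTC with a trailing `Z`, while `echo !TIME!` prints local time, so the script converts before it builds the filter. The default window, the output path and the `-UseWevtutil` switch are assumptions for illustration.

```powershell
# Added example (not from the original question or answer). Queries every event log on
# the local machine for events created between two LOCAL timestamps, e.g. the values
# printed by `echo !TIME!` just before and just after the xcopy.
[CmdletBinding()]
param(
    [datetime]$Start   = '2017-04-11T03:30:00',             # local time before xcopy (assumed)
    [datetime]$End     = '2017-04-11T03:33:00',             # local time after xcopy (assumed)
    [string]  $OutFile = "$env:TEMP\events-in-window.txt",  # assumed output path
    [switch]  $UseWevtutil                                  # also dump wevtutil text output
)

# The @SystemTime attribute in event XML is UTC (ISO 8601 with a trailing 'Z'), so a
# hand-written XPath filter has to use UTC values, not the local ones from echo !TIME!.
$fmt      = "yyyy-MM-dd'T'HH:mm:ss.fff'Z'"
$startUtc = $Start.ToUniversalTime().ToString($fmt)
$endUtc   = $End.ToUniversalTime().ToString($fmt)
$xpath    = "*[System[TimeCreated[@SystemTime>='$startUtc' and @SystemTime<'$endUtc']]]"
Write-Verbose "Local window $Start .. $End  ->  XPath: $xpath"

# wevtutil qe accepts exactly one log name, so enumerate the channels and query each one.
# Skip empty channels (and any we are not allowed to read) to keep the run quiet.
$logs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 }

$events = foreach ($log in $logs) {
    # -FilterHashtable takes local DateTime values and does the UTC conversion itself.
    Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; StartTime = $Start; EndTime = $End } `
                 -ErrorAction SilentlyContinue
}

# One chronological table across all logs, first line of each message only.
$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName,
                  @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap |
    Out-File -FilePath $OutFile -Width 300

"{0} event(s) from {1} log(s) written to {2}" -f @($events).Count, @($logs).Count, $OutFile

# Same window through wevtutil, one call per log, using the UTC XPath built above.
if ($UseWevtutil) {
    foreach ($log in $logs) {
        & wevtutil.exe qe $log.LogName "/q:$xpath" /f:text 2>$null
    }
}
```

Run it from an elevated PowerShell so that Security and the other restricted channels are included; unreadable channels are skipped silently rather than aborting the run. The `-UseWevtutil` switch shows the per-log form of the original command with the timestamps corrected to UTC.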

Answers (1)

Dennis Bareis

Reputation: 86

While Microsoft and others say the format is UTC, it is actually a variation; if you query the values you will see the difference, no "T" for starters.

The format is the correct time for the BIAS at the end of the string, so for me in a +600 TZ with a bias of "+600" on the end of the WMI time string, the values can be read as local time (as many Microsoft samples assume is ALWAYS the case).

If, however, the bias is "-000", for example, in my case the values are all 10 hours (600 minutes) older, as you'd expect.

Upvotes: 1
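To make the answer's point concrete, here is an added example (not code from the answer or from the original question) that decodes the WMI DATETIME string the way the answer describes: the digits are wall-clock time in the zone given by the signed bias at the end (minutes from UTC), so "+600" on a UTC+10 machine reads as local time and "-000" means the same digits are 10 hours earlier there. The two sample strings and the Application-log window are constructed for illustration; the cross-check uses .NET's `ManagementDateTimeConverter`, which applies the bias rather than assuming local time. Note that `Get-WmiObject` hands back the raw strings the answer talks about, whereas `Get-CimInstance` already converts the same property to a DateTime.

```powershell
# Added example, not from the original answer. Decodes the CIM/WMI DATETIME format that
# Win32_NTLogEvent.TimeGenerated uses: yyyyMMddHHmmss.ffffff followed by a signed bias
# in MINUTES from UTC (e.g. "+600" = UTC+10:00). The digits are wall-clock time in that
# bias's zone, which equals local time only when the bias matches the reading machine's zone.
function ConvertFrom-CimDateTime {
    param([Parameter(Mandatory)][string]$CimDateTime)

    $re = '^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})\.(\d{6})([+-])(\d{3})$'
    if ($CimDateTime -notmatch $re) {
        throw "Not a CIM DATETIME value: '$CimDateTime'"
    }
    $m    = $Matches
    $wall = [datetime]::new([int]$m[1], [int]$m[2], [int]$m[3],
                            [int]$m[4], [int]$m[5], [int]$m[6], [DateTimeKind]::Unspecified)
    $wall = $wall.AddTicks([int]$m[7] * 10)                 # microseconds -> 100 ns ticks
    $bias = [timespan]::FromMinutes([int]($m[8] + $m[9]))   # "+600" -> 10:00, "-000" -> 0
    [DateTimeOffset]::new($wall, $bias)                     # keeps the bias; no local assumption
}

function ConvertTo-CimDateTime {
    # Inverse direction: a local DateTime to the string form that WQL filters expect.
    param([Parameter(Mandatory)][datetime]$DateTime)
    [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($DateTime)
}

# Constructed sample strings showing the answer's two cases for the same digits.
$samples = @(
    '20170411033000.000000+600',   # bias matches a UTC+10 machine: reads as local time there
    '20170411033000.000000-000'    # bias 0: same digits, 10 hours earlier on that machine
)
foreach ($s in $samples) {
    $dto = ConvertFrom-CimDateTime $s
    [pscustomobject]@{
        Raw    = $s
        Utc    = $dto.UtcDateTime.ToString('yyyy-MM-dd HH:mm:ss')
        Local  = $dto.LocalDateTime.ToString('yyyy-MM-dd HH:mm:ss zzz')   # this machine's zone
        # .NET's converter applies the bias as well, so it agrees with Local above.
        DotNet = [System.Management.ManagementDateTimeConverter]::ToDateTime($s).ToString('yyyy-MM-dd HH:mm:ss')
    }
}

# Filter Win32_NTLogEvent on a LOCAL window (times assumed, as in the question), with the
# boundaries written in the same DMTF format so the comparison carries the right bias.
$startLocal = [datetime]'2017-04-11T03:30:00'
$endLocal   = [datetime]'2017-04-11T03:33:00'
$wql = "LogFile='Application' AND TimeGenerated >= '{0}' AND TimeGenerated < '{1}'" -f `
       (ConvertTo-CimDateTime $startLocal), (ConvertTo-CimDateTime $endLocal)

# Get-WmiObject returns TimeGenerated as the raw string discussed in the answer ...
Get-WmiObject -Class Win32_NTLogEvent -Filter $wql |
    Select-Object -Property TimeGenerated,
                  @{ n = 'Decoded'; e = { (ConvertFrom-CimDateTime $_.TimeGenerated).LocalDateTime } },
                  SourceName, EventCode -First 5

# ... whereas Get-CimInstance already hands back a DateTime (local) for the same property.
Get-CimInstance -ClassName Win32_NTLogEvent -Filter $wql |
    Select-Object -Property TimeGenerated, SourceName, EventCode -First 5
```

The decoder returns a DateTimeOffset on purpose: it carries the bias from the string, so reading it on a machine in a different zone still gives the right instant, which is the failure the answer warns about when samples assume the digits are always local time.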
