read Windows 7 and 2008 Setup event log

1 reply

Last post Nov 26, 2014 09:20 AM by Perkinsville

  • read Windows 7 and 2008 Setup event log

    Nov 25, 2014 12:53 PM|sspeed

    I'm trying to use LogParser to read the 2008 Windows Setup log from a Windows 2008 machine, but it's failing.

    C:\Program Files (x86)\Log Parser 2.2>logparser -i:evt "select * from \\server1\Setup"
    Error: Error retrieving files: Error searching for files in folder \\server1\Setup: The network name cannot be found.

    It appears that this is because the new Windows 7/2008 logs do not have a registry entry under:

    HKLM\SYSTEM\CurrentControlSet\services\eventlog\

    So, to test I created a key:

    HKLM\SYSTEM\CurrentControlSet\services\eventlog\Setup

    and a subsequent REG_EXPAND_SZ entry

    File : %SystemRoot%\system32\winevt\Logs\Setup.evtx

    and then ran LogParser against it again. I got farther, but I'm missing the definitions, which I'm guessing are specified with "DisplayNameFile" and "DisplayNameID", but I don't know what they are. The output I get with those entries added is:

    Setup 463 2013-01-04 13:34:01 2013-01-04 13:34:01 3 0 Success event 0 None Microsoft-Windows-Servicing KB2758857|5064|Staged|0x800f0816|WindowsUpdateAgent server1 S-1-5-18 The description for Event ID 3 in Source "Microsoft-Windows-Servicing" cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer <NULL>

    How can I parse the Windows 7 and 2008 Setup logs using Microsoft LogParser?

    windows7 setup registry 2008 MicrosoftWindowsServicing

  • Re: read Windows 7 and 2008 Setup event log

    Nov 26, 2014 09:20 AM|Perkinsville

    Hi,

    You might want to try LogParser Lizard; it formats and configures LogParser for you and has some nice default scripts.

    HTH, Benjamin