PowerShell Ezine, Logon Scripts

Guy's Scripting Ezine 6 - Event Viewer

Welcome to Guy's Scripting Ezine 6 - Event Viewer

This was the first week of the HTML version of the Ezine.


I will let you into a secret

Most people born before 1950 think there is only one type of script – the .bat logon script. However, the more enlightened realize that there are other (better) ways of creating logon scripts.  Probably the best method for Windows networks is the combination of VBScript and WSH (Windows Scripting Host).


The rise of WSH and VBScript

In the old NT 4.0 days, batch files ran in what some called a DOS window and others called a command shell.  Windows 2000 and Server 2003 have replaced that DOS shell with Windows Scripting Host.  The concept is similar to the way your Internet Explorer is a host to HTML files.  In this case WSH is the host and provides everything VBScript files need to run their lines of code.  Whilst I will concentrate on VBScript, WSH is versatile and interprets other languages, for example: JScript, Perl, Python or Rexx.

What makes WSH and VBScripting so powerful is the ability to query WMI (Windows Management Instrumentation). For instance, my first script this week will interrogate the Event Log to find out how many times the server has been shut down unexpectedly. As with most of my scripts, my desire is to show you a method and then for you to adapt the technique to your own purposes. So think of an Event and modify the script to query how often it occurred.

Another use for the WSH and VBScript combination is to query objects in ADSI (Active Directory Systems Interface), but I will save that environment for another day. My message is: there is huge potential in WSH scripting.

WSH executables

Technically, the actual executables that perform all the WSH tasks are CScript and WScript. The latest version of CScript is 5.6; this is built in to Windows Server 2003. Windows 2000, however, ships with version 2.0, but this is upgraded to version 5.6 when you install Service Pack 3 or later.

You can check out your version of CScript or WScript by simply running either command at the CMD prompt.

Script to count and display the number of unexpected shutdowns.

Instructions

  1. Copy the entire script in the blue box below.
  2. Paste it into notepad.exe.
  3. File (menu), Save as Shutdown.vbs   Note: omitting the .vbs extension is where people go wrong.
  4. Double click Shutdown.vbs
  5. Wait 30 seconds, then check for the Windows Scripting Host flashing in the navigation area.

 


'VBScript
'Purpose of script to query System log for Unexpected shutdowns

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where Logfile = 'System' and " _
& "EventCode = '6008'")
Wscript.Echo "Unexpected shutdowns: " & colLoggedEvents.Count
 

 

Learning points

  1. strComputer = "." sets the script to query the current machine.
  2. Set objWMIService tells the script to use WMI as opposed to ADSI.
  3. Here is the crucial line: Logfile = 'System' and " _ & "EventCode = '6008'"
  4. Wscript.Echo calls for a message box to display the results.


Further ideas

Check out the Event Viewer System log for other events that you want to check.  Change the "Unexpected shutdowns: " text to whatever you are listing.

For more ideas on WSH / WMI scripts check here


 

Script to check Logon Failures

Instructions

  1. Copy the entire script in the blue box below.
  2. Paste it into notepad.exe.
  3. File (menu), Save as logonfailure.vbs   Note: omitting the .vbs extension is where people go wrong.
  4. Double click logonfailure.vbs
  5. Wait 60 seconds, then check for the Windows Scripting Host flashing in the navigation area.

 


'VBScript
'Purpose to check the Security log for Logon Failures
strComputer = "."
'(Security) enables the privilege WMI needs before it will read the Security log
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate,(Security)}!\\" & strComputer & "\root\cimv2")
'Count every Security log record with the chosen Event ID
Set colLoggedEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
& "EventCode = '673'")
Wscript.Echo "Logon Failures " & colLoggedEvents.Count

 

Learning points

  1. This script checks the Security log, not the System log.
  2. If you do not get any logon failures, then log off and deliberately create some errors.
  3. Check your actual Security log, and note the Event IDs.  Substitute your IDs for 673.  If you change the ID number, also change the Wscript.Echo "...." line.
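
The logon failure script above only returns a total and scans the whole log. The following is an added example, not part of the original Ezine: it limits the query to failure audits written in the last 24 hours and tallies them per Event ID and account. The look-back window, the EventType filter and the use of SWbemDateTime (not available on Windows 2000) are assumptions of this example; 673 is the ID used on this page, so substitute the IDs from your own Security log.

```vbscript
'VBScript - added example, not from the original Ezine
Option Explicit
Const HOURS_BACK = 24        ' assumed look-back window
Const AUDIT_FAILURE = 5      ' Win32_NTLogEvent.EventType 5 = security audit failure
Dim strComputer, arrCodes, objWMIService, dtmStart, strQuery
Dim colEvents, objEvent, dictCounts, strKey, strCodes, i, strReport

strComputer = "."
arrCodes = Array(673)        ' ID from this page; add the IDs seen in your own log

' (Security) enables the privilege needed to read the Security log
Set objWMIService = GetObject("winmgmts:" _
  & "{impersonationLevel=impersonate,(Security)}!\\" & strComputer & "\root\cimv2")

' Convert "now minus HOURS_BACK" into the CIM datetime format WQL expects
Set dtmStart = CreateObject("WbemScripting.SWbemDateTime")
dtmStart.SetVarDate DateAdd("h", -HOURS_BACK, Now), True

' Build "EventCode = 673 Or EventCode = ..." from the array
strCodes = ""
For i = 0 To UBound(arrCodes)
  If i > 0 Then strCodes = strCodes & " Or "
  strCodes = strCodes & "EventCode = " & CLng(arrCodes(i))
Next

strQuery = "Select EventCode, User From Win32_NTLogEvent" _
  & " Where Logfile = 'Security'" _
  & " And EventType = " & AUDIT_FAILURE _
  & " And TimeWritten >= '" & dtmStart.Value & "'" _
  & " And (" & strCodes & ")"
Set colEvents = objWMIService.ExecQuery(strQuery)

' Tally by "Event ID + account"; User is Null on some records
Set dictCounts = CreateObject("Scripting.Dictionary")
For Each objEvent In colEvents
  If IsNull(objEvent.User) Then
    strKey = objEvent.EventCode & "  (no user recorded)"
  Else
    strKey = objEvent.EventCode & "  " & objEvent.User
  End If
  dictCounts(strKey) = dictCounts(strKey) + 1
Next

strReport = "Audit failures in the last " & HOURS_BACK & " hours:" & vbCrLf
For Each strKey In dictCounts.Keys
  strReport = strReport & dictCounts(strKey) & " x " & strKey & vbCrLf
Next
If dictCounts.Count = 0 Then strReport = strReport & "none"
WScript.Echo strReport
```

Run it from an account with administrative rights on the target machine; set strComputer to a server name to check a remote Security log.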

Guy Thomas recommends Computer Training Software

Their topics and material are ideal for getting you started with VBScript.  The videos are easy to follow and you can control the pace.  Try their free demo material and then see if you want to buy the full package. See more about VB Script Training CD.



 

Copyright © 1999-2008 Computer Performance LTD. All rights reserved.
