Rem: Dumping the Security Log

I've had two problems with a script, which Listing 1 shows, that I use to dump the event logs on Windows 2000 Service Pack 3 (SP3) and SP2 servers. First, the script fails to retrieve events from the Security log. Second, the script takes hours to run if the event logs contain thousands of records, but only a few minutes to run on servers with fewer than 1000 events. Can you help?

To dump the Security log by using the Windows Management Instrumentation (WMI) Scripting Library and the WMI Win32_NTLogEvent class, you need to enable the Security privilege. Win32_NTLogEvent is one of several WMI classes that require you to enable privileges to fully use the class. To determine whether a WMI class requires special privileges, you can examine the class's EnumPrivileges qualifier, as Figure 1 shows. In Figure 1, I use the WMI Tester (%systemroot%system32wbemwbemtest.exe) utility to examine the EnumPrivileges class qualifier on the Win32_NTLogEvent class. To view the Win32_NTLogEvent class by using WMI Tester, follow the instructions in Windows & .NET Magazine's "Windows Management Instrumentation: The Journey Begins" (http://www.winnetmag.com, InstantDoc ID 8959).

After you open the Object editor for the Win32_NTLogEvent dialog box, select the EnumPrivileges qualifier and click Edit Qualifier. The Qualifier Editor dialog box displays the privileges for the Win32_NTLogEvent class, as Figure 1 shows. You can also use WMI Common Information Model (CIM) Studio and the WMI Scripting Library to view class, method, and property qualifiers.

You can enable the Security privilege in two ways, depending on how you connect to the WMI Service on the target computer and on the version of Windows you're running. You can enable the Security privilege as part of the connection string that you pass to VBScript's GetObject function, as the code at callout A in Listing 2 shows. You can also enable privileges after the initial WMI connection is established, as the code at callout B shows. Note, however, that callout B's post-connection approach works only on Win2K and later systems; you can't use this approach on Windows NT 4.0 machines.

To solve the script's performance problem, you can optimize the query's behavior by passing optional flags to the ExecQuery method, as the code at callout C shows. The wbemFlagReturnImmediately flag is the default ExecQuery behavior and is semisynchronous. The important optimization is the wbemFlagForwardOnly flag. Combining wbemFlagReturnImmediately with wbemFlagForwardOnly results in a forward-only enumerator. A forward-only enumerator performs much faster than the default enumerator because WMI doesn't maintain references to objects in the enumeration.

To learn more about WMI class, method, and property qualifiers, including the EnumPrivileges qualifier, check out Microsoft's "Scripting Clinic: WMI Scripting Primer" series on the Microsoft Developer Network (MSDN) Web site. See "Scripting Clinic: WMI Scripting Primer: Part 2" at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnclinic/html/scripting08132002.asp. For more information about the SWbemServices ExecQuery method, see the WMI software development kit (SDK) at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/swbemservices_execquery.asp. You can also find the hexadecimal values for constants at this Web site.