Make scanning Windows XP's Event Logs easier with Eventquery.vbs

by Greg Shultz | Jul 13, 2005 3:39:00 PM

Tags: Greg Shultz, Eventquery.vbs, Microsoft Windows XP, Microsoft Windows, Windows XP Tips Newsletter

Takeaway: Sifting through the logs in Windows XP's Event Viewer can be a bit of a nightmare due to the sheer volume of entries in any one log file. You can save time by using Eventquery, which provides you with parameters that allow you to narrow your search to a specific event at a certain time in a particular log file.

Windows XP maintains several log files that can be great sources of information when troubleshooting problems. However, sifting through the logs in Event Viewer can be a pain due to the sheer volume of entries in any one log file.

You can save yourself time and effort by learning how to use the Eventquery VBScript program, which is in the \Windows\System32 folder in every installation of Windows XP. Eventquery provides you with a series of parameters that will allow you to instantly narrow your search down to a specific event during a chosen time period in a particular log file.

Keep in mind that Eventquery.vbs runs in the command-line version of Windows Script Host: Cscript.exe. Therefore, in order to run it, you have to open a Command Prompt, change to the Windows\System32 folder, and type:

Cscript Eventquery.vbs {parameters}

For example, if you want to search through the System log for Warning events that occurred since the beginning of the day, you would use a command line like this:

Cscript Eventquery.vbs /l system /fi "Datetime gt mm/dd/yy,12:00:00AM"
 /fi "Type eq Warning"

where mm/dd/yy is the current date.

You can find a detailed list of parameters for Eventquery.vbs in the Windows XP Help and Support Center or by typing Cscript Eventquery.vbs /?on the command line.

Stay on top of the latest XP tips and tricks with our free Windows XP newsletter, delivered each Thursday. Automatically sign up today!

Print/View all Posts Comments on this article

Try it and report back!Greg Shultz  | 07/13/05

Can't find the eventquery_vbs fileBC008  | 07/14/05

RE: Can't find the eventquery_vbs fileinfoguy  | 07/14/05

Works only with XP?KB InfoSec Admin  | 07/14/05

Can't say for sure...Greg Shultz  | 07/14/05

Eventquery in W2K ServerGreg Shultz  | 07/15/05

Event ViewerRalphY123  | 07/14/05

WHere is it?jamesjurden@...  | 07/23/05

What am I doing wrong?infoguy  | 07/14/05

Datetimegt should be Datetime gt....rrjkramer@...  | 07/14/05

Formatting error...Greg Shultz  | 07/14/05

Some Mis-Information Hereallenf@...  | 07/14/05

Are you positive?Greg Shultz  | 07/14/05

Perhaps it's only XP Pro?CSA  | 07/14/05

Should be in XP Home tooGreg Shultz  | 07/14/05

Nope, not here eitherKen G.  | 07/14/05

WinXP Home is not for networking...ServHi-Tech  | 07/14/05

Windows XP HOME not for....Synthetic  | 07/15/05

MIA here as well. Did HP omit?deepsand  | 07/21/05

How do you save it to a text file?ehurt@...  | 12/13/05

Event Viewer without event description is uselessbrucelloyd@...  | 07/14/05

detailstown_drunk  | 07/14/05

The /V switch works great! Thanks!brucelloyd@...  | 07/14/05

another optiontown_drunk  | 07/15/05

Use within batch file for ease of editinginnocent_bystander  | 10/09/05

Why type the whole pathferal@...  | 03/19/06