Re: Dumpevt from Schedule service

What is the exact command you are using?

Re: Dumpevt from Schedule service

A CMD File call RUNCMD, which looks like this ...
d:\collectevents\now Starting ... >> d:\collectEvents\CollectEvents.log
:START
del d:\collectevents\sec.txt
d:\collectevents\now Dumping ... >> d:\collectEvents\CollectEvents.log
start /low /wait d:\collectEvents\dumpevt /logfile=sec /reg=local_machine /outfile=d:\collectevents\sec.txt
d:\collectevents\now Importing ... >> d:\collectEvents\CollectEvents.log
start /low /wait cscript d:\collectevents\jcimportevents2.vbs d:\collectEvents\sec.txt
d:\collectevents\now Sleeping >> d:\collectEvents\CollectEvents.log
d:\collectevents\sleep 300
goto START

Thanks,
James

Re: Dumpevt from Schedule service

This should work the way you have it setup, but it's hard to debug since its running in
another process. Try it from the administrator account to see if it works that way, to see if it's a permissions issue.

Do you get any errors or anything in the output?

Re: Dumpevt from Schedule service

The program creates logs and these are getting created ok ... obviously can't see any output since its running from the schedule service.

Is the source code available/in the public domain?

Thanks,
James

Re: Dumpevt from Schedule service

Unfortunately no it is not.

Re: Dumpevt from Schedule service

The output from the prog is:

D:\CollectEvents>d:\collectEvents\dumpevt /logfile=sec /reg=local_machine /outfi
le=d:\collectevents\sec.txt
1/12/2005 1:54:45 PM
Somarsoft DumpEvt V1.7.3, Copyright ⌐ 1995-1997 by Somarsoft, Inc.
LogType=Security
Computer=(local)
SystemRoot=C:\WINNT
Outfile=d:\collectevents\sec.txt
Use HKEY_LOCAL_MACHINE for saving record number
Format=yes
DateFormat=(locale dependent)
TimeFormat=HH':'mm':'ss
FieldSeparator=,
ReplaceFieldSeparator= (blank)
ReplaceCR=^
ReplaceLF=^
StringSeparator=;
MaxMessageLen=64000
MaxFragmentLen=64000
DumpData=none
SplitDateTime=no
DumpRecnum=no
==>LastProcessed (0) < Oldest (7380964), log records lost
process event log records starting with 7380964
==>Format message error, source=Security type=Parameter msg=5382 rc=317
==>Format message error, source=Security type=Parameter msg=5383 rc=317
==>Format message error, source=Security type=Parameter msg=5384 rc=317

Does the mesasge records lost mean anything relevant to this problem?

Thanks,
James

Re: Dumpevt from Schedule service

Here is a log from REGMON ... the app queries for the key Security-HORODC02 but never sets its value!

Any ideas,
James

59 3.52961596 DUMPEVT.exe:4880 CloseKey HKLM\SOFTWARE SUCCESS
60 3.52984603 DUMPEVT.exe:4880 CreateKey HKLM\SOFTWARE\Somarsoft\DumpEvt SUCCESS Access: 0x20019
61 3.52987900 DUMPEVT.exe:4880 CloseKey HKLM\SOFTWARE\Somarsoft SUCCESS
62 3.52992132 DUMPEVT.exe:4880 QueryValue HKLM\SOFTWARE\Somarsoft\DumpEvt\Security-HORODC02 NOTFOUND
63 3.52995142 DUMPEVT.exe:4880 CloseKey HKLM\SOFTWARE\Somarsoft\DumpEvt SUCCESS
64 3.54159657 DUMPEVT.exe:4880 OpenKey HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Se curity\Security SUCCESS Access: 0x20019
65 3.54162423 DUMPEVT.exe:4880 QueryValue HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Se curity\Security\CategoryMessageFile SUCCESS "%SystemRoot%\System32\MsAuditE.dll"
66 3.54164566 DUMPEVT.exe:4880 QueryValue HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Se curity\Security\CategoryMessageFile SUCCESS "%SystemRoot%\System32\MsAuditE.dll"
67 3.54167768 DUMPEVT.exe:4880 CloseKey HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Se curity\Security SUCCESS
68 3.54217959 DUMPEVT.exe:4880 OpenKey HKCU SUCCESS Access: 0x2000000
69 3.54222114 DUMPEVT.exe:4880 OpenKey HKLM\System\CurrentControlSet\Control\Nls\MUILangu ages NOTFOUND
70 3.54226128 DUMPEVT.exe:4880 OpenKey HKCU\Control Panel\Desktop SUCCESS Access: 0x80000000
71 3.54229278 DUMPEVT.exe:4880 QueryValue HKCU\Control Panel\Desktop\MultiUILanguageId NOTFOUND
72 3.54231560 DUMPEVT.exe:4880 CloseKey HKCU\Control Panel\Desktop SUCCESS
73 3.54233494 DUMPEVT.exe:4880 CloseKey HKCU SUCCESS
74 3.54248056 DUMPEVT.exe:4880 OpenKey HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Se curity\Security SUCCESS Access: 0x20019
75 3.54250318 DUMPEVT.exe:4880 QueryValue HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Se curity\Security\EventMessageFile BUFOVRFLOW
76 3.54252748 DUMPEVT.exe:4880 QueryValue HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Se curity\Security\EventMessageFile SUCCESS "%SystemRoot%\System32\MsAuditE.dll;%SystemRoot%\S ystem32\sp2res.dll;%SystemRoot%\System32\sp3res.dl l"
77 3.54254728 DUMPEVT.exe:4880 QueryValue HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Se curity\Security\EventMessageFile BUFOVRFLOW
78 3.54256980 DUMPEVT.exe:4880 QueryValue HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Se curity\Security\EventMessageFile SUCCESS "%SystemRoot%\System32\MsAuditE.dll;%SystemRoot%\S ystem32\sp2res.dll;%SystemRoot%\System32\sp3res.dl l"
79 3.54259798 DUMPEVT.exe:4880 CloseKey HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Se curity\Security SUCCESS
80 3.62336209 DUMPEVT.exe:4880 OpenKey HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Se curity\Security SUCCESS Access: 0x20019
81 3.62339235 DUMPEVT.exe:4880 QueryValue HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Se curity\Security\ParameterMessageFile SUCCESS "%SystemRoot%\System32\MsObjs.dll"
82 3.62341451 DUMPEVT.exe:4880 QueryValue HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Se curity\Security\ParameterMessageFile SUCCESS "%SystemRoot%\System32\MsObjs.dll"
83 3.62344797 DUMPEVT.exe:4880 CloseKey HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Se curity\Security SUCCESS
84 178.39226011 DUMPEVT.exe:4880 CloseKey HKCU SUCCESS
85 178.39228428 DUMPEVT.exe:4880 CloseKey HKLM SUCCESS

Re: Dumpevt from Schedule service

Thank you for your help in analyzing your problem. The output from DumpEvt that you provided in the next-to-previous posting may be the key to this problem. The message about "log records lost" indicates that DumpEvt is starting from the first record, because it can't find the key in the registry <eventlogname>-<computername> that you can see if looking for in the RegMon output.

So, in cases where it either can't find the registry key or in cases where the record IDs are out of sync, DumpEvt starts from the beginning of the log.

DumpEvt writes the last event log records that it processes back into the registry at the end of its processing. See if you see any error at the bottom of your log file. Its should say:

"last event log record processed = ???"

If there is an error trying to write to the registry key, there should be an error message after that.

[This message has been edited by kstanush (edited 01-12-2005).]

Re: Dumpevt from Schedule service

Thanks kstanush,
I've run the program again and here is the output. Strangely, if you delete the whole key, it gets re-created, but the values don't appear!

James

D:\CollectEvents>d:\collectEvents\dumpevt /logfile=sec /reg=local_machine
le=d:\collectevents\sec.txt
1/12/2005 3:48:52 PM
Somarsoft DumpEvt V1.7.3, Copyright ⌐ 1995-1997 by Somarsoft, Inc.
LogType=Security
Computer=(local)
SystemRoot=C:\WINNT
Outfile=d:\collectevents\sec.txt
Use HKEY_LOCAL_MACHINE for saving record number
Format=yes
DateFormat=(locale dependent)
TimeFormat=HH':'mm':'ss
FieldSeparator=,
ReplaceFieldSeparator= (blank)
ReplaceCR=^
ReplaceLF=`
StringSeparator=;
MaxMessageLen=32000
MaxFragmentLen=32000
DumpData=none
SplitDateTime=yes
DumpRecnum=no
==>LastProcessed (0) < Oldest (6260913), log records lost
process event log records starting with 6260913
==>Format message error, source=Security type=Parameter msg=5382 rc=317
==>Format message error, source=Security type=Parameter msg=5383 rc=317
==>Format message error, source=Security type=Parameter msg=5384 rc=317
==>Format message error, source=Security type=Parameter msg=7689 rc=317
==>Format message error, source=Security type=Parameter msg=7691 rc=317
==>Format message error, source=Security type=Parameter msg=7695 rc=317
==>Format message error, source=Security type=Parameter msg=7690 rc=317
==>Format message error, source=Security type=Parameter msg=7692 rc=317
==>Format message error, source=Security type=Parameter msg=7693 rc=317
==>Format message error, source=Security type=Parameter msg=7694 rc=317
==>Format message error, source=Security type=Parameter msg=5413 rc=317
==>Format message error, source=Security type=Parameter msg=5415 rc=317
==>Format message error, source=Security type=Parameter msg=5416 rc=317
==>Format message error, source=Security type=Parameter msg=5429 rc=317
==>Format message error, source=Security type=Parameter msg=5430 rc=317
==>Format message error, source=Security type=Parameter msg=5431 rc=317
==>Format message error, source=Security type=Parameter msg=5432 rc=317
==>ReadEventLog rc=1500 cbReq=0

D:\CollectEvents>

Re: Dumpevt from Schedule service

The rc=1500 error is why it is aborting, and that error seems to mean:

ERROR_EVENTLOG_FILE_CORRUPT

Re: Dumpevt from Schedule service

OH goody!!! Will try to clear them and let you know what happens.

Thanks,
James

Re: Dumpevt from Schedule service

Well cleared them and it started working ...

Thanks for your help,
James