DumpEvt Formatting Errors


  • DumpEvt Formatting Errors

    When running DumpEvt on a Windows computer joined to a network, and on a Windows computer not joined to a network (i.e., a standalone machine), DumpEvt correctly formats the data from the networked machine, but fails to format the data from the standalone machine.

    The command line syntax used from the C:\Temp directory, where the executable and INI files are located, is:

    dumpevt.exe /computer=myComputer /logfile=sec /outfile=c:\temp\sel.txt /all >> c:\temp\errors.txt

    The contents of the errors.txt file after running DumpEvt on a standalone machine is:

    12/6/2004 2:45:30 PM
    Somarsoft DumpEvt v1.7.3, Copyright (c) 1995-1997 by Somarsoft, Inc.
    LogType=Security
    Computer=myComputer (real name masked)
    SystemRoot=C:\WINNT
    Outfile=c:\temp\sel.txt
    Use HKEY_CURRENT_USER for saving record number
    Format=yes
    DateFormat=(locale dependent)
    TimeFormat=HH':'mm':'ss
    FieldSeparator=,
    ReplaceFieldSeparator= (blank)
    ReplaceCR=^
    ReplaceLF=^
    StringSeparator=;
    MaxMessageLen=64000
    MaxFragmentLen=64000
    DumpData=none
    SplitDateTime=no
    DumpRecnum=no
    process all event log records
    ==>LoadLibrary rc=2 library=\\myComputer\C$\WINNT\System32\MsAuditE.dll
    ==>Format message error, source=Security type=Category msg=4 rc=0
    ==>LoadLibrary rc=2 library=\\myComputer\C$\WINNT\System32\sp2res.dll
    ==>LoadLibrary rc=2 library=\\myComputer\C$\WINNT\System32\sp3res.dll
    ==>Format message error, source=Security type=Message msg=577 rc=0
    ==>Format message error, source=Security type=Category msg=2 rc=0
    ==>Format message error, source=Security type=Message msg=538 rc=0
    ==>Format message error, source=Security type=Category msg=1 rc=0
    ==>Format message error, source=Security type=Message msg=515 rc=0
    ==>Format message error, source=Security type=Message msg=528 rc=0
    ==>Format message error, source=Security type=Message msg=576 rc=0
    ==>Format message error, source=Security type=Category msg=9 rc=0
    ==>Format message error, source=Security type=Message msg=680 rc=0

    I can specify "no" to "Format" in the INI and receive an unformatted dump, and then correlate the data using a third-party tool to format the data in like manner as produced from a networked machine, but that's too much like work. I'd rather do it using DumpEvt, if possible.

    Has anyone else had this problem of formatting errors when dumping from a standalone machine, do you have a fix, and are you willing to share?

    Again, I'm looking for a quick fix using DumpEvt and would rather not deal with a third-party workaround as I already have a backup plan should DumpEvt formatting ultimately fail.

    Thanks in advance for the help.

  • #2
    Re: DumpEvt Formatting Errors

    That error would seem to indicate it can't find the dlls it needs for the error message. It could be that the computer can't understand UNC paths like that since there is no networking. Either that and/or the C$ share doesn't exist.

    I would verify that the dlls exist, that there is a C$ share, and that you can perform UNC functions. Such as dir \\mycomputer\c$.



    • #3
      Re: DumpEvt Formatting Errors

      Thanks for the quick response, cmc. As soon as I saw "UNC," a smidgen of light began to pierce the dark tunnel.



      • #4
        Re: DumpEvt Formatting Errors

        While looking for information on another topic (documentation for all RC--return code--numbers used by DumpEvt and their meaning), I thought I would share the UNC solution for the benefit of others.

        Specifically, to enable UNCing on standalone Windows computers (NT and later), install Microsoft's Loopback Adapter through Add New Hardware. Then go into My Network Neighborhood and right click on the new network adapter to open its properties. Select the properties of TCP/IP and set the IP to 192.168.1.1 with a mask of 255.255.255.0. Finally, ensure there's a share on the root (C$ is usually created during install and will suffice); if not, create a root share and limit to administrators.
