Backing Up EventViewer Logs?


(PeteCresswell)

My system has been getting weird: spotty slow response, "Bad
Block" errors on one of the drives, the occasional BSOD.

In the event that it goes unbootable before I resolve the problem
it seems like it would be helpful to have copies of EventViewer's
logs on the NAS box for review after the fact.

Is there a way to automate this? Maybe a scheduled .BAT or .CMD
file?
 

SC Tom

(PeteCresswell) said:
My system has been getting weird: spotty slow response, "Bad
Block" errors on one of the drives, the occasional BSOD.

In the event that it goes unbootable before I resolve the problem
it seems like it would be helpful to have copies of EventViewer's
logs on the NAS box for review after the fact.

Is there a way to automate this? Maybe a scheduled .BAT or .CMD
file?

Read this:
http://technet.microsoft.com/en-us/library/ee176696.aspx

Even has a couple of scripts you can use.
 

glee

(PeteCresswell) said:
My system has been getting weird: spotty slow response, "Bad
Block" errors on one of the drives, the occasional BSOD.

In the event that it goes unbootable before I resolve the problem
it seems like it would be helpful to have copies of EventViewer's
logs on the NAS box for review after the fact.

Is there a way to automate this? Maybe a scheduled .BAT or .CMD
file?

Bad Block errors? Wouldn't it make more sense to backup/clone the drive
before it fails, than to worry about saving logs?
 

(PeteCresswell)

Per glee:
Bad Block errors? Wouldn't it make more sense to backup/clone the drive
before it fails, than to worry about saving logs?

Yes, but it's a 2-TB drive and I have to wait until a new one is
delivered - and the copy process will take the better part of a
day.

That's assuming it's the block error issue with that drive and
not something else.

Just to confuse the issue, Hard Disk Sentinel seems to be saying the
drive is OK for use albeit not exactly pristine at "97% Health".

To wit:
"The drive found 1 bad sectors during its self test.
There are 4 weak sectors found on the disk surface. They may be
remapped any time in the later use of the disk.
At this point, warranty replacement of the disk is not yet
possible, only if the health drops further.
It is recommended to examine the log of the disk regularly. All
new problems found will be logged there."

OTOH, the system *is* throwing Events in the spirit of "The
device, \Device\Harddisk1\D, has a bad block."
 

glee

(PeteCresswell) said:
Per glee:

Yes, but it's a 2-TB drive and I have to wait until a new one is
delivered - and the copy process will take the better part of a
day.

That's assuming it's the block error issue with that drive and
not something else.

Just to confuse the issue, Hard Disk Sentinel seems to be saying the
drive is OK for use albeit not exactly pristine at "97% Health".

To wit:
"The drive found 1 bad sectors during its self test.
There are 4 weak sectors found on the disk surface. They may be
remapped any time in the later use of the disk.
At this point, warranty replacement of the disk is not yet
possible, only if the health drops further.
It is recommended to examine the log of the disk regularly. All
new problems found will be logged there."

OTOH, the system *is* throwing Events in the spirit of "The
device, \Device\Harddisk1\D, has a bad block."

Hard Disk Sentinel is NOT accepted by manufacturers as a diagnostic tool
to determine RMA eligibility of drives under warranty.... you must use
the diagnostic of the manufacturer, if they have one. What brand drive
is it?
 

(PeteCresswell)

Per glee:
Hard Disk Sentinel is NOT accepted by manufacturers as a diagnostic tool
to determine RMA eligibility of drives under warranty.... you must use
the diagnostic of the manufacturer, if they have one. What brand drive
is it?

Western Digital
 

(PeteCresswell)

Per SC Tom:
Read this:
http://technet.microsoft.com/en-us/library/ee176696.aspx

Even has a couple of scripts you can use.

Anybody know the name of a built-in-to-XP environment that this
script could be run in?

I'm guessing VBA would work, as would VB6 or .NET... but maybe
there is something closer to the surface... ?
=========================================================
' Back up the Application event log to a file, then clear it.
strComputer = "."
' BackupEventLog needs the (Backup) privilege enabled in the moniker.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Backup)}!\\" & _
    strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NTEventLogFile WHERE LogFileName='Application'")
For Each objLogFile in colLogFiles
    errBackupLog = objLogFile.BackupEventLog("c:\scripts\application.evt")
    If errBackupLog <> 0 Then
        Wscript.Echo "The Application event log could not be backed up."
    Else
        ' Clear the log only after a successful backup.
        objLogFile.ClearEventLog()
    End If
Next
==========================================================
 

glee

(PeteCresswell) said:
Per glee:

Western Digital

I presume it's a 3.5" SATA or SAS drive, since you are a bit stingy with
your details. :)
If so, go here:
http://support.wdc.com/product/download.asp?level1=6&lang=en

Click your drive.
On the next page, click the link for "Data Lifeguard Diagnostic for DOS
(CD)"
Download the .iso file of the bootable CD image... it will probably be
Diag504fCD.iso

Use an image-burning utility to make the bootable CD, and use it to
start your system and run the short and long tests on the drive. If it
is bad enough for WD to RMA it, you will be given a diagnostic result
number to start your RMA.
 

Paul

(PeteCresswell) said:
Per SC Tom:

Anybody know the name of a built-in-to-XP environment that this
script could be run in?

I'm guessing VBA would work, as would VB6 or .NET... but maybe
there is something closer to the surface... ?
=========================================================
' Back up the Application event log to a file, then clear it.
strComputer = "."
' BackupEventLog needs the (Backup) privilege enabled in the moniker.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Backup)}!\\" & _
    strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NTEventLogFile WHERE LogFileName='Application'")
For Each objLogFile in colLogFiles
    errBackupLog = objLogFile.BackupEventLog("c:\scripts\application.evt")
    If errBackupLog <> 0 Then
        Wscript.Echo "The Application event log could not be backed up."
    Else
        ' Clear the log only after a successful backup.
        objLogFile.ClearEventLog()
    End If
Next
==========================================================

If I use my search engine, and search on "objLogFile.BackupEventLog",
it seems to be VBScript (.vbs). Try editing with a text editor,
change the extension to .vbs (as in example.vbs), then go to the
Command Prompt window and type in "example" to run it.

http://www.activexperts.com/activmonitor/windowsmanagement/scripts/logs/event/

For inspiration...

http://en.wikipedia.org/wiki/VBScript

"The simplest example:

MsgBox "Hello World"

Save it as a .vbs file. Then execute using cscript.exe or wscript.exe."

See how easy this is ? I didn't need to type in cscript or wscript,
just the name of the file sitting in the current working directory.
And notice a subtle distinction... The script does not "block", but
the command prompt comes back right away, although the message
box is still waiting for me to click it. I think I had some problems
with something I was doing, because of that.

http://img401.imageshack.us/img401/4001/myvbs.gif

Paul
 

glee

(PeteCresswell) said:
Per SC Tom:

Anybody know the name of a built-in-to-XP environment that this
script could be run in?

I'm guessing VBA would work, as would VB6 or .NET... but maybe
there is something closer to the surface... ?
=========================================================
' Back up the Application event log to a file, then clear it.
strComputer = "."
' BackupEventLog needs the (Backup) privilege enabled in the moniker.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Backup)}!\\" & _
    strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NTEventLogFile WHERE LogFileName='Application'")
For Each objLogFile in colLogFiles
    errBackupLog = objLogFile.BackupEventLog("c:\scripts\application.evt")
    If errBackupLog <> 0 Then
        Wscript.Echo "The Application event log could not be backed up."
    Else
        ' Clear the log only after a successful backup.
        objLogFile.ClearEventLog()
    End If
Next
==========================================================


Looks like VBScript to me.... something that would run as a .vbs file. I
think you could also run it as a Windows Script File (.wsf), which takes
mixed code from various scripting languages in one file.

But I don't do much scripting, so I could be wrong. Try and see.
 

(PeteCresswell)

Per Paul:
If I use my search engine, and search on "objLogFile.BackupEventLog",
it seems to be VBScript (.vbs). Try editing with a text editor,
change the extension to .vbs (as in example.vbs), then go to the
Command Prompt window and type in "example" to run it.

Bingo! Exactly what I was trolling for.

The .VBS suffix invokes something-or-other right from XP.
 

(PeteCresswell)

Per Paul:
change the extension to .vbs (

Worked like a charm.

FWIW, if somebody else does it, XP may not know what to do with a
.EVT file and the app to point it to is
C:\Windows\System32\eventvwr.exe evtvwr.msc.

BCO the size diff, I'm guessing that .exe just points to .msc.

Here's the code as it actually worked:
==========================================================
strComputer = "GIGA"

' BackupEventLog needs the (Backup) privilege enabled in the moniker.
Set objWMIService = GetObject("winmgmts:" & _
    "{impersonationLevel=impersonate,(Backup)}!\\" & strComputer & _
    "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NTEventLogFile WHERE LogFileName='Application'")

For Each objLogFile in colLogFiles
    ' Write the backup straight to the NAS share; the log is not cleared.
    errBackupLog = objLogFile.BackupEventLog _
        ("\\NAS\a\Dat\303\LAN\EventLogBackups\EventLog_Backup_GIGA.evt")
    If errBackupLog <> 0 Then
        Wscript.Echo "The Application event log could not be " & _
            "backed up. Error '" & errBackupLog & "'."
    End If
Next
==========================================================
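
A variant of the script above for scheduled use, as an added example that is not part of the original posts: it backs up both the Application and System logs (disk driver events such as "bad block" are recorded in System) to timestamped files and does not clear them. The destination path `DEST_DIR` is a placeholder assumption.

```vbscript
' Added example, not from the thread: scheduled backup of several event logs.
Option Explicit

Const DEST_DIR = "\\NAS\share\EventLogBackups"   ' assumption: placeholder UNC path

Dim strComputer, arrLogs, strLog, strStamp, objWMIService
Dim colLogFiles, objLogFile, strTarget, errBackupLog, intFailures

strComputer = "."
arrLogs = Array("Application", "System")   ' System holds the disk driver events
intFailures = 0

' Build a yyyymmdd_hhmmss stamp so each run writes a new file
' instead of colliding with the previous backup.
strStamp = Year(Now) & Right("0" & Month(Now), 2) & Right("0" & Day(Now), 2) _
    & "_" & Right("0" & Hour(Now), 2) & Right("0" & Minute(Now), 2) _
    & Right("0" & Second(Now), 2)

' BackupEventLog needs the (Backup) privilege enabled in the moniker.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Backup)}!\\" _
    & strComputer & "\root\cimv2")

For Each strLog In arrLogs
    Set colLogFiles = objWMIService.ExecQuery _
        ("SELECT * FROM Win32_NTEventLogFile WHERE LogFileName='" & strLog & "'")
    For Each objLogFile In colLogFiles
        strTarget = DEST_DIR & "\" & strLog & "_" & strStamp & ".evt"
        errBackupLog = objLogFile.BackupEventLog(strTarget)
        If errBackupLog <> 0 Then
            WScript.Echo "Backup of " & strLog & " failed. Error " & errBackupLog & "."
            intFailures = intFailures + 1
        Else
            ' The log is left intact; nothing is cleared on the source machine.
            WScript.Echo strLog & " -> " & strTarget
        End If
    Next
Next

' A non-zero exit code lets the scheduled task record that a backup failed.
WScript.Quit intFailures
```

Run it from the scheduled task with `cscript //nologo`, so the messages go to the console instead of a dialog box that waits for a click.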
 

glee

(PeteCresswell) said:
Per glee:

I went for the Windows version.

Looks like about six hours down time for the disc if one heeds
the admonition to close any apps that are using it.

I'll kick it off later tonite and see what tomorrow brings.

I do NOT recommend the Windows version. Use the bootable CD DOS version
for the most accurate results. I directed you to that version for a
reason.
 

(PeteCresswell)

Per glee:
I do NOT recommend the Windows version. Use the bootable CD DOS version
for the most accurate results. I directed you to that version for a
reason.

Thanks... that was in the back of my mind... but I overrode it.

I killed the long test and ran the quick test - and the disc
failed. Based on that, I'm copying its contents to another
drive. Once the other drive is installed in place of the
problem drive, I'll do the DOS thing.

Tangential Question: Assuming there are bad sectors, will a NTFS
regular (not "Quick") format put it back into service?
 

glee

(PeteCresswell) said:
Per glee:

Thanks... that was in the back of my mind... but I overrode it.

I killed the long test and ran the quick test - and the disc
failed. Based on that, I'm copying its contents to another
drive. Once the other drive is installed in place of the
problem drive, I'll do the DOS thing.

Tangential Question: Assuming there are bad sectors, will a NTFS
regular (not "Quick") format put it back into service?

Possibly.... until the next time (tomorrow, next week, month?) when a
bunch of sectors go, and you lose your OS and/or data.
The drive failed the test..... it's bad, get the test result code and
return it for replacement (RMA) if it is still under warranty. I would
never keep a drive in service that fails the manufacturer's diagnostics.
 
