VB Forum / COM / April 2008

Problem:
I need to backup and clear the security event log.  I have this working via
a vbsscript which I will post below.  However while I can use this script
manually it is not user friendly and my end users who have to perform the
backup and clear chore weekly are the "where is the button" types.

I have written a vb.net 2005 gui as a front end that can launch my script
and run it ok but the problem is since it is a script running in a shell
object I have no way to return status to my vb.net program saying it succeded
or failed or even to know when the shell exits.

So I decided to look into writing performing the steps via vb.net code.  I
can successfully create a WMI connection and (on the local machine) I can
even list out all log files by code shown below.  What I cannot do is execute
the BackupEventLog method via WMI.  I get access denied, which I have
researched and I feel the reason is that the WMI connection does not have the
privileges enabled for backup and security.  If you look at the vbs script
below you will see where it addes (Backup, security) into the moniker for the
object and I believe allows the execution of the method.

I did find out there that you are supposed to use the ".EnablePrivileges =
True" option but I also found that .NET 1.1 messed that option up.  Someone
please help!

CREATE CONNECTION CODE:
===================BEGIN
Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles Button1.Click

       With myConnectionOptions
           .Impersonation = Management.ImpersonationLevel.Impersonate

           '* Use next line for XP
           .Authentication = System.Management.AuthenticationLevel.Packet
           .EnablePrivileges = True

           'Cannot specify username/password for local connections
           '.Username = Me.txtUsername.Text
           '.Password = Me.txtPassword.Text
        End With

       '* "." is the string for a local connection
       Dim myServerName As String = Me.txtServer.Text

       myManagementScope = New System.Management.ManagementScope("\\" &
myServerName & "\root\cimv2", myConnectionOptions)

       '* connect to WMI namespace
       myManagementScope.Connect()
       If myManagementScope.IsConnected = False Then
           rtbStatus.AppendText("Could not connect to WMI namespace on " &
myServerName & ControlChars.Cr)
       Else
           rtbStatus.AppendText("Connected to WMI namespace on " &
myServerName & ControlChars.Cr)
       End If
   End Sub
===================END

LIST ALL LOG FILES CODE:
===================BEGIN
Private Sub Button3_Click(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles Button3.Click
       Dim logfileSearcher As System.Management.ManagementObjectSearcher
       Dim logfiles As System.Management.ManagementObjectCollection
       Dim logfile As System.Management.ManagementObject

       logfileSearcher = New
System.Management.ManagementObjectSearcher(myManagementScope.Path.ToString,
"Select * from win32_NTEventLogFile")

       '* execute query
       logfiles = logfileSearcher.Get()

       Try

           For Each logfile In logfiles

               rtbStatus.AppendText("Found logfile " &
logfile.GetPropertyValue("FileName").ToString & " which is the " &
logfile.GetPropertyValue("LogfileName").ToString & " event log" &
ControlChars.Cr)

          'INSERT BACKUP CODE HERE (SHOWN BELOW)

           Next

       Catch ex As Exception
           rtbStatus.AppendText("Error Encountered: " & ex.ToString &
ControlChars.Cr)
       End Try
   End Sub
===================END

FAILING BACKUP METHOD INVOCATION
===================BEGIN
Dim inParams As Management.ManagementBaseObject =
logfile.GetMethodParameters("BackupEventLog")

               inParams("ArchiveFileName") = "c:\testing.evt"

               Dim outParams As Management.ManagementBaseObject =
logfile.InvokeMethod("BackupEventLog", inParams, Nothing)
===================END

WORKING VBS SCRIPT
===================BEGIN
'Arguments
fileName = WScript.Arguments.Item(0)
logType = WScript.Arguments.Item(1)
fullPathName = filename & ".evt"

'NOTE: for this to work on a normal user account they must have following
rights
'Manage Auditing and Secuirty
'Generate Security Audits

strComputer = "."
Set objWMIService = GetObject("winmgmts:" &
"{impersonationLevel=impersonate,(Backup,security)}!\\" & strComputer &
"\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery ("SELECT * FROM
Win32_NTEventLogFile WHERE LogFileName='" & logType & "'")

For Each objLogfile in colLogFiles
errBackupLog = objLogFile.BackupEventLog(fullPathName)

If errBackupLog = 0 Then
   Wscript.Echo "The Security event log was backed up."
   objLogFile.ClearEventLog()
End If
If errBackupLog = 8 Then
   Wscript.Echo "Privilege missing!"
End If
If errBackupLog = 21 Then
   Wscript.Echo "Invalid Parameter in call"
End If

If errBackupLog = 183 Then
   Wscript.Echo "The archive file already exists."
End If
Next
===================END