
I'm investigating a problem on my PC (more exactly a sharing violation during the xcopy of a bunch of files), and I'm thinking of verifying the event log, but I'd like to investigate all events which occurred between the beginning of that xcopy and the end of it, something like:

wevtutil qe * /q:"*[System[TimeCreated[@SystemTime>='2017-04-11T03:30:00' and @SystemTime<'2017-04-11T03:33:00']]]" /f:text

(the timestamps are retrieved from the commands echo [!TIME!], one just before and one just behind the xcopy command)

This command is not accepted, as the usage of * is not permitted while working with wevtutil qe. I can have a look inside the event viewer but then I'd need to investigate all possible logs (and I'm not very familiar with this).

Is there a way to interrogate all event logs and filter them on timestamps?

Dominique
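As an added example (not from the original question or the answer that follows), a PowerShell script that does what the question asks: it runs a time-window query over every event log. It assumes the two timestamps below are constructed sample values in local time, and that Get-WinEvent's FilterHashtable accepts a wildcard log name; the XPath form is the one the Event Viewer itself generates, in which @SystemTime is UTC with a trailing Z, which is why the script converts local time before building the wevtutil query.

```powershell
# Added example, not the poster's own code.
# Find events in ALL logs between two LOCAL timestamps (constructed sample values).
param(
    [string]$StartLocal = '2017-04-11 03:30:00',
    [string]$EndLocal   = '2017-04-11 03:33:00'
)

$start = [datetime]::ParseExact($StartLocal, 'yyyy-MM-dd HH:mm:ss', $null)
$end   = [datetime]::ParseExact($EndLocal,   'yyyy-MM-dd HH:mm:ss', $null)

# Option 1: Get-WinEvent accepts a wildcard LogName in its filter hashtable and
# compares local DateTime objects, so no timezone conversion is needed here.
# Logs that are empty or need elevation produce non-terminating errors; skip them.
Get-WinEvent -FilterHashtable @{ LogName = '*'; StartTime = $start; EndTime = $end } `
             -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap

# Option 2: the same with wevtutil. "wevtutil qe" refuses "*", so enumerate the
# log names with "wevtutil el" and run the XPath query against each one.
# The @SystemTime attribute in the event XML is UTC ("2017-04-10T17:30:00.000Z"),
# whereas cmd's !TIME! output and the Event Viewer display are local time,
# so the boundaries must be converted to UTC before they are compared.
$startUtc = $start.ToUniversalTime().ToString('s') + '.000Z'
$endUtc   = $end.ToUniversalTime().ToString('s')   + '.000Z'
$xpath = "*[System[TimeCreated[@SystemTime>='$startUtc' and @SystemTime<'$endUtc']]]"

foreach ($log in (wevtutil el)) {
    # /rd:false = oldest first; /c:100 caps the output per log; stderr from
    # inaccessible logs is discarded so the loop keeps going.
    wevtutil qe $log "/q:$xpath" /f:text /rd:false /c:100 2>$null
}
```

Run it from an elevated PowerShell session so the Security log and the Microsoft-Windows-* operational logs are included.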

1 Answer


While Microsoft and others say the format is UTC, it is actually a variation; if you query the values you will see the difference: no "T" for starters.

The format is the correct time for the BIAS at the end of the string, so for me in a +600 TZ with a bias of "+600" on the end of the WMI time string the values can be read as local time (as many Microsoft samples assume is ALWAYS the case).

If, however, the bias is "-000" for example, in my case the values are all 10 hours (600 minutes) older than you'd expect.

  • I hope I don't sound too idiotic, but I don't understand anything of your answer :-) – Dominique Apr 24 '17 at 07:06
  • I assumed that the command uses WMI (Win32_NTLogEvent) but it doesn't and I don't use that command. Use event viewer to set filter then view the XML tab: http://blog.backslasher.net/filtering-windows-event-log-using-xpath.html I just used it to generate the query for 2017-01-01 00:00:00 to 2017-02-01 00:00:00 (I'm GMT+10), the query is: – Dennis Bareis Apr 25 '17 at 11:01