how to use xpath in wevtutil to retrieve events since a specific time


I don't know xpath. I have looked at the W3 tutorial, but they do not seem to work.

I'm using wevtutil to extract events from the windows event logs

I'm on Windows Server 2008 R2 Enterprise

If I list just the last three events using the following command:

wevtutil qe Application /c:3 /rd:true /e:root

I get the following results:

<?xml version="1.0"?>
<root>
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider EventSourceName="Software Protection Platform Service" Guid="{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}" Name="Microsoft-Windows-Security-SPP"/>
      <EventID Qualifiers="16384">902</EventID>
      <Version>0</Version>
      <Level>0</Level>
      <Task>0</Task>
      <Opcode>0</Opcode>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-04-22T08:20:30.000000000Z"/>
      <EventRecordID>49232</EventRecordID>
      <Correlation/>
      <Execution ThreadID="0" ProcessID="0"/>
      <Channel>Application</Channel>
      <Computer>EU9742K8WEB01.emea.sitel-world.net</Computer>
      <Security/>
    </System>
    <EventData>
      <Data>6.1.7601.17514</Data>
    </EventData>
  </Event>
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider EventSourceName="Software Protection Platform Service" Guid="{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}" Name="Microsoft-Windows-Security-SPP"/>
      <EventID Qualifiers="16384">1003</EventID>
      <Version>0</Version>
      <Level>4</Level>
      <Task>0</Task>
      <Opcode>0</Opcode>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-04-22T08:20:30.000000000Z"/>
      <EventRecordID>49231</EventRecordID>
      <Correlation/>
      <Execution ThreadID="0" ProcessID="0"/>
      <Channel>Application</Channel>
      <Computer>EU9742K8WEB01.emea.sitel-world.net</Computer>
      <Security/>
    </System>
    <EventData>
      <Data>55c92734-d682-4d71-983e-d6ec3f16059f</Data>
      <Data>1: 0cb1d6b4-3c07-487f-82fc-886d44a646aa, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]2: 2d727362-1f80-4a74-9e4d-e7c79826e659, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]3: 4bcc8879-e699-4159-a810-f829566662ca, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]4: 620e2b3d-09e7-42fd-802a-17a13652fe7a, 1, 1 [(0 [0x00000000, 1, 0], [(?)(?)( 1 0x00000000 30 0 msft:rm/algorithm/volume/1.0 0x00000000 254400)(?)(?)(?)])(1 )(2 )]5: 6a4bd364-4b60-4856-a727-efb59d94348e, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]6: 8fe15d04-fc66-40e6-bf34-942481e06fd8, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]7: b297426d-464d-4af1-abb2-3474aeecb878, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]8: c60b048b-8071-4532-8398-f15f4c981861, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]9: c74dc7f6-ea35-4bd7-9776-333ab5dddae6, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]10: c99b641f-c4ea-4e63-bec3-5ed2ccd0f357, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]11: ea36520d-fbfe-4042-acd8-fe926781b615, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]</Data>
    </EventData>
  </Event>
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider EventSourceName="Software Protection Platform Service" Guid="{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}" Name="Microsoft-Windows-Security-SPP"/>
      <EventID Qualifiers="16384">1066</EventID>
      <Version>0</Version>
      <Level>4</Level>
      <Task>0</Task>
      <Opcode>0</Opcode>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2016-04-22T08:20:30.000000000Z"/>
      <EventRecordID>49230</EventRecordID>
      <Correlation/>
      <Execution ThreadID="0" ProcessID="0"/>
      <Channel>Application</Channel>
      <Computer>EU9742K8WEB01.emea.sitel-world.net</Computer>
      <Security/>
    </System>
    <EventData>
      <Data>C:\Windows\system32\sppwinob.dll, msft:spp/windowsfunctionality/agent/7.0, 0x00000000, 0x00000000C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/phone/1.0, 0x00000000, 0x00000000C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/pkey/2005, 0x00000000, 0x00000000C:\Windows\system32\sppobjs.dll, msft:spp/TaskScheduler/1.0, 0x00000000, 0x00000000C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/1.0, 0x00000000, 0x00000000C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/licenserenewal/1.0, 0x00000000, 0x00000000</Data>
    </EventData>
  </Event>
</root>

As you can see there is a TimeCreated element with a SystemTime attribute. I want to see just those with SystemTime between two times.

If I add an xpath to my previous command:

wevtutil qe Application /c:3 /rd:true /e:root /q:"TimeCreated"

All that returns is:

<root>
</root>

If I change the xpath to Event/System/TimeCreated, I get the same xml as listed above.

So two questions:

  1. How do I get just the TimeCreated elements without all the other elements (this one is less important to me)?

  2. How do I retrieve where the SystemTime attribute is between two specified values?

and if someone can explain to me why I can't just use TimeCreated on its own as suggested in the W3 tutorial, that would be nice too.

Tutorial found at http://www.w3schools.com/xsl/xpath_syntax.asp

2

There are 2 answers

0
Tomalak (best answer)

First off, the Windows event logs support only a limited sub-set of XPath. General-purpose XPath tutorials will help you get a grip on the basic principles of the expression syntax, which is good, but you will hit the limitations in the context of complex event log querying, so keep this in mind.

In your case, the greater-than and less-than operators are sufficient, and they are supported, so the following works (variables are for readability purposes only):

set "FROM=2016-04-01T00:00:00"
set "TO=2016-04-21T00:00:00"
set "XPATH=Event/System/TimeCreated[@SystemTime >= '%FROM%' and @SystemTime < '%TO%']"

wevtutil qe Application /c:30 /rd:true /e:root /q:"%XPATH%"

Note that timestamps are accepted in the YYYY-MM-DDTHH:NN:SS format only, i.e. using just the date will not work.

Also note that extracting partial event data is not supported. Technically, the XPath above selects the TimeCreated elements only but in the way that event log queries work, the full event data structure will be returned.

To reduce the returned data further use regular XML processing tools. PowerShell has a set of tools to work with XML, for example.

1
Graham

Never mind, found it elsewhere:

*[System[TimeCreated[@SystemTime>='2016-04-22T00:00:00' and @SystemTime<'2016-04-22T01:00:00']]]

I don't understand the xpath completely, but it works so that'll do.

The complete line for reference is:

wevtutil qe Application /q:"*[System[TimeCreated[@SystemTime>='2016-04-22T00:00:00' and @SystemTime<'2016-04-22T01:00:00']]]" /f:RenderedXml > t.xml
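The following is an added example, not code from the question or from either answer. It ties the two answers together: it builds the time-window query in the form Graham posted (with timestamps in the second-resolution format Tomalak describes), produces the argument list for running wevtutil, and then does the part wevtutil cannot do, cutting the returned whole-event XML down to just the TimeCreated values. The XML it parses is a constructed sample in the shape of the question's output (trimmed to the fields used), so the parsing part runs offline; only the wevtutil call itself needs a Windows host. Function names, the `e:` namespace prefix and the sample record values are this example's own.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

# Namespace that every <Event> in wevtutil's XML output declares (see the question's sample).
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The event log XPath subset accepts timestamps only as YYYY-MM-DDTHH:MM:SS (a bare date fails).
WEVT_TIME_FMT = "%Y-%m-%dT%H:%M:%S"


def parse_wevt_time(stamp: str) -> datetime:
    """Parse a timestamp as written in a query or as wevtutil emits it in SystemTime.

    SystemTime carries nanoseconds and a trailing Z (2016-04-22T08:20:30.000000000Z);
    only the first 19 characters are the second-resolution part the query compares.
    Raises ValueError for a date without a time, which wevtutil would not accept either.
    """
    return datetime.strptime(stamp[:19], WEVT_TIME_FMT)


def time_window_query(start: datetime, end: datetime) -> str:
    """XPath for events with start <= SystemTime < end, in the form from Graham's answer.

    Rooting the predicate at the Event (*) and nesting System/TimeCreated keeps the
    selection on whole events, which is all the event log query engine returns anyway.
    """
    if end <= start:
        raise ValueError("end must be later than start")
    return ("*[System[TimeCreated[@SystemTime>='{}' and @SystemTime<'{}']]]"
            .format(start.strftime(WEVT_TIME_FMT), end.strftime(WEVT_TIME_FMT)))


def wevtutil_argv(channel: str, start: datetime, end: datetime, newest_first: bool = True) -> list:
    """Argument list for subprocess.run(argv, capture_output=True, text=True).

    Passing a list sidesteps the quoting trouble the nested quotes cause on a cmd line;
    /e:root wraps the events so the output parses as a single XML document.
    """
    argv = ["wevtutil", "qe", channel, "/q:" + time_window_query(start, end), "/e:root"]
    if newest_first:
        argv.append("/rd:true")
    return argv


def timecreated_only(xml_text: str, start: datetime, end: datetime) -> list:
    """Reduce wevtutil's /e:root output to (EventRecordID, SystemTime) pairs inside the window.

    This is the post-processing step from Tomalak's answer: wevtutil cannot return partial
    events, so the cut-down to TimeCreated happens here. The window is re-checked so the
    function is also safe to run over an unfiltered export.
    """
    root = ET.fromstring(xml_text)
    picked = []
    for event in root.findall("e:Event", EVENT_NS):
        created = event.find("e:System/e:TimeCreated", EVENT_NS)
        record = event.find("e:System/e:EventRecordID", EVENT_NS)
        if created is None or record is None:
            continue  # incomplete event: skip it rather than fail on a partial export
        stamp = created.get("SystemTime", "")
        if start <= parse_wevt_time(stamp) < end:
            picked.append((int(record.text), stamp))
    return picked


# Constructed sample in the shape of the question's output; the third event's time is invented
# so that the window filter has something to exclude.
SAMPLE_XML = """<?xml version="1.0"?>
<root>
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <EventID Qualifiers="16384">902</EventID>
      <TimeCreated SystemTime="2016-04-22T08:20:30.000000000Z"/>
      <EventRecordID>49232</EventRecordID>
    </System>
    <EventData><Data>6.1.7601.17514</Data></EventData>
  </Event>
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <EventID Qualifiers="16384">1003</EventID>
      <TimeCreated SystemTime="2016-04-22T08:20:30.000000000Z"/>
      <EventRecordID>49231</EventRecordID>
    </System>
    <EventData><Data>constructed</Data></EventData>
  </Event>
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <EventID Qualifiers="16384">1066</EventID>
      <TimeCreated SystemTime="2016-04-21T23:59:59.000000000Z"/>
      <EventRecordID>49230</EventRecordID>
    </System>
    <EventData><Data>constructed</Data></EventData>
  </Event>
</root>
"""

if __name__ == "__main__":
    frm, to = parse_wevt_time("2016-04-22T00:00:00"), parse_wevt_time("2016-04-22T09:00:00")
    print(" ".join(wevtutil_argv("Application", frm, to)))
    for record_id, stamp in timecreated_only(SAMPLE_XML, frm, to):
        print(record_id, stamp)
```

On a real host, feed `subprocess.run(wevtutil_argv(...), capture_output=True, text=True).stdout` to `timecreated_only` with the same window; the namespace prefix in the `find` paths is what makes the local XPath match, which is a different matter from the relative-path issue the question ran into with a bare `TimeCreated` in wevtutil's own query.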