In "Windows Server 2003 Directory Service Tools," October 2004, InstantDoc ID 43753, I showed you how to manipulate Active Directory (AD) objects from the command line. However, manipulating AD objects is only one aspect of Windows management. Windows 2003 and Windows XP Professional Edition include command-line tools that can save you time and effort in performing repetitive tasks such as creating and managing event logs, configuring the page file and Boot.ini file, managing processes, and determining free disk space. Using command-line tools falls between scripting and the UI and can save you the hours you would otherwise spend writing a script to perform the same tasks. Although you might need a few minutes to determine the exact syntax each tool requires, the time will be well spent. Let's put a few of these tools to work.
Create and Manage Event Logs
Windows 2003 and XP offer three tools to create and manage event logs from the command line: Eventcreate.exe, Eventquery.vbs, and Eventtriggers.exe. Eventcreate allows the creation of events in the Windows NT event log. For example, to create an error event log entry in the application event log, use the following command:
C:\>Eventcreate /S vm75459312b.LissWare.Net
/L application
/SO "Eventcreate TEST"
/T Error
/ID 999
/D "Event log creation with Eventcreate.exe"
The /S switch specifies the server name. The /L switch specifies the event log to use. The /SO switch specifies the event source name. The /T switch specifies the type of event to create (e.g., success, error, warning, information). The /ID switch specifies the ID number of the event log entry. The /D switch specifies the description of the event log entry. You can also use the /U switch to specify credentials for the Domain\Username and the /P switch to specify the password if a remote system requires credentials other than the current user security context. For more information about available switches and options, use the /? switch.
Now that you've created an event log entry, you can use Eventquery to search for the entry. This tool is written in VBScript so that it can leverage the Windows Management Instrumentation (WMI) features of the Win32_NTEventlogFile class. For example, to locate the event you just created, you would enter the command
C:\>Eventquery /S vm75459312b.LissWare.Net
/L application
/FI "type eq Error"
The /S switch specifies the server name, and the /L switch specifies the event log to search. The /FI switch is specific to Eventquery and specifies the filter to apply when locating event log entries. In this example, the filter returns event log entries of type error. Of course, the /FI switch accepts other filters. For example, you can locate an event log entry by its type (e.g., success, error, information) and its ID together. A filter can combine several criteria with a logical operator (i.e., AND), as the following command shows:
C:\>Eventquery /S vm75459312b.LissWare.Net
/L application
/FI "type eq error AND id eq 999"
As with Eventcreate, you can use the /? switch to see a complete list of switch syntaxes. You can also use the /FO switch to specify the output format (e.g., comma-separated value—CSV—format, table format) and the /V switch to display additional information about the event log entries in verbose mode.
Querying event logs for specific events is interesting, but what's even more interesting is to trigger an action when a specific event log entry is created. You can accomplish this with Eventtriggers. This tool leverages the monitoring capabilities of WMI. Let's say that you want to shut down the system after the event log entry above is created. To do so, you would use the following command:
C:\>Eventtriggers /S vm75459312b.LissWare.Net
/Create
/TR "Detect EventCreate"
/L application
/T ERROR
/EID 999
/TK "Shutdown.exe /S /T 0"
The /S switch specifies the system name, and the /Create switch tells the tool to create a new trigger with the name that the /TR switch parameter supplies. The /L switch specifies the application event log to filter. The action is triggered only by error event log entries with an event ID of 999, which the /T and /EID switches specify, respectively. You can add the /SO switch to filter on the event log entry source name, if necessary. The /TK switch specifies the task to perform, which in this case is a system shutdown performed with the shutdown.exe tool. Shutdown.exe's own /S switch specifies a shutdown, and its /T 0 switch specifies waiting 0 seconds before shutting the system down.
Eventtriggers prompts you for credentials to determine the security context when you execute the shutdown command. Running this command against production systems can cause problems because your systems could shut down frequently if the application event log entries you create match the shutdown command's conditions. To avoid this situation, you can narrow the scope of the query (e.g., by using the /SO switch) and change the trigger conditions to a different event log file, such as the security event log, and a different event log entry type, such as failureaudit. Obviously, you can trigger other actions, such as sending a mail alert or page. The sky is the limit here!
To view the triggers configured in a system, you can use the following command:
C:\>Eventtriggers /S vm75459312b.LissWare.Net /Query
This command lists all triggers with their related tasks. Note that only error, information, warning, successaudit, and failureaudit event log entry types can be tracked—the success event log entry type can't.
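The following batch file is an added example and not part of the original article: it runs the create, query, and trigger steps described above end to end on the local machine, but with the trigger scoped as narrowly as Eventtriggers allows (log, source, type, and event ID) and with a harmless task in place of Shutdown.exe, so that a stray error 999 from another application cannot take the box down. The source name "Eventcreate TEST", the trigger name, event ID 999, and the path C:\Temp\trigger.log are constructed values; the script is assumed to run from an elevated cmd.exe on Windows Server 2003 or XP. Add /S (and /U, /P) to each command, as the article does, to run it against a remote system.

```batch
@echo off
REM Added example, not from the original article: the create / query / trigger
REM cycle run end to end on the local machine with a narrowly scoped trigger
REM and a harmless task. Constructed values: source name, trigger name,
REM event ID 999, and C:\Temp\trigger.log.
SETLOCAL
SET SRC=Eventcreate TEST
SET TRG=Detect EventCreate
SET OUT=C:\Temp\trigger.log
IF NOT EXIST C:\Temp MKDIR C:\Temp

REM 1. Register the trigger first. Filtering on log, source, type AND event ID
REM    means an Error/999 entry written by some other application cannot fire it.
REM    /RU System avoids the interactive credential prompt; a real alerting task
REM    should run under a dedicated account that has only the rights it needs.
Eventtriggers /Create /TR "%TRG%" /L application /SO "%SRC%" /T ERROR /EID 999 /TK "cmd.exe /c echo trigger fired >> %OUT%" /RU System
IF ERRORLEVEL 1 (ECHO Trigger creation failed & GOTO :END)

REM 2. Raise the test event that should match the trigger.
Eventcreate /L application /SO "%SRC%" /T Error /ID 999 /D "Event log creation with Eventcreate.exe"

REM 3. Prove the entry is in the log. One criterion per /FI switch here;
REM    CSV output is the easiest form to feed to a script later.
Eventquery /L application /FI "Source eq %SRC%" /FI "ID eq 999" /FO CSV

REM 4. Show the registered trigger and whether its task has run yet.
Eventtriggers /Query /FO LIST
IF EXIST "%OUT%" (TYPE "%OUT%") ELSE (ECHO trigger task has not run yet)

REM 5. Remove the test trigger when done: read its numeric ID from the
REM    /Query output above and pass it to /Delete, e.g. Eventtriggers /Delete /TID 1
:END
ENDLOCAL
```

The order matters: the trigger is created before the event is raised, so the first matching entry exercises the whole chain. Step 3 uses one criterion per /FI switch, which expresses the same condition as the single AND-joined filter shown earlier in the article.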