Asynchronously Retrieving Event Log Statistics

Microsoft® Windows® 2000 Scripting Guide

« Previous | Next »   

WMI supports both asynchronous and semi-synchronous scripts. When retrieving events from the event logs, asynchronous scripts often retrieve this data much faster.

In an asynchronous script, a query is issued and control is immediately returned to the script. The query continues to process on a separate thread while the script begins to immediately act on the information that is returned. Asynchronous scripts are event driven: each time an event record is retrieved, the OnObjectReady event is fired. When the query has completed, the OnCompleted event will fire, and the script can continue based on the fact that all the available records have been returned.

In a semi-synchronous script, by contrast, a query is issued and the script then queues a large amount of retrieved information before acting upon it. For many objects, semi-synchronous processing is adequate; for example, when querying a disk drive for its properties, there might be only a split second between the time the query is issued and the time the information is returned and acted upon. This is due in large part to the fact that the amount of information returned is relatively small.

When querying an event log, however, the interval between the time the query is issued and the time that a semi-synchronous script can finish returning and acting on the information can take hours. On top of that, the script might run out of memory and fail on its own before completing.

For event logs with a large number of records, the difference in processing time can be considerable. On a Windows 2000 based test computer with 2,000 records in the event log, a semi-synchronous query that retrieved all the events and displayed them in a command window took 10 minutes 45 seconds. An asynchronous query that performed the same operation took one minute 54 seconds.

Scripting Steps

Listing 12.11 contains a script that asynchronously queries the event logs for all records. To perform this task, the script must apply the following steps:

1. Define two constants used to create a message box.
   • POPUP_DURATION = 10 Indicates that the message box will automatically dismiss itself after 10 seconds unless the user clicks the OK button.
   • OK_BUTTON = 0 Indicates that only an OK button will be displayed as part of the message box.
2. Create a variable to specify the computer name.
3. Use a GetObject call to connect to the WMI namespace root\cimv2 on the computer, and set the impersonation level to "impersonate."
4. Create an SWbemSink object named SINK_.
5. Retrieve the records in the event logs by using an InstancesOfAsync query, specifying Win32_NTLogEvent as the source of the query.
6. Display a Popup message box that dismisses itself after 10 seconds.

   Displaying the message box ensures that the query will have enough time to start before the last line of the script has been processed. Without this message box, the script might finish before the query starts; if the last line of the script is executed before the query can begin to return data, the script will terminate and no data will be returned. After the query begins to return data, however, the data retrieval will continue, even if the last line of the script has been executed.

7. Use a SINK_OnCompleted subroutine to indicate the code that runs when the query is complete. In this case, a message will be echoed to the screen.
8. Use a SINK_OnObjectReady subroutine to indicate the code that runs each time the query returns an object (in this case, an event record).

Listing 12.11   Asynchronously Querying an Event Log

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 

Const POPUP_DURATION = 10 Const OK_BUTTON = 0 Set objWSHShell = Wscript.CreateObject("Wscript.Shell") strComputer = "." Set objWMIService = GetObject("winmgmts:" _     & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2") Set objSink = WScript.CreateObject("WbemScripting.SWbemSink","SINK_") objWMIService.InstancesOfAsync objSink, "Win32_NTLogEvent" errReturn = objWshShell.Popup("Retrieving events", POPUP_DURATION, _     "Event Retrieval", OK_BUTTON) Sub SINK_OnCompleted(iHResult, objErrorObject, objAsyncContext)     WScript.Echo "Asynchronous operation is done." End Sub Sub SINK_OnObjectReady(objEvent, objAsyncContext)     Wscript.Echo "Category: " & objEvent.Category     Wscript.Echo "Computer Name: " & objEvent.ComputerName     Wscript.Echo "Event Code: " & objEvent.EventCode     Wscript.Echo "Message: " & objEvent.Message     Wscript.Echo "Record Number: " & objEvent.RecordNumber     Wscript.Echo "Source Name: " & objEvent.SourceName     Wscript.Echo "Time Written: " & objEvent.TimeWritten     Wscript.Echo "Event Type: " & objEvent.Type     Wscript.Echo "User: " & objEvent.User End Sub

Send us your feedback

« Previous | Next »