2月15日
Abrir .evt de Windows 2003 en Windows Vista
Por si en algún momento lo intentan, se encontrarán con algún que otro
inconveniente para visualizar un .evt exportado de Windows 2003 en un Windows Vista.
En el siguiente link se muestran varias soluciones, aunque creo que la mejor es utilizar
el script abajo mencionado, ya que nos generará una opción en el menú contextual.
Aquí está el link
'==========================================================================
'
' NAME: ConvertEVTtoEVTX.vbs
'
' AUTHOR: Steve Paruszkiewicz, Microsoft
' DATE : 10/04/2007
'
' COMMENT: Adds "Convert to .EVTX" to the shell context menu for .evt files
' calls wevtutil to convert evt file for use on Vista/Longhorn
' then opens the converted .evtx file in event viewer
'
' If you would later like to remove the Convert to .EVTX context
' menu option you can delete the following registry key
' "HKEY_CLASSES_ROOT\evtfile\shell\Convert to .EVTX\"
'==========================================================================
Option Explicit

' Date stamp appended to the footer of every message shown by ExitScript.
Const LAST_MODIFIED = "10/11/2007"

' True  : open the converted file in Event Viewer as soon as conversion ends.
' False : ask before opening the converted file.
Const AUTO_OPEN_EVTX = True

'On Error Resume Next

' Make sure the context-menu entry is registered.
' Registering it NEEDS AN ADMIN TOKEN ON VISTA.
Call CheckReg()

' Without a file argument there is nothing to convert: report and stop.
If WScript.Arguments.Count < 1 Then
    ExitScript("** No File Argument Specified **" & VbCrLf & _
        "Script Exiting..." & VbCrLf & VbCrLf & "Convert to .EVTX has been added to the context menu")
End If

' The first argument is the path of the .evt file to convert.
Dim strInputFile
strInputFile = WScript.Arguments(0)
ConvertEvtToEVTx(strInputFile)
'************************ Subs and Functions ****************************
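Sub ConvertEvtToEVTx(strFileName)
    ' Converts a legacy .evt log to .evtx with wevtutil and then opens the
    ' result in Event Viewer.
    '
    ' strFileName : path of the .evt file. The output path is the same path
    '               with "x" appended (file.evt -> file.evtx).
    '
    ' If the output file already exists the user is asked whether to
    ' overwrite it. When AUTO_OPEN_EVTX is False the user is also asked
    ' whether to open the result. The script quits if the user declines to
    ' open the file or if the output file does not exist after conversion.
    '
    ' NOTE(review): wevtutil and eventvwr.exe are started by bare name, so
    ' the binary that runs depends on the process search order. Consider a
    ' full %SystemRoot% path if this is used from folders that hold
    ' untrusted evidence files - confirm the tool location on 64-bit hosts.
    Dim Shell : Set Shell = CreateObject("Wscript.Shell")
    Dim FSO : Set FSO = CreateObject("Scripting.FileSystemObject")
    Dim strTarget, strCommand, ret, shortname, exitCode, blnConvert

    strTarget = strFileName & "x"
    strCommand = "wevtutil export-log """ & strFileName & """ """ & strTarget & """ /lf"
    blnConvert = True

    If FSO.FileExists(strTarget) Then
        ' Show only the file name, not the whole path, in the prompt.
        shortname = Right(strTarget, Len(strTarget) - InStrRev(strTarget, "\"))
        ret = MsgBox("The file: " & shortname & VbCrLf & VbCrLf & "Already Exists." & VbCrLf & _
            "Would you like to overwrite it?", vbYesNo + vbInformation, "File exists")
        If ret = vbYes Then
            strCommand = strCommand & " /ow:true"
        Else
            blnConvert = False
        End If
    End If

    If blnConvert Then
        WScript.Echo "Converting " & strFileName & " to .EVTX file"
        ' Hidden window (0), wait for completion (True); keep the exit code
        ' so a failed conversion is not mistaken for a fresh result.
        exitCode = Shell.Run(strCommand, 0, True)
        If exitCode <> 0 Then
            WScript.Echo "Warning: wevtutil returned exit code " & exitCode & _
                ". The .EVTX file may be missing, incomplete or left over from an earlier run."
        End If
    Else
        WScript.Echo "File already exists: Skipping conversion."
    End If
    WScript.Echo "WEvtUtil Command Done."

    ' Ask before opening unless automatic opening is enabled.
    If Not AUTO_OPEN_EVTX Then
        ret = MsgBox("Would you like to open the .EVTX file now?", vbYesNo + vbInformation, "Conversion complete.")
        If ret <> vbYes Then WScript.Quit
    End If

    ' Open the result exactly once. The original launched Event Viewer a
    ' second time on the prompted path.
    If FSO.FileExists(strTarget) Then
        Shell.Run "eventvwr.exe /l:""" & strTarget & """"
    Else
        ' Name the .evtx output (the original message named the .evt input).
        MsgBox "The EVTX file: " & strTarget & VbCrLf & VbCrLf & "Could not be created. " & VbCrLf & _
            " Please check drive space and permissions on the target folder." & VbCrLf & VbCrLf & "Script Exiting..." _
            , vbOKOnly + vbExclamation, "Error"
        WScript.Quit
    End If
End Sub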
'*** Registers the right-click menu entry when it is not present yet
Function CheckReg()
    ' Reads the default value of the "Convert to .EVTX" command key and
    ' calls AddSelfToReg when that read fails. No value is returned.
    '
    ' Only the presence of the value is tested; the stored command line is
    ' read but never compared with this script's current path, so a stale
    ' or altered entry is left as it is.
    On Error Resume Next
    Dim wsh, existingCommand
    Set wsh = CreateObject("WScript.Shell")
    existingCommand = wsh.RegRead("HKEY_CLASSES_ROOT\evtfile\shell\Convert to .EVTX\command\")

    ' A successful read means the entry is already registered.
    If Err.Number = 0 Then Exit Function

    'WScript.Echo Err.Description & " " & Err.Number
    Err.Clear
    ' Adds the ability to run from the context menu.
    AddSelfToReg
End Function
Sub AddSelfToReg()
    ' Writes the "Convert to .EVTX" command for .evt files under
    ' HKEY_CLASSES_ROOT, after asking ElevateThisScript for an
    ' administrative token.
    '
    ' The stored command runs cscript.exe with this script's full path and
    ' the clicked file ("%1"). When a SysWOW64 folder exists, the
    ' cscript.exe under SysWOW64 is used; otherwise the one under System32.
    ' NOTE(review): the original comment gave an Excel automation problem
    ' as the reason for the SysWOW64 host, which this script does not
    ' involve - confirm whether it is still needed.
    '
    ' Because the script's current location is written into the command,
    ' keep the file in a folder that only administrators can modify: the
    ' registered entry runs whatever is at that path.
    ElevateThisScript()
    On Error Resume Next
    Dim wsh, hostExe, menuCommand
    Set wsh = CreateObject("WScript.Shell")

    If IsWin64bit() Then
        hostExe = "\SysWOW64\cscript.exe """
    Else
        hostExe = "\System32\cscript.exe """
    End If
    menuCommand = wsh.ExpandEnvironmentStrings("%systemroot%") & hostExe & _
        WScript.ScriptFullName & """ ""%1"""

    wsh.RegWrite "HKEY_CLASSES_ROOT\evtfile\shell\Convert to .EVTX\command\", menuCommand, "REG_SZ"
    If Err.Number = 0 Then Exit Sub

    ' The write failed: tell the user and stop the script.
    ExitScript("Unable to write to HKEY_CLASSES_ROOT " & VbCrLf & _
        "This Script may need to be run with a full administrative token once to register context menu entries.")
End Sub
Function IsWin64bit()
    ' Returns True when a SysWOW64 folder exists under %SYSTEMROOT%,
    ' otherwise False. The presence of that folder is the only test made.
    On Error Resume Next
    Dim wsh, fileSys, sysRoot
    Set wsh = CreateObject("wscript.shell")
    Set fileSys = CreateObject("Scripting.FileSystemObject")
    sysRoot = wsh.ExpandEnvironmentStrings("%SYSTEMROOT%")

    If fileSys.FolderExists(sysRoot & "\SysWOW64") Then
        IsWin64bit = True
    Else
        IsWin64bit = False
    End If
End Function
Sub ExitScript(ByVal MSG)
    ' Shows MSG followed by a separator line and an author / last-modified
    ' footer, then ends the script.
    Dim footer
    footer = "_______________________________________________________" & vbCrLf & _
        "VBS script created by Steve Paruszkiewicz. Last modified on: " & LAST_MODIFIED & vbCrLf & VbCrLf
    DisplayMsg(MSG & VbCrLf & footer)
    WScript.Quit
End Sub
Sub DisplayMsg(Msg)
    ' Shows Msg in a message box. Any error raised while doing so is ignored.
    On Error Resume Next
    Call MsgBox(Msg)
End Sub
'*********************************************************************************
' Subroutine: ElevateThisScript()
'
' Author: Steve Paruszkiewicz, Microsoft
' Last Modified: August 2, 2007
'
' Purpose: (Intended for Vista and Windows Server 2008)
' Forces the currently running script to prompt for UAC elevation if it detects
' that the current user credentials do not have administrative privileges
'
' If run on Windows XP this script will cause the RunAs dialog to appear if the user
' does not have administrative rights, giving the opportunity to run as an administrator
'
' This Sub Attempts to call the script with its original arguments. Arguments that contain a space
' will be wrapped in double quotes when the script calls itself again.
'
' Usage: Add a call to this sub (ElevateThisScript) to the beginning of your script to ensure
' that the script gets an administrative token
'**********************************************************************************
Sub ElevateThisScript()
    ' Returns to the caller when the current token passes the registry
    ' access check below. Otherwise it starts this script again with the
    ' "runas" verb and the original arguments, and ends the current
    ' instance.
    '
    ' The check asks StdRegProv whether KEY_SET_VALUE access is granted on
    ' HKLM\System\CurrentControlSet\Control\CrashControl; that result
    ' stands in for "has administrative rights".
    '
    ' Arguments are passed on as they are, wrapped in double quotes only
    ' when they contain a space. The sub has no error handler of its own,
    ' so a WMI failure is raised to the caller.
    Const HKEY_LOCAL_MACHINE = &H80000002
    Const KEY_SET_VALUE = 2
    Dim hostPath, sepPos, relaunchArgs, item, quoted, canWrite
    Dim objShellApp : Set objShellApp = CreateObject("Shell.Application")

    ' Full path of the running script host, with the executable name
    ' upper-cased.
    sepPos = InStrRev(WScript.FullName, "\")
    hostPath = Left(WScript.FullName, sepPos) & UCase(Mid(WScript.FullName, sepPos + 1))

    ' Rebuild the argument string for the second launch.
    relaunchArgs = ""
    For Each item In WScript.Arguments
        If InStr(item, " ") > 0 Then
            quoted = """" & item & """"
        Else
            quoted = item
        End If
        relaunchArgs = relaunchArgs & " " & quoted
    Next

    Dim strComputer : strComputer = "."
    Dim objReg
    Set objReg = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & _
        strComputer & "\root\default:StdRegProv")

    ' Check for administrative registry access rights.
    objReg.CheckAccess HKEY_LOCAL_MACHINE, "System\CurrentControlSet\Control\CrashControl", _
        KEY_SET_VALUE, canWrite
    If canWrite = True Then Exit Sub

    ' No write access: start again with the "runas" verb and stop here.
    objShellApp.ShellExecute hostPath, " """ & WScript.ScriptFullName & """" & relaunchArgs, "", "runas"
    WScript.Quit
End Sub
Once you have the script installed, right click on a .EVT file and you should have the option to convert the file to .EVTX format as shown below:
