Retrieving events from remote computers when WMI or RPC are not working
When you’re investigating computer management client health issues you may benefit from knowing the history of the computer. When was it last rebooted? Did it crash at that time? Did someone stop certain services? Retrieving such details from the event logs on the client via WMI is very easy and is well documented – just bing it (by which I mean, of course, that you should use your favorite search engine). But what if the client health issues are probably causing WMI to be broken, or even RPC generally. For example, when you try that method you get error messages such as “The remote server machine does not exist or is unavailable”.
Fortunately PSexec.exe can help (someday I’ll have to investigate what magical protocol enables PSexec). You will need administrator privileges on the remote computers, but assuming that, the following batch file should do the trick:
copy \\<server>\<share>\EventVwr_query.xml \\<client>\c$\windows\temp
<path>\psexec.exe \\<client> cmd.exe /q /c "wevtutil query-events /structuredquery:true /f:Text c:\windows\temp\EventVwr_query.xml > c:\windows\temp\temp.txt"
erase \\<client>\c$\windows\temp\EventVwr_query.xml
type \\<client>\c$\windows\temp\temp.txt
So it copies an event query file to the client, uses wevtutil to run it (in the system context), removes the query file, and uses the output (which you should also delete when you’re done).
A key question is: how do you create the query file? I couldn’t find any documentation on how to do it manually but it’s easy to do interactively. Just start Event Viewer on any computer as you normally would, right-mouseclick, and create a custom view (which really means to create a query). Specify your options such as which Windows log, the source (such as WMI), event IDs, or other details. Now switch to the XML tab of that dialog box and copy the XML code you will see there. Paste it into the “EventVwr_query.xml” file and you’re ready to go.
p.s. In my case I wrap the above with a vbscript in order to inspect the event history of many clients, and that includes parsing the output file. I look forward to sharing more of those details in future posts.