
I have come up with a script that will restart a specific service and now I would like to know if there is a way I can get a service start time from event viewer using batch files.

Appreciate if anyone could give me the answer. Thanks!

wOxxOm
Cheska
  • For command-line use, there is an `eventvwr` command. Also `wevtutil` might be helpful. – Stephan Oct 12 '15 at 11:15
  • The question shows a total lack of research effort and I would vote to delete it any time, but the task itself is interesting and seems useful. – wOxxOm Oct 12 '15 at 11:48

1 Answer


Use wevtutil.

  1. The service start/stop events are logged in the System event log; there are several ways to open it (use Google). Clicking the events, we can see a "service entered the running state" event with ID 7036; let's use it to find the last start time of the Application Experience service.

    Only one event is needed (/c:1), and since it's the last one in the log, let's reverse the read direction with /rd:true:

    wevtutil qe system /rd:true /c:1 /q:"Event[EventData[Data[@Name='param1']='Application Experience'] and System[EventID=7036]]"

    The output is this xml blob:

    <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/><EventID Qualifiers='16384'>7036</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8080000000000000</Keywords><TimeCreated SystemTime='2015-10-12T10:43:13.841899000Z'/><EventRecordID>4287264</EventRecordID><Correlation/><Execution ProcessID='800' ThreadID='1804'/><Channel>System</Channel><Computer>zOo</Computer><Security/></System><EventData><Data Name='param1'>Application Experience</Data><Data Name='param2'>running</Data><Binary>410065004C006F006F006B00750070005300760063002F0034000000</Binary></EventData></Event>

  2. Let's extract the date and time.

    First remove everything from the beginning up to SystemTime= with string replacement set "xml=!xml:*SystemTime=!":

    ='2015-10-12T10:43:13.841899000Z'/>.....................................(the rest of the string)

    Then split at ' and T and . into tokens: =, 2015-10-12, 10:43:13, 841899000Z, />.... and grab the 2nd and the 3rd:

    @echo off
    setlocal enableDelayedExpansion
    rem Newest matching event only: /rd:true reads the log in reverse, /c:1 stops after one event
    for /f "tokens=*" %%a in ('
        wevtutil qe system /rd:true /c:1 ^
            /q:"Event[EventData[Data[@Name='param1']='Application Experience'] and System[EventID=7036]]"
    ') do (
        rem drop everything up to SystemTime=, then split at ' T . and keep tokens 2 and 3
        set "xml=%%a" & set "xml=!xml:*SystemTime=!"
        for /f "delims='T. tokens=2,3" %%b in ("!xml!") do (
            echo Started at date: %%b time: %%c
        )
    )
    endlocal
    pause

    The date uses YYYY-MM-DD format, the time is 24-hour:

    Started at date: 2015-10-12 time: 10:43:13

wOxxOm
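An added example that generalizes the answer's script (it is not the answer's own code): the service display name comes from the first argument, the XPath query also requires param2='running' so that a 7036 "entered the stopped state" event is not mistaken for a start, and the script reports when no matching event exists. The argument handling, default name and messages are assumptions; the SystemTime value is UTC (trailing Z), which the answer's output does not point out.

```batch
@echo off
setlocal enableDelayedExpansion
rem Added example, not the original answer's script.
rem Usage: lastsvcstart.cmd "Service Display Name"   (default: Application Experience)
rem Assumption: the service is identified by its display name, as in event 7036's param1.
set "svc=%~1"
if not defined svc set "svc=Application Experience"

rem Match only the "entered the running state" transition (param2='running'),
rem so a 7036 "entered the stopped state" event is not mistaken for a start.
rem usebackq keeps the single quotes inside the XPath query from ending the for /f command.
set "xml="
for /f "usebackq tokens=*" %%a in (`wevtutil qe system /rd:true /c:1 /q:"Event[System[EventID=7036] and EventData[Data[@Name='param1']='%svc%' and Data[@Name='param2']='running']]"`) do set "xml=%%a"

if not defined xml (
    echo No "entered the running state" event found for "%svc%" in the System log.
    exit /b 1
)

rem Strip everything up to SystemTime=, then split at ' T . as in the answer above.
set "xml=!xml:*SystemTime=!"
for /f "delims='T. tokens=2,3" %%b in ("!xml!") do (
    rem SystemTime carries a trailing Z: the value is UTC, not local time.
    echo %svc% last started at date: %%b time: %%c UTC
)
endlocal
```

Run it with the service's display name in quotes, e.g. `lastsvcstart.cmd "Application Experience"`; a non-zero exit code means no start event for that name was found in the current System log.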