
I have Python code that uses the WMI module for Python to get Windows Event Viewer logs, but I am unable to retrieve the PID of the process that generated the log. My code:

import wmi  # pip install wmi (depends on pywin32)

wmi_obj = wmi.WMI('.')  # Connect to WMI on the local machine
wmi_query = "SELECT * FROM Win32_NTLogEvent WHERE Logfile='System' AND EventType=1"  # EventType=1: error events
query_result = wmi_obj.query(wmi_query)  # Run the WQL query; returns a list of Win32_NTLogEvent objects

query_result is a list of WMI objects. Each object in this list is a Windows System log entry, and I want the PID of the process that generated it. I have gone through several MSDN docs but couldn't find anything useful there.

I want to retrieve the information marked in the above image.

Umang Agrawal

1 Answer


The Win32 API call to get event log items is ReadEventLog, and this returns EVENTLOGRECORD structures. These do not have a field for a process identifier, so unless your events have included this in the data of the event message, it looks like this will not be available.

patthoyts
  • The first argument to ReadEventLog is a handle to the event log to be read. The OpenEventLog function returns this handle. You can use the handle to get the pid. – Marichyasana Oct 12 '16 at 12:24
  • Neither suggestion solved what I was looking for. If you check the event logs in Windows, under the Details section for a particular log you will find the process ID that triggered that log, but I am unable to find a way to retrieve it. – Umang Agrawal Oct 17 '16 at 11:01
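The value Event Viewer shows under Details is the ProcessID attribute of the event's <System><Execution> element, which the newer Windows Event Log API renders as XML; the legacy ReadEventLog / Win32_NTLogEvent path used in the question does not carry it. The following is an added example, not code from the question or the answer: it parses that attribute from event XML and, on Windows (assuming pywin32's win32evtlog is installed), pulls it from the live System log.

```python
import xml.etree.ElementTree as ET

# Namespace on every event rendered by the Windows Event Log API.
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def execution_pid(event_xml):
    """ProcessID from <System><Execution>, or None if absent. Providers that
    still log through the legacy API commonly report 0 here (returned as 0)."""
    execution = ET.fromstring(event_xml).find("e:System/e:Execution", EVT_NS)
    if execution is None or "ProcessID" not in execution.attrib:
        return None
    return int(execution.attrib["ProcessID"])

def event_id(event_xml):
    """EventID as Event Viewer shows it (the Qualifiers attribute is ignored)."""
    return int(ET.fromstring(event_xml).find("e:System/e:EventID", EVT_NS).text)

def system_error_pids(max_events=50):
    """Windows only: read Level=2 (error) events from the System channel, the
    same selection as WHERE EventType=1 above, as (event_id, pid) tuples.
    win32evtlog is imported lazily so the parsers stay usable anywhere."""
    import win32evtlog  # pywin32 (assumed installed)

    query = win32evtlog.EvtQuery("System", win32evtlog.EvtQueryChannelPath,
                                 "*[System[Level=2]]")
    rows = []
    while len(rows) < max_events:
        batch = win32evtlog.EvtNext(query, max_events - len(rows))
        if not batch:
            break
        for ev in batch:
            xml = win32evtlog.EvtRender(ev, win32evtlog.EvtRenderEventXml)
            rows.append((event_id(xml), execution_pid(xml)))
    return rows

# Constructed sample shaped like EvtRender output for a Service Control Manager
# error; not captured from a real machine.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager"/>
    <EventID Qualifiers="49152">7000</EventID>
    <Level>2</Level>
    <Execution ProcessID="732" ThreadID="1836"/>
  </System>
</Event>"""

if __name__ == "__main__":
    print(event_id(SAMPLE_EVENT_XML), execution_pid(SAMPLE_EVENT_XML))  # 7000 732
    # On Windows: print(system_error_pids(10))
```

A PID of 0 from a live event means the provider wrote through the legacy API, so the value is recorded but not meaningful for that event.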