In the new versions of server 2008+ MS have added an "Application and Services" folder to Event Viewer,

I dont seem to be able to programaticaly access any logs in here,

My Code:

Dim strValue As String
Dim objLogs() As EventLog
Dim Logname As String = "Microsoft-Windows-Backup"
Dim objEntry As EventLogEntry
Dim objLog As EventLog     

objLogs = EventLog.GetEventLogs()
For Each objLog In objLogs
    If objLog.LogDisplayName = Logname Then Exit For
For Each entry In objLog.Entries

If you set the Logname to "Application" or "System" everything works OK, but I can't access any of the new Extended logs

With regards to a solution, I dont care how i get the information out of this event log. (I thought about just opening the file "%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Backup.evtx")

I have had the usual google but can't find anything that actually works.
(Please don't just point me to the MSDN article about access the Event log, it doesn't work for the extended logs)

Thanks in advance.

3 Years
Discussion Span
Last Post by nerden

Have you tried cycling through the code in debug to see what the log names are?

Just place a break point before the loop, step into the loop (F11) then hover over the entry variable.

(You should change it to For Each e As Entry in objLog)

Edited by Begginnerdev


Yea had a look at this,
when it hits objLogs = EventLog.GetEventLogs() if you break and mouse over the "GetEventLogs" bit it lists the logs:
Forwarded Events
Hardware Events
Key Managment Service
Microsoft Office Alerts
Windows PowerShell

Conviently skipping the Microsoft folder :(

I have still been tinkering with this and think it may have something to do with creating my own source. I have tried this but cant get it to make a folder under "Applications and Service logs"

Thanks for coming back to me though


Don't think so, I ran VS as administrator. If you run as normal user or local admin without "run as administrator" it won't access the event logs at all


Does the local administrator have privelages over the domain, or are there two levels for admin? (Domain and local)

Edited by Begginnerdev


If you run as normal user or local admin without "run as administrator" it won't access the event logs at all

Since Vista, regardless of the account you use to log into a computer, running programs are done using regular user priviledges. You can run programs using "run as administrator" or other situations where programs that require admin priveledges to run UAC will pop on on the screen asking for the elevation.

are there two levels for admin? (Domain and local)

Being a network administrator by trade, when I hear or see references to local admin, you are generally referring to a local administrator on a stand alone or domain joined computer. The Domain Administrator generally refers to the built-in Administrator account in an Active Directory domain. Within the domain you have the Administrators (Domain Local) group as well as the Domain Admins (Global) group.

The Domain Administrator account is a member of the Domain Admins account. Every computer that joins the domain will have a local Administrators group. Once the computer joins, the Domain Admins group becomes a member of the local Administrators groups on that computer. So when a member of the domain admins group logs into the domain on a domain joined computer, the effect is that the person is an administrator of that computer.

Back to the Vista reference, even though you log in with admin priviledges, you still run exectubles using regular user privs. You have to specifically elevate your priveldges to get access to senstive areas/services.


I have managed to solve this issue by cheating a little
1) Run VS as Administrator
2) create a registry key under "HKLM\SYSTEM\CurrentControlSet\services\eventlog\" with the name of the log I wanted "Microsoft-Windows-Backup" in my case (no need for any values)
I found this little trick when looking in to WMI
3) Add a reference to my project (Project>Add reference>System.Managment)
4)Using following code to implement a WMI search:

Public Function fnGetEvents()   
        Dim objEvent As ManagementObjectSearcher
        Dim objMgmt As ManagementObject

        Dim strevtCategory As String
        Dim strevtComputerName As String
        Dim strevtEventCode As String
        Dim strevtMessage As String
        Dim strevtRecordNumber As String
        Dim strevtSourceName As String
        Dim strevtTimeWritten As String
        Dim strevtEventType As String
        Dim strevtUser As String

        objEvent = New ManagementObjectSearcher("Select * from Win32_NTLogEvent " & "Where Logfile = 'Microsoft-Windows-Backup'")

        For Each objMgmt In objEvent.Get
            strevtCategory = objMgmt("Category").ToString()
            strevtComputerName = objMgmt("ComputerName").ToString()
            strevtEventCode = objMgmt("EventCode").ToString()
            strevtMessage = objMgmt("Message").ToString()
            strevtRecordNumber = objMgmt("RecordNumber").ToString()
            strevtSourceName = objMgmt("SourceName").ToString()
            strevtTimeWritten = objMgmt("TimeWritten").ToString()
            strevtEventType = objMgmt("Type").ToString()
            strevtUser = objMgmt("User").ToString()

            Console.WriteLine("Category: " & strevtCategory & vbNewLine _
 & "Computer Name: " & strevtComputerName & vbNewLine _
 & "Event Code: " & strevtEventCode & vbNewLine _
 & "Message: " & strevtMessage & vbNewLine _
 & "Record Number: " & strevtRecordNumber & vbNewLine _
 & "Source Name: " & strevtSourceName & vbNewLine _
 & "Time Written: " & strevtTimeWritten & vbNewLine _
 & "Event Type: " & strevtEventType & vbNewLine _
 & "User: " & strevtUser)


End Function

Thanks for everyones input

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.