{"id":68073,"date":"2006-01-30T10:10:00","date_gmt":"2006-01-30T10:10:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2006\/01\/30\/how-can-i-find-the-date-of-the-oldest-event-in-an-event-log\/"},"modified":"2006-01-30T10:10:00","modified_gmt":"2006-01-30T10:10:00","slug":"how-can-i-find-the-date-of-the-oldest-event-in-an-event-log","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/how-can-i-find-the-date-of-the-oldest-event-in-an-event-log\/","title":{"rendered":"How Can I Find the Date of the Oldest Event in an Event Log?"},"content":{"rendered":"

\"Hey, \n

Hey, Scripting Guy! How can I find the date of the oldest event in an event log?

— JL<\/P>\"Spacer\"\"Hey,\"Script<\/A> \n

Hey, JL. You know, you just had to make a reference to \u201cold\u201d in your question, didn\u2019t you? Just today one of the Scripting Guys received a letter from the American Association of Retired Persons (AARP). Although the letter acknowledged that this Scripting Guy wasn\u2019t 50 years old yet (and thus wasn\u2019t eligible for membership), it did invite him to pre-register for membership; after all, the letter implied, it won\u2019t be that<\/I> much longer, will it? Thoughtfully included in the letter was a sample membership card with the Scripting Guy\u2019s name emblazoned on it. Trust us: if you\u2019ve never felt old before, then you\u2019ve never seen your name on an AARP membership card.<\/P>\n

But enough about that; after all, you aren\u2019t looking for old Scripting Guys but old events in an event log. (Lucky for you, seeing as how there aren\u2019t<\/I> any old Scripting Guys. Although we sometimes wonder about Jean.) At first this proved to be a bit of a problem, and for two reasons. For one, it\u2019s difficult to translate an idea like \u201cfind the oldest item in a collection\u201d into a WQL query; the WQL query language doesn\u2019t support keywords like MIN or MAX. Granted, you can always just grab all the events and then determine which event is the oldest, but that introduces another problem: because you can\u2019t specify a sort order in a WQL query, how will you know which event is the oldest? So many questions revolving around what ought to be a simple enough request!<\/P>\n

Ah, but where there\u2019s a will there\u2019s a way, huh? (No, not that<\/I> kind of will. We keep telling you, we\u2019re not that old!) As it turns out, each time an event is written to the event log that event is assigned a record number: the first event written to a log is assigned the number 1, the second event is assigned the number 2, etc. This remains true even when an event log is cleared. Suppose you have 1,000 events in an event log and you clear the log. Guess what record number will be assigned to the first event to be written to the cleared log? You got it: 1.<\/P>\n

Why does that matter to us? That matters because it means the oldest event in an event log will always have record number 1. In turn, that means we can find the oldest record in an event log simply by locating event 1. And we can do that<\/I> by using a script like this one:<\/P>

strComputer = “.”\nSet objWMIService = GetObject(“winmgmts:{(Security)}\\\\” & strComputer & “\\root\\cimv2”)<\/p>\n
Set colEvents = objWMIService.ExecQuery _\n    (“Select * from Win32_NTLogEvent Where Logfile = ‘System’ ” & _\n        “AND RecordNumber = 1”)<\/p>\n
For Each objEvent in colEvents\n    Wscript.Echo “Time Written: ” & objEvent.TimeWritten\nNext\n<\/PRE>\n
As you can see, this is a fairly run-of-the-mill WMI script. We start off by connecting to the WMI service on the local computer, although – as we never tire of pointing out – this script can also be run against a remote machine. We then use this WQL query to return all the events from the System event log that have a RecordNumber<\/B> equal to 1:<\/P>
Set colEvents = objWMIService.ExecQuery _\n    (“Select * from Win32_NTLogEvent Where Logfile = ‘System’ ” & _\n        “AND RecordNumber = 1”)\n<\/PRE>\n
Because record numbers must be unique we know we\u2019ll only have one item in the collection. And because the first event written to the event log will have a record number of 1, we also know that we\u2019ve located the oldest event. All that\u2019s left now is to set up a For Each loop to walk through our one-item collection and echo back the value of the TimeWritten<\/B> property:<\/P>
For Each objEvent in colEvents\n    Wscript.Echo “Time Written: ” & objEvent.TimeWritten\nNext\n<\/PRE>\n
We should add that, for better or worse, TimeWritten will be returned as a UTC (Universal Time Coordinate) value. But that\u2019s all right: if you\u2019re looking for an easy way to convert that UTC value to a regular (and readable) date-time value take a look at this sample script<\/B><\/A> in the Script Center Script Repository.<\/P>\n
Now, we know what you\u2019re thinking: if it\u2019s possible to find the oldest event in an event log does that mean it\u2019s possible to find the newest<\/I> event that\u2019s been added to an event log? You bet. However, you\u2019ll have to wait until tomorrow to find out how to do that. After all, at our age one column a day is the best we can do.<\/P><\/p>\n","protected":false},"excerpt":{"rendered":"
Hey, Scripting Guy! How can I find the date of the oldest event in an event log?— JL Hey, JL. You know, you just had to make a reference to \u201cold\u201d in your question, didn\u2019t you? Just today one of the Scripting Guys received a letter from the American Association of Retired Persons (AARP). Although […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[97,98,3,4,5,6],"class_list":["post-68073","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-event-logs","tag-logs-and-monitoring","tag-scripting-guy","tag-scripting-techniques","tag-vbscript","tag-wmi"],"acf":[],"blog_post_summary":"
Hey, Scripting Guy! How can I find the date of the oldest event in an event log?— JL Hey, JL. You know, you just had to make a reference to \u201cold\u201d in your question, didn\u2019t you? Just today one of the Scripting Guys received a letter from the American Association of Retired Persons (AARP). Although […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/68073","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=68073"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/68073\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=68073"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=68073"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=68073"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}