'==========================================================================
'
'
' NAME: <ReadSecurityEventLog.vbs>
'
' AUTHOR: Ed Wilson , MS
' DATE  : 4/23/2006
'
' COMMENT: <Adds the security privilege, and reads a specific event from log>
'1. Uses the addAsString method to add the privilege to the script.
'2. Uses two user defined functions: one turns date into UTC format for the 
'3. Query. It uses the setVarDate method from the sWbemDateTime object.
'4. Other function does the opposite, it turns UTC formatted date into reg.
'5. Also uses dateSerial function to convert numbers into a date type.
'==========================================================================

Option Explicit 
'On Error Resume Next
dim strComputer
dim wmiNS
dim wmiQuery
dim objWMIService
dim colItems
dim objItem
Dim IntEvent 'event code to look For
Dim dteDate		'the date to search from in log.

strComputer = "."
dteDate = DateSerial(2006,04,22)
IntEvent = "576" 'Event Code.
wmiNS = "\root\cimv2"

wmiQuery = "SELECT * FROM Win32_NTLogEvent WHERE EventCode = " & _
	IntEvent & " and Logfile = 'security' and timegenerated > " & _
	funUTC(dteDate)

Set objWMIService = GetObject("winmgmts:\\" & strComputer & wmiNS)
objWMIService.security_.Privileges.addASstring "SeSecurityPrivilege"
Set colItems = objWMIService.ExecQuery(wmiQuery)

For Each objItem In colItems
Wscript.Echo "TimeGenerated: " & FunTime(objItem.TimeGenerated)
    Wscript.Echo "message: " & objItem.message
    Wscript.Echo "EventCode: " & objItem.EventCode
    Wscript.Echo "CategoryString  : " & objItem.CategoryString  
Next

Function funUTC(mydate)
Dim dateTime
Set dateTime = CreateObject("WbemScripting.SWbemDateTime")
dateTime.SetVarDate(mydate)
funUTC= "'" & dateTime & "'"
End Function

Function FunTime(wmiTime)
Dim objSWbemDateTime 'holds an swbemDateTime object. Used to translate Time
Set objSWbemDateTime = CreateObject("WbemScripting.SWbemDateTime")
  objSWbemDateTime.Value= wmiTime
  FunTime = objSWbemDateTime.GetVarDate
End Function