WMI query - find oldest Application Log event

Question

I went through all relevant topics, but I didn't find an answer. I'm running a WMI query to retrieve the datetime of the oldest event in the Application Log. Unfortunately the query below always return 0 values, but apparently syntax is correct, because no error message is returned. Any idea why this happens? Actually c# embedded solution downloads the whole Eventviewer and since I'm connecting to remote machines, performances are horrible. Therefore I chose WMI query

SelectQuery query = new SelectQuery("select * from Win32_NtLogEvent where Logfile ='" + logFileName + "' and RecordNumber = '1'");

using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(scope, query, opt)) {
    foreach (ManagementObject mo in searcher.Get()) {
         DateTime firstEventTime;
         DateTime.TryParseExact(mo["TimeGenerated"].ToString().Substring(0, 12), "yyyyMMddHHmm", null, DateTimeStyles.None, out firstEventTime);
         // if the time of the first entry of the application log is older that the dayback to check date
         // set dayback to check to first app log entry date
         logbox.writetoLogFile(this.GetType().Name, "First event time is " + firstEventTime, LogLevel.Debug);
             if (firstEventTime > endDate) {
                 endDate = firstEventTime;
                 logbox.writetoLogTextbox("First eventviewer entry has date " + firstEventTime + ". Check log will stop at this date", Color.Black);
                 logbox.writetoLogFile(this.GetType().Name, "First eventviewer entry has date " + firstEventTime + ". Check log will stop at this date", LogLevel.Info);
             }
     }
}

Unfortunately I figured it out now. Record number get not reset, therefore the event 1 has disappeared since ages. :( Any idea how I could gather this info ?

Thanks, Marco

Answer 1

RecordNumber is a unique identifier and not necessarily match with the LogFile are you using, is something like a primary key, and you get different numbers for each computer, msdn definition for RecordNumber:

• Identifies the event within the Windows NT event log file. This is specific to the log file and is used together with the log file name to uniquely identify an instance of this class.

So what you should do is get all events with specific LogFile, sort by TimeGenerated and get the older event and make another search for the number of the older event: i.e:

using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Management;

namespace WmiEventQuery
{
    class Program
    {
        static void Main(string[] args)
        {
            SelectQuery query = new SelectQuery("select * from Win32_NtLogEvent where LogFile = 'Application' ");
            //execute the query using WMI
            ManagementObjectSearcher searcher = new ManagementObjectSearcher(query);
            //loop through each log found
            List<EventDateTime> datetimesEvents = new List<EventDateTime>();
            foreach (ManagementObject mo in searcher.Get())
            {
                DateTime firstEventTime;
                DateTime.TryParseExact(mo["TimeGenerated"].ToString().Substring(0, 12), "yyyyMMddHHmm", null, DateTimeStyles.None, out firstEventTime);

                datetimesEvents.Add(new EventDateTime
                {
                    RecordNumber = Convert.ToInt32(mo["RecordNumber"]),
                    TimeGenerated = firstEventTime
                });
            }

            int olderRecordNumber = datetimesEvents.OrderBy(p => p.RecordNumber).FirstOrDefault().RecordNumber;

            SelectQuery queryUnique = new SelectQuery(
                System.String.Format("select * from Win32_NtLogEvent where RecordNumber = {0}", olderRecordNumber)
                );

            ManagementObjectSearcher searcherUnique = new ManagementObjectSearcher(queryUnique);

            foreach (ManagementObject mo in searcherUnique.Get())
            {
                //get the older event
                Console.WriteLine(mo["Message"]);
                Console.WriteLine(mo["RecordNumber"]);
            }

            Console.Read();

        }
    }

    public class EventDateTime
    {
        public DateTime TimeGenerated { get; set; }
        public int RecordNumber { get; set; }
    }

}