Hi Scripting Guys!

I query the eventlog with the MS Log Parser. The output contains constants
like %%2048.  These constants stands for entries in the responding message
table.

For example the msobjs.dll contains the message table for the security
eventlog.

Does anyone has an example how to get the messages from the table with a
vbscript?

Thx!
Marco

news:52D53295-C93B-4ECC-8AAE-AA34DA816918@microsoft.com...

I've extracted and sorted the messages from msobjs.dll using several
command line utilites but could not identify their associated numbers.

Access Clipboard
Access global atoms
ACCESS_SYS_SEC
AddMember
AddMember
AdjustDefaultDacl
AdjustGroups
AdjustPrivileges
Administer audit log attributes
Administer Document
Administer print server
AdministerServer
AppendData (or AddSubdirectory or CreatePipeInstance)
Assign a token to the thread
Assign Primary Token Privilege
Assign process
AssignAsPrimary
Backup Privilege
Cause thread to directly impersonate another thread
Change Hardware Environment Privilege
Change logon capabilities assigned to account
Change Notify (and Traverse) Privilege
Change privileges assigned to account
Change quotas assigned to account
Change secret value
Change system audit requirements
Change the controllers in the trusted domain
Change the Posix ID offset assigned to the trusted domain
ChangeGroupMembership
ChangePassword (with knowledge of old password)
Channel query information
Channel read message
Channel set information
Channel write message
Communicate using port
Connect to service controller
ConnectToServer
Control Access
Control profile
Create a new service
Create a privilege
Create a secret object
Create a subprocess of process
Create Child
Create desktop
Create instance of object type
Create Link
Create menu
Create new thread in process
Create object in directory
Create Pagefile Privilege
Create Permanent Object Privilege
Create special accounts (for assignment of user rights)
Create sub-directory
Create sub-key
Create window
CreateDomain
CreateGlobalGroup
CreateLocalGroup
CreateUser
DDE Share Add Items
DDE Share Advise
DDE Share Execute
DDE Share Initiate Link
DDE Share Initiate Static
DDE Share List Items
DDE Share Poke
DDE Share Read
DDE Share Request
DDE Share Write
Debug Privilege
DELETE
Delete Child
Delete Tree
DeleteChild
Device Access Bit 0
Device Access Bit 1
Device Access Bit 2
Device Access Bit 3
Device Access Bit 4
Device Access Bit 5
Device Access Bit 6
Device Access Bit 7
Device Access Bit 8
Directly impersonate this thread
Duplicate
Duplicate handle into or out of process
Enable/Disable LSA
Enumerate dependencies of service
Enumerate desktops
Enumerate printers
Enumerate services
Enumerate sub-keys
EnumerateDomains
Execute/Traverse
Exit windows
Extend size
Force process termination
Force thread termination
Full Control
Get sensitive policy information
Get thread context
GetLocalGroupMembership
Hook control
Impersonate
Include this desktop in enumerations
Include this windowstation in enumerations
Increase Memory Quota Privilege
Increment Base Priority Privilege
InitializeServer
Issue service-specific control commands
Journal (playback)
Journal (record)
List Contents
List Object
ListAccounts
ListGroups
ListMembers
ListMembers
Load/Unload Driver Privilege
Lock Memory Privilege
Lock service database for exclusive access
Lookup Names/SIDs
LookupDomain
LookupIDs
Map section for execute
Map section for read
Map section for write
MAX_ALLOWED
Modify domain trust relationships
Modify event state
Modify semaphore state
Modify State
Modify timer state
Not used
Notify about changes to keys
Pause or continue the service
Perform virtual memory operation
Print
Profile Single Process Privilege
Profile System Privilege
Query
Query account information
Query Attributes
Query directory
Query event state
Query information from service
Query key value
Query mutant state
Query process information
Query secret value
Query section state
Query semaphore state
Query service configuration information
Query service database lock state
Query State
Query status of service
Query the Posix ID offset assigned to the trusted domain
Query thread information
Query timer state
Query trusted domain name/SID
QuerySource
Read attributes
Read from process memory
Read Objects
Read Property
Read screen
ReadAccount
ReadAttributes
ReadData (or ListDirectory)
ReadEA
ReadGeneralInformation
ReadGroupMembership
ReadInformation
ReadInformation
ReadLogon
ReadOtherParameters
ReadPasswordParameters
ReadPreferences
READ_CONTROL
Remotely Shut System Down Privilege
RemoveMember
RemoveMember
Restore From Backup Privilege
Retrieve the controllers in the trusted domain
Security Privilege
Send an alert to thread
Set Attributes
Set default quota limits
Set key value
Set last-known-good state of service database
Set process information
Set process quotas
Set process termination port
Set Security Attributes
Set service configuration information
Set System Time Privilege
Set thread context
Set thread information
SetPassword (without knowledge of old password)
Shutdown System Privilege
ShutdownServer
Start the service
Stop the service
Suspend or resume thread
Switch to this desktop
SYNCHRONIZE
Take Ownership Privilege
Terminate Job
Traverse
Trusted Computer Base Privilege
Undefined Access (no effect) Bit 1
Undefined Access (no effect) Bit 1
Undefined Access (no effect) Bit 1
Undefined Access (no effect) Bit 1
Undefined Access (no effect) Bit 1
Undefined Access (no effect) Bit 10
Undefined Access (no effect) Bit 10
Undefined Access (no effect) Bit 10
Undefined Access (no effect) Bit 10
Undefined Access (no effect) Bit 10
Undefined Access (no effect) Bit 10
Undefined Access (no effect) Bit 10
Undefined Access (no effect) Bit 10
Undefined Access (no effect) Bit 10
Undefined Access (no effect) Bit 10
Undefined Access (no effect) Bit 10
Undefined Access (no effect) Bit 10
Undefined Access (no effect) Bit 10
Undefined Access (no effect) Bit 10
Undefined Access (no effect) Bit 10
Undefined Access (no effect) Bit 10
Undefined Access (no effect) Bit 10
Undefined Access (no effect) Bit 10
Undefined Access (no effect) Bit 11
Undefined Access (no effect) Bit 11
Undefined Access (no effect) Bit 11
Undefined Access (no effect) Bit 11
Undefined Access (no effect) Bit 11
Undefined Access (no effect) Bit 11
Undefined Access (no effect) Bit 11
Undefined Access (no effect) Bit 11
Undefined Access (no effect) Bit 11
Undefined Access (no effect) Bit 11
Undefined Access (no effect) Bit 11
Undefined Access (no effect) Bit 11
Undefined Access (no effect) Bit 11
Undefined Access (no effect) Bit 11
Undefined Access (no effect) Bit 11
Undefined Access (no effect) Bit 11
Undefined Access (no effect) Bit 11
Undefined Access (no effect) Bit 11
Undefined Access (no effect) Bit 12
Undefined Access (no effect) Bit 12
Undefined Access (no effect) Bit 12
Undefined Access (no effect) Bit 12
Undefined Access (no effect) Bit 12
Undefined Access (no effect) Bit 12
Undefined Access (no effect) Bit 12
Undefined Access (no effect) Bit 12
Undefined Access (no effect) Bit 12
Undefined Access (no effect) Bit 12
Undefined Access (no effect) Bit 12
Undefined Access (no effect) Bit 12
Undefined Access (no effect) Bit 12
Undefined Access (no effect) Bit 12
Undefined Access (no effect) Bit 12
Undefined Access (no effect) Bit 12
Undefined Access (no effect) Bit 12
Undefined Access (no effect) Bit 12
Undefined Access (no effect) Bit 12
Undefined Access (no effect) Bit 13
Undefined Access (no effect) Bit 13
Undefined Access (no effect) Bit 13
Undefined Access (no effect) Bit 13
Undefined Access (no effect) Bit 13
Undefined Access (no effect) Bit 13
Undefined Access (no effect) Bit 13
Undefined Access (no effect) Bit 13
Undefined Access (no effect) Bit 13
Undefined Access (no effect) Bit 13
Undefined Access (no effect) Bit 13
Undefined Access (no effect) Bit 13
Undefined Access (no effect) Bit 13
Undefined Access (no effect) Bit 13
Undefined Access (no effect) Bit 13
Undefined Access (no effect) Bit 13
Undefined Access (no effect) Bit 13
Undefined Access (no effect) Bit 13
Undefined Access (no effect) Bit 13
Undefined Access (no effect) Bit 14
Undefined Access (no effect) Bit 14
Undefined Access (no effect) Bit 14
Undefined Access (no effect) Bit 14
Undefined Access (no effect) Bit 14
Undefined Access (no effect) Bit 14
Undefined Access (no effect) Bit 14
Undefined Access (no effect) Bit 14
Undefined Access (no effect) Bit 14
Undefined Access (no effect) Bit 14
Undefined Access (no effect) Bit 14
Undefined Access (no effect) Bit 14
Undefined Access (no effect) Bit 14
Undefined Access (no effect) Bit 14
Undefined Access (no effect) Bit 14
Undefined Access (no effect) Bit 14
Undefined Access (no effect) Bit 14
Undefined Access (no effect) Bit 14
Undefined Access (no effect) Bit 14
Undefined Access (no effect) Bit 15
Undefined Access (no effect) Bit 15
Undefined Access (no effect) Bit 15
Undefined Access (no effect) Bit 15
Undefined Access (no effect) Bit 15
Undefined Access (no effect) Bit 15
Undefined Access (no effect) Bit 15
Undefined Access (no effect) Bit 15
Undefined Access (no effect) Bit 15
Undefined Access (no effect) Bit 15
Undefined Access (no effect) Bit 15
Undefined Access (no effect) Bit 15
Undefined Access (no effect) Bit 15
Undefined Access (no effect) Bit 15
Undefined Access (no effect) Bit 15
Undefined Access (no effect) Bit 15
Undefined Access (no effect) Bit 15
Undefined Access (no effect) Bit 15
Undefined Access (no effect) Bit 15
Undefined Access (no effect) Bit 2
Undefined Access (no effect) Bit 2
Undefined Access (no effect) Bit 2
Undefined Access (no effect) Bit 2
Undefined Access (no effect) Bit 2
Undefined Access (no effect) Bit 2
Undefined Access (no effect) Bit 2
Undefined Access (no effect) Bit 2
Undefined Access (no effect) Bit 3
Undefined Access (no effect) Bit 3
Undefined Access (no effect) Bit 3
Undefined Access (no effect) Bit 3
Undefined Access (no effect) Bit 3
Undefined Access ...

read more »

  This is probably more trouble than you want to get into,
but... You may be able to do it with straight script. See this
link:

http://www.jsware.net/jsware/scripts.php3#fvinfo

  That download uses only VBScript with the FileSystemObject
to extract FileVersionInfo from any PE file. Another download
on the same page extracts icons. The way they work is to
read the PE file directly to find the addresses of the resources.
If you figure out the specifics of how the message table is
stored and structured you should be able to use a similar script
to extract those. The biggest problem is finding documentation.
Microsoft's docs for PE format, and especially for resource table
format, are limited. But the general idea is that there are a number
of types of resources, all stored in a tree structure of pointers
within the file. Knowing the specific storage details allows you to
track down specific resources, essentially using VBS a a "resource
hacker".