Ok, found something .. the Win32_NTLogEvent class is not capable by default of reading the new set of "Application and Services" logs introduced with Win7/Server 2008.

There is a workaround: creating a registry key (for each logfile its own) :) (provided the user running the script has sufficient access)

In your case it is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational

Which is, to say the least, kinda annoying.

Furthermore I only managed by now to get a direct request to ReadEventlog() to work for me. Like ReadEventlog("Microsoft-Windows-Diagnostics-Performance/Operational", 100) which is a pain to sort out as it returns a metric ton of data :D

A WQL Query like this (tried of course other, simpler combinations) returns only empty strings

 Code:
; Win32_NTLogEvent only sees this log once its key exists under services\eventlog
if not keyexist("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational")
    $ = addkey("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational")
    @error ??
endif

; ReadEventlog() is handed a WQL query here; only InsertionStrings is requested
$events = ReadEventlog('SELECT InsertionStrings FROM Win32_NTLogEvent
                        WHERE Logfile="Microsoft-Windows-Diagnostics-Performance/Operational" AND EventCode=100')

; $events[0,0] is the latest event; the values are picked by position after splitting on CRLF
if ubound($events,1) > -1
    "BootTime: " + split($events[0,0],@crlf)[5] ?
    "MainPathBootTime: " + split($events[0,0],@crlf)[6]   ?
    "BootPostBootTime: " + split($events[0,0],@crlf)[19]   ?
endif
; wait for a key press before exiting
get $



[Edit]
the above query is of course nonsense. A quick peek at the class in wbemtest uncovers this. Still, using the correct statements like TimeGenerated and Message returns nothing
[/Edit]

[Edit2]
Meh, InsertionStrings holds the information we're looking for. Edited code above is working now. Please note that it will return only the latest event. Of course $events holds all available events, but $events[0,0] is the latest.
[/Edit2]



Edited by Jochen (2017-10-18 09:47 AM)
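
Added example, not part of the original post: the same Event ID 100 read with PowerShell's Get-WinEvent, which queries the Windows Event Log API directly instead of Win32_NTLogEvent, so the registry key is not involved, and which looks the values up by field name instead of by position in InsertionStrings. The function name Get-BootPerformance and its parameters are made up for this example.

```powershell
# Added example (not from the post): read boot-performance events by field name.
# Get-BootPerformance is a hypothetical helper name chosen for this example.
function Get-BootPerformance {
    param(
        [string]$LogName = 'Microsoft-Windows-Diagnostics-Performance/Operational',
        [int]$EventId = 100,
        [string[]]$Fields = @('BootTime', 'MainPathBootTime', 'BootPostBootTime'),
        [int]$MaxEvents = 5
    )

    try {
        # Newest events come first, so the first object corresponds to $events[0,0] in the post
        $found = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } `
                              -MaxEvents $MaxEvents -ErrorAction Stop
    }
    catch {
        # Get-WinEvent raises an error when nothing matches or the log cannot be read
        Write-Warning "No events returned from '$LogName': $($_.Exception.Message)"
        return
    }

    foreach ($evt in $found) {
        # Each <Data Name="..."> element under EventData holds one value;
        # index them by the Name attribute so field order does not matter
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($node in $xml.GetElementsByTagName('Data')) {
            $name = $node.GetAttribute('Name')
            if ($name) { $data[$name] = $node.InnerText }
        }

        $row = [ordered]@{ TimeCreated = $evt.TimeCreated }
        foreach ($field in $Fields) {
            # A field missing from the event yields $null instead of a wrong neighbour value
            $row[$field] = $data[$field]
        }
        [pscustomobject]$row
    }
}

Get-BootPerformance | Format-Table -AutoSize
```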