
When querying the Win32_NTLogEvent Class from WMI with WQL is the TimeGenerated property based on Local time of the computer or GMT?

开发者 https://www.devze.com 2023-01-04 07:34 Source: web

I am writing a C# windows service that is doing some churning through the eventlog on a few domain controllers. Some of them are Windows Server 2003 and some are Windows Server 2008. Upon the service stopping I am attempting to resume where I left off in the logs. In order to do this instead of

SELECT * FROM Win32_NTLogEvent WHERE --criteria for events I am looking for

I am doing

SELECT * FROM Win32_NTLogEvent WHERE TimeGenerated = --some date AND --criteria for events I am looking for


At one point I was convinced that the TimeGenerated field was in the local time of the server, but now it seems that the Windows 2008 Servers are using GMT to record that time. Can anyone shed some light on whether this is a real difference between the way the two operating systems function, or is this a configuration problem?


In addition, it seems that in versions prior to Windows Server 2008 TimeGenerated was returned in local time, but changed to GMT in Server 2008, as others have been noticing.

  • http://social.msdn.microsoft.com/Forums/en/servercorefordevelopers/thread/e933b476-5d30-4629-955d-6828ec3e8002
  • http://www.ms-news.net/f3617/win32_ntlogevent-11570228.html
  • http://84.45.57.224/win32-ntlogEvent-timegenerated-is-in-gmt_topic21473.html


Something like this may be helpful:

("Select * from Win32_NTLogEvent Where Logfile = 'Application' AND EventCode = '999' AND Message Like '%message%' AND TimeGenerated = '20120221000000.000000+***'")

The TimeGenerated syntax is set up backwards, so in the above example it's yearmonthdaytimeminutesseconds.000000+***; the preceding 000000+*** is needed.

Hope this helps.


Windows time stamps are always recorded in UTC. They will only be converted to local time in whatever GUI program you use to look at the data, like Event Viewer or Explorer (for file times). This behavior is important to avoid random failure on daylight saving time transitions.
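Added example, not part of the original thread or of anyone's posted code: one way for a collector to sidestep the local-versus-GMT question is to normalise every TimeGenerated value to UTC using the offset carried in the string, store the checkpoint in UTC, and resume with `>=` rather than `=`. The function names and sample values are hypothetical, and the use of `>=` is this example's choice.

```python
import re
from datetime import datetime, timedelta, timezone

# CIM/DMTF datetime: yyyymmddHHMMSS.mmmmmm, then sign and UTC offset in minutes.
_CIM_RE = re.compile(r"^(\d{14})\.(\d{6})([+-])(\d{3})$")


def parse_cim_datetime(value: str) -> datetime:
    """Parse a fully specified CIM datetime and return it as aware UTC."""
    m = _CIM_RE.match(value)
    if m is None:
        # Wildcards such as '+***' carry no offset, so they cannot be normalised.
        raise ValueError(f"not a fully specified CIM datetime: {value!r}")
    stamp, micros, sign, minutes = m.groups()
    naive = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(microsecond=int(micros))
    offset = timedelta(minutes=int(minutes))
    if sign == "-":
        offset = -offset
    return naive.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)


def to_cim_utc(moment: datetime) -> str:
    """Format an aware datetime as a CIM datetime with an explicit +000 offset."""
    if moment.tzinfo is None:
        raise ValueError("refusing a naive datetime: its zone would be a guess")
    utc = moment.astimezone(timezone.utc)
    return utc.strftime("%Y%m%d%H%M%S") + f".{utc.microsecond:06d}+000"


def build_resume_query(checkpoint: datetime, logfile: str, event_code: int) -> str:
    """Build a WQL query that resumes from a stored UTC checkpoint."""
    if not re.fullmatch(r"[A-Za-z0-9 ]+", logfile):
        raise ValueError("unexpected characters in log file name")
    return (
        "SELECT * FROM Win32_NTLogEvent "
        f"WHERE Logfile = '{logfile}' AND EventCode = {int(event_code)} "
        f"AND TimeGenerated >= '{to_cim_utc(checkpoint)}'"
    )


# Constructed sample values: the same instant written with two different offsets.
SAMPLE_LOCAL = "20120221070000.000000-300"
SAMPLE_UTC = "20120221120000.000000+000"

if __name__ == "__main__":
    checkpoint = max(parse_cim_datetime(SAMPLE_LOCAL), parse_cim_datetime(SAMPLE_UTC))
    print(build_resume_query(checkpoint, "Application", 999))
```

Because `>=` returns the checkpoint event again on resume, deduplicate on RecordNumber when processing the results.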
