Batch File - The specified channel could not be found.

I thought a new set of eyes looking at this might be able to see what is required.

I am basically trying to output ALL the event logs on a Local and Remote computer, although I am ONLY really interested in Local at the present time.

It outputs nicely to the screen but I can't get it to output the data to the created desktop folder. I used the variables i, j, and k to keep it simple.

Code:

@echo off

title Extract ALL Event Logs.
mode con: cols=110 lines=1250 & color 17
setlocal EnableDelayedExpansion
set "params=%*"
cd /d "%~dp0" && ( if exist "%temp%\getadmin.vbs" del "%temp%\getadmin.vbs") && fsutil dirty query %systemdrive% 1>nul 2>nul || ( echo Set UAC = CreateObject^("Shell.Application"^) : UAC.ShellExecute "cmd.exe", "/k cd ""%~sdp0"" && %~s0 %params%", "", "runas", 1 >> "%temp%\getadmin.vbs" && "%temp%\getadmin.vbs" && exit /b)
%windir%\system32\reg.exe query "HKU\S-1-5-19" 1>nul 2>nul || ( echo. & echo  ERROR: This Batch file MUST be run as an Administrator. & echo. & echo         Right-click the Batch file and click ^<Run as administrator^>. & echo. & echo ^>Press ANY key to EXIT . . . & pause >nul & goto :Exit )

for /f "usebackq tokens=3 " %%X in (`Reg Query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop`) do (set UDFPRaw=%%X)
for /f "usebackq delims=" %%Y in (`echo %UDFPRaw%`) do (set UDFP=%%Y)

echo.
set /p "UserInput=>Enter Remote PC name and press <Enter>, OR, press <Enter> for Local PC: "
if "%UserInput%" equ "" set UserInput=%ComputerName%
set Out_Dir=%UDFP%\%UserInput%
if not exist %Out_Dir% (mkdir %Out_Dir% >nul 2>&1)
pushd %Out_Dir%

echo. & echo ^>Processing . . . & echo.
for /f "delims=\" %%i in ('wevtutil el /r:%UserInput%') do (echo Retreving Log --^> %%i)
for /f "tokens=1,2 delims=/" %%j in ("%%i") do (
  if %%k equ "" (
    set Out_File=%ComputerName%-%%j.evtx
    ) else (
    set Out_File=%ComputerName%-%%j-%%k.evtx
    )
  )
  wevtutil epl %%i %Out_File% /OW:True /r:%UserInput%
)
popd
echo. & echo ^>Processing COMPLETE.
echo. & echo ^>Press ANY key to EXIT . . . & pause >nul & goto :Exit

:Exit

Thanks.

EDIT:

The ERROR message I get it . . .

Failed to export log %i.
The specified channel could not be found.

Could it be the phantom "subscription" channel? Event Viewer gives this cryptic error when selected.



p.s. - I replicated your .bat error exactly.

Thanks for the reply @f14tomcat, it is appreciated.

f14tomcat said:

Could it be the phantom "subscription" channel? Event Viewer gives this cryptic error when selected.

p.s. - I replicated your .bat error exactly.

I tried that and restarted and still got the same error message as above.

@f14tomcat
Without running the .bat file I got the same screen in Event Viewer on this Win10 Pro Notebook.

Thanks @Berton,

Berton said:

@f14tomcat
Without running the .bat file I got the same screen in Event Viewer on this Win10 Pro Notebook.

Yes, I did initially.

It shouldn't require a subscription creation to run on the Local computer anyway.

When the .bat file is run, the cmd prompt actually does list all the files, which leads me to believe that it is something in the code. As I said, I think I got to the stage where I couldn't see the wood for the trees, hence me asking for a different set of eyes to have a look.

Paul, LOGS.bat in the BSOD repository has code to extract all .evtx files. Maybe something in there can help?

When I run it I get:

Failed to export log %i.
The specified channel could not be found.

>Processing COMPLETE.

>Press ANY key to EXIT . . .

This is the failing code:

Code:

C:\Users\ztruk\Desktop\DESKTOP>for /F "tokens=1,2 delims=/" %j in ("%i") do (if %k EQU "" (set Out_File=DESKTOP-%j.evtx )  else (set Out_File=DESKTOP-%j-%k.evtx ) )

C:\Users\ztruk\Desktop\DESKTOP>(if  EQU "" (set Out_File=DESKTOP-%i.evtx )  else (set Out_File=DESKTOP-%i-.evtx ) )

C:\Users\ztruk\Desktop\DESKTOP>wevtutil epl %i DESKTOP-%i-.evtx /OW:True /r:DESKTOP
Failed to export log %i.
The specified channel could not be found.

C:\Users\ztruk\Desktop\DESKTOP>popd

C:\Users\ztruk>echo.   & echo >Processing COMPLETE.

>Processing COMPLETE.

C:\Users\ztruk>echo.   & echo >Press ANY key to EXIT . . .   & pause   1>nul  & goto :Exit

>Press ANY key to EXIT . . .

Have you overrun something? Is %i or %%i null?

Hello @Ztruker,

Ztruker said:

Paul, LOGS.bat in the BSOD repository has code to extract all .evtx files. Maybe something in there can help?

Thanks, it is appreciated.
I will have a look over the weekend.