Querying the Event Log for Stop Events

Microsoft® Windows® 2000 Scripting Guide

Tracking stop events and the details about those stop events can help you determine whether a particular problem is endemic to one computer or if it is occurring on other computers in your organization. Because stop events are recorded in the System Event log, you can create a script that periodically queries the System Event log on a computer or set of computers and checks to see whether any stop events have occurred.

Each time a stop event occurs, a record is saved with the following parameters:

  • EventType = Information

  • EventCode = 1001

  • SourceName = Save Dump

The event description will look similar to the following:

The computer has rebooted from a bugcheck. The bugcheck was: 0x000000e2
 (0x00000000, 0x00000000, 0x00000000, 0x00000000). Microsoft Windows 2000 [v15.2195].
  A dump was saved in: C:\WINNT\MEMORY.DMP.

You can use the Win32_NTLogEvent class to periodically query the System Event Log and retrieve the details of each stop event.

Scripting Steps

Listing 8.23 contains a script that queries the System Event Log for all stop events. To carry out this task, the script must perform the following steps:

  1. Create a variable to specify the computer name.

  2. Use a GetObject call to connect to the WMI namespace root\cimv2, and set the impersonation level to "impersonate."

  3. Use the ExecQuery method to query the Win32_NTEventLog class.

    Include a WHERE clause to limit the records retrieved only to those events found in the System Event Log that have the source name Save Dump.

  4. For each record in the collection, echo the time the event occurred and the event message.

Listing 8.23 Querying the System Event Log for Stop Events


strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
 & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
 ("SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'System'" _
 & " AND SourceName = 'SaveDump'")
For Each objEvent in colLoggedEvents
 Wscript.Echo "Event date: " & objEvent.TimeGenerated
 Wscript.Echo "Description: " & objEvent.Message

Generating a Stop Event

Before you configure recovery options on a production computer, it is helpful to know the actual impact of these options. In particular, you will want to know the size of the dump file that will be generated and how much time it takes the computer to create the dump file and restart. To see what happens to a particular computer if a stop event occurs, you can add an entry to the registry and manually generate a stop event.


  • Changing the registry with a script can easily propagate errors. The scripting tools bypass safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. Before scripting changes to the registry, test your script thoroughly and back up the registry on every computer on which you will make changes. For more information about scripting changes to the registry, see the Registry Referenceon the Microsoft Windows 2000 Server Resource Kit companion CD or at http://www.microsoft.com/reskit.

To add an entry to the registry

  1. Start Regedit.exe.

  2. Navigate to the subkey HKLM\System\CurrentControlSet\Services\i8024prt\Parameters.

  3. Select the Parameters subkey, and then click Add Value from the Edit menu.

  4. In the Add Value dialog box, in the Value Name box type CrashOnCtrlScroll, in the Data Type box select Reg_DWORD, and then click OK.

  5. Double-click the CrashOnCtrlScroll entry. In the DWORD Editor dialog box, type 1 in the Data box and then click OK.

  6. Close Regedit.exe, and restart your computer.

After the computer has restarted, you can generate a stop event.

To manually generate a stop event

  • Press and hold the right Ctrl key (the left Ctrl key will not allow you to generate a stop event), and then press the Scroll Lock key twice.

    A stop event will occur, and a stop error will be displayed with the following message:

    *** STOP: 0x000000E2 (0x00000000, 0x00000000, 0x00000000, 0x00000000)
    The end-user manually generated the crashdump.

After generating a stop event, the computer will be inoperable until it has been restarted. After the restart, complete functionality will be restored.