Howdy. I replied offline to the author earlier in my day about what might be the problem he is running into (I was in digest mode until today and couldnt just reply to the thread - apologies), but played around with this script a little today and seem to have something that can pass credentials to a call for eventlogs and wanted to share with the list (now that I had a working sample).
Based on the API that was available for running searches on remote computers, I had to output the data into XML and did not parse the XML (a task which I leave to the original author of this thread -- using something like lxml). However, Hopefully this helps the original author see how he might be able to inject credentials into their script to get what they need. It is worthy of note that the original poster's script worked fine on my test systems (with Remote Scripting UAC disabled) which might suggest that there's a problem with how the remote server is configured and maybe "Allowing Remote Scripts to Bypass UAC" is the solution to their whole problem... See here: https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/user-account-control-and-remote-restriction Kudos to the pywin32 maintainers and the members of this list for their input. I hope this minor script helps someone. # ------------------------------- # tested using python 3.6.3 on W10x64 with domain admin credentials tested in the script import win32evtlog # requires pywin32 pre-installed import time user = "someuser" # your windows username domain = "SOMEDOMAIN" # your windows domain name (or possibly computername) passwd = "reallysecurepassword" # your unencrypted password server = 'IP_OR_FQDN' # name of the target computer to get event logs try: logtype = 'System' # 'Application' # 'Security' sess_handle = win32evtlog.EvtOpenSession(Login=(server, user, domain, passwd, win32evtlog.EvtRpcLoginAuthDefault), Timeout=0, Flags=0) query_flags = win32evtlog.EvtQueryReverseDirection | win32evtlog.EvtQueryChannelPath # while I get "*" (all the logs), this thread seems to suggest you could limit it.. however, their syntax didn't work for me # https://stackoverflow.com/questions/29827769/get-an-event-object-from-win32evtlog-evtquery-results log_handle = win32evtlog.EvtQuery(logtype, query_flags, "*", sess_handle) x = 0 count = 10 # get x events per query events = win32evtlog.EvtNext(ResultSet=log_handle, Count=count,Timeout=0, Flags=0) while events: for event in events: x += 1 print(f'b4 render: {x} --> {event}') print (f'Event Data: {win32evtlog.EvtRender(event, Flags=win32evtlog.EvtRenderEventXml)}') events = win32evtlog.EvtNext(ResultSet=log_handle, Count=count,Timeout=0, Flags=0) time.sleep(5) except Exception as e: print(f"Excepted with: {e}") #################### # minor excerpt of output: b4 render: 240 --> <PyEVT_HANDLE:22> Event Data: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/><EventID Qualifiers='16384'>7036</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8080000000000000</Keywords><TimeCreated SystemTime='2021-09-16T21:02:15.383021500Z'/><EventRecordID>296223</EventRecordID><Correlation/><Execution ProcessID='688' ThreadID='3724'/><Channel>System</Channel><Computer>somecomuter.somewhere.com</Computer><Security/></System><EventData><Data Name='param1'>WMI Performance Adapter</Data><Data Name='param2'>stopped</Data><Binary>77006D006900410070005300720076002F0031000000</Binary></EventData></Event> _______________________________________________ python-win32 mailing list python-win32@python.org https://mail.python.org/mailman/listinfo/python-win32