Inventorying Events with SCCM

If you have Microsoft System Center Configuration Manager (SCCM, or ConfigMgr, depending on who you ask), you can easily extend the inventory to gather Make Me Admin events from the event log during a hardware inventory.

This involves editing the configuration.mof file that SCCM uses. Plenty of articles already cover that process, so for the sake of brevity, here is the text to add to your MOF file.

#pragma autorecover
#pragma namespace("\\\\.\\root\\cimv2")

[Union,
ViewSources{"SELECT EventCode,EventType,LogFile,Message,RecordNumber,SourceName,TimeGenerated FROM Win32_NTLogEvent WHERE (LogFile = 'Application') AND (SourceName = 'Make Me Admin') AND (EventCode < 9000)"},
ViewSpaces{"\\\\.\\root\\cimv2"},
dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")]
class Make_Me_Admin_Events
{
    [PropertySources{"RecordNumber"}, key]
    uint32 RecordNumber;
    [PropertySources{"LogFile"}, key]
    string LogFile;
    [PropertySources{"SourceName"}]
    string SourceName;
    [PropertySources{"EventCode"}]
    uint16 EventCode;
    [PropertySources{"EventType"}]
    uint8 EventType;
    [PropertySources{"Message"}]
    string Message;
    [PropertySources{"TimeGenerated"}]
    datetime TimeGenerated;
};

Filtering on EventCode < 9000 excludes debugging events, which most people will not have in their event logs anyway.

If you copy and paste this MOF section, make sure that the entire ViewSources line is on a single line. You may want to paste this into a standalone MOF file and check it with mofcomp -check before adding it to your configuration.mof.

Also, note that the #pragma autorecover line is there only so that mofcomp will not complain about it being missing. Either remove that pragma statement before adding the text to your configuration.mof, or leave it out entirely and ignore the warning from mofcomp.
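The single-line ViewSources requirement and the mofcomp -check step can be scripted before the section goes into configuration.mof. The following PowerShell is an added example, not part of Make Me Admin or SCCM; the file path and the function name Test-MofSnippet are assumptions, and the operator and column checks go slightly beyond what the text above asks for.

```powershell
# Added example: pre-flight checks for a standalone copy of the MOF section.
# $MofPath is an assumed location; point it at wherever you saved the snippet.
param([string]$MofPath = "$env:TEMP\MakeMeAdminEvents.mof")

function Test-MofSnippet {
    param([Parameter(Mandatory)][string]$Path)
    $problems = [System.Collections.Generic.List[string]]::new()
    $lines = @(Get-Content -LiteralPath $Path)

    # ViewSources must open and close on one physical line.
    $view = @($lines | Where-Object { $_ -match '^\s*ViewSources\s*\{' })
    $wql = $null
    if ($view.Count -ne 1) {
        $problems.Add("Expected one ViewSources line, found $($view.Count).")
    } else {
        $m = [regex]::Match($view[0], '^\s*ViewSources\s*\{\s*"([^"]+)"\s*\}\s*,?\s*$')
        if ($m.Success) { $wql = $m.Groups[1].Value }
        else { $problems.Add('ViewSources is split across lines or its quotes are unbalanced.') }
    }
    if ($wql) {
        # Each parenthesised WHERE clause needs a comparison operator.
        foreach ($c in [regex]::Matches($wql, '\(([^()]*)\)')) {
            if ($c.Groups[1].Value -notmatch '[<>=]') {
                $problems.Add("No comparison operator in clause $($c.Value)")
            }
        }
        # Every PropertySources column must appear in the SELECT list.
        $cols = [regex]::Match($wql, '(?i)^SELECT\s+(.+?)\s+FROM\s').Groups[1].Value -split '\s*,\s*'
        foreach ($p in [regex]::Matches(($lines -join "`n"), 'PropertySources\{"(\w+)"\}')) {
            if ($cols -notcontains $p.Groups[1].Value) {
                $problems.Add("$($p.Groups[1].Value) is mapped but not selected by ViewSources.")
            }
        }
    }
    return $problems
}

$problems = @(Test-MofSnippet -Path $MofPath)
if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }

# Syntax check only: -check makes no change to the WMI repository.
& mofcomp.exe -check $MofPath
if ($LASTEXITCODE -ne 0) { Write-Error "mofcomp -check failed with exit code $LASTEXITCODE"; exit $LASTEXITCODE }
Write-Output "OK: $MofPath passed the pre-flight checks and mofcomp -check."
```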