This article is part of the few-liner series, where you can find some useful PowerShell examples. Of course, you need to adjust the values/paths to your needs. Also, I know there may be other ways to achieve the same results, but this is not a base for a “which-command-is-better” competition. Depending on when you read this post, there may be new cmdlets making things easier, but I do not regularly update this blog series.
Get events of type ERROR and WARNING from the Application log of the last 24 hours (Get-EventLog only exists in Windows PowerShell 5.1; on PowerShell 7 use Get-WinEvent with -FilterHashtable as in the examples further down; -EntryType and -After let the cmdlet filter itself instead of pulling the whole log through Where-Object)
Get-EventLog -LogName Application -ComputerName $env:Computername -EntryType Error,Warning -After (Get-Date).AddHours(-24) | Select EventID,EntryType,Message,Source,TimeGenerated,UserName
Get events regarding session reconnect/disconnect (4778/4779), workstation lock/unlock (4800/4801) and power state changes (Kernel-Power provider: sleep, resume, unexpected shutdown). Interactive logon/logoff themselves are IDs 4624/4634/4647, add them to the filter if you need them. Reading the Security log requires an elevated session.
Get-WinEvent -FilterHashtable @{LogName="Security","System"} | ? { $_.ID -eq 4779 -or $_.ID -eq 4778 -or $_.ID -eq 4800 -or $_.ID -eq 4801 -or $_.ProviderName -eq "Microsoft-Windows-Kernel-Power" } | Select TimeCreated,LogName,Id,ProviderName,Message | Sort TimeCreated -Desc | fl *
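The one-liner above pulls every Security and System event to the client and filters there. As an added example (my code, not from the original post), the same selection can be pushed into a single XML query covering both logs, and each event's EventData (account name, session, client address and so on) can be flattened into the output so the timeline is readable without opening every record. The function name and the 500-event cap are my own assumptions; an elevated session is still needed for the Security log.

```powershell
# Added example, not from the original post. One server-side XML query over
# both logs; the function name and the -MaxEvents default are assumptions.
$query = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4778 or EventID=4779 or EventID=4800 or EventID=4801)]]</Select>
  </Query>
  <Query Id="1" Path="System">
    <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Kernel-Power']]]</Select>
  </Query>
</QueryList>
'@

function Get-SessionTimeline {
    param([int]$MaxEvents = 500)

    Get-WinEvent -FilterXml $query -MaxEvents $MaxEvents -ErrorAction Stop |
        Sort-Object TimeCreated -Descending |
        ForEach-Object {
            # EventData is only reachable through the event XML; turn the
            # <Data Name="..."> elements into "Name=Value" pairs. Events without
            # EventData (some Kernel-Power records) simply get an empty string.
            $x = [xml]$_.ToXml()
            $data = @($x.Event.EventData.Data | ForEach-Object { "$($_.Name)=$($_.'#text')" }) -join '; '
            [pscustomobject]@{
                TimeCreated  = $_.TimeCreated
                LogName      = $_.LogName
                Id           = $_.Id
                ProviderName = $_.ProviderName
                EventData    = $data
            }
        }
}

Get-SessionTimeline | Format-Table -AutoSize
```

Because the selection happens in the event log service, this finishes in seconds on a busy Security log where the Where-Object version can take minutes; the EventData column is what you would pivot on (which account locked the workstation, from which client address the session was reconnected).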
Get the latest 25 ERROR and WARNING events of the Application log and export them to a HTML file (the entry-type filter has to go into Get-EventLog itself; filtering after -Newest 25 would only keep the errors and warnings among the 25 most recent events of any type)
Get-EventLog -LogName Application -ComputerName $env:Computername -EntryType Error,Warning -Newest 25 | Select EventID,EntryType,Message,Source,TimeGenerated,UserName | ConvertTo-Html | Out-File C:\Users\HSolo\Desktop\Out.html
Get all events of the “Applications and Services Logs\Microsoft\User Experience Virtualization” logs and write them to a file
Get-WinEvent -ListLog "*User Experience Virtualization*" -ErrorAction SilentlyContinue | ? { $_.RecordCount } | % { Get-WinEvent -FilterHashtable @{Logname="$($_.Logname)"} -ErrorAction SilentlyContinue } | Sort TimeCreated -Desc | FT TimeCreated, ID, ProviderName, Message -AutoSize | Out-File "$($env:USERPROFILE)\Desktop\Events.txt" -Width 2048
Get all events from all logs between two times (logs with no events in the window raise a non-terminating “No events were found” error, which is why -EA SilentlyContinue is on the inner Get-WinEvent)
$computer = "localhost"; Get-WinEvent -Computername $computer -ListLog * -EA silentlycontinue | ? { $_.recordcount } | % { Write-Progress -Activity "Gathering Logs on $($computer)" -Status "$($_.Logname)"; Get-WinEvent -Computername $computer -FilterHashtable @{Logname="$($_.Logname)"; StartTime=([datetime]::ParseExact("16.02.2021 10:00:00", "dd.MM.yyyy HH:mm:ss", $null)); EndTime=([datetime]::ParseExact("16.02.2021 14:00:00", "dd.MM.yyyy HH:mm:ss", $null))} -EA SilentlyContinue } | Sort TimeCreated -Desc | FT TimeCreated, ID, ProviderName, Message -AutoSize | Out-File "$($env:USERPROFILE)\Desktop\Events.txt" -Width 1024
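As an added example (my code, not from the original post), here is the same sweep as a reusable function: the window is passed as [datetime] values, so there is no culture-specific date parsing, and the result is written as CSV instead of a fixed-width table, so long messages are not truncated. The function name, the -LogName pattern parameter and the output path are my own choices.

```powershell
# Added example, not from the original post. Function name, parameters and
# output path are assumptions; the query logic is the one-liner's.
function Get-EventsInWindow {
    param(
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End,
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$LogName = '*'          # glob for -ListLog; '*' means every log
    )

    Get-WinEvent -ComputerName $ComputerName -ListLog $LogName -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 } |       # skip empty logs entirely
        ForEach-Object {
            Write-Progress -Activity "Gathering logs on $ComputerName" -Status $_.LogName
            # "No events were found" inside the window is a non-terminating error,
            # hence SilentlyContinue on this call only.
            Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
                LogName   = $_.LogName
                StartTime = $Start
                EndTime   = $End
            } -ErrorAction SilentlyContinue
        } |
        Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, LogName, Id, LevelDisplayName, ProviderName, Message
}

# Usage: the same four-hour window as the one-liner, written as ISO 8601 so the
# [datetime] cast is culture-independent.
$start = [datetime]'2021-02-16T10:00:00'
$end   = $start.AddHours(4)
Get-EventsInWindow -Start $start -End $end |
    Export-Csv -Path "$env:USERPROFILE\Desktop\Events.csv" -NoTypeInformation -Encoding UTF8
```

For incident work the CSV is the better artifact: the full Message column survives, and the file can be merged with the same export from other hosts (pass -ComputerName) into one timeline.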
Enable a Debug log (changing log configuration requires an elevated session; Analytic and Debug logs are hidden in Event Viewer unless “Show Analytic and Debug Logs” is ticked in the View menu)
$debugLog = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration "Microsoft-Windows-OfflineFiles/Debug"; $debugLog.IsEnabled = $true; $debugLog.SaveChanges()
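As an added example (my code, not from the original post), the configuration call wrapped in a function that reports the resulting log state, paired with a reader for the log: Analytic and Debug logs can only be read oldest-first, so Get-WinEvent needs -Oldest for them, and without elevation SaveChanges() throws UnauthorizedAccessException. The log name is the one from the post; the function names and the 200-event cap are my own.

```powershell
# Added example, not from the original post. Function names and the MaxEvents
# default are assumptions; run from an elevated session.
function Set-EventLogEnabled {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][bool]$Enabled
    )
    $cfg = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $LogName
    if ($cfg.IsEnabled -ne $Enabled) {
        $cfg.IsEnabled = $Enabled
        $cfg.SaveChanges()      # UnauthorizedAccessException when not elevated
    }
    [pscustomobject]@{
        LogName            = $cfg.LogName
        LogType            = $cfg.LogType           # Administrative, Operational, Analytical or Debug
        IsEnabled          = $cfg.IsEnabled
        MaximumSizeInBytes = $cfg.MaximumSizeInBytes
        LogFilePath        = $cfg.LogFilePath
    }
}

function Get-DebugLogEvents {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [int]$MaxEvents = 200
    )
    # -Oldest is mandatory for Analytic/Debug logs; Get-WinEvent refuses to
    # read them newest-first. SilentlyContinue hides the "no events" error.
    Get-WinEvent -LogName $LogName -Oldest -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message
}

$log = 'Microsoft-Windows-OfflineFiles/Debug'
Set-EventLogEnabled -LogName $log -Enabled $true
# ... reproduce the problem here, then collect and switch the log off again
Get-DebugLogEvents -LogName $log | Format-Table -AutoSize
Set-EventLogEnabled -LogName $log -Enabled $false
```

Switching the log off again when done is deliberate: debug logs are verbose, small and circular, so leaving one enabled costs disk churn and gives an attacker who reaches the box a richer view of what the component is doing.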
Determine if the Hyper-V hypervisor has started successfully (this example shows the use of three different filter parameters: -FilterHashtable, -FilterXPath and -FilterXml; note that only the first variant limits the result with -MaxEvents 1, the other two return every matching event)
Get-WinEvent -FilterHashtable @{Logname="System";ID=1;ProviderName="Microsoft-Windows-Hyper-V-Hypervisor"} -MaxEvents 1
– or –
Get-WinEvent -LogName "System" -FilterXPath "*[System[(EventID=1)][Provider[@Name='Microsoft-Windows-Hyper-V-Hypervisor']]]"
– or –
Get-WinEvent -FilterXml '<QueryList><Query Id="1" Path="System"><Select Path="System">*[System[EventID=1][Provider[@Name="Microsoft-Windows-Hyper-V-Hypervisor"]]]</Select></Query></QueryList>'
Determine if the Hyper-V hypervisor has started successfully after the last boot (Kernel-General ID 12 is the “operating system started” record; if the newest Hyper-V-Hypervisor ID 1 is older than the newest ID 12, the hypervisor did not start on this boot)
Get-WinEvent -FilterXml '<QueryList><Query Id="1" Path="System"><Select Path="System">*[System[EventID=1][Provider[@Name="Microsoft-Windows-Hyper-V-Hypervisor"]]]</Select></Query><Query Id="2" Path="System"><Select Path="System">*[System[EventID=12][Provider[@Name="Microsoft-Windows-Kernel-General"]]]</Select></Query></QueryList>' -MaxEvents 10 | Select TimeCreated,ID,ProviderName
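As an added example (my code, not from the original post), the manual comparison of the two event lists turned into a yes/no check: the newest Kernel-General ID 12 gives the boot time, and a second query asks for a Hyper-V-Hypervisor ID 1 at or after that time. The function name and the returned object's shape are my own.

```powershell
# Added example, not from the original post. Function name and output shape
# are assumptions; the event IDs and providers are those used above.
function Test-HypervisorStartedSinceBoot {
    # Newest "operating system started" record = time of the last boot.
    $boot = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kernel-General'
        Id           = 12
    } -MaxEvents 1 -ErrorAction Stop

    # StartTime restricts the search to this boot; "no events found" is a
    # non-terminating error, hence SilentlyContinue so $hv is simply $null.
    $hv = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Hyper-V-Hypervisor'
        Id           = 1
        StartTime    = $boot.TimeCreated
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    $hvTime = if ($hv) { $hv.TimeCreated } else { $null }
    [pscustomobject]@{
        BootTime          = $boot.TimeCreated
        HypervisorStarted = [bool]$hv
        HypervisorTime    = $hvTime
    }
}

Test-HypervisorStartedSinceBoot
```

HypervisorStarted is $false both when the hypervisor failed to launch and when the role is not installed at all; on a VBS/Credential Guard host the first case is the one worth alerting on, since those protections silently fall back to running without the hypervisor.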