Output of (Powershell) Get-WinEvent

Doxie · October 3, 2013

Hi,

I'm trying to make a small script to fetch information from Event Viewer.

I just find out that Win32_NTLogEvent does not support Microsoft events, and therefor i looked into Get-WinEvent.

I have found the correct command (tried it diretly in Powershell) and it works, but since i dont have to much knowledge

about it, i can´t understand how to "save" the data i get.

You can see below what i tried to do, when i use the objWMIService (which now is ; ) it worked alright, exept for the Logfile "Microsoft-Windows-Diag......" which is not supported by NTLogEvent.

I know this is working: "powershell.exe Get-WinEvent -FilterHashTable @{ LogName = 'Microsoft-Windows-Diagnostics-Performance/Operational'; ID = 100 }" directly in powershell.

But i dont know how to change the Output objItem to match the info gathered from Get-WinEvent.

If you are real pro , maybe you could also help me to add this powershell commands into the script. (same as below, but i only take data from 2 days back)

$date = (Get-Date).AddDays(-2)
$events = Get-WinEvent -FilterHashTable @{ LogName = "Microsoft-Windows-Diagnostics-Performance/Operational"; StartTime = $date; ID = 100 }

The final result, should be a .txt file with info how long time it took to boot the computer. (Or preferly a GUI window that shows it directly without opening a .txt file)

Thanks in advance

$wbemFlagReturnImmediately = 0x10
$wbemFlagForwardOnly = 0x20
$colItems = ""
$strComputer = "localhost"

Local $sLogFile = @ScriptDir & "\EventLog_" & ".txt"
Local $file = FileOpen("EventLog.txt", 1)

; Check if file opened for writing OK
If $file = -1 Then
MsgBox(0, "Error", "Unable to open file.")
Exit
EndIf

$Output=""
$Output &= "Computer: " & $strComputer & @CRLF
$Output &= "==========================================" & @CRLF
;$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\")
;$colItems = $objWMIService.ExecQuery("SELECT * FROM Win32_NTLogEvent WHERE Logfile  = 'Microsoft-Windows-Diagnostics-Performance/Operational'", "WQL", _
$colItems = Run ("powershell.exe Get-WinEvent -FilterHashTable @{ LogName = 'Microsoft-Windows-Diagnostics-Performance/Operational'; ID = 100 }")
;$wbemFlagReturnImmediately + $wbemFlagForwardOnly)

If IsObj($colItems) then
For $objItem In $colItems
$Output &= "ComputerName: " & $objItem.ComputerName & @CRLF
$strData = $objItem.Data(0)
$Output &= "Data: " & $strData & @CRLF
$Output &= "EventCode: " & $objItem.EventCode & @CRLF
$strInsertionStrings = $objItem.InsertionStrings(0)
$Output &= "InsertionStrings: " & $strInsertionStrings & @CRLF
$Output &= "Logfile: " & $objItem.Logfile & @CRLF
$Output &= "Message: " & $objItem.Message & @CRLF
$Output &= "SourceName: " & $objItem.SourceName & @CRLF
$Output &= "TimeGenerated: " & WMIDateStringToDate($objItem.TimeGenerat) & @CRLF
$Output &= "TimeWritten: " & WMIDateStringToDate($objItem.TimeWritten) & @CRLF
if FileWrite($file,$Output) = 2 then ExitLoop
$Output=""
Next
Else
Msgbox(0,"WMI Output","No WMI Objects Found for class: " & "Win32_NTLogEvent" )
Endif


Func WMIDateStringToDate($dtmDate)

Return (StringMid($dtmDate, 5, 2) & "/" & _
StringMid($dtmDate, 7, 2) & "/" & StringLeft($dtmDate, 4) _
& " " & StringMid($dtmDate, 9, 2) & ":" & StringMid($dtmDate, 11, 2) & ":" & StringMid($dtmDate,13, 2))
EndFunc

water · October 3, 2013

Something like this:

#include <Constants.au3>
$colItems = Run("powershell.exe Get-WinEvent", "", @SW_SHOW, $STDOUT_CHILD)
ConsoleWrite($colItems & @LF)
Local $line
While 1
    $line = StdoutRead($colItems)
    If @error Then ExitLoop
    If StringStripWS($line, 3) <> "" Then ConsoleWrite($line & @LF)
WEnd

Doxie · October 4, 2013

Hi Water, and thanks for your reply.

I tried your code, but i still dont get any output, just a blank console window.

Any ideas?

water · October 4, 2013

The output is written to the SciTE console. So the script only works when you press F5 in SciTE.

Doxie · October 4, 2013

You are the king Water

But... Below command is working without a problem, it list all ID 64 logs from Application

$colItems = Run("powershell.exe Get-WinEvent -FilterHashTable @{ LogName = 'Application'; ID=64}", "", @SW_SHOW, $STDOUT_CHILD)

When i try this line, it just say "Get-WinEvent : No events were found that match the specified selection criteria"

If i change the name in anyway, i get an error message, so i know its the correct log name. I'm also sure i have alot of ID 100 events in my log (because i can see them when i run it directly in powershell)

Even if i remove ID=100 and try to list all logs from Microsoft-Windows-Diagnostics...... i get the same message.

$colItems = Run("powershell.exe Get-WinEvent -FilterHashTable @{ LogName = 'Microsoft-Windows-Diagnostics-Performance/Operational'; ID=100}", "", @SW_SHOW, $STDOUT_CHILD)

You have helped me alot already, but if you have any clue what i'm doing wrong..

water · October 4, 2013

You need admin rights to run the query.

#RequireAdmin
#include <Constants.au3>
$colItems = Run("powershell.exe Get-WinEvent -FilterHashTable @{ LogName = 'Microsoft-Windows-Diagnostics-Performance/Operational'; ID=100}", "", @SW_SHOW, $STDOUT_CHILD)
FileWriteLine(@ScriptDir & "\log.txt", $colItems)
Local $line
While 1
    $line = StdoutRead($colItems)
    If @error Then ExitLoop
    If StringStripWS($line, 3) <> "" Then FileWriteLine(@ScriptDir & "\log.txt", $line)
WEnd
Shellexecute("Notepad", @ScriptDir & "\log.txt")

Doxie · October 4, 2013

Yea i just found that out when you replied.. and the script is now working perfectly.

But i know found out that i could probably not even be able to ue it, since its not showing me the info i need.

I would need the complete "Message", but it only show the 20 first letters as you can see below.

TimeCreated ProviderName Id Message

-----------         ------------                         -- -------
2013-10-02 10:22:05 Microsoft-Window...                 100 Windows har star...
2013-10-01 16:00:06 Microsoft-Window...                 100 Windows har star...
2013-10-01 09:46:25 Microsoft-Window...                 100 Windows har star...
2013-09-30 09:09:40 Microsoft-Window...                 100 Windows har star...

A complete message, as it look in Event Viewer is:

Windows har startat:

Startens varaktighet : 136385ms

IsDegradation : false

Tidpunkt för incidenten (UTC) : ‎2013‎-‎10‎-‎01T07:43:00.718400400Z

But i guess that is the command in Powershell that prevent me from see the whole message, and not the code.

Sidenote: I wanted to make this script for our helpdesk, so when a user calls in, the helpdesk should be able to click a button and get information about the computer

-Boottime

-Space on C:

-Memory usage etc.

It was just the boottime that i needed Event viewer for.

water · October 4, 2013

I'm not too familiar with PS but I think it is PS that limits the length of the output line. Using Google leads to something like this

$colItems = Run("powershell.exe Get-WinEvent -FilterHashTable @{ LogName = 'Microsoft-Windows-Diagnostics-Performance/Operational'; ID=100} | Format-Table -Property * -AutoSize | Out-String -Width 4096", "", @SW_SHOW, $STDOUT_CHILD)

But if you only need the boottime then please search the forum for "uptime".

This will give you something like >this.

Doxie · October 4, 2013

Format-Table did not help me that much, since it did not return the correct string.

I have found a solution that work in Powershell, but i'm not sure how to get it into the script.

$events Get-WinEvent -FilterHashTable @{ LogName = 'Microsoft-Windows-Diagnostics-Performance/Operational'; ID=100

$events | select-string -inputobject {$_.message} -pattern Windows

$colItems = Run("powershell.exe $events Get-WinEvent -FilterHashTable @{ LogName = 'Microsoft-Windows-Diagnostics-Performance/Operational'; ID=100}", "", @SW_SHOW, $STDOUT_CHILD)

Now i dont know how to call the variable $events within the same Run

Thanks for the tips regarding Uptime, i will look into that aswell.

Doxie · October 4, 2013

Added 2 pics from Powershell, first one is the command i write, and the second one is the result i get.

water · October 4, 2013

Maybe put everything into a single string?

$colItems = Run("powershell.exe Get-WinEvent -FilterHashTable @{ LogName = 'Microsoft-Windows-Diagnostics-Performance/Operational'; ID=100} | select-string -pattern Windows", "", @SW_SHOW, $STDOUT_CHILD)

Edited October 4, 2013 by water

water · October 4, 2013

This works for me:

#RequireAdmin
#include <Constants.au3>
FileDelete(@ScriptDir & "\log.txt")
$colItems = RunWait('powershell.exe Get-WinEvent -FilterHashTable @{ LogName = ''Microsoft-Windows-Diagnostics-Performance/Operational''; ID=100} | Select-String -inputobject {$_.message} -Pattern "Windows" -SimpleMatch | Out-File ' & @ScriptDir & '\log.txt', "", @SW_SHOW, $STDOUT_CHILD)
Shellexecute("Notepad", @ScriptDir & "\log.txt")

Doxie · October 4, 2013

Seriously, i have tried similiar string a tousand times.. but when i copy/paste yours, it works.

Thanks alot man, i think i can handle the rest from here :thumbsup:

water · October 4, 2013

Glad to be of service

But I have learned a lot too. I now know why I don't like PowerShell

Sign In

Output of (Powershell) Get-WinEvent

Recommended Posts

Doxie

water

Doxie

water

Doxie

water

Doxie

water

Doxie

Doxie

water

water

Doxie

water

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members

Browse

AutoIt Resources

Release

Beta