Output of (Powershell) Get-WinEvent

Doxie

Hi,

I'm trying to make a small script to fetch information from Event Viewer.

I just found out that Win32_NTLogEvent does not support Microsoft events, and therefore I looked into Get-WinEvent.

I have found the correct command (tried it directly in PowerShell) and it works, but since I don't have too much knowledge about it, I can't understand how to "save" the data I get.

You can see below what I tried to do. When I used $objWMIService (which is now commented out with ;) it worked all right, except for the Logfile "Microsoft-Windows-Diag......" which is not supported by NTLogEvent.

I know this works when run directly in PowerShell: "powershell.exe Get-WinEvent -FilterHashTable @{ LogName = 'Microsoft-Windows-Diagnostics-Performance/Operational'; ID = 100 }"

But I don't know how to change the $objItem output to match the info gathered from Get-WinEvent.

If you are a real pro :), maybe you could also help me add these PowerShell commands to the script (same as below, but only taking data from 2 days back):

$date = (Get-Date).AddDays(-2)
$events = Get-WinEvent -FilterHashTable @{ LogName = "Microsoft-Windows-Diagnostics-Performance/Operational"; StartTime = $date; ID = 100 }

The final result should be a .txt file with info on how long it took to boot the computer (or preferably a GUI window that shows it directly without opening a .txt file).

Thanks in advance

$wbemFlagReturnImmediately = 0x10
$wbemFlagForwardOnly = 0x20
$colItems = ""
$strComputer = "localhost"

Local $sLogFile = @ScriptDir & "\EventLog_" & ".txt"
Local $file = FileOpen($sLogFile, 1) ; mode 1 = write (append)

; Check if file opened for writing OK
If $file = -1 Then
    MsgBox(0, "Error", "Unable to open file.")
    Exit
EndIf

$Output = ""
$Output &= "Computer: " & $strComputer & @CRLF
$Output &= "==========================================" & @CRLF
; Original WMI query, commented out: Win32_NTLogEvent cannot read the Diagnostics-Performance log
;$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\")
;$colItems = $objWMIService.ExecQuery("SELECT * FROM Win32_NTLogEvent WHERE Logfile  = 'Microsoft-Windows-Diagnostics-Performance/Operational'", "WQL", _
;        $wbemFlagReturnImmediately + $wbemFlagForwardOnly)
; Attempted replacement: note that Run() returns a process ID, not an object collection
$colItems = Run("powershell.exe Get-WinEvent -FilterHashTable @{ LogName = 'Microsoft-Windows-Diagnostics-Performance/Operational'; ID = 100 }")

If IsObj($colItems) Then
    For $objItem In $colItems
        $Output &= "ComputerName: " & $objItem.ComputerName & @CRLF
        $strData = $objItem.Data(0)
        $Output &= "Data: " & $strData & @CRLF
        $Output &= "EventCode: " & $objItem.EventCode & @CRLF
        $strInsertionStrings = $objItem.InsertionStrings(0)
        $Output &= "InsertionStrings: " & $strInsertionStrings & @CRLF
        $Output &= "Logfile: " & $objItem.Logfile & @CRLF
        $Output &= "Message: " & $objItem.Message & @CRLF
        $Output &= "SourceName: " & $objItem.SourceName & @CRLF
        $Output &= "TimeGenerated: " & WMIDateStringToDate($objItem.TimeGenerated) & @CRLF
        $Output &= "TimeWritten: " & WMIDateStringToDate($objItem.TimeWritten) & @CRLF
        If FileWrite($file, $Output) = 0 Then ExitLoop ; FileWrite returns 0 on failure
        $Output = ""
    Next
Else
    MsgBox(0, "WMI Output", "No WMI Objects Found for class: " & "Win32_NTLogEvent")
EndIf
FileClose($file)

; Convert a WMI datetime string (yyyymmddHHMMSS...) to mm/dd/yyyy HH:MM:SS
Func WMIDateStringToDate($dtmDate)
    Return (StringMid($dtmDate, 5, 2) & "/" & _
            StringMid($dtmDate, 7, 2) & "/" & StringLeft($dtmDate, 4) _
            & " " & StringMid($dtmDate, 9, 2) & ":" & StringMid($dtmDate, 11, 2) & ":" & StringMid($dtmDate, 13, 2))
EndFunc

Were ever i lay my script is my home...

water

Something like this:

#include <Constants.au3>
$colItems = Run("powershell.exe Get-WinEvent", "", @SW_SHOW, $STDOUT_CHILD)
ConsoleWrite($colItems & @LF)
Local $line
While 1
    $line = StdoutRead($colItems)
    If @error Then ExitLoop
    If StringStripWS($line, 3) <> "" Then ConsoleWrite($line & @LF)
WEnd

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2018-12-03 - Version 1.4.11.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (2018-10-31 - Version 1.3.4.1) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
PowerPoint (2017-06-06 - Version 0.0.5.0) - Download - General Help & Support
Excel - Example Scripts - Wiki
Word - Wiki
 
Tutorials:

ADO - Wiki

 

Doxie

Hi Water, and thanks for your reply.

I tried your code, but I still don't get any output, just a blank console window.

Any ideas?


water

The output is written to the SciTE console. So the script only works when you press F5 in SciTE.


Doxie

You are the king Water :)

But... the command below works without a problem; it lists all ID 64 events from Application.

$colItems = Run("powershell.exe Get-WinEvent -FilterHashTable @{ LogName = 'Application'; ID=64}", "", @SW_SHOW, $STDOUT_CHILD)

When I try this line, it just says "Get-WinEvent : No events were found that match the specified selection criteria".

If I change the name in any way, I get an error message, so I know it's the correct log name. I'm also sure I have a lot of ID 100 events in my log (because I can see them when I run it directly in PowerShell).

Even if I remove ID=100 and try to list all events from Microsoft-Windows-Diagnostics...... I get the same message.

$colItems = Run("powershell.exe Get-WinEvent -FilterHashTable @{ LogName = 'Microsoft-Windows-Diagnostics-Performance/Operational'; ID=100}", "", @SW_SHOW, $STDOUT_CHILD)

 

You have helped me a lot already, but if you have any clue what I'm doing wrong..


water

You need admin rights to run the query.

#RequireAdmin
#include <Constants.au3>
$colItems = Run("powershell.exe Get-WinEvent -FilterHashTable @{ LogName = 'Microsoft-Windows-Diagnostics-Performance/Operational'; ID=100}", "", @SW_SHOW, $STDOUT_CHILD)
FileWriteLine(@ScriptDir & "\log.txt", $colItems)
Local $line
While 1
    $line = StdoutRead($colItems)
    If @error Then ExitLoop
    If StringStripWS($line, 3) <> "" Then FileWriteLine(@ScriptDir & "\log.txt", $line)
WEnd
Shellexecute("Notepad", @ScriptDir & "\log.txt")

Doxie

Yeah, I just found that out when you replied.. and the script is now working perfectly.

But I now found out that I probably won't even be able to use it, since it's not showing me the info I need.

I would need the complete "Message", but it only shows the first 20 letters, as you can see below.

 

TimeCreated         ProviderName                         Id Message
-----------         ------------                         -- -------
2013-10-02 10:22:05 Microsoft-Window...                 100 Windows har star...
2013-10-01 16:00:06 Microsoft-Window...                 100 Windows har star...
2013-10-01 09:46:25 Microsoft-Window...                 100 Windows har star...
2013-09-30 09:09:40 Microsoft-Window...                 100 Windows har star...

A complete message, as it looks in Event Viewer, is:

Windows har startat:
Startens varaktighet : 136385ms
IsDegradation : false
Tidpunkt för incidenten (UTC) : 2013-10-01T07:43:00.718400400Z

But I guess it is the command in PowerShell that prevents me from seeing the whole message, and not the code.

Sidenote: I wanted to make this script for our helpdesk, so when a user calls in, the helpdesk should be able to click a button and get information about the computer:
- Boot time
- Space on C:
- Memory usage etc.

It was just the boot time that I needed Event Viewer for.


water

I'm not too familiar with PS, but I think it is PS that limits the length of the output line. Using Google leads to something like this:

$colItems = Run("powershell.exe Get-WinEvent -FilterHashTable @{ LogName = 'Microsoft-Windows-Diagnostics-Performance/Operational'; ID=100} | Format-Table -Property * -AutoSize | Out-String -Width 4096", "", @SW_SHOW, $STDOUT_CHILD)

But if you only need the boottime then please search the forum for "uptime".

This will give you something like this.


Doxie

Format-Table did not help me that much, since it did not return the correct string.

I have found a solution that works in PowerShell, but I'm not sure how to get it into the script.

$events = Get-WinEvent -FilterHashTable @{ LogName = 'Microsoft-Windows-Diagnostics-Performance/Operational'; ID=100 }
$events | Select-String -InputObject {$_.Message} -Pattern Windows

$colItems = Run("powershell.exe $events Get-WinEvent -FilterHashTable @{ LogName = 'Microsoft-Windows-Diagnostics-Performance/Operational'; ID=100}",  "", @SW_SHOW, $STDOUT_CHILD)

Now I don't know how to call the variable $events within the same Run.

Thanks for the tips regarding Uptime, I will look into that as well.


Doxie

Added 2 pics from PowerShell: the first one is the command I write, and the second one is the result I get.



water

Maybe put everything into a single string?

$colItems = Run("powershell.exe Get-WinEvent -FilterHashTable @{ LogName = 'Microsoft-Windows-Diagnostics-Performance/Operational'; ID=100} | select-string -pattern Windows", "", @SW_SHOW, $STDOUT_CHILD)
water

This works for me:

#RequireAdmin
#include <Constants.au3>
FileDelete(@ScriptDir & "\log.txt")
$colItems = RunWait('powershell.exe Get-WinEvent -FilterHashTable @{ LogName = ''Microsoft-Windows-Diagnostics-Performance/Operational''; ID=100} | Select-String -inputobject {$_.message} -Pattern "Windows" -SimpleMatch | Out-File ' & @ScriptDir & '\log.txt', "", @SW_SHOW, $STDOUT_CHILD)
Shellexecute("Notepad", @ScriptDir & "\log.txt")

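As an added example (not code from the thread or from either poster), here is the PowerShell side of the final command written as a script: it applies the two-day StartTime filter from the first post, needs the admin rights water pointed out, and reads the boot duration from the event's XML data instead of the localized Message text that Format-Table shortens to "...". It assumes the EventData fields are named BootTime and IsDegradation, as they appear in Event Viewer's XML view; those names are not confirmed anywhere in the thread.

```powershell
# Added example, not code from the thread. Assumptions: EventData fields are
# named BootTime (ms) and IsDegradation, as shown in Event Viewer's XML view;
# the shell is elevated, since this log needs admin rights (see #RequireAdmin above).
param(
    [int]$Days = 2,                               # look back 2 days, as in the first post
    [string]$OutFile = "$env:TEMP\boottime.txt"   # constructed default path
)

$filter = @{
    LogName   = 'Microsoft-Windows-Diagnostics-Performance/Operational'
    ID        = 100
    StartTime = (Get-Date).AddDays(-$Days)
}

# -ErrorAction Stop turns the "No events were found" message into an exception,
# so an empty result or a missing-rights failure is reported instead of ignored.
try {
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
} catch {
    "No boot events in the last $Days day(s), or insufficient rights: $_" | Out-File $OutFile
    return
}

$rows = foreach ($e in $events) {
    # Read the structured EventData instead of the localized Message text
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        BootStart   = $e.TimeCreated
        BootTimeMs  = [int]$data['BootTime']
        BootTimeSec = [math]::Round([int]$data['BootTime'] / 1000, 1)
        IsDegraded  = $data['IsDegradation']
    }
}

# Out-String -Width keeps long columns from being shortened to "..." when the
# table is written to a file (the truncation seen earlier in the thread).
$rows | Sort-Object BootStart -Descending |
    Format-Table -AutoSize | Out-String -Width 4096 | Out-File $OutFile

$rows | Format-Table -AutoSize
```

Save it as Get-BootTime.ps1 (a name assumed here) and call it from AutoIt under #RequireAdmin with RunWait('powershell.exe -NoProfile -File "' & @ScriptDir & '\Get-BootTime.ps1"', "", @SW_HIDE), then open the output file the way water's script does.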
Doxie

Seriously, I have tried similar strings a thousand times.. but when I copy/paste yours, it works.

Thanks a lot man, I think I can handle the rest from here :thumbsup:


water

Glad to be of service :)

But I have learned a lot too. I now know why I don't like PowerShell ;)
