Udostępnij za pośrednictwem


Vista Event Logs and PowerShell

Hello Everybody

 

Sorry for the huge delay in posting anything, I promise I will never leave it so long again. 

 

I got asked a question the other day.  Can I use Get-EventLog to access all the new logs that are in Vista?

 

Which logs am I referring to you may ask. Well, there are loads of new logs that can provide a massive set of troubleshooting information. Here's a screen shot from my Vista laptop that shows some of the logs:

 

image

 

So the question is can I query the Backup, Bits-Client, DiskDiagnostic and all the other logs using the Get-Eventlog cmdlet.

 

In short no.  You can however still use PowerShell, but you need to use a command line tool that ships in Vista, wevtutil.exe.  You can find out all the logs that can be accessed using Get-Eventlog with the -list parameter. 

 

 PS C:\Users\benp> Get-EventLog -list

  Max(K) Retain OverflowAction        Entries Name
  ------ ------ --------------        ------- ----
  15,168      0 OverwriteAsNeeded       1,381 Application
  15,168      0 OverwriteAsNeeded           0 DFS Replication
  20,480      0 OverwriteAsNeeded           0 Hardware Events
     512      7 OverwriteOlder              0 Internet Explorer
     512      7 OverwriteOlder              0 Key Management Service
   8,192      0 OverwriteAsNeeded           0 Media Center
  16,384      0 OverwriteAsNeeded           0 Microsoft Office Diagnostics
  16,384      0 OverwriteAsNeeded          29 Microsoft Office Sessions

  15,168      0 OverwriteAsNeeded       4,109 System
  15,360      0 OverwriteAsNeeded          40 Windows PowerShell

 

All of the above logs are part of the standard Windows Event Log.  However, all of the the other logs in the screenshot use Windows Eventing 6.0.  Get-EventLog does not hook into Windows Eventing 6.0.

 

So how can I get at these logs using PowerShell?  Check out the sample below:

 

 PS C:\Users\benp> wevtutil.exe qe Microsoft-Windows-UAC/Operational /c:2 /f:text
Event[0]:
  Log Name: Microsoft-Windows-UAC/Operational
  Source: Microsoft-Windows-UAC
  Date: 2007-10-30T11:14:00.524
  Event ID: 1
  Task: N/A
  Level: Error
  Opcode: Info
  Keyword: N/A
  User: S-1-5-21-1721234763-462695806-1538865281-2692397
  User Name: testdom\benp
  Computer: vista.test.microsoft.com
  Description:
The process failed to handle ERROR_ELEVATION_REQUIRED during the creation of a child process.

This sample connects to the UAC Operational log and displays the newest 2 items as text.  (There is only 1 event listed, because I only have 1 entry in the log).

So yes I can access these logs using PowerShell, but no I can't use the Get-EventLog cmdlet to do it.  Check out the following link for detailed syntax for using wevtutil.exe

https://technet2.microsoft.com/windowsserver2008/en/library/d4c791e0-7e59-45c5-aa55-0223b77a48221033.mspx?mfr=true

Thanks to Narayanan Lakshmanan for answering the many questions I had about this.

That is all

BenP

Comments