Using PowerShell to collect information for Storage Troubleshooting (Part 1: Hotfixes and System Events)
This will be part of a series of posts on how to utilize PowerShell to easily collect system information useful for troubleshooting Storage issues.
In my first installment, we will cover the collection of currently installed Hotfixes, and collection of specific system events related to storage.
Collecting a list of installed hotfixes:
The following code sample produces a list of the installed hotfixes on the system, sorted in descending order, which can be useful when looking for a specific hotfix, or when performing configuration monitoring.
(Get-HotFix | Select HotfixID, Description, InstalledBy, InstalledOn |
Sort-Object -Property InstalledOn -Descending)
Sample hotfix output:
Note: In sample output, some text may have been omitted to improve readability. To get the complete output, you can omit the Select filter, and combine it with piping to Out-File to save as a file.
HotfixID Description InstalledBy InstalledOn
-------- ----------- ----------- -----------
KB2539635 Security Update NT AUTHORITY\SYSTEM 8/10/2011 12:00:00 AM
KB2562937 Security Update NT AUTHORITY\SYSTEM 8/10/2011 12:00:00 AM
KB2559049 Security Update NT AUTHORITY\SYSTEM 8/10/2011 12:00:00 AM
KB2536276 Security Update NT AUTHORITY\SYSTEM 8/10/2011 12:00:00 AM
KB2556532 Security Update NT AUTHORITY\SYSTEM 8/10/2011 12:00:00 AM
KB2567680 Security Update NT AUTHORITY\SYSTEM 8/10/2011 12:00:00 AM
KB2560656 Security Update NT AUTHORITY\SYSTEM 8/10/2011 12:00:00 AM
KB2563894 Security Update NT AUTHORITY\SYSTEM 8/10/2011 12:00:00 AM
KB2563227 Update NT AUTHORITY\SYSTEM 8/10/2011 12:00:00 AM
KB2555917 Security Update NT AUTHORITY\SYSTEM 7/14/2011 12:00:00 AM
KB2529073 Update NT AUTHORITY\SYSTEM 7/14/2011 12:00:00 AM
KB2507938 Security Update NT AUTHORITY\SYSTEM 7/14/2011 12:00:00 AM
KB2533623 Update NT AUTHORITY\SYSTEM 7/14/2011 12:00:00 AM
KB2532531 Security Update NT AUTHORITY\SYSTEM 7/14/2011 12:00:00 AM
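For the configuration-monitoring use just mentioned, the list alone is not enough; you usually want to know which hotfixes from a baseline are missing. The following is an added example (not code from the original post): the function name, the -Required parameter and the -ComputerName handling are my own, and the KB IDs are taken from the sample output above purely as placeholders for your own baseline.

```powershell
# Added example: compare a host's installed hotfixes against a required baseline.
# Function name and parameters are assumptions, not part of the original post.
function Test-RequiredHotfix {
    param(
        [Parameter(Mandatory = $true)][string[]]$Required,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Query the host once; Get-HotFix supports -ComputerName for remote hosts
    # (this needs WMI/DCOM access to the target, which the caller must already have).
    $installed = Get-HotFix -ComputerName $ComputerName |
        Select-Object -ExpandProperty HotFixID

    foreach ($kb in $Required) {
        # -contains is case-insensitive, so 'kb2539635' and 'KB2539635' both match.
        [pscustomobject]@{
            ComputerName = $ComputerName
            HotfixID     = $kb
            Installed    = ($installed -contains $kb)
        }
    }
}

# Placeholder baseline built from the KB IDs shown in the sample output above;
# replace it with the hotfixes your environment actually requires.
$baseline = 'KB2539635', 'KB2562937', 'KB2555917'

# Show only the missing ones; an empty result means the host matches the baseline.
Test-RequiredHotfix -Required $baseline | Where-Object { -not $_.Installed }
```

Pipe the unfiltered output to Export-Csv when you want a per-host record for later comparison.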
Collecting system events for a specific source
First, I would recommend storing the System log in a PowerShell variable whenever you intend to query multiple event log sources. Querying the log can be a very slow process, and by storing it in a variable you avoid repeating that delay for each source you filter on.
# Store the current System log in the variable TempSystemLog
$TempSystemLog = (Get-WinEvent -LogName System)
#
# Then pipe the variable to the appropriate filter
($TempSystemLog | ? {$_.ProviderName -eq "NTFS" })
($TempSystemLog | ? {$_.ProviderName -eq "Volsnap"})
($TempSystemLog | ? {$_.ProviderName -eq "Disk" })
Hint: If you append "FT -AutoSize" (Format-Table -AutoSize), more of the message text is displayed on screen, as in the following example:
($TempSystemLog | Where-Object {$_.ProviderName -eq "Disk"} | FT -AutoSize)
The commands above produce separate lists of all NTFS events, all Volsnap events, and all Disk events.
Sample Outputs:
NTFS Events:
TimeCreated ProviderName Id Message
----------- ------------ -- -------
6/10/2011 5:19:42 AM Ntfs 57 The system failed to flush data to the transaction log. Corruption may occur.
6/10/2011 5:19:42 AM Ntfs 57 The system failed to flush data to the transaction log. Corruption may occur.
6/10/2011 5:19:42 AM Ntfs 57 The system failed to flush data to the transaction log. Corruption may occur.
6/10/2011 5:19:41 AM Ntfs 57 The system failed to flush data to the transaction log. Corruption may occur.
Volsnap Events:
TimeCreated ProviderName Id Message
----------- ------------ -- -------
8/11/2011 7:42:50 AM volsnap 36 The shadow copies of volume F: were aborted because the shadow copy storage …
8/11/2011 7:40:21 AM volsnap 33 The oldest shadow copy of volume F: was deleted to keep disk space usage for …
8/11/2011 7:39:40 AM volsnap 33 The oldest shadow copy of volume F: was deleted to keep disk space usage for …
Disk Events:
TimeCreated ProviderName Id Message
----------- ------------ -- -------
8/1/2011 9:18:45 PM Disk 11 The driver detected a controller error on \Device\Harddisk3\DR3.
7/4/2011 6:55:49 PM Disk 11 The driver detected a controller error on \Device\Harddisk2\DR2.
7/4/2011 6:55:49 PM Disk 11 The driver detected a controller error on \Device\Harddisk2\DR2.
7/4/2011 6:55:48 PM Disk 11 The driver detected a controller error on \Device\Harddisk2\DR2.
7/4/2011 6:55:48 PM Disk 11 The driver detected a controller error on \Device\Harddisk2\DR2.
7/4/2011 6:55:47 PM Disk 11 The driver detected a controller error on \Device\Harddisk2\DR2.
7/3/2011 10:44:49 AM Disk 51 An error was detected on device \Device\Harddisk3\DR3 during a paging operation.
7/3/2011 10:44:45 AM Disk 51 An error was detected on device \Device\Harddisk3\DR3 during a paging operation.
7/3/2011 10:44:45 AM Disk 51 An error was detected on device \Device\Harddisk3\DR3 during a paging operation.
7/3/2011 10:44:45 AM Disk 51 An error was detected on device \Device\Harddisk3\DR3 during a paging operation.
As the combined sample shows, you can query for any event source simply by replacing the provider name in the filter with the "Source" name shown in the event log for the events you are interested in.
Additional Eventlog sources of interest:
Note: This section is not intended to be an exhaustive list, which I will add to as time allows.
For users of the iSCSI Initiator, the following events sources are interesting:
- iSCSI
- iSCSIPrt
- MSiSCSI
For users of MPIO:
- MPIO
- MSDSM
Other Storage events of interest:
- Partition Manager (partmgr)
- Volume Manager (volmgr)
- ClassPNP
Making the information returned more usable:
A great alternative to viewing these in the PowerShell console is to open them in GridView.
For example, to get a list of hotfixes in GridView, we’d type the following:
(Get-HotFix | Out-GridView)
Which yields a tabular GUI, which supports search criteria and sorting of data.
Example of Gridview output:
Note: I've selected only specific properties for the example.
To download a copy of this example, please see my posting in the script center here:
https://gallery.technet.microsoft.com/Collect-System-Events-5c0fbe7f
Combined PowerShell Sample:
##############################################################################
# Created by: Bruce Langworthy
# Organization: Microsoft Corporation
# Sample Name: StorageEvents.ps1
##############################################################################
# Note: This is intended primarily as an example of how to collect specific
# event types, as it will typically return too many events to be easily
# usable at the PowerShell prompt.
#
# I would suggest combining them either with Out-GridView, or Out-File.
# For example (the file name below is only an illustration):
# $TempSystemLog | Where-Object {$_.ProviderName -eq "NTFS"} | Out-GridView
# $TempSystemLog | Where-Object {$_.ProviderName -eq "NTFS"} | Out-File .\NTFSEvents.txt
#
##############################################################################
# Get the list of installed hotfixes, and sort them by descending installation date
(Get-HotFix | Select HotfixID, Description, InstalledBy, InstalledOn |
Sort-Object -Property InstalledOn -Descending)
# Store system log, because this query is horribly time consuming
$TempSystemLog = (Get-WinEvent -LogName System)
# Obtain and display NTFS Events.
$TempSystemLog | Where-object {$_.ProviderName -eq "NTFS"}
# Obtain and display Volsnap events
$TempSystemLog | Where-object {$_.ProviderName -eq "Volsnap"}
# Obtain and display Disk Events
$TempSystemLog | Where-object {$_.ProviderName -eq "Disk"}
Comments
Anonymous
October 08, 2011
Hi Bruce, that is an excellent article. I'm new to PS. I did the exercise but I have a doubt. How can I filter the output to only catch the system events whose level is "Warning" or "Error"? juliancastiblancop@gmail.com
Anonymous
October 10, 2011
Hi Julian, if you replace the usage of the Get-WinEvent cmdlet with Get-EventLog, the Get-EventLog cmdlet supports this. For example: get-eventlog -LogName System -Source ntfs -EntryType Error