Using PowerShell to collect information for Storage Troubleshooting (Part 1: Hotfixes and System Events)

This will be part of a series of posts on how to utilize PowerShell to easily collect system information useful for troubleshooting Storage issues.

In my first installment, we will cover the collection of currently installed Hotfixes, and collection of specific system events related to storage.

 

Collecting a list of installed hotfixes:

The following code sample produces a list of the installed hotfixes on the system, sorted by installation date in descending order, which is useful when looking for a specific hotfix or when performing configuration monitoring.

 (Get-HotFix | Select HotfixID, Description, InstalledBy, InstalledOn | 
Sort-Object -Property InstalledOn -Descending)

Sample hotfix output:

Note: In sample output, some text may have been omitted to improve readability. To get the complete output, you can omit the Select filter, and combine it with piping to Out-File to save as a file.

 HotfixID                          Description                      InstalledBy                    InstalledOn          
--------                         -----------                      -----------                     -----------          
KB2539635                        Security Update                  NT AUTHORITY\SYSTEM             8/10/2011 12:00:00 AM
KB2562937                        Security Update                  NT AUTHORITY\SYSTEM             8/10/2011 12:00:00 AM
KB2559049                        Security Update                  NT AUTHORITY\SYSTEM             8/10/2011 12:00:00 AM
KB2536276                        Security Update                  NT AUTHORITY\SYSTEM             8/10/2011 12:00:00 AM
KB2556532                        Security Update                  NT AUTHORITY\SYSTEM             8/10/2011 12:00:00 AM
KB2567680                        Security Update                  NT AUTHORITY\SYSTEM             8/10/2011 12:00:00 AM
KB2560656                        Security Update                  NT AUTHORITY\SYSTEM             8/10/2011 12:00:00 AM
KB2563894                        Security Update                  NT AUTHORITY\SYSTEM             8/10/2011 12:00:00 AM
KB2563227                        Update                           NT AUTHORITY\SYSTEM             8/10/2011 12:00:00 AM
KB2555917                        Security Update                  NT AUTHORITY\SYSTEM             7/14/2011 12:00:00 AM
KB2529073                        Update                           NT AUTHORITY\SYSTEM             7/14/2011 12:00:00 AM
KB2507938                        Security Update                  NT AUTHORITY\SYSTEM             7/14/2011 12:00:00 AM
KB2533623                        Update                           NT AUTHORITY\SYSTEM             7/14/2011 12:00:00 AM
KB2532531                        Security Update                  NT AUTHORITY\SYSTEM             7/14/2011 12:00:00 AM
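The paragraph above mentions configuration monitoring. The following is an added example (not code from the original post) that builds on the same Get-HotFix pipeline: it saves the current hotfix list to CSV and compares it with a baseline CSV from an earlier run, reporting hotfixes that were added since the baseline or that are now missing (rolled back or uninstalled). The baseline and snapshot file paths are assumptions chosen for the example.

```powershell
# Added example, not from the original post: snapshot installed hotfixes and
# compare them with a baseline for configuration monitoring.

function Get-HotfixSnapshot {
    # Same properties and ordering as the post's one-liner.
    Get-HotFix |
        Select-Object HotfixID, Description, InstalledBy, InstalledOn |
        Sort-Object -Property InstalledOn -Descending
}

function Compare-HotfixBaseline {
    param(
        # CSV written by an earlier run (assumed path; any writable location works).
        [Parameter(Mandatory)] [string] $BaselinePath,
        # Where to save the current snapshot (assumed path, timestamped per run).
        [string] $SnapshotPath = "$env:TEMP\hotfixes-$(Get-Date -Format yyyyMMdd-HHmm).csv"
    )

    $current = Get-HotfixSnapshot
    $current | Export-Csv -Path $SnapshotPath -NoTypeInformation

    if (-not (Test-Path $BaselinePath)) {
        # First run: there is nothing to compare against yet, so the current
        # snapshot becomes the baseline for the next run.
        Copy-Item -Path $SnapshotPath -Destination $BaselinePath
        Write-Warning "No baseline found; saved current snapshot as baseline at $BaselinePath"
        return
    }

    $baseline = Import-Csv -Path $BaselinePath

    # Compare on HotfixID only; '=>' means present now but not in the baseline
    # (newly installed), '<=' means in the baseline but absent now (missing).
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property HotfixID |
        ForEach-Object {
            $state = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Missing' }
            [pscustomobject]@{ HotfixID = $_.HotfixID; State = $state }
        }
}

# Usage: the first run creates the baseline; later runs report the drift.
Compare-HotfixBaseline -BaselinePath "$env:TEMP\hotfixes-baseline.csv" | Format-Table -AutoSize
```

A hotfix reported as Missing deserves a second look, since updates rarely disappear on their own; a hotfix reported as Added that is not a Security Update or Update from a maintenance window is worth matching against the change record.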

Collecting system events for a specific source

First, I would recommend storing the system log in a PowerShell variable when intending to query multiple event log sources. Querying the log can be a very slow process, and by storing it in a variable, you can avoid repeating the delay for collection of the system log.

 # Store the current System log in the variable TempSystemLog 
$TempSystemLog = (Get-WinEvent -LogName System)              
#                                                            
# Then pipe the variable to the appropriate filter           
($TempSystemLog | ? {$_.ProviderName -eq "NTFS"   })         
($TempSystemLog | ? {$_.ProviderName -eq "Volsnap"})         
($TempSystemLog | ? {$_.ProviderName -eq "Disk"   })         

Hint: If you add "FT -AutoSize" it will display more of the message text on the screen, such as is highlighted below:

 ($TempSystemLog | Where-Object {$_.ProviderName -eq "Disk"} | FT -AutoSize)

The commands above produce separate lists of all NTFS events, all Volsnap events, and all Disk events.

Sample Outputs: 

NTFS Events:

 TimeCreated           ProviderName  Id Message
-----------           ------------  -- -------
6/10/2011 5:19:42 AM  Ntfs          57 The system failed to flush data to the transaction log. Corruption may occur.
6/10/2011 5:19:42 AM  Ntfs          57 The system failed to flush data to the transaction log. Corruption may occur.
6/10/2011 5:19:42 AM  Ntfs          57 The system failed to flush data to the transaction log. Corruption may occur.
6/10/2011 5:19:41 AM  Ntfs          57 The system failed to flush data to the transaction log. Corruption may occur.

Volsnap Events:

TimeCreated           ProviderName Id Message
-----------           ------------ -- -------
8/11/2011 7:42:50 AM  volsnap      36 The shadow copies of volume F: were aborted because the shadow copy storage  …
8/11/2011 7:40:21 AM  volsnap      33 The oldest shadow copy of volume F: was deleted to keep disk space usage for …
8/11/2011 7:39:40 AM  volsnap      33 The oldest shadow copy of volume F: was deleted to keep disk space usage for … 

Disk Events:

TimeCreated          ProviderName Id Message
-----------          ------------ -- -------
8/1/2011 9:18:45 PM  Disk         11 The driver detected a controller error on \Device\Harddisk3\DR3.                
7/4/2011 6:55:49 PM  Disk         11 The driver detected a controller error on \Device\Harddisk2\DR2.                
7/4/2011 6:55:49 PM  Disk         11 The driver detected a controller error on \Device\Harddisk2\DR2.                
7/4/2011 6:55:48 PM  Disk         11 The driver detected a controller error on \Device\Harddisk2\DR2.                
7/4/2011 6:55:48 PM  Disk         11 The driver detected a controller error on \Device\Harddisk2\DR2.                
7/4/2011 6:55:47 PM  Disk         11 The driver detected a controller error on \Device\Harddisk2\DR2.                
7/3/2011 10:44:49 AM Disk         51 An error was detected on device \Device\Harddisk3\DR3 during a paging operation.
7/3/2011 10:44:45 AM Disk         51 An error was detected on device \Device\Harddisk3\DR3 during a paging operation.
7/3/2011 10:44:45 AM Disk         51 An error was detected on device \Device\Harddisk3\DR3 during a paging operation.
7/3/2011 10:44:45 AM Disk         51 An error was detected on device \Device\Harddisk3\DR3 during a paging operation.

As the combined sample shows, you can query any event source simply by replacing the provider name in the filter with the "Source" name shown in the event log for the events you want.

Additional Eventlog sources of interest:

Note: This section is not intended to be an exhaustive list, which I will add to as time allows.

For users of the iSCSI Initiator, the following event sources are interesting:

  • iSCSI
  • iSCSIPrt
  • MSiSCSI

For users of MPIO:

  • MPIO
  • MSDSM

Other Storage events of interest:

  • Partition Manager (partmgr)
  • Volume Manager (volmgr)
  • ClassPNP

Making the information returned more usable:

A great alternative to viewing these in the PowerShell console is to open them in GridView.

For example, to get a list of hotfixes in GridView, we’d type the following:

(Get-HotFix | Out-GridView)

This yields a tabular GUI that supports search criteria and sorting of the data.

Example of Gridview output:

Note: I’ve selected only specific properties for the example.

[Image: GridView output showing the selected hotfix properties]

To download a copy of this example, please see my posting in the script center here:

https://gallery.technet.microsoft.com/Collect-System-Events-5c0fbe7f

Combined PowerShell Sample:

##############################################################################
# Created by:   Bruce Langworthy
# Organization: Microsoft Corporation
# Sample Name:  StorageEvents.ps1
##############################################################################
# Note: This is intended primarily as an example of how to collect specific
#       event types, as it will typically return too many events to be easily
#       usable at the PowerShell prompt.
#
#       I would suggest combining them either with Out-Gridview, or Out-File.
#       For example,
#       $TempSystemLog | Where-object {$_.ProviderName -eq "NTFS"} | Out-Gridview
#       $TempSystemLog | Where-object {$_.ProviderName -eq "NTFS"} | Out-File
#
##############################################################################

# Get the list of installed hotfixes, and sort them by descending installation date
(Get-HotFix | Select HotfixID, Description, InstalledBy, InstalledOn |
 Sort-Object -Property InstalledOn -Descending)

# Store system log, because this query is horribly time consuming
$TempSystemLog = (Get-WinEvent -LogName System)

# Obtain and display NTFS Events.
$TempSystemLog | Where-object {$_.ProviderName -eq "NTFS"}

# Obtain and display Volsnap events
$TempSystemLog | Where-object {$_.ProviderName -eq "Volsnap"}

# Obtain and display Disk Events
$TempSystemLog | Where-object {$_.ProviderName -eq "Disk"}

Comments

  • Anonymous
    October 08, 2011
    Hi Bruce, that is an excellent article.  I'm new in PS.  I did the exercise but I have a dude. How can I filter the output to only catch the system event which their level be "warning" or "Error"? juliancastiblancop@gmail.com

  • Anonymous
    October 10, 2011
    Hi Julian, If you replace the usage of the Get-Winevent cmdlet with Get-Eventlog, the Get-eventlog cmdlet supports this. For example: get-eventlog -LogName System -Source ntfs -EntryType Error