Did you know that Windows PowerShell can help you manage your event log? This excerpt from Tulloch, Northrup, et al.'s Windows® 7 Resource Kit will show you how.
New in Windows 7 is the capability of using Windows PowerShell for managing event logs and gathering event information. A number of new Windows PowerShell cmdlets provide functionality, as follows:
Clear-EventLog Deletes all entries from specified event logs on the local or remote computers
Get-EventLog Gets the events in a specified event log or a list of the event logs on a computer
Get-EventSubscriber Gets the event subscribers in the current session
Get-WinEvent Gets events from event logs and event tracing log files on local and remote computers
Limit-EventLog Sets the event log properties that limit the size of the event log and the age of its entries
New-Event Creates a new event
New-EventLog Creates a new event log and a new event source on a local or remote computer
Register-EngineEvent Subscribes to events that are generated by the Windows PowerShell engine and by the New-Event cmdlet
Register-ObjectEvent Subscribes to the events that are generated by a .NET object
Register-WmiEvent Subscribes to an event generated by a WMI object
Remove-EventLog Deletes an event log or unregisters an event source
Show-EventLog Displays the event logs of the local or a remote computer in Event Viewer
Wait-Event Waits until a particular event is raised before continuing to run
For example, to get information concerning the "classic" (Windows) event logs on the computer, use the get-eventlog cmdlet as follows.
PS C:\Windows\system32> get-eventlog -list
Max(K) Retain OverflowAction Entries Log
------ ------ ------------- ------- ---
20,480 0 OverwriteAsNeeded 899 Application
20,480 0 OverwriteAsNeeded 0 HardwareEvents
512 7 OverwriteOlder 0 Internet Explorer
20,480 0 OverwriteAsNeeded 0 Key Management Service
8,192 0 OverwriteAsNeeded 0 Media Center
20,480 0 OverwriteAsNeeded 1,473 Security
20,480 0 OverwriteAsNeeded 3,125 System
15,360 0 OverwriteAsNeeded 36 Windows PowerShell

To display the most recent three events from the System log, use the following command.
PS C:\Windows\system32> get-eventlog -newest 3 -logname System
Index Time EntryType Source InstanceID Message
----- ---- --------- ------ ---------- --------
3125 Jun 28 11:55 Information Service Control M... 1073748860 The Application
Information service entered the...
3124 Jun 28 11:41 Information Service Control M... 1073748860 The Diagnostic
System Host service entered the ...
3123 Jun 28 11:37 Information Service Control M... 1073748860 The Microsoft
Software Shadow Copy Provider ser...

To display all critical ("Error") events in the System log, use the following command.
PS C:\Windows\system32> get-eventlog -logname System -entrytype Error
Index Time EntryType Source InstanceID Message
----- ---- --------- ------ ---------- --------
1707 Jun 17 08:38 Error EventLog 2147489656 The previous system
shutdown at 4:41:12 PM on ?...
1688 Jun 16 16:22 Error Server 3221227977 The server could
not bind to the transport \Dev...
1680 Jun 16 16:22 Error Server 3221227977 The server could
not bind to the transport \Dev...
1675 Jun 16 16:16 Error NETLOGON 5783 The session setup
to the Windows NT or Windows ...
1669 Jun 16 15:43 Error RasSstp 1 CoId={746056B2-
DA98-451B-BF59-6371A598B450}:The...
1662 Jun 16 15:07 Error Server 3221227977 The server could
not bind to the transport \Dev...
1659 Jun 16 15:06 Error RasSstp 1 CoId={40BE02A6-
FB36-4FC4-BA37-8F996CCEF143}:The...
1656 Jun 16 15:06 Error RasSstp 1 CoId={600CDFFC-
90F9-4C85-990F-95F45582ADEE}:The...

To display detailed information concerning the NETLOGON event displayed above, specify the index number for that event in the following command.
PS C:\Windows\system32> get-eventlog -logname System -index 1675 | format-list -property *
EventID : 5783
MachineName : SEA-CLI-49.contoso.com
Data : {}
Index : 1675
Category : (0)
CategoryNumber : 0
EntryType : Error
Message : The session setup to the Windows NT or Windows 2000 Domain
Controller \\SEA-DC1.contoso.com for the
domain CONTOSO is not responsive. The current RPC call from
Netlogon on \\SEA-CLI-49 to
\\SEA-DC1.contoso.com has been cancelled.
Source : NETLOGON
ReplacementStrings : {\\SEA-DC1.contoso.com, CONTOSO, SEA-CLI-49}
InstanceId : 5783
TimeGenerated : 6/16/2009 4:16:45 PM
TimeWritten : 6/16/2009 4:16:45 PM
UserName :
Site :
Container :

The get-winevent cmdlet provides even more functionality for displaying event log and event information. For example, to view detailed information concerning the Application log on the computer, use the following command.
PS C:\Windows\system32> get-winevent -listlog Application | format-list -property *
FileSize : 1118208
IsLogFull : False
LastAccessTime : 6/8/2009 6:10:23 PM
LastWriteTime : 6/28/2009 11:01:10 AM
OldestRecordNumber : 1
RecordCount : 899
LogName : Application
LogType : Administrative
LogIsolation : Application
IsEnabled : True
IsClassicLog : True
SecurityDescriptor : O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)
(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
LogFilePath : %SystemRoot%\System32\Winevt\Logs\Application.evtx
MaximumSizeInBytes : 20971520
LogMode : Circular
OwningProviderName :
ProviderNames : {.NET Runtime, .NET Runtime Optimization Service,
Application, Application Error...}
ProviderLevel :
ProviderKeywords :
ProviderBufferSize : 64
ProviderMinimumNumberOfBuffers : 0
ProviderMaximumNumberOfBuffers : 64
ProviderLatency : 1000
ProviderControlGuid :

Note
MORE INFO For more information on using Windows PowerShell for event monitoring, see the help for these cmdlets in the Windows PowerShell Cmdlet Help Topics at http://technet.micro...y/dd347701.aspx.
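The commands above query logs one at a time; the following added script (not from the Resource Kit) combines get-winevent -listlog and get-winevent -filterhashtable into two reusable functions: one that audits the size, mode and enabled state of the logs a defender relies on, and one that summarises recent Error and Critical events by provider and event ID instead of listing every entry. The log names, the 64 MB threshold and the seven-day window are assumptions chosen for illustration; reading the Security log requires an elevated session.

```powershell
# Added example, not code from the Windows 7 Resource Kit.
# Flags logs that are disabled, smaller than a chosen minimum, or (for Security)
# circular, which means the oldest entries are silently overwritten when full.
function Test-EventLogConfig {
    param(
        [string[]]$LogName = @('Security', 'System', 'Application'),  # assumed set
        [long]$MinimumSizeBytes = 64MB                                 # assumed threshold
    )
    foreach ($log in Get-WinEvent -ListLog $LogName) {
        $issues = @()
        if (-not $log.IsEnabled) { $issues += 'log is disabled' }
        if ($log.MaximumSizeInBytes -lt $MinimumSizeBytes) {
            $issues += ('maximum size {0} bytes is below {1} bytes' -f $log.MaximumSizeInBytes, $MinimumSizeBytes)
        }
        if ($log.LogName -eq 'Security' -and $log.LogMode -eq 'Circular') {
            $issues += 'Security log is circular; entries are overwritten once it fills'
        }
        # New-Object PSObject keeps this runnable on the PowerShell 2.0 shipped with Windows 7.
        New-Object PSObject -Property @{
            LogName = $log.LogName
            SizeMB  = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
            LogMode = $log.LogMode
            Records = $log.RecordCount
            Issues  = ($issues -join '; ')
        } | Select-Object LogName, SizeMB, LogMode, Records, Issues
    }
}

# Summarises Critical (Level 1) and Error (Level 2) events from the last $Days days.
# -FilterHashtable filters inside the event log service, so it is far cheaper than
# reading the whole log and filtering with Where-Object.
function Get-RecentErrorSummary {
    param(
        [string]$LogName = 'System',
        [int]$Days = 7          # assumed window
    )
    $filter = @{ LogName = $LogName; Level = 1, 2; StartTime = (Get-Date).AddDays(-$Days) }
    # SilentlyContinue suppresses the non-terminating "No events were found" error.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object ProviderName, Id |
        Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated } }
}

Test-EventLogConfig | Format-Table -AutoSize
Get-RecentErrorSummary | Format-Table -AutoSize
```

A log flagged by Test-EventLogConfig can be resized with the Limit-EventLog cmdlet listed above, for example Limit-EventLog -LogName Security -MaximumSize 64MB, before the next audit run.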
This official Microsoft RESOURCE KIT delivers in-depth technical guidance from those who know the technology best—Microsoft MVPs and the Windows 7 team. Covers new features, deployment, administration, security, and other essential topics.