Hey, Scripting Guy! The Scripting Wife Uses Windows PowerShell to Read from the Windows Event Log
Microsoft Scripting Guy Ed Wilson here. The wind is blowing with a steady stream that knocks the flowers from the trees, and breathes life into inanimate objects in the neighbor’s front lawns. The wind chimes on the porch play a strangely dissonant melody composed by an unseen musician who attacks his performance with all the gusto of Beethoven’s ninth symphony. It is too intemperate to work outside this morning, and therefore I am sitting in the kitchen with my laptop propped on a stack of unread snail spam catching up with my friends on Facebook while I enjoy a cup of English Breakfast tea and a freshly baked cinnamon apple scone that was lovingly prepared by the Scripting Wife. I head over to the stove to retrieve what by some counts might be considered my fourth scone, when the Scripting Wife catches me red handed, scone in hand, and a somewhat guilty look adorning my still sleepy face.
“And what do you think you are doing?” she demanded with no hint of mirth in her voice.
“I am getting a scone,” I said matter-of-factly.
“Don’t you think you have had enough? I really do not believe they are on your diet,” she said with understanding.
“I did not want to insult you by making you think I did not like them,” I said using my Fat Albert imitation.
“I see,” she said not buying my excuse. “You are an adult, so do what you want, but don’t come crying to me if you don’t lose any weight this week.”
“You are right,” I said putting the scone back on the plate. “It will probably taste better tomorrow after it has had a chance to decant for a while.”
“Since you are not doing anything, perhaps you would like to show me how to use Windows PowerShell to read from the Windows Event Log,” she suggested.
“But of course. I would be happy to,” I said in a voice vaguely reminiscent of Steve Martin. “Go grab your laptop, and we will get started.”
“Okay, open the Windows PowerShell ISE, and in the command pane, use the Get-Command cmdlet to find all the Windows PowerShell cmdlets that are related to event logs. Type Get-Command –noun *event* because all the cmdlets might not actually have the word eventlog in them. So you do not have to keep wrestling with the script pane, go ahead and hide it by clicking the little green up arrow in the right hand corner of the script pane. If you later need the script pane, you will see that the little green up arrow has changed to a little green down arrow—click that,” I said.
“Dude, do you ever stop to take a breath? I guess you learned circular breathing when you were majoring in saxophone at the university. Okay, I have the list of cmdlets,” she said while angling her laptop for me to view.
“Smart aleck. Let’s use the Get-WinEvent cmdlet to query the application log and retrieve five events. It is a new cmdlet that was introduced in Windows PowerShell 2.0. Type Get-WinEvent –logname application –maxevents 5 and then press ENTER,” I said.
“It don’t work. It gives me an error. It says it only works on Windows Vista or later,” she said while turning her laptop so I could see the screen.
“Cool, I said. That makes sense because Get-WinEvent accesses the new Windows Vista style event logs. But I thought it would also work on Windows XP. I am sorry. A thousand apologies! Okay, clear the screen of the error message by typing cls, and pressing ENTER. Let’s use the Get-Eventlog cmdlet. Type Get-ev in the command pane and press TAB a couple times until Get-Eventlog appears. Press the SPACEBAR one time, type a hyphen and press TAB until the –LogName parameter appears (it should be the first one to appear). Type application, press the SPACEBAR, type a hyphen, and then press TAB a couple of times until the –newest parameter appears. Now type 5 to retrieve the newes
t five events. Press ENTER to run the command. Your command should look like this when it is completed: Get-EventLog –LogName application –Newest 5,” I said.
“Well that is easy enough,” she said while sliding out of the way to let me take a look at her results.
“What if I want to see all the events that occurred after April 17, 2010? How would I do that?” she asked.
“Well that is easy. We just use the –after parameter and type a date. Press the up arrow to retrieve your Get-EventLog –LogName application –Newest 5 command, and delete the –Newest 5 part of the command. Now, type –a and press TAB; the –after parameter should appear. Type a date such as 4/17/2010 and press ENTER. The command should look like this: Get-EventLog –LogName application –After 4/17/2010,” I said. “Let me see your results when you are done.”
“That is pretty easy,” she said.
“I see that you have several messages with a source of UserEnv. We can combine parameters to focus on certain messages from a specific time. Press the up arrow until you retrieve your previous Get-EventLog –LogName application –After 4/17/2010 command. Go to the end of the command, type a –s and press TAB. This should expand the –Source parameter so you can add UserEnv for your source parameter. The command should look like this when you are done: Get-EventLog –LogName application –After 4/17/2010 –Source UserEnv,” I said.
“Ok. I got it. Can I run it?” she patiently asked.
“Of course you can. Let me know if it works,” I added helpfully.
“Yep. Here you go,” she said.
“Why don’t you click the Help button, type Get-EventLog in the search box, and read about using the Get-EventLog cmdlet. The Help topic has several examples you can practice as well,” I said.
“Is this a polite way of telling me to buzz off?” she asked pouting.
“Yep,” I replied.
If you want to know exactly what we will be looking at tomorrow, follow us on Twitter or Facebook. If you have any questions, send e-mail to us at firstname.lastname@example.org or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson and Craig Liebendorfer, Scripting Guys