November 19th, 2013

Use PowerShell to Review the Setup Event Log

Doctor Scripto
Scripter

Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to review the setup event log.

Microsoft Scripting Guy, Ed Wilson, is here. The ticket sales for Windows PowerShell Saturday in Charlotte, North Carolina have been going pretty well. Stay tuned for some pretty exciting news—we may be adding a fourth track to the event. The reason is that there were so many excellent sessions proposed and we had a hard time choosing. In some cases, we really could not make a decision. So we may be running four tracks. This is great news, but also sort of bad news if you were hoping to catch all of the sessions. But of course, even if there were only two tracks, you would not be able to catch all of the sessions. The great thing is that there is a nice variety of sessions. Some are beginner, some are advanced, and some are, well, just plain cool. You will not want to miss out on this event.

The first thing you need to know about using Windows PowerShell to review the setup event log, is that I am not talking about Windows Setup. It seems like I have been reviewing Windows Setup log files forever. Nope. We are not going to review the Windows Setup log. What I am talking about is an event log that happens to be called “setup.” This log is shown here:

Image of log

This view into the Event viewer is (in my mind) misleading. Because under Windows Logs, I have the traditional event logs: Application, Security, and System. These logs have been around since Windows first came out. In fact, it was a question on my MCSE exam for Windows NT 3.51.

So I open the Windows PowerShell console, and attempt to read from the Setup event log by using the Get-Eventlog cmdlet (which only works with traditional event logs), and it fails. This command is shown here:

Get-EventLog -LogName setup

When I use Get-EventLog to look for event logs, I see that the Setup log is missing.

Get-EventLog –List

The failed command says that the Setup log does not exist on my computer. Dude, I just saw it in the Event Viewer! Here are the commands and the output:

Image of command output

The case of the missing log

Remember, there are two cmdlets to work with the two different types of Windows Event logs. The first cmdlet, created in the Windows PowerShell 1.0 days, works with traditional event logs. It is called Get-EventLog. The second cmdlet, created in Windows PowerShell 2.0 days, is called Get-WinEvent, and it will query traditional (classic) event logs in addition to the more modern types of event logs (modern in the sense that they were created four versions of Windows ago in the Windows Vista days).

I use the Get-WinEvent cmdlet to see if I can find the Setup log. It works. Here is the command and the output:

PS C:\> Get-WinEvent -ListLog setup

LogMode   MaximumSizeInBytes RecordCount LogName

——-   —————— ———– ——-

Circular             1052672          58 Setup

I want to find a bit more information, so I pipe the output to the Format-List cmdlet as shown here:

Image of command output

Groovy. So I will have to use the Get-WinEvent cmdlet to query this log file. No problem. None whatsoever. In fact, I wrote an entire series of Hey, Scripting Guy! Blog posts about using Get-WinEvent.

By following the post Use PowerShell Cmdlet to Filter Event Log for Easy Parsing as a guideline (there is great info in the post about creating filter hash tables), I write a query to parse the Setup log and to return only items that state they need a reboot. This command is shown here:

Get-WinEvent -FilterHashtable @{logname = ‘setup’; id = 4}

Image of command output

The output is pretty cool, but unfortunately, it does not tell me why the reboot is necessary. In addition, I already know the ID and the level because I selected the ID in my filter query. So I pipe the output to Format-Table and wrap the output. I also tighten up the output. Here is my command:

Get-WinEvent -FilterHashtable @{logname = ‘setup’; id = 4} |

Format-Table timecreated, message -AutoSize -Wrap

Here is the results:

Image of command output

This is a better output for me, but I find myself looking to see what packages are installed. I notice they are all KB-type packages. So, I decide to pipe the results to Select-String, and to filter out only matches that begin with KB and are followed by some numbers. Here is the command I come up with:

Get-WinEvent -FilterHashtable @{logname = ‘setup’; id = 4} | select message |

Select-String -Pattern ‘kb\d*’ -AllMatches | select matches

Note  I use a simple RegEx pattern here. For more information about Windows PowerShell and Regular Expressions refer to this collection of Hey, Scripting Guy! Blog posts.

The output is exactly what I wanted to see, as shown here:

Image of command output

Join me tomorrow when I will talk more about using Windows PowerShell for troubleshooting.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy 

Author

The "Scripting Guys" is a historical title passed from scripter to scripter. The current revision has morphed into our good friend Doctor Scripto who has been with us since the very beginning.

0 comments

Discussion are closed.

Feedback