{"id":13131,"date":"2011-08-02T00:01:00","date_gmt":"2011-08-02T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2011\/08\/02\/use-the-powershell-select-string-cmdlet-to-parse-wmi-output\/"},"modified":"2011-08-02T00:01:00","modified_gmt":"2011-08-02T00:01:00","slug":"use-the-powershell-select-string-cmdlet-to-parse-wmi-output","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/use-the-powershell-select-string-cmdlet-to-parse-wmi-output\/","title":{"rendered":"Use the PowerShell Select-String Cmdlet to Parse WMI Output"},"content":{"rendered":"

Summary<\/strong>: Learn how to use the Windows PowerShell Select-String cmdlet to easily parse WMI output.<\/p>\n

 <\/p>\n

\"Hey,Hey, Scripting Guy! I have a quick question: is it possible to parse the output of some of the WMI commands? I know they return objects, but some of the commands return sooooo much data. I would like a quick and easy way to look for specific things such as errors or failures, without a lot of fuss and muss. Is this possible?<\/p>\n

—DD<\/p>\n

 <\/p>\n

\"Hey,Hello DD,<\/p>\n

Microsoft Scripting Guy Ed Wilson here. And, yes, it is possible. When working with WMI classes, I normally use the Where-Object<\/b> cmdlet to perform a filter, or I will use WMI itself to perform the filter. In general, if I am working interactively from the Windows PowerShell prompt, my first choice is to use the Where-Object<\/b> cmdlet (the alias is ?<\/b>) simply because it is more natural to me and is easier to type. But it is not as fast. For example, if I am working with the Win32_ReliabilityRecords<\/b> WMI class, it can return a lot of data. If I am only looking for status messages that contain the word failed<\/i> in them, I might pipe the results to the Where-Object<\/b> cmdlet. The command is shown here (gwmi<\/b> is the alias for the Get-WmiObject<\/b> cmdlet, and ?<\/b> is the alias for the Where-Object<\/b> cmdlet):<\/p>\n

gwmi win32_reliabilityrecords | ? { $_.message -match “failed” }<\/p>\n

The command and the associated output are shown here.<\/p>\n

\"Image<\/a><\/p>\n

As you can see in the preceding figure, a lot of information is returned. These are all objects, so I have the opportunity to do additional processing, if I want to do so. However, what if I do not want to do additional processing? In fact, what if all I want to do is see messages that contained the word failed<\/i> in them? In this case, I might turn to the Select-String<\/b> cmdlet. The syntax of such a command is shown following this paragraph. This command uses the gwmi<\/b> alias for the Get-WmiObject<\/b> cmdlet. There is no default alias for the Select-String<\/b> cmdlet. In yesterday’s Hey, Scripting Guy! Blog post<\/a>, I showed how to create an alias called grep<\/b> to make it easier to use the Select-String<\/b> cmdlet from an interactive Windows PowerShell prompt.<\/p>\n

gwmi win32_reliabilityrecords | select-string “failed” -InputObject {$_.message}<\/p>\n

The command and associated output are shown in the following figure.<\/p>\n

\"Image<\/a><\/p>\n

As shown in the preceding figure, the output is much more succinct and easier to read. So how does the command work? I use the Get-WmiObject<\/b> cmdlet to query for all records from the Reliability Provider. The Reliability Provider supports the Win32_ReliabilityRecords<\/b> WMI class. I pipe all of these records to the Select-String<\/b> cmdlet. The Select-String<\/b> cmdlet uses the pattern “failed”<\/b> and searches each incoming message<\/b> property. Here is the trick: I must use curly brackets along with the $_<\/b> automatic variable to read inside the message<\/b> property. Normally I would use simple parentheses to force the evaluation, but that does not work here. Leaving the inputobject<\/b> value unadorned does not work either.<\/p>\n

What about speed? I decided to use the Measure-Command<\/b> cmdlet to measure the performance of the two commands. The two commands are shown here:<\/p>\n

measure-command {gwmi win32_reliabilityrecords | ? { $_.message -match “failed” } }<\/p>\n

measure-command {gwmi win32_reliabilityrecords | select-string “failed” -InputObject {$_.message} }<\/p>\n

As seen in the following figure, the first command (using the Where-Object <\/b>cmdlet) takes about 10.1 seconds. The second command (using the Select-String<\/b> cmdlet) takes about 10.5 seconds. So the first command is a bit faster.<\/p>\n

\"Image<\/a><\/p>\n

Unfortunately, the WMI Reliability Provider does not appear to support the WMI like<\/b> operator. Therefore, the following command fails.<\/p>\n

PS C:\\> gwmi win32_reliabilityrecords -filter “message -like ‘%failed%'”<\/p>\n

Get-WmiObject : Invalid query<\/p>\n

At line:1 char:5<\/p>\n

+ gwmi <<<<  win32_reliabilityrecords -filter “message -like ‘%failed%'”<\/p>\n

    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException<\/p>\n

    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObject Command<\/p>\n

By selecting only the message<\/b> property, the query speeds a little. The output is better formatted as well:<\/p>\n

PS C:\\> gwmi win32_reliabilityrecords -Property message | ? {$_.message -match “failed” } <\/p>\n

 <\/p>\n

__GENUS          : 2<\/p>\n

__CLASS          : Win32_ReliabilityRecords<\/p>\n

__SUPERCLASS     :<\/p>\n

__DYNASTY        :<\/p>\n

__RELPATH        :<\/p>\n

__PROPERTY_COUNT : 1<\/p>\n

__DERIVATION     : {}<\/p>\n

__SERVER         :<\/p>\n

__NAMESPACE      :<\/p>\n

__PATH           :<\/p>\n

Message          : Installation Failure: Windows failed to install the following update with error<\/p>\n

                   0x80070643: Definition Update for Windows Defender – KB915597 (Definition 1.99.1<\/p>\n

                   460.0).<\/p>\n

 <\/p>\n

__GENUS          : 2<\/p>\n

__CLASS          : Win32_ReliabilityRecords<\/p>\n

__SUPERCLASS     :<\/p>\n

__DYNASTY        :<\/p>\n

__RELPATH        :<\/p>\n

__PROPERTY_COUNT : 1<\/p>\n

__DERIVATION     : {}<\/p>\n

__SERVER         :<\/p>\n

__NAMESPACE      :<\/p>\n

__PATH           :<\/p>\n

Message          : Installation Failure: Windows failed to install the following update with error<\/p>\n

                   0x80070643: Definition Update for Microsoft Forefront code named Stirling Beta v<\/p>\n

                   ersion – KB977939 (Definition 1.95.257.0).<\/p>\n

 <\/p>\n

The time of the previous query is shown here:<\/p>\n

PS C:\\> Measure-command {gwmi win32_reliabilityrecords -Property message | ? {$_.message -match “failed”} } <\/p>\n

 <\/p>\n

Days              : 0<\/p>\n

Hours             : 0<\/p>\n

Minutes           : 0<\/p>\n

Seconds           : 8<\/p>\n

Milliseconds      : 911<\/p>\n

Ticks             : 89110704<\/p>\n

TotalDays         : 0.000103137388888889<\/p>\n

TotalHours        : 0.00247529733333333<\/p>\n

TotalMinutes      : 0.14851784<\/p>\n

TotalSeconds      : 8.9110704<\/p>\n

TotalMilliseconds : 8911.0704<\/p>\n

 <\/p>\n

If I want to return only the message<\/b> property and not the WMI System properties, I can pipe the results to the Select-Object<\/b> cmdlet and choose only the message<\/b> property. This command and associated output are shown here:<\/p>\n

PS C:\\> gwmi win32_reliabilityrecords -Property message | ? {$_.message -match “failed” } | select message <\/p>\n

message<\/p>\n

——-<\/p>\n

Installation Failure: Windows failed to install the following update with error 0x80070643: Defi…<\/p>\n

Installation Failure: Windows failed to install the following update with error 0x80070643: Defi…<\/p>\n

 <\/p>\n

As can be seen above, however, the message<\/b> field is truncated. Therefore, to display the entire message property, it is necessary to use the expandproperty <\/i>parameter. This is shown here:<\/p>\n

PS C:\\> gwmi win32_reliabilityrecords -Property message | ? {$_.message -match “failed” } | select –<\/p>\n

ExpandProperty message<\/p>\n

Installation Failure: Windows failed to install the following update with error 0x80070643: Definit<\/p>\n

ion Update for Windows Defender – KB915597 (Definition 1.99.1460.0).<\/p>\n

Installation Failure: Windows failed to install the following update with error 0x80070643: Definit<\/p>\n

ion Update for Microsoft Forefront code named Stirling Beta version – KB977939 (Definition 1.95.257<\/p>\n

.0).<\/p>\n

At this point, it is a bit faster and certainly easier to go back to using the Select-String<\/b> cmdlet. It might make sense to modify it to return only the message<\/b> property. This revised command and associated output are shown here:<\/p>\n

PS C:\\> gwmi win32_reliabilityrecords -property message | select-string “failed” -InputObject {$_.me<\/p>\n

ssage}<\/p>\n

 <\/p>\n

Installation Failure: Windows failed to install the following update with error 0x80070643: Definit<\/p>\n

ion Update for Windows Defender – KB915597 (Definition 1.99.1460.0).<\/p>\n

Installation Failure: Windows failed to install the following update with error 0x80070643: Definit<\/p>\n

ion Update for Microsoft Forefront code named Stirling Beta version – KB977939 (Definition 1.95.257<\/p>\n

.0).<\/p>\n

 <\/p>\n

PS C:\\><\/p>\n

  <\/p>\n

Well, DD, that is about all there is to using the Select-String<\/b> cmdlet to parse WMI data. Join me tomorrow when we will continue our discussion about parsing output.<\/p>\n

I invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n

Ed Wilson, Microsoft Scripting Guy<\/b><\/p>\n

 <\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Summary: Learn how to use the Windows PowerShell Select-String cmdlet to easily parse WMI output.   Hey, Scripting Guy! I have a quick question: is it possible to parse the output of some of the WMI commands? I know they return objects, but some of the commands return sooooo much data. I would like a […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[3,4,281,45,77],"class_list":["post-13131","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-scripting-guy","tag-scripting-techniques","tag-select-string","tag-windows-powershell","tag-writing"],"acf":[],"blog_post_summary":"

Summary: Learn how to use the Windows PowerShell Select-String cmdlet to easily parse WMI output.   Hey, Scripting Guy! I have a quick question: is it possible to parse the output of some of the WMI commands? I know they return objects, but some of the commands return sooooo much data. I would like a […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/13131","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=13131"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/13131\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=13131"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=13131"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=13131"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}