{"id":13331,"date":"2011-07-13T00:01:00","date_gmt":"2011-07-13T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2011\/07\/13\/use-powershell-to-troubleshoot-software-installation\/"},"modified":"2011-07-13T00:01:00","modified_gmt":"2011-07-13T00:01:00","slug":"use-powershell-to-troubleshoot-software-installation","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/use-powershell-to-troubleshoot-software-installation\/","title":{"rendered":"Use PowerShell to Troubleshoot Software Installation"},"content":{"rendered":"

Summary<\/strong>: Use Windows PowerShell to troubleshoot software installation.<\/p>\n

 <\/p>\n

\"Hey,Hey, Scripting Guy! I am having a problem troubleshooting the installation of an MSI package. I am using Group Policy to deploy the MSI package, and on some computers, it seems to work, but on other computers it fails. After having read your most recent series of articles about troubleshooting Windows, I thought I could use a trace log, but after spending more than an hour trying to click all of those little folders (why is there no search on the log name?), I could not find a trace log that seemed to make sense. Anyway, I guess I am asking you how to troubleshoot remote installation of a MSI package. Hope you can help.<\/p>\n

—LT<\/p>\n

 <\/p>\n

\"Hey,Hello LT,<\/p>\n

Microsoft Scripting Guy Ed Wilson here. This morning, the Scripting Wife and I got to do something we have been looking forward to for nearly two months. When we were at Tech\u2219Ed 2011 in Atlanta, we got to meet a couple of scripters that work for a company that has a headquarters in the Charlotte area. We exchanged email, and this morning the Scripting Wife and I went to their office and made a three-hour “Introduction to Windows PowerShell” presentation. It was a lot of fun. One of the questions they had was related to troubleshooting remote systems.<\/p>\n

LT, you are not alone in your queries. In addition to the customer I was talking to this morning, there was also a comment on Monday’s blog post<\/a> from Klaus Schulte<\/a> (winner of the Beginner division of the 2011 Scripting Games) asking about troubleshooting installation packages.<\/p>\n

LT, there is a search for trace logs. It is called Windows PowerShell. I have given up attempting to navigate through the hundreds of logs in all the different folders (there are 492 logs on my Windows 7 Ultimate workstation). Instead, if I am searching for a log related to something, I use Windows PowerShell.<\/p>\n

In Saturday’s Weekend Scripter article<\/a>, I talked about working with Event Tracing for Windows (ETW) logs. I discussed how to enable and disable the logs, and how to use the Get-WinEvent<\/b> cmdlet to find and to read the trace. Monday, I continued the ETW discussion<\/a> by examining the datetime<\/b> stamp that is generated for each event. Yesterday, I explored parsing the message property<\/a> of the WMI Activity Trace log.<\/p>\n

If I do not supply a value to the listlog <\/i>parameter, an error appears. If I provide the name of a specific log, certain information about the log returns. If I use the *<\/b> wildcard character, information about every log on the system is displayed in the Windows PowerShell console. If I use a more comprehensive wildcard character pattern, I can limit the number of logs that return. An example of searching for trace logs that relate to install<\/b> <\/i>is shown here:<\/p>\n

PS C:\\Windows\\system32> Get-WinEvent -ListLog *install* -force | select logname<\/p>\n

 <\/p>\n

LogName                                                                                                                                     <\/p>\n

——-                                                                                                                                      <\/p>\n

Microsoft-Windows-AxInstallService\/Log                                                                                                       <\/p>\n

Microsoft-Windows-WPD-ClassInstaller\/Analytic                                                                                               <\/p>\n

Microsoft-Windows-WPD-ClassInstaller\/Operational                                                                                             <\/p>\n

 <\/p>\n

I can use the same technique to search for logs that relate to msi<\/b>.<\/i> In the following output, only one log relates to MSI, but it is associated with AppLocker. Therefore, it will not pick up any trace information from a generic MSI installation:<\/i><\/p>\n

PS C:\\Windows\\system32> Get-WinEvent -ListLog *msi* -force | select logname<\/p>\n

 <\/p>\n

LogName                                                                                                                                     <\/p>\n

——-                                                                                                                                     <\/p>\n

Microsoft-Windows-AppLocker\/MSI and Script                  <\/p>\n

 <\/p>\n

At times, either I cannot find a trace log that I like, or I grow impatient from the search and then use one of my favorite tricks: query all the logs at once. Sure, it is inefficient, but if I am working locally, it is not a big deal. However, it can take a very<\/i> long time for the command to complete (on my workstation, it takes nearly four minutes to complete the command). The thing to keep in mind is that after the first portion of time—it might be seconds or a minute or so depending on how much data you are returning and how recent your time filter is—new information will no longer be returned to the screen. This is the time when the command is continuing to process log files, but there is no longer any data to return even though the filter coming after the command to return all the event logs is still working. The (inefficient) command to return log files that have a timestamp that occurs later than “7\/11\/11 10:35:08 pm” follows this paragraph. To make the information display a bit better, I send the information to a table. In the following command the Get-WinEvent<\/b> cmdlet returns all information from all log files. The returned entries are piped to the Where-Object<\/b> cmdlet (?<\/b> Is an alias for the Where-Object<\/b> cmdlet), which filters log entries after a specific time. The results are piped to the Format-Table<\/b> cmdlet (ft<\/b> is an alias for Format-Table<\/b> cmdlet), and three properties are selected. The command is shown here:<\/p>\n

Get-WinEvent | ? {$_.TimeCreated -gt “7\/11\/11 10:35:08 pm” } | ft logname, id, message<\/p>\n

 <\/p>\n

The following figure illustrates running the command in the Windows PowerShell ISE and displays the associated output.<\/p>\n

\"Image<\/a><\/p>\n

If I want to tighten up the output and create a more efficient use of the space in my output pane in the Windows PowerShell ISE, I can add the autosize <\/i>parameter to the Format-Table<\/b> cmdlet. In addition, I can display the entire message if I use the wrap<\/i> parameter. However, when I add these parameters to the previous command, it will take the most of the time (five minutes or so) the command runs before displaying output. This is because to calculate the amount of space to allocate for the columns, Windows PowerShell needs to look at all of the data. This reduces the efficiency of the streaming behavior that I took advantage of earlier. The revised command is shown here:<\/p>\n

Get-WinEvent | ? {$_.TimeCreated -gt “7\/11\/11 10:35:08 pm” } | ft logname, id, message -AutoSize –wrap<\/p>\n

Clearly, a more efficient method of working with log files is required. <\/p>\n

For more information about using the FilterHashTable<\/i> parameter, see Use a PowerShell Cmdlet to Filter Event Log for Easy Parsing<\/a> and Use PowerShell to Parse Saved Event Logs for Errors<\/a>. For more information about improving the performance of event log queries, see How to Improve the Performance of a PowerShell Event Log Query<\/a>. For issues surrounding working remotely with Windows Vista and Windows XP event logs, refer to Discover How to Filter Remote Event Log Entries in Windows Vista<\/a>. <\/p>\n

The following table is copied from my Use PowerShell to Parse Saved Event Logs for Errors<\/a> Hey, Scripting Guy! Blog post from January 2011.<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
\n

Event Log Viewer name<\/strong><\/p>\n<\/td>\n

\n

FilterHashTable parameter key name<\/strong><\/p>\n<\/td>\n<\/tr>\n

\n

Log Name<\/p>\n<\/td>\n

\n

LogName<\/p>\n<\/td>\n<\/tr>\n

\n

Source<\/p>\n<\/td>\n

\n

ProviderName<\/p>\n<\/td>\n<\/tr>\n

\n

Event ID<\/p>\n<\/td>\n

\n

ID<\/p>\n<\/td>\n<\/tr>\n

\n

Level<\/p>\n<\/td>\n

\n

Level<\/p>\n<\/td>\n<\/tr>\n

\n

User<\/p>\n<\/td>\n

\n

UserID<\/p>\n<\/td>\n<\/tr>\n

\n

Op Code<\/p>\n<\/td>\n

\n

*<\/p>\n<\/td>\n<\/tr>\n

\n

Logged<\/p>\n<\/td>\n

\n

*<\/p>\n<\/td>\n<\/tr>\n

\n

Task Category<\/p>\n<\/td>\n

\n

*<\/p>\n<\/td>\n<\/tr>\n

\n

Keywords<\/p>\n<\/td>\n

\n

*<\/p>\n<\/td>\n<\/tr>\n

\n

Computer<\/p>\n<\/td>\n

\n

N\/A use –ComputerName<\/i> parameter<\/p>\n<\/td>\n<\/tr>\n

\n

Details<\/p>\n<\/td>\n

\n

Data<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

If I attempt to use my trick of using the Get-Winevent<\/b> cmdlet to list all log entries, and I use a FilterHashTable<\/b> to attempt to filter based on time at the Get-Winevent<\/b> cmdlet instead of on the other side of the pipeline, an error returns that states I must specify either a log, provider, or path. The command and associated error appear here:<\/p>\n

PS C:\\Windows\\system32> Get-WinEvent -FilterHashTable @{StartTime = “7\/11\/11 10:35:08 pm”}<\/p>\n

Get-WinEvent : You must specify at least one Log, Provider or Path key-value pair.<\/p>\n

At line:1 char:13<\/p>\n

+ Get-WinEvent <<<<  -FilterHashTable @{StartTime = “7\/11\/11 10:35:08 pm”}<\/p>\n

    + CategoryInfo          : InvalidArgument: (:) [Get-WinEvent], Exception<\/p>\n

    + FullyQualifiedErrorId : LogProviderOrPathNeeded,Microsoft.PowerShell.Commands.GetWinEventCommand<\/p>\n

 <\/p>\n

I decide to modify the command to use a wildcard character for the logname<\/b> key for the FilterHashTable<\/b>.<\/i> The command works great and returns data nearly immediately:<\/p>\n

Get-WinEvent -FilterHashtable @{StartTime = “7\/11\/11 10:35:08 pm”; LogName = “*”}<\/p>\n

 <\/p>\n

The nice thing about the above command is it returns information from multiple logs and multiple providers. This is useful, for example, when troubleshooting installation problems that may be unrelated to the actual installer. To check a specific installation, it may be useful to filter based on not only the time, but also on the provider. For MSI installed software, the provider is the msiInstaller<\/b> provider. The following command is broken at the pipe character for readability purposes. In reality it is a single command:<\/p>\n

Get-WinEvent -FilterHashtable @{StartTime = “7\/11\/11 10:35:08 pm”; ProviderName = “msiInstaller”} |<\/p>\n

ft logname, id, message -AutoSize –wrap<\/p>\n

The command and associated output appear in the following figure.<\/p>\n

\"Image<\/a><\/p>\n

 <\/p>\n

LT, that is all there is to using Windows PowerShell to look at Windows Installer logging. Troubleshooting Windows week will continue tomorrow.<\/p>\n

I invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n

Ed Wilson, Microsoft Scripting Guy<\/b><\/p>\n

 <\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Summary: Use Windows PowerShell to troubleshoot software installation.   Hey, Scripting Guy! I am having a problem troubleshooting the installation of an MSI package. I am using Group Policy to deploy the MSI package, and on some computers, it seems to work, but on other computers it fails. After having read your most recent series […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[97,42,51,98,31,60,3,4,134,45],"class_list":["post-13331","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-event-logs","tag-events-and-monitoring","tag-getting-started","tag-logs-and-monitoring","tag-operating-system","tag-performance","tag-scripting-guy","tag-scripting-techniques","tag-troubleshooting","tag-windows-powershell"],"acf":[],"blog_post_summary":"

Summary: Use Windows PowerShell to troubleshoot software installation.   Hey, Scripting Guy! I am having a problem troubleshooting the installation of an MSI package. I am using Group Policy to deploy the MSI package, and on some computers, it seems to work, but on other computers it fails. After having read your most recent series […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/13331","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=13331"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/13331\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=13331"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=13331"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=13331"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}