{"id":2546,"date":"2013-11-19T00:01:00","date_gmt":"2013-11-19T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2013\/11\/19\/use-powershell-to-review-the-setup-event-log\/"},"modified":"2013-11-19T00:01:00","modified_gmt":"2013-11-19T00:01:00","slug":"use-powershell-to-review-the-setup-event-log","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/use-powershell-to-review-the-setup-event-log\/","title":{"rendered":"Use PowerShell to Review the Setup Event Log"},"content":{"rendered":"

Summary<\/strong>: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to review the setup event log.<\/p>\n

Microsoft Scripting Guy, Ed Wilson, is here. The ticket sales for Windows PowerShell Saturday in Charlotte, North Carolina<\/a> have been going pretty well. Stay tuned for some pretty exciting news—we may be adding a fourth track to the event. The reason is that there were so many excellent sessions proposed and we had a hard time choosing. In some cases, we really could not make a decision. So we may be running four tracks. This is great news, but also sort of bad news if you were hoping to catch all of the sessions. But of course, even if there were only two tracks, you would not be able to catch all of the sessions. The great thing is that there is a nice variety of sessions. Some are beginner, some are advanced, and some are, well, just plain cool. You will not want to miss out on this event.<\/p>\n

The first thing you need to know about using Windows PowerShell to review the setup event log, is that I am not talking about Windows Setup. It seems like I have been reviewing Windows Setup log files forever. Nope. We are not going to review the Windows Setup log. What I am talking about is an event log that happens to be called “setup.” This log is shown here:<\/p>\n

\"Image<\/a><\/p>\n

This view into the Event viewer is (in my mind) misleading. Because under Windows Logs, I have the traditional event logs: Application, Security, and System. These logs have been around since Windows first came out. In fact, it was a question on my MCSE exam for Windows NT 3.51.<\/p>\n

So I open the Windows PowerShell console, and attempt to read from the Setup event log by using the Get-Eventlog<\/strong> cmdlet (which only works with traditional event logs), and it fails. This command is shown here:<\/p>\n

Get-EventLog -LogName setup<\/p>\n

When I use Get-EventLog<\/strong> to look for event logs, I see that the Setup log is missing.<\/p>\n

Get-EventLog –List<\/p>\n

The failed command says that the Setup log does not exist on my computer. Dude, I just saw it in the Event Viewer! Here are the commands and the output:<\/p>\n

\"Image<\/a><\/p>\n

The case of the missing log<\/h2>\n

Remember, there are two cmdlets to work with the two different types of Windows Event logs. The first cmdlet, created in the Windows PowerShell 1.0 days, works with traditional event logs. It is called Get-EventLog<\/strong>. The second cmdlet, created in Windows PowerShell 2.0 days, is called Get-WinEvent<\/strong>, and it will query traditional (classic) event logs in addition to the more modern types of event logs (modern in the sense that they were created four versions of Windows ago in the Windows Vista days).<\/p>\n

I use the Get-WinEvent<\/strong> cmdlet to see if I can find the Setup log. It works. Here is the command and the output:<\/p>\n

PS C:\\> Get-WinEvent -ListLog setup<\/p>\n

LogMode   MaximumSizeInBytes RecordCount LogName<\/p>\n

——-   —————— ———– ——-<\/p>\n

Circular             1052672          58 Setup<\/p>\n

I want to find a bit more information, so I pipe the output to the Format-List<\/strong> cmdlet as shown here:<\/p>\n

\"Image<\/a><\/p>\n

Groovy. So I will have to use the Get-WinEvent<\/strong> cmdlet to query this log file. No problem. None whatsoever. In fact, I wrote an entire series of Hey, Scripting Guy! Blog posts about using Get-WinEvent<\/a>.<\/p>\n

By following the post Use PowerShell Cmdlet to Filter Event Log for Easy Parsing<\/a> <\/em>as a guideline (there is great info in the post about creating filter hash tables), I write a query to parse the Setup log and to return only items that state they need a reboot. This command is shown here:<\/p>\n

Get-WinEvent -FilterHashtable @{logname = ‘setup’; id = 4}<\/p>\n

\"Image<\/a><\/p>\n

The output is pretty cool, but unfortunately, it does not tell me why the reboot is necessary. In addition, I already know the ID and the level because I selected the ID in my filter query. So I pipe the output to Format-Table<\/strong> and wrap the output. I also tighten up the output. Here is my command:<\/p>\n

Get-WinEvent -FilterHashtable @{logname = ‘setup’; id = 4} |<\/p>\n

Format-Table timecreated, message -AutoSize -Wrap<\/p>\n

Here is the results:<\/p>\n

\"Image<\/a><\/p>\n

This is a better output for me, but I find myself looking to see what packages are installed. I notice they are all KB-type packages. So, I decide to pipe the results to Select-String<\/strong>, and to filter out only matches that begin with KB and are followed by some numbers. Here is the command I come up with:<\/p>\n

Get-WinEvent -FilterHashtable @{logname = ‘setup’; id = 4} | select message |<\/p>\n

Select-String -Pattern ‘kb\\d*’ -AllMatches | select matches<\/p>\n

Note <\/strong> I use a simple RegEx pattern here. For more information about Windows PowerShell and Regular Expressions refer to this collection of Hey, Scripting Guy! Blog posts<\/a>.<\/p>\n

The output is exactly what I wanted to see, as shown here:<\/p>\n

\"Image<\/a><\/p>\n

Join me tomorrow when I will talk more about using Windows PowerShell for troubleshooting.<\/p>\n

I invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n

Ed Wilson, Microsoft Scripting Guy<\/strong> <\/p>\n","protected":false},"excerpt":{"rendered":"

Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to review the setup event log. Microsoft Scripting Guy, Ed Wilson, is here. The ticket sales for Windows PowerShell Saturday in Charlotte, North Carolina have been going pretty well. Stay tuned for some pretty exciting news—we may be adding a fourth track to the […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[462,3,4,134,461,45],"class_list":["post-2546","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-powershell-4-0","tag-scripting-guy","tag-scripting-techniques","tag-troubleshooting","tag-windows-8-1","tag-windows-powershell"],"acf":[],"blog_post_summary":"

Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to review the setup event log. Microsoft Scripting Guy, Ed Wilson, is here. The ticket sales for Windows PowerShell Saturday in Charlotte, North Carolina have been going pretty well. Stay tuned for some pretty exciting news—we may be adding a fourth track to the […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/2546","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=2546"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/2546\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=2546"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=2546"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=2546"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}