{"id":3240,"date":"2013-07-14T00:01:00","date_gmt":"2013-07-14T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2013\/07\/14\/weekend-scripter-use-powershell-to-get-boot-up-trace-events\/"},"modified":"2013-07-14T00:01:00","modified_gmt":"2013-07-14T00:01:00","slug":"weekend-scripter-use-powershell-to-get-boot-up-trace-events","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/weekend-scripter-use-powershell-to-get-boot-up-trace-events\/","title":{"rendered":"Weekend Scripter: Use PowerShell to Get Boot-Up Trace Events"},"content":{"rendered":"

Summary<\/strong>: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to get boot-up trace events.<\/span><\/p>\n

Microsoft Scripting Guy, Ed Wilson, is here. This morning I am sipping the last of my English Breakfast tea with a little lemon grass and a crushed cinnamon stick. Not sure how I ran out of English Breakfast tea, but I did. Oh well. I still have Darjeeling tea—I just normally do not drink it first thing in the morning. I guess it is time to place an order to my favorite tea broker.<\/p>\n

Anyway…<\/p>\n

Anyone who knows anything about Windows knows that the three traditional event logs (System, Application, and Security) are not the be-all and end-all of logging and event gathering. For over six years, we have also had Event Tracing for Windows (ETW)<\/a>. Luckily, Windows PowerShell 2.0 introduced the Get-WinEvent<\/strong> cmdlet, which permits access to these trace logs.<\/p>\n

Note<\/strong>  If you actually have a boot performance issue, you may want to read Jeff Stokes’ blog post How to collect a good boot trace on Windows 7<\/a>.<\/p>\n

Picking up boot up trace events<\/h2>\n

One thing to keep in mind, is that some of the trace event logs require Admin rights. Windows PowerShell does not bypass security, rather it honors it. Therefore, if I need to access trace logs that require Admin rights, the easiest way to do this is to launch Windows PowerShell with Admin rights. If I do not, I see errors, such as these:<\/p>\n

\"Image<\/a><\/p>\n

I right-click the Windows PowerShell ISE icon, and select Run as administrator<\/strong>:<\/p>\n

\"Image<\/a><\/p>\n

Now that I have the Windows PowerShell ISE running with Admin rights, it is time to write the script.<\/p>\n

I first obtain the boot-up time. This code is shown here:<\/p>\n

$bootTime = (Get-CimInstance win32_Operatingsystem).lastbootuptime<\/p>\n

“Boot time is $($bootTime)”<\/p>\n

Now I use the Get-WinEvent<\/strong> cmdlet to obtain a list of all of the event trace logs. I then use the Foreach<\/strong> command to walk through the collection as shown here:<\/p>\n

Foreach($log in Get-WinEvent -ListLog *)<\/p>\n

In my script block, I first display the name of each log:<\/p>\n

“Events from $($log.Logname) event log”<\/p>\n

Now I use the Get-WinEvent<\/strong> cmdlet to get all the log entries. I use the –ea 0<\/strong> parameter because an error arises if the event log does not have entries. The command is shown here:<\/p>\n

Get-WinEvent -LogName $log.Logname -ea 0 <\/p>\n

In the following script, I pipe the entries to a Where-Object<\/strong> command and filter out five minutes after boot time:<\/p>\n

where {$_.timecreated -gt $bootTime -and $_.timecreated -lt $bootTime.AddMinutes(5)}<\/p>\n

Here is the completed script:<\/p>\n

$bootTime = (Get-CimInstance win32_Operatingsystem).lastbootuptime<\/p>\n

“Boot time is $($bootTime)”<\/p>\n

Foreach($log in Get-WinEvent -ListLog *)<\/p>\n

 {<\/p>\n

  “Events from $($log.Logname) event log”<\/p>\n

  Get-WinEvent -LogName $log.Logname -ea 0 |<\/p>\n

  where {$_.timecreated -gt $bootTime -and $_.timecreated -lt $bootTime.AddMinutes(5)}<\/p>\n

  }<\/p>\n

The script is a bit slow in running, and I could certainly improve the efficiency by moving the time filter to the left of the pipeline (inside the Get-WinEvent<\/strong> cmdlet). As it is written, it gets every entry from every log, and then it filters it. This is inefficient. What keeps it from being a real performance dog is the pipeline.<\/p>\n

If this was a script that I wanted to run more than once, I would most certainly “fix” it and improve the performance. But for a quick script that took less than five minutes to write, it is fine. The results from running the script are shown here:<\/p>\n

\"Image<\/a><\/p>\n

I invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n

Ed Wilson, Microsoft Scripting Guy<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"

Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to get boot-up trace events. Microsoft Scripting Guy, Ed Wilson, is here. This morning I am sipping the last of my English Breakfast tea with a little lemon grass and a crushed cinnamon stick. Not sure how I ran out of English Breakfast tea, […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[97,98,3,61,45],"class_list":["post-3240","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-event-logs","tag-logs-and-monitoring","tag-scripting-guy","tag-weekend-scripter","tag-windows-powershell"],"acf":[],"blog_post_summary":"

Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to get boot-up trace events. Microsoft Scripting Guy, Ed Wilson, is here. This morning I am sipping the last of my English Breakfast tea with a little lemon grass and a crushed cinnamon stick. Not sure how I ran out of English Breakfast tea, […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/3240","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=3240"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/3240\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=3240"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=3240"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=3240"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}