{"id":3245,"date":"2013-07-13T00:01:00","date_gmt":"2013-07-13T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2013\/07\/13\/weekend-scripter-use-powershell-to-get-startup-event-log-entries\/"},"modified":"2013-07-13T00:01:00","modified_gmt":"2013-07-13T00:01:00","slug":"weekend-scripter-use-powershell-to-get-startup-event-log-entries","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/weekend-scripter-use-powershell-to-get-startup-event-log-entries\/","title":{"rendered":"Weekend Scripter: Use PowerShell to Get Startup Event Log Entries"},"content":{"rendered":"<p><strong style=\"font-size: 12px\">Summary<\/strong><span style=\"font-size: 12px\">: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to query event logs for entries created during startup.<\/span><\/p>\n<p>Microsoft Scripting Guy, Ed Wilson, is here. One of the things that annoys me is when something changes on my laptop, and I know that I did not do anything to directly cause the change. Obviously, I did something&mdash;but maybe not directly. For example, if I install a piece of software, and it also installs two or three startup services that go off and do this, that, or the other, without providing me the opportunity to choose, then I have changed something, but not directly.<\/p>\n<p>In fact, I would say that poorly designed and badly behaved software is the chief cause of me reinstalling Windows on my laptop. Whereas I used to reinstall Windows every six months, I have gotten away from that habit in recent years. However, all of these unintended startup services and applications are killing the performance of my laptop. It is so bad now that I boot my laptop, and then I go do stuff. I come back, log on, and then go off and do more stuff. 
It is either that, or wait for about 15 minutes after logon before my laptop finally settles down enough to get some work done.<\/p>\n<p>Now I do not really have to wipe and reinstall (although that is always an option). I can use the tools built into Windows to troubleshoot and to diagnose the culprits. For me, the chief diagnostic tool is Windows PowerShell.<\/p>\n<h2>Query multiple event logs<\/h2>\n<p>One of the best ways to troubleshoot anything in the Windows environment is to examine the appropriate event log. Unfortunately, with dozens of event logs, it is often a trick to know which log to examine. This is where Windows PowerShell shines. There are two cmdlets to work with event logs:<\/p>\n<ul>\n<li><strong>Get-EventLog<\/strong>: Accesses classic event logs (such as Application, System, and Security)<\/li>\n<li><strong>Get-WinEvent<\/strong>: Accesses more modern logging and tracing<\/li>\n<\/ul>\n<p>Today I am going to use the <strong>Get-EventLog<\/strong> cmdlet and look at the classic event logs. There are more than three classic event logs. In fact, I can use the <strong>Get-EventLog<\/strong> cmdlet to list all available classic event logs. To do this, I supply the <strong>-List<\/strong> switch to the <strong>Get-EventLog<\/strong> cmdlet as shown here:<\/p>\n<p style=\"padding-left: 30px\">Get-EventLog -List<\/p>\n<p>The command and the output associated with the command are shown in the following image:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/0211.hsg-7-13-13-01.png\"><img decoding=\"async\" title=\"Image of command output\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/0211.hsg-7-13-13-01.png\" alt=\"Image of command output\" \/><\/a><\/p>\n<h2>Nearly a dozen classic event logs<\/h2>\n<p>So on my laptop, there are nearly a dozen classic event logs. On other computers, I have even more classic event logs. 
Note that the Security event log does not supply any information. This is because the Windows PowerShell prompt where I took the screenshot was not elevated with Admin credentials, and Admin credentials are required to read the Security event log.<\/p>\n<p>If there can be as few as three or more than a dozen classic event logs, how do I know which ones to query for information related to startup events? I might think that the Media Center log does not have anything, but then again it might. What if, when I installed the Media Center registration code on my laptop, thereby enabling Media Center, it created some strange startup process that enumerates media files and adds them to the catalog? I am just guessing, but stranger things have happened. So I do not want to exclude that log.<\/p>\n<h2>The easy way to query all classic event logs<\/h2>\n<p>The easy way to query all classic event logs is to obtain a list of all the logs, and then feed it to the <strong>Get-EventLog<\/strong> cmdlet to do the query. But first, I need to get the startup time of my system, so I know where to begin my search. To get the startup time of my system, I can easily query WMI for the information. This is shown here:<\/p>\n<p style=\"padding-left: 30px\">$bootTime = (Get-CimInstance win32_Operatingsystem).lastbootuptime<\/p>\n<p>Now that I have the boot-up time of my computer, I can use it in a query. I want to filter event log entries that occur beginning at boot-up time, and for events that occur up to five minutes after boot. I might need to adjust this later, but this will give me something with which to work.<\/p>\n<p>Because the <strong>$bootTime<\/strong> variable contains an actual <strong>DateTime<\/strong> object, I can call methods on the <strong>DateTime<\/strong> object. I want to use the <strong>AddMinutes<\/strong> method to add five minutes to control my outer limit for event log entries. 
Here is the <strong>Get-EventLog<\/strong> query for this:<\/p>\n<p style=\"padding-left: 30px\">Get-EventLog -LogName $log.Log -After $bootTime -Before $bootTime.AddMinutes(5) -ea 0<\/p>\n<p>So where does the <strong>EventLog<\/strong> name come from? I get it from the <strong>Get-EventLog<\/strong> <strong>-List<\/strong> command. I put this inside a <strong>Foreach<\/strong> loop. Here is that part of the command:<\/p>\n<p style=\"padding-left: 30px\">Foreach($log in Get-EventLog -List)<\/p>\n<p>The complete script is shown here:<\/p>\n<p style=\"padding-left: 30px\">$bootTime = (Get-CimInstance win32_Operatingsystem).lastbootuptime<\/p>\n<p style=\"padding-left: 30px\">&quot;Boot time is $($bootTime)&quot;<\/p>\n<p style=\"padding-left: 30px\">Foreach($log in Get-EventLog -List)<\/p>\n<p style=\"padding-left: 30px\">&nbsp;{<\/p>\n<p style=\"padding-left: 30px\">&nbsp; &quot;Events from $($log.Log) event log&quot;<\/p>\n<p style=\"padding-left: 30px\">&nbsp; Get-EventLog -LogName $log.Log -After $bootTime -Before $bootTime.AddMinutes(5) -ea 0<\/p>\n<p style=\"padding-left: 30px\">&nbsp; }<\/p>\n<p>When I run the script, the following output appears in the output pane of the Windows PowerShell ISE.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/5504.hsg-7-13-13-02.png\"><img decoding=\"async\" title=\"Image of command output\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/5504.hsg-7-13-13-02.png\" alt=\"Image of command output\" \/><\/a><\/p>\n<p>Well, I am going to spend some time looking over this output, and I will probably play with it later. Talk to you tomorrow.<\/p>\n<p>I invite you to follow me on <a href=\"http:\/\/bit.ly\/scriptingguystwitter\" target=\"_blank\">Twitter<\/a> and <a href=\"http:\/\/bit.ly\/scriptingguysfacebook\" target=\"_blank\">Facebook<\/a>. 
If you have any questions, send email to me at <a href=\"mailto:scripter@microsoft.com\" target=\"_blank\">scripter@microsoft.com<\/a>, or post your questions on the <a href=\"http:\/\/bit.ly\/scriptingforum\" target=\"_blank\">Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n<p><strong>Ed Wilson, Microsoft Scripting Guy<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to query event logs for entries created during startup. Microsoft Scripting Guy, Ed Wilson, is here. One of the things that annoys me is when something changes on my laptop, and I know that I did not do anything to directly cause the change. [&hellip;]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[97,42,3,61,45],"class_list":["post-3245","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-event-logs","tag-events-and-monitoring","tag-scripting-guy","tag-weekend-scripter","tag-windows-powershell"],"acf":[],"blog_post_summary":"<p>Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to query event logs for entries created during startup. Microsoft Scripting Guy, Ed Wilson, is here. One of the things that annoys me is when something changes on my laptop, and I know that I did not do anything to directly cause the change. 
[&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/3245","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=3245"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/3245\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=3245"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=3245"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=3245"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}