{"id":73141,"date":"2015-09-25T00:01:00","date_gmt":"2015-09-25T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2015\/09\/25\/a-tale-of-two-powershell-cmdlets\/"},"modified":"2019-02-18T09:35:07","modified_gmt":"2019-02-18T16:35:07","slug":"a-tale-of-two-powershell-cmdlets","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/a-tale-of-two-powershell-cmdlets\/","title":{"rendered":"A Tale of Two PowerShell Cmdlets"},"content":{"rendered":"<p><b style=\"font-size:12px\">Summary<\/b><span style=\"font-size:12px\">: Ed Wilson, Microsoft Scripting Guy, talks about using Windows PowerShell to explore classic event logs.<\/span><\/p>\n<p>Microsoft Scripting Guy, Ed Wilson, is here. When you get to version five of anything, you already begin to see signs of strain and pain. I mean, take Windows NT 5.0, for example. Oh yeah. That one was delayed for about five years, and it eventually became Windows 2000.<\/p>\n<p>Part of the reason is that no matter how good the original version or vision was, things change. Priorities change. And more often than not, computers and technology change. Often, it is easier to create a new tool than to retrofit an old tool. But you can&rsquo;t just give up on the old tool, so you end up with two (or more) tools that do the same job, only differently.<\/p>\n<p>In Windows PowerShell, there are at least five ways of querying event logs. I am not going to catalogue them here, nor am I going to mention them all. But if you have been scripting for very long, you can probably figure them out for yourself. 
This is because several techniques that you may have used in other scripting languages (such as VBScript) remain valid in Windows PowerShell.<\/p>\n<p>But even &ldquo;native&rdquo; Windows PowerShell has two clearly defined ways of querying event logs:<\/p>\n<ul>\n<li>The <b>Get-EventLog<\/b> cmdlet<\/li>\n<li>The rather obscurely named <b>Get-WinEvent<\/b> cmdlet<\/li>\n<\/ul>\n<p>To really make things confusing, we also have <b>Get-Event<\/b>, and it has absolutely nothing to do with event logs.<\/p>\n<p>The reason that <b>Get-WinEvent<\/b> is obscurely named is that <b>Get-EventLog<\/b> came out in Windows PowerShell&nbsp;1.0; and therefore, it grabbed the best cmdlet name for querying event logs. The <b>Get-WinEvent<\/b> cmdlet could have been called <b>Get-MoreEventLogs<\/b>, but cmdlet names prefer the singular, and it would have sounded really strange if it had been named <b>Get-MoreEventLog<\/b>. The issue with <b>Get-WinEvent<\/b> as a name is that it sounds like it has more to do with eventing (as a subsystem) than with event logs.<\/p>\n<p>Oh, well. What&rsquo;s the difference anyway? Well, if you think about it, why did we create a second cmdlet to query event logs? For the record, <b>Get-WinEvent<\/b> came out in Windows PowerShell&nbsp;2.0. It is a very powerful cmdlet. It can query not only the classic event logs, but also the event log channels introduced with Windows Vista, the Event Tracing for Windows (ETW) logs, and saved .evtx, .evt, and .etl files. This makes it a highly valuable tool for diagnostics.<\/p>\n<p>Now, you just might be thinking, &quot;Yeah, but&hellip;,&quot; and you would be right. Whenever we say &quot;powerful&quot; and &quot;flexible,&quot; we can also insert the ominous word &quot;complicated.&quot; And that is the problem.<\/p>\n<p>For example, if I want to get events from the application log that occurred on September 24, 2015, I can easily use the <b>Get-EventLog<\/b> cmdlet. Tab expansion works great, and it will take me about a second to type the query. 
The command is shown here:<\/p>\n<p style=\"margin-left:30px\">Get-EventLog -LogName application -After &quot;9\/24\/15&quot; -Before &quot;9\/25\/15&quot;<\/p>\n<p>But getting the same information with the <b>Get-WinEvent<\/b> cmdlet requires a rather complicated filter hash table. To compose it, I have to keep the full <b>Get-Help<\/b> output at hand so that I know which keys the hash table accepts. I come up with the following command:<\/p>\n<p style=\"margin-left:30px\">Get-WinEvent -FilterHashtable @{Logname=&#039;application&#039;;starttime=&#039;9\/24\/15&#039;;endtime=&#039;9\/25\/15&#039;}<\/p>\n<p>Both commands work, but the second is much more difficult to compose. Note that both commands parse the date strings according to the current culture, so &quot;9\/24\/15&quot; means September 24 only on a system with US-style date settings; pass <b>[datetime]<\/b> values if the script has to run elsewhere. One thing that is cool about this command is that it automatically sorts the output by provider name. This can be useful when troubleshooting errors. The output is shown in the following image:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-9-25-15-01.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-9-25-15-01.png\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>On the other hand, the <b>Get-WinEvent<\/b> command is more than four times faster than the corresponding <b>Get-EventLog<\/b> command. To measure this, I use the <b>Measure-Command<\/b> cmdlet, and here is the output:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-9-25-15-02.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-9-25-15-02.png\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>The great thing is that we have two cmdlets for querying event logs. One is super easy to use, and one is super fast. One is rather basic, and one is very powerful. Which do I need? Well, I need both! 
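<\/p>\n<p>Here is an added example that is not part of the original post: one function that runs both queries over the same one-day window, times each with <b>Measure-Command<\/b>, and shows how the <b>-FilterHashtable<\/b> grows as you add keys (<b>Id<\/b>, <b>ProviderName<\/b>) that the classic cmdlet cannot push to the log service. It builds the window from <b>[datetime]<\/b> values rather than from culture-dependent strings, so the query means the same thing on any regional setting. The function names, the default log and date, and the second usage line are my own choices, not anything from the post. It assumes Windows PowerShell 5.1 on a machine where the named log is readable; if you point it at the Security log you need an elevated session or membership in the Event Log Readers group. On PowerShell 7, where <b>Get-EventLog<\/b> no longer exists, the classic half is skipped and only the <b>Get-WinEvent<\/b> half runs.<\/p>
```powershell
# Added example, not code from the original post.
# Assumes Windows PowerShell 5.1; on PowerShell 7 Get-EventLog is absent,
# so the classic query is skipped and only Get-WinEvent runs.

function Get-DayWindow {
    # Build the window from integer parts instead of a date string, so
    # 24 September stays 24 September regardless of the culture settings.
    param([int]$Year, [int]$Month, [int]$Day)
    $start = [datetime]::new($Year, $Month, $Day)
    return @{ Start = $start; End = $start.AddDays(1) }
}

function Compare-EventLogQuery {
    param(
        [string]$LogName = 'Application',
        [hashtable]$Window = (Get-DayWindow -Year 2015 -Month 9 -Day 24),
        [int[]]$Id,             # optional: only these event IDs
        [string[]]$Provider     # optional: only these providers (the classic Source column)
    )

    # Classic cmdlet. It reads every record of the log and filters on the
    # client, so narrowing by ID or source is just a Where-Object afterwards.
    $classic = $null
    $script:fromClassic = $null
    if (Get-Command Get-EventLog -ErrorAction SilentlyContinue) {
        $classic = Measure-Command {
            $script:fromClassic = @(
                Get-EventLog -LogName $LogName -After $Window.Start -Before $Window.End |
                    Where-Object {
                        (-not $Id -or $Id -contains $_.EventID) -and
                        (-not $Provider -or $Provider -contains $_.Source)
                    }
            )
        }
    }

    # Get-WinEvent: every filter is a key of one hash table. LogName, StartTime
    # and EndTime mirror the post; Id and ProviderName are added only when
    # supplied, because an empty value would make the query fail.
    $filter = @{ LogName = $LogName; StartTime = $Window.Start; EndTime = $Window.End }
    if ($Id)       { $filter.Id = $Id }
    if ($Provider) { $filter.ProviderName = $Provider }

    $modern = Measure-Command {
        # With no matching events Get-WinEvent reports an error rather than
        # an empty result, so silence it and let @() produce the empty array.
        $script:fromModern = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    }

    $classicCount = $null
    $classicMs    = $null
    if ($null -ne $classic) {
        $classicCount = $script:fromClassic.Count
        $classicMs    = [int]$classic.TotalMilliseconds
    }

    # Render the hash table so the reader sees exactly what was sent.
    $filterText = ($filter.Keys | Sort-Object | ForEach-Object {
        '{0}={1}' -f $_, ($filter[$_] -join ',')
    }) -join '; '

    [pscustomobject]@{
        LogName      = $LogName
        Filter       = $filterText
        ClassicCount = $classicCount
        ClassicMs    = $classicMs
        ModernCount  = $script:fromModern.Count
        ModernMs     = [int]$modern.TotalMilliseconds
    }
}

# The query from the post, then the same idea narrowed to one provider in the System log.
Compare-EventLogQuery
Compare-EventLogQuery -LogName 'System' -Provider 'Service Control Manager'
```
<p>Two things are worth checking in the output. The counts from both halves should agree for the same window and provider; if they do not, the usual cause is the date window, since <b>-After<\/b> and <b>-Before<\/b> take the same <b>[datetime]<\/b> objects as <b>StartTime<\/b> and <b>EndTime<\/b> only when you pass them explicitly. And the gap in milliseconds widens with the size of the log, because <b>Get-EventLog<\/b> reads every record and filters afterwards, whereas <b>-FilterHashtable<\/b> is turned into a structured query that the event log service evaluates before anything is returned.<\/p>\n<p>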
And that is the great thing about a mature product&hellip;choices!<\/p>\n<p>Join me tomorrow when I will talk about more cool stuff.<\/p>\n<p>I invite you to follow me on <a href=\"http:\/\/bit.ly\/scriptingguystwitter\" target=\"_blank\">Twitter<\/a> and <a href=\"http:\/\/bit.ly\/scriptingguysfacebook\" target=\"_blank\">Facebook<\/a>. If you have any questions, send email to me at <a href=\"mailto:scripter@microsoft.com\" target=\"_blank\">scripter@microsoft.com<\/a>, or post your questions on the <a href=\"http:\/\/bit.ly\/scriptingforum\" target=\"_blank\">Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n<p><b>Ed Wilson, Microsoft Scripting Guy<\/b><span style=\"font-size:12px\">&nbsp;<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary: Ed Wilson, Microsoft Scripting Guy, talks about using Windows PowerShell to explore classic event logs. Microsoft Scripting Guy, Ed Wilson, is here. When you get to version five of anything, you already begin to see signs on strain and pain. I mean, take Windows NT 5.0, for example. Oh yeah. That one was delayed [&hellip;]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[618,3,45],"class_list":["post-73141","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-logging-and-events","tag-scripting-guy","tag-windows-powershell"],"acf":[],"blog_post_summary":"<p>Summary: Ed Wilson, Microsoft Scripting Guy, talks about using Windows PowerShell to explore classic event logs. Microsoft Scripting Guy, Ed Wilson, is here. When you get to version five of anything, you already begin to see signs on strain and pain. I mean, take Windows NT 5.0, for example. Oh yeah. 
That one was delayed [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/73141","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=73141"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/73141\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=73141"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=73141"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=73141"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}