Mimic event viewer filtering with Get-WinEvent
Forum rules
Do not post any licensing information in this forum.
Any code longer than three lines should be added as code using the 'Select Code' dropdown menu or attached as a file.
I'm trying to find my critical shutdowns, then find the events 10 mins prior and 1 min post. Is something like below a good start?

```powershell
# $s is an existing PSSession to the remote machine
$Events = Invoke-Command -Session $s -ScriptBlock {
    # Critical (Level 1) System events from the last two days, oldest first
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 1; StartTime = (Get-Date).AddDays(-2) } |
        Sort-Object TimeCreated |
        ForEach-Object {
            $Event = $_
            # Everything from Critical to Informational in the window 10 min before to 1 min after each critical event
            Get-WinEvent -FilterHashtable @{
                LogName   = 'System'
                Level     = 1, 2, 3, 4
                StartTime = $Event.TimeCreated.AddMinutes(-10)
                EndTime   = $Event.TimeCreated.AddMinutes(1)
            }
        }
} | Select-Object LevelDisplayName, Message, TimeCreated, ProviderName, Id -Unique | Sort-Object TimeCreated
```
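An added example, not code from the original post, that does the same windowing with a single query over the whole range instead of one query per critical event, and that can also be pointed at a copied .evtx (for example one taken from C:\Windows\System32\winevt\Logs, as discussed later in the thread) so the analysis runs off the production box. The function name, parameter names and the sample file path are assumptions; wrap the call in Invoke-Command -Session $s to run it remotely as in the original.

```powershell
function Get-CriticalEventContext {
    [CmdletBinding()]
    param(
        [string]$LogName = 'System',   # live log (default)
        [string]$Path,                 # or a copied .evtx file; takes precedence over -LogName
        [int]$DaysBack = 2,
        [int]$MinutesBefore = 10,
        [int]$MinutesAfter = 1
    )

    # One query for the whole range at all levels, then window in memory.
    # This avoids one Get-WinEvent round trip per critical event, which is
    # what makes the nested approach slow on a busy log.
    $filter = @{ Level = 1, 2, 3, 4; StartTime = (Get-Date).AddDays(-$DaysBack) }
    if ($Path) { $filter.Path = $Path } else { $filter.LogName = $LogName }

    # Get-WinEvent raises a non-terminating "No events were found" error on an
    # empty result; treat that as an empty set rather than noise in the output.
    $all = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
             Sort-Object TimeCreated)
    $criticals = @($all | Where-Object { $_.Level -eq 1 })

    foreach ($crit in $criticals) {
        $start = $crit.TimeCreated.AddMinutes(-$MinutesBefore)
        $end   = $crit.TimeCreated.AddMinutes($MinutesAfter)
        $all | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -le $end } |
            ForEach-Object {
                [pscustomobject]@{
                    Anchor      = $crit.TimeCreated        # the critical event this row surrounds
                    TimeCreated = $_.TimeCreated
                    Level       = $_.LevelDisplayName
                    Id          = $_.Id
                    Provider    = $_.ProviderName
                    Message     = ($_.Message -split "`n")[0]   # first line only, for a readable table
                }
            }
    }
}

# Live System log on the local machine:
Get-CriticalEventContext | Format-Table -AutoSize

# Against a copied log file (hypothetical path), so nothing is queried on the live host:
# Get-CriticalEventContext -Path 'C:\temp\System.evtx'
```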
Re: Mimic event viewer filtering with Get-WinEvent
Busy systems shouldn’t be an issue as we all have new HW w/ NVME disks. I think I’m engineering this wrong but it’s nice to know I’m on the right track.
I was also reminded the evtx (I think) are stored in the Windows directory so I might just invoke them directly instead of toying with the registry .. decisions, decisions.
Re: Mimic event viewer filtering with Get-WinEvent
EVTXs are XML files stored in the file system. They cannot be accessed or queried directly. The Registry has absolutely nothing to do with the event logging system. There is no faster way to extract records from those databases.
The speed of extraction depends mostly on the rate event records are generated. All queries are run at a lower priority. Not much you can do about that. If the system is busy the query will be noticeably slower.
We usually run large event queries at night or off hours. Also, you can ship records as they are created via a scheduled log replication task. Ship to a workstation or maintenance server. This would be the preferred method for any repetitive query.
Re: Mimic event viewer filtering with Get-WinEvent
I misspoke about the registry.
We'll detect the event and use an existing process to copy the needed files from C:\Windows\System32\winevt\Logs and grab the .dmp files for debugging.
Re: Mimic event viewer filtering with Get-WinEvent
It is impossible to understand what you are asking or saying. DMP files are not in that folder. That folder is owned by the system event process and does not contain any files useful for debugging.
Get-WinEvent only reads loaded event log files. What does that have to do with debugging? Debugging what?
Re: Mimic event viewer filtering with Get-WinEvent
I need to show the rookies the event logs, how to filter them, and finally the corresponding dmp files I’ll load into WinDbg.
It’s okay, on to the next issue. I appreciate you helping me with this effort as always.