Search Event Log – 2012 PowerShell Scripting Games Beginner Event #9

The details of the event scenario and the design points for Beginner Event #9 of the 2012 PowerShell Scripting Games can be found on the “Hey, Scripting Guys! Blog”.

Find Veto Shutdown Events in the Application Event Log. A screenshot was provided that contains EventID 10001 and Winsrv as the source. Write a one liner to display the date of occurrence and the application name. Your command should be efficient. Complexity will cost you points.

As noted in the comments section of this scenario, you can generate one of these events by opening notepad and then attempting a shutdown. Click cancel to save the document and then cancel on the force shutdown message. The one thing the comment didn’t state is that you must type something into notepad and it must be unsaved, that’s how you’ll end up with these prompts otherwise your machine will just shutdown without any prompts.

This one was fairly tricky and simple at the same time. I went back and forth between using Get-EventLog and Get-WinEvent, but decided that Get-EventLog would be less complex which was one of the design points.

Here’s one of the Get-WinEvent commands I worked on. The -FilterXPath parameter seems to be something that there isn’t much documentation on. The only decent documentation I found on this parameter was in Chapter 23 of Lee Holmes’s (@Lee_Holmes) “Windows PowerShell Cookbook, Second Edition” book.

Once I figured out what the full name of the “Source” was and that only the veto events generated InstanceID 10001 in that particular source, this one wasn’t too difficult. Here’s the script I submitted:

In hindsight, I should have piped to Select-Object instead of Format-Table since the results would have been the same and it’s always preferable to return an object. Boe Prox (@proxb) wrote a blog: “Scripting Games 2012: Know When To Use Format-Table” that discusses this subject in detail. His blog teaches you why to Filter | Select | Sort.

This screenshot shows you how much more efficient the Get-WinEvent command (.177 seconds) is than the Get-EventLog command (7.74 seconds) and that’s only with two of these events in the log. The difference seems to be even greater with more log entries.

View my entry for this event on the PowerShell Code Repository site.

µ

1 Comment

  1. matt benton @ruddawg26

    Outstanding write up, what i think is funny is that i lost a star it seems (only comment I got on the script) because i used select-object instead of the format-object. The comment said this script is simpler and that was the only difference. But I agree with you (especially after reading Boe Prox’s blog). Congrats on all your scripts, you got a head of me too early that i couldn’t catch up. I got close though.

    Reply

Leave a Reply

%d bloggers like this: