Search Event Log – 2012 PowerShell Scripting Games Beginner Event #9

The details of the event scenario and the design points for Beginner Event #9 of the 2012 PowerShell Scripting Games can be found on the Hey, Scripting Guys! Blog.

Find Veto Shutdown Events in the Application Event Log. A screenshot was provided that contains EventID 10001 and Winsrv as the source. Write a one-liner to display the date of occurrence and the application name. Your command should be efficient. Complexity will cost you points.

As noted in the comments section of this scenario, you can generate one of these events by opening Notepad and then attempting a shutdown. Click Cancel on the prompt to save the document, then click Cancel on the force-shutdown message. The one thing the comment didn't state is that you must type something into Notepad and leave it unsaved; that's how you end up with these prompts. Otherwise your machine will simply shut down without any prompts.

This one was fairly tricky and simple at the same time. I went back and forth between using Get-EventLog and Get-WinEvent, but decided that Get-EventLog would be less complex which was one of the design points.

Here's one of the Get-WinEvent commands I worked on. There isn't much documentation on the FilterXPath parameter. The only decent documentation I found on it was in Chapter 23 of Lee Holmes's (@Lee_Holmes) Windows PowerShell Cookbook, Second Edition.

# Filter at the log with an XPath query, then pull the application name and
# response time out of the event's first two properties.
Get-WinEvent -ProviderName Microsoft-Windows-Winsrv -FilterXPath "*[System[(EventID=10001)]]" |
Select-Object TimeCreated, @{l='AppName, ResponseTime';e={$_.Properties[0].Value, $_.Properties[1].Value}}

[Screenshot: output of the Get-WinEvent command (2012sg-be9-11.png)]

Once I figured out what the full name of the "Source" was and that only the veto events generated InstanceID 10001 in that particular source, this one wasn't too difficult. Here's the script I submitted:

# Only the veto events carry InstanceId 10001 for this source, so no further
# filtering is needed; ReplacementStrings holds the application name.
Get-EventLog -LogName Application -Source Microsoft-Windows-Winsrv -InstanceId 10001 |
Format-Table TimeGenerated, ReplacementStrings

[Screenshot: output of the submitted Get-EventLog command (2012sg-be9-21.png)]

In hindsight, I should have piped to Select-Object instead of Format-Table, since the results would have been the same and it's always preferable to return an object. Boe Prox (@proxb) wrote a blog post, Scripting Games 2012: Know When To Use Format-Table, that discusses this subject in detail and explains why you should Filter | Select | Sort.

This screenshot shows how much more efficient the Get-WinEvent command (0.177 seconds) is than the Get-EventLog command (7.74 seconds), and that's with only two of these events in the log. The difference seems to be even greater with more log entries.

[Screenshot: Measure-Command timings for the two commands (2012sg-be9-32.png)]
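As an added example that is not part of the original post, here is the same query written with Get-WinEvent's FilterHashtable parameter, which filters at the log like FilterXPath does but reads more plainly, returning objects with separate AppName and ResponseTime properties, followed by a Measure-Command timing of both approaches. It assumes, as the post's own calculated property does, that the event's first two properties are the application name and the response time.

```powershell
# Added example, not the original post's code. Server-side filter for the
# Winsrv shutdown-veto events; every key here is a documented FilterHashtable key.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-Winsrv'
    Id           = 10001
}

# Return real objects (not a formatted table) so the caller can still
# Sort-Object, Where-Object or Export-Csv the result.
# Assumption: Properties[0] is the application name, Properties[1] the response time.
$vetoes = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ Name = 'AppName';      Expression = { $_.Properties[0].Value } },
        @{ Name = 'ResponseTime'; Expression = { $_.Properties[1].Value } }

$vetoes

# Reproduce the post's efficiency comparison; absolute numbers vary per machine,
# but Get-WinEvent filters inside the log while Get-EventLog reads it all first.
$winEvent = Measure-Command {
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | Out-Null
}
$eventLog = Measure-Command {
    Get-EventLog -LogName Application -Source Microsoft-Windows-Winsrv -InstanceId 10001 |
        Out-Null
}
'Get-WinEvent: {0:N3}s   Get-EventLog: {1:N3}s' -f $winEvent.TotalSeconds, $eventLog.TotalSeconds
```

-ErrorAction SilentlyContinue keeps Get-WinEvent from raising its "No events were found" error on a machine where no veto has been logged yet.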
