Search Event Log – 2012 PowerShell Scripting Games Beginner Event #9
The details of the event scenario and the design points for Beginner Event #9 of the 2012 PowerShell Scripting Games can be found on the Hey, Scripting Guys! Blog.
Find Veto Shutdown Events in the Application Event Log. A screenshot was provided that contains EventID 10001 and Winsrv as the source. Write a one-liner to display the date of occurrence and the application name. Your command should be efficient. Complexity will cost you points.
As noted in the comments section of this scenario, you can generate one of these events by opening Notepad and then attempting a shutdown. Click Cancel on the save-document prompt and then Cancel on the force-shutdown message. The one thing the comment didn't state is that you must type something into Notepad and leave it unsaved; that's how you end up with those prompts, otherwise your machine will just shut down without any prompts.
This one was fairly tricky and simple at the same time. I went back and forth between using Get-EventLog and Get-WinEvent, but decided that Get-EventLog would be less complex, which was one of the design points.
Here's one of the Get-WinEvent commands I worked on. There doesn't seem to be much documentation on the FilterXPath parameter. The only decent documentation I found on it was in Chapter 23 of Lee Holmes's (@Lee_Holmes) Windows PowerShell Cookbook, Second Edition.
Get-WinEvent -ProviderName Microsoft-Windows-Winsrv -FilterXPath "*[System[(EventID=10001)]]" |
Select-Object TimeCreated, @{l='AppName, ResponseTime';e={$_.Properties[0].Value, $_.Properties[1].Value}}
Once I figured out what the full name of the "Source" was and that only the veto events generated InstanceID 10001 in that particular source, this one wasn't too difficult. Here's the script I submitted:
Get-EventLog -LogName Application -Source Microsoft-Windows-Winsrv -InstanceId 10001 |
Format-Table TimeGenerated, ReplacementStrings
In hindsight, I should have piped to Select-Object instead of Format-Table, since the results would have been the same and it's always preferable to return an object. Boe Prox (@proxb) wrote a blog post, Scripting Games 2012: Know When To Use Format-Table, that discusses this subject in detail. His post teaches you why to Filter | Select | Sort.
This screenshot shows how much more efficient the Get-WinEvent command (0.177 seconds) is than the Get-EventLog command (7.74 seconds), and that's with only two of these events in the log. The difference seems to be even greater with more log entries.
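The following script is an added example, not the author's submission or either command from the post. It runs both approaches against the same Application log, returns objects through Select-Object rather than Format-Table, and times each with a Stopwatch so the difference described above can be reproduced on any machine. It assumes Windows PowerShell 5.1 on a host where at least one Winsrv 10001 event exists (generate one with the Notepad trick above); the FilterHashtable form is used in place of the post's FilterXPath string because it expresses the same provider-plus-ID filter, and the AppName index follows the post's own use of Properties[0] and ReplacementStrings[0].

```powershell
# Added example: time Get-WinEvent against Get-EventLog for the same veto-shutdown query.
# Assumes Windows PowerShell 5.1 (Get-EventLog was removed in PowerShell 7) and at least
# one Microsoft-Windows-Winsrv 10001 event in the Application log.

# Get-WinEvent: the provider and ID filter is pushed into the event log service, so only
# matching records are read. This hashtable is equivalent to the post's XPath filter
# "*[System[(EventID=10001)]]" scoped to the same provider.
$sw = [System.Diagnostics.Stopwatch]::StartNew()
$fast = Get-WinEvent -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = 'Microsoft-Windows-Winsrv'
            Id           = 10001
        } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
            @{ Name = 'AppName'; Expression = { $_.Properties[0].Value } }
$winEventSeconds = $sw.Elapsed.TotalSeconds

# Get-EventLog: the classic .NET EventLog API enumerates every entry in the log and the
# -Source / -InstanceId filtering happens afterward, which is why it slows down as the
# Application log grows.
$sw.Restart()
$slow = Get-EventLog -LogName Application -Source Microsoft-Windows-Winsrv -InstanceId 10001 -ErrorAction SilentlyContinue |
        Select-Object TimeGenerated,
            @{ Name = 'AppName'; Expression = { $_.ReplacementStrings[0] } }
$eventLogSeconds = $sw.Elapsed.TotalSeconds

# Emit the veto events as objects (date of occurrence and application name), then a
# one-row summary of the timings and a sanity check that both methods found the same
# number of events. .Count on $null is 0 in PowerShell 3.0 and later, so an empty log
# does not throw.
$fast
[PSCustomObject]@{
    'Get-WinEvent (s)' = [math]::Round($winEventSeconds, 3)
    'Get-EventLog (s)' = [math]::Round($eventLogSeconds, 3)
    SameCount          = ($fast.Count -eq $slow.Count)
}
```

Because both pipelines end in Select-Object, the results can be sorted, exported or compared further down the pipeline, which a Format-Table result cannot. The timing gap is not a quirk of this event: any Get-EventLog call reads the entire classic log, so the same pattern (filter at the source with Get-WinEvent, shape the output with Select-Object) applies to any event-log query in a script, and it is the only option on PowerShell 7, where Get-EventLog is not available.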