Mimic event viewer filtering with Get-WinEvent

This topic is 2 years and 1 month old and has exceeded the time allowed for comments. Please begin a new topic or use the search feature to find a similar but newer topic.

Mimic event viewer filtering with Get-WinEvent

Post by localpct »

I'm trying to find my critical shutdowns, then find the events 10 mins prior and 1 min post. Is something like below a good start?
$Events = Invoke-Command -Session $s -ScriptBlock {
    # Anchor on Critical (Level 1) System events from the last two days, oldest first.
    # -ErrorAction SilentlyContinue stops "No events were found" from surfacing as an error.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 1; StartTime = (Get-Date).AddDays(-2) } -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            $Event = $_
            # Everything from Critical down to Information, 10 minutes before to 1 minute after the anchor
            Get-WinEvent -FilterHashtable @{
                LogName   = 'System'
                Level     = 1, 2, 3, 4
                StartTime = $Event.TimeCreated.AddMinutes(-10)
                EndTime   = $Event.TimeCreated.AddMinutes(1)
            } -ErrorAction SilentlyContinue
        }
} | Select-Object LevelDisplayName, Message, TimeCreated, ProviderName, Id -Unique | Sort-Object TimeCreated
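An added example, not localpct's or jvierra's code and not part of the original thread, that does the same job with a single query instead of one extra query per Critical event, and also shows the XPath that Event Viewer's own "Filter Current Log" dialog produces for the same criteria. The function name and its parameters are my own; it runs on the target machine, either locally or passed into Invoke-Command.

```powershell
# Added example: one pass over the System log, then window around each Critical event in memory.
function Get-CriticalShutdownContext {
    [CmdletBinding()]
    param(
        [int]$Days   = 2,    # how far back to look for Critical events
        [int]$Before = 10,   # minutes of context before each Critical event
        [int]$After  = 1     # minutes of context after it
    )

    $start = (Get-Date).AddDays(-$Days)

    # A single query that covers every record we could need: Level 1-4 across the whole window.
    # Get-WinEvent returns newest first, so sort ascending once here rather than after each sub-query.
    $all = Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Level     = 1, 2, 3, 4
        StartTime = $start
    } -ErrorAction SilentlyContinue | Sort-Object TimeCreated

    if (-not $all) { return }   # nothing logged in the window; avoid the "No events were found" error

    # Critical (Level 1) events are the anchors; everything else is context around them.
    $criticals = $all | Where-Object Level -eq 1

    foreach ($crit in $criticals) {
        $winStart = $crit.TimeCreated.AddMinutes(-$Before)
        $winEnd   = $crit.TimeCreated.AddMinutes($After)

        # Tag each context record with the anchor it belongs to, so overlapping
        # windows from two nearby Critical events stay distinguishable.
        $all |
            Where-Object { $_.TimeCreated -ge $winStart -and $_.TimeCreated -le $winEnd } |
            Select-Object @{ n = 'Anchor'; e = { $crit.TimeCreated } },
                          TimeCreated, LevelDisplayName, Id, ProviderName, Message
    }
}

# The same "Critical, last N days" criteria the way Event Viewer's filter dialog writes it:
# timediff(@SystemTime) is milliseconds before now, so 2 days = 172800000.
function Get-CriticalEventsByXPath {
    param([int]$Days = 2)
    $xpath = "*[System[(Level=1) and TimeCreated[timediff(@SystemTime) <= $($Days * 86400000)]]]"
    Get-WinEvent -LogName 'System' -FilterXPath $xpath -ErrorAction SilentlyContinue
}

# Local use:
#   Get-CriticalShutdownContext -Days 2 -Before 10 -After 1 | Format-Table -AutoSize
# Against an existing PSSession $s (assumed, as in the original post), shipping the function body over:
#   Invoke-Command -Session $s -ScriptBlock ${function:Get-CriticalShutdownContext} -ArgumentList 2, 10, 1
```

One pass is cheaper on a busy box because the event log service only has to walk the System log once; the per-anchor windows are then plain object comparisons in PowerShell. Copying the XPath from Event Viewer's XML tab into -FilterXPath is the most literal way to "mimic" a filter you have already built in the GUI, with the caveat that FilterXPath does not accept the StartTime/EndTime keys, so time bounds have to be expressed with timediff as shown.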

Re: Mimic event viewer filtering with Get-WinEvent

Post by jvierra »

Looks OK but might run very slow on busy systems. The end sort should be unnecessary as you are doing a time-linear query already.

Re: Mimic event viewer filtering with Get-WinEvent

Post by localpct »

Busy systems shouldn't be an issue, as we all have new HW with NVMe disks. I think I'm engineering this wrong, but it's nice to know I'm on the right track.

I was also reminded that the .evtx files (I think) are stored in the Windows directory, so I might just invoke them directly instead of toying with the registry... decisions, decisions.

Re: Mimic event viewer filtering with Get-WinEvent

Post by jvierra »

EVTX files are XML files stored in the file system. They cannot be accessed or queried directly. The Registry has absolutely nothing to do with the event logging system. There is no faster way to extract records from those databases.

The speed of extraction depends mostly on the rate event records are generated. All queries are run at a lower priority. Not much you can do about that. If the system is busy the query will be noticeably slower.

We usually run large event queries at night or off hours. Also, you can ship records as they are created via a scheduled log replication task. Ship to a workstation or maintenance server. This would be the preferred method for any repetitive query.

Re: Mimic event viewer filtering with Get-WinEvent

Post by localpct »

I misspoke about the registry.
We'll detect the event and use an existing process to copy the needed files from C:\Windows\System32\winevt\Logs and grab the .dmp files for debugging.

Re: Mimic event viewer filtering with Get-WinEvent

Post by jvierra »

It is impossible to understand what you are asking or saying. DMP files are not in that folder. That folder is owned by the system event process and does not contain any files useful for debugging.

Get-WinEvent only reads loaded event log files. What does that have to do with debugging? Debugging what?

Re: Mimic event viewer filtering with Get-WinEvent

Post by localpct »

I need to show the rookies the event logs, how to filter them, and finally the corresponding dmp files I’ll load into WinDbg.

It’s okay, on to the next issue :). I appreciate you helping me with this effort as always.
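An added example, not localpct's copy process and not code from anyone in the thread, for the goal stated in the last post: read a System.evtx that has already been copied out of C:\Windows\System32\winevt\Logs with Get-WinEvent -Path, pull the Critical events from it, and list any .dmp files written close to each one so the right dump can be opened in WinDbg. The function name, the D:\collected path, the 15-minute match window, and the C:\Windows\Minidump default are assumptions; point them at wherever your collection drops the files.

```powershell
# Added example: offline triage of a copied .evtx plus the minidumps that go with it.
function Get-CrashEvidence {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$EvtxPath,           # a copied System.evtx (assumed path in usage below)
        [string]$DumpDir = 'C:\Windows\Minidump',           # Windows' default minidump folder (assumption: adjust if relocated)
        [int]$DumpWindowMinutes = 15                        # match a .dmp if written within this many minutes of the event
    )

    if (-not (Test-Path -LiteralPath $EvtxPath)) { throw "No such file: $EvtxPath" }

    # Same hashtable filter as against a live log, but keyed on Path instead of LogName.
    $criticals = Get-WinEvent -FilterHashtable @{ Path = $EvtxPath; Level = 1 } -ErrorAction SilentlyContinue |
                 Sort-Object TimeCreated
    if (-not $criticals) { Write-Verbose "No Critical events in $EvtxPath"; return }

    $dumps = if (Test-Path -LiteralPath $DumpDir) {
        Get-ChildItem -LiteralPath $DumpDir -Filter '*.dmp' -File
    } else { @() }

    foreach ($ev in $criticals) {
        # A dump's LastWriteTime is normally close to the Critical event that records the
        # crash or unclean shutdown; widen $DumpWindowMinutes if your hosts take longer to reboot.
        $matched = $dumps | Where-Object {
            [math]::Abs(($_.LastWriteTime - $ev.TimeCreated).TotalMinutes) -le $DumpWindowMinutes
        }
        [pscustomobject]@{
            TimeCreated = $ev.TimeCreated
            Id          = $ev.Id
            Provider    = $ev.ProviderName
            Message     = ($ev.Message -split "`n")[0]      # first line only, keeps the table readable
            DumpFiles   = ($matched.FullName -join '; ')    # empty when no dump landed in the window
        }
    }
}

# Usage (assumed collection path):
#   Get-CrashEvidence -EvtxPath 'D:\collected\HOST01\System.evtx' -Verbose | Format-Table -AutoSize
# Then, per row:  windbg -z <DumpFile>
```

Because the filter hashtable is identical apart from Path replacing LogName, the same walkthrough works for rookies against a live System log and against a collected copy, which is useful when the original host has already been rebuilt. If the copy is taken with wevtutil epl rather than a raw file copy, the exported .evtx reads the same way.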