TechNet Blogs
Vista Event Logs and PowerShell
Hello Everybody
 
Sorry for the huge delay in posting anything, I promise I will never leave it so long again. 
 
I got asked a question the other day: can I use Get-EventLog to access all the new logs that are in Vista?
 
Which logs am I referring to, you may ask? Well, there are loads of new logs that provide a massive set of troubleshooting information. Here's a screenshot from my Vista laptop that shows some of them:
 
[screenshot: Event Viewer on Vista listing the new logs; not reproduced here]
 
So the question is: can I query the Backup, Bits-Client, DiskDiagnostic and all the other new logs using the Get-EventLog cmdlet?
 
In short, no. You can still get at them from PowerShell, but you have to go through a command-line tool that ships in Vista, wevtutil.exe. To see which logs Get-EventLog can reach, use its -list parameter:
 
PS C:\Users\benp> Get-EventLog -list

  Max(K) Retain OverflowAction        Entries Name
  ------ ------ --------------        ------- ----
  15,168      0 OverwriteAsNeeded       1,381 Application
  15,168      0 OverwriteAsNeeded           0 DFS Replication
  20,480      0 OverwriteAsNeeded           0 Hardware Events
     512      7 OverwriteOlder              0 Internet Explorer
     512      7 OverwriteOlder              0 Key Management Service
   8,192      0 OverwriteAsNeeded           0 Media Center
  16,384      0 OverwriteAsNeeded           0 Microsoft Office Diagnostics
  16,384      0 OverwriteAsNeeded          29 Microsoft Office Sessions

  15,168      0 OverwriteAsNeeded       4,109 System
  15,360      0 OverwriteAsNeeded          40 Windows PowerShell
 
All of the above logs are part of the classic Windows Event Log. All of the other logs in the screenshot, however, are Windows Eventing 6.0 channels, and Get-EventLog does not hook into Windows Eventing 6.0: it goes through the classic event log API, which only knows about the classic logs, so the new channels are simply invisible to it.
 
So how can I get at these logs using PowerShell?  Check out the sample below:
 
PS C:\Users\benp> wevtutil.exe qe Microsoft-Windows-UAC/Operational /c:2 /f:text
Event[0]:
  Log Name: Microsoft-Windows-UAC/Operational
  Source: Microsoft-Windows-UAC
  Date: 2007-10-30T11:14:00.524
  Event ID: 1
  Task: N/A
  Level: Error
  Opcode: Info
  Keyword: N/A
  User: S-1-5-21-1721234763-462695806-1538865281-2692397
  User Name: testdom\benp
  Computer: vista.test.microsoft.com
  Description:
The process failed to handle ERROR_ELEVATION_REQUIRED during the creation of a child process.

This sample reads the UAC Operational log and prints at most 2 events as text (/c:2). Note that wevtutil reads from the oldest event in the log unless you also pass /rd:true, which reverses the direction and returns the most recent events first. (Only 1 event is shown here because there is only 1 entry in the log.)

So yes, I can access these logs from PowerShell, but no, I can't use the Get-EventLog cmdlet to do it. (Later versions of PowerShell, from 2.0 onwards, added a Get-WinEvent cmdlet that reads these logs directly; on Vista with PowerShell 1.0, wevtutil.exe is the tool.) Check out the following link for the detailed syntax of wevtutil.exe:

http://technet2.microsoft.com/windowsserver2008/en/library/d4c791e0-7e59-45c5-aa55-0223b77a48221033.mspx?mfr=true
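The text output above is fine for eyeballing a log, but awkward to filter or sort in PowerShell. The script below is an example added to this post (it is not code from the original post or from the wevtutil documentation) that wraps wevtutil.exe so Eventing 6.0 channels come back as PowerShell objects: it asks wevtutil for RenderedXml output, wraps the bare <Event> elements in a root element, and walks them with PowerShell's XML adapter. The function names Get-WevtLogName and Get-WevtEvent and their parameters are this example's own; it assumes wevtutil.exe is on the PATH (it ships with Vista) and that you can read the channel you ask for (the Security log needs an elevated prompt under UAC). It avoids syntax introduced after PowerShell 1.0, so it should run on a stock Vista box as well as later versions.

```powershell
# Added example, not from the original post or the wevtutil docs: wrap
# wevtutil.exe so Eventing 6.0 channels come back as PowerShell objects.
# Assumptions: wevtutil.exe is on the PATH and the caller can read the
# channel. Function and parameter names are this example's own.

# Counterpart of 'Get-EventLog -list' for the new logs: 'wevtutil el'
# enumerates every channel, classic and Eventing 6.0, one name per line.
function Get-WevtLogName {
    param([string] $Filter = '*')        # wildcard, e.g. 'Microsoft-Windows-UAC*'
    & wevtutil.exe el | Where-Object { $_ -like $Filter }
}

# Query a channel and emit one object per event.
#   -LogName      channel name as listed by Get-WevtLogName
#   -Count        maximum number of events to return          (wevtutil /c:)
#   -XPath        filter over the event XML                   (wevtutil /q:)
#   -OldestFirst  read from the start of the log, not the end (wevtutil /rd:)
function Get-WevtEvent {
    param(
        [string] $LogName = 'Microsoft-Windows-UAC/Operational',
        [int]    $Count   = 10,
        [string] $XPath   = '*',
        [switch] $OldestFirst
    )

    # Numeric level codes used in the <System><Level> element.
    $levelNames = @{ '0' = 'LogAlways'; '1' = 'Critical';    '2' = 'Error';
                     '3' = 'Warning';   '4' = 'Information'; '5' = 'Verbose' }

    # /rd:true returns the newest events first; /f:RenderedXml adds a
    # <RenderingInfo> element carrying the formatted Message and Level name.
    $rd = 'true'
    if ($OldestFirst) { $rd = 'false' }
    $wevtArgs = @('qe', $LogName, "/c:$Count", "/q:$XPath", "/rd:$rd", '/f:RenderedXml')

    # Capture stdout and stderr; stderr lines arrive as ErrorRecord objects.
    $raw    = & wevtutil.exe $wevtArgs 2>&1
    $lines  = @($raw | Where-Object { $_ -is [string] })
    $errors = @($raw | Where-Object { $_ -isnot [string] } | ForEach-Object { [string]$_ })
    if ($LASTEXITCODE -ne 0) {
        throw ("wevtutil.exe qe failed for '$LogName': " + [string]::Join(' ', $errors))
    }
    if ($lines.Count -eq 0) { return }   # no events matched the query

    # wevtutil prints a bare sequence of <Event> elements, which is not a
    # well-formed document, so wrap them in a root element before parsing.
    $xml = [xml] ('<Events>' + [string]::Join("`n", $lines) + '</Events>')

    foreach ($ev in $xml.DocumentElement.ChildNodes) {
        # Classic-style providers put a Qualifiers attribute on EventID, in
        # which case the adapter hands back an element rather than the text.
        $id = $ev.System.EventID
        if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }

        # Prefer the rendered level name; fall back to the numeric code table.
        $level = [string] $ev.RenderingInfo.Level
        if (-not $level) { $level = $levelNames[[string] $ev.System.Level] }

        # The XML carries only the SID; the /f:text output resolves it to a name.
        $sid = [string] $ev.System.Security.UserID

        New-Object PSObject |
            Add-Member NoteProperty TimeCreated ([datetime] $ev.System.TimeCreated.SystemTime) -PassThru |
            Add-Member NoteProperty LogName     $LogName                              -PassThru |
            Add-Member NoteProperty Provider    ([string] $ev.System.Provider.Name)   -PassThru |
            Add-Member NoteProperty EventID     ([int] $id)                           -PassThru |
            Add-Member NoteProperty Level       $level                                -PassThru |
            Add-Member NoteProperty Computer    ([string] $ev.System.Computer)        -PassThru |
            Add-Member NoteProperty UserSid     $sid                                  -PassThru |
            Add-Member NoteProperty Message     ([string] $ev.RenderingInfo.Message)  -PassThru
    }
}

# Usage: the UAC channel from the post, newest five Critical/Error events,
# filtered by wevtutil itself using the XPath form Event Viewer generates.
Get-WevtEvent -LogName 'Microsoft-Windows-UAC/Operational' -Count 5 -XPath '*[System[(Level=1 or Level=2)]]' |
    Format-Table TimeCreated, EventID, Level, UserSid, Message -AutoSize
```

Because the filtering happens inside wevtutil (/q:), the same call works unchanged against large channels such as Security without pulling every record into PowerShell first; swap the -LogName and the XPath (for example `*[System[EventID=4625]]`) and the objects come back ready for Sort-Object, Group-Object or Export-Csv.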

Thanks to Narayanan Lakshmanan for answering the many questions I had about this.

That is all


BenP

Posted: Tuesday, October 30, 2007 3:40 PM by benp
