http://blogs.technet.com/benp/archive/tags/vista/default.aspxTags: vistaen-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.technet.com/benp/archive/2007/10/30/vista-event-logs-and-powershell.aspxTue, 30 Oct 2007 17:40:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:2288602benp1http://blogs.technet.com/benp/comments/2288602.aspxhttp://blogs.technet.com/benp/commentrss.aspx?PostID=2288602http://blogs.technet.com/benp/rsscomments.aspx?PostID=2288602<DIV class=csharpcode-wrapper> <DIV>Hello Everybody</DIV> <DIV>&nbsp;</DIV> <DIV>Sorry for the huge delay in posting anything, I promise I will never leave it so long again.&nbsp; </DIV> <DIV>&nbsp;</DIV> <DIV>I got asked a question the other day.&nbsp; Can I use Get-EventLog to access all the new logs that are in Vista?</DIV> <DIV>&nbsp;</DIV> <DIV>Which logs am I referring to you may ask. Well, there are loads of new logs that can provide a massive set of troubleshooting information. Here's a screen shot from my Vista laptop that shows some of the logs:</DIV> <DIV>&nbsp;</DIV> <DIV><A href="http://blogs.technet.com/blogfiles/benp/WindowsLiveWriter/VistaEventLogsandPowerShell_CA29/image_2.png" mce_href="http://blogs.technet.com/blogfiles/benp/WindowsLiveWriter/VistaEventLogsandPowerShell_CA29/image_2.png"><IMG style="BORDER-RIGHT: 0px; BORDER-TOP: 0px; BORDER-LEFT: 0px; BORDER-BOTTOM: 0px" height=672 alt=image src="http://blogs.technet.com/blogfiles/benp/WindowsLiveWriter/VistaEventLogsandPowerShell_CA29/image_thumb.png" width=698 border=0 mce_src="http://blogs.technet.com/blogfiles/benp/WindowsLiveWriter/VistaEventLogsandPowerShell_CA29/image_thumb.png"></A> </DIV> <DIV>&nbsp;</DIV> <DIV>So the question is can I query the Backup, Bits-Client, DiskDiagnostic and all the other logs using the Get-Eventlog cmdlet.</DIV> <DIV>&nbsp;</DIV> <DIV>In short no.&nbsp; You can however still use PowerShell, but you need to use a command line tool that ships in Vista, wevtutil.exe.&nbsp; You can find out all the logs that can be accessed using Get-Eventlog with the -list parameter.&nbsp; </DIV> <DIV>&nbsp;</DIV> <DIV> <DIV><PRE style="PADDING-RIGHT: 0px; PADDING-LEFT: 0px; FONT-SIZE: 8pt; PADDING-BOTTOM: 0px; MARGIN: 0em; OVERFLOW: visible; WIDTH: 100%; COLOR: black; BORDER-TOP-STYLE: none; LINE-HEIGHT: 12pt; PADDING-TOP: 0px; FONT-FAMILY: Consolas, 'Courier New', Courier, Monospace; BORDER-RIGHT-STYLE: none; BORDER-LEFT-STYLE: none; BACKGROUND-COLOR: #f4f4f4; BORDER-BOTTOM-STYLE: none">PS C:\Users\benp<SPAN style="COLOR: #0000ff">&gt;</SPAN> <STRONG>Get-EventLog -list</STRONG> Max(K) Retain OverflowAction Entries Name ------ ------ -------------- ------- ---- 15,168 0 OverwriteAsNeeded 1,381 Application 15,168 0 OverwriteAsNeeded 0 DFS Replication 20,480 0 OverwriteAsNeeded 0 Hardware Events 512 7 OverwriteOlder 0 Internet Explorer 512 7 OverwriteOlder 0 Key Management Service 8,192 0 OverwriteAsNeeded 0 Media Center 16,384 0 OverwriteAsNeeded 0 Microsoft Office Diagnostics 16,384 0 OverwriteAsNeeded 29 Microsoft Office Sessions 15,168 0 OverwriteAsNeeded 4,109 System 15,360 0 OverwriteAsNeeded 40 Windows PowerShell</PRE></DIV></DIV></DIV> <DIV class=csharpcode-wrapper>&nbsp;</DIV> <DIV class=csharpcode-wrapper>All of the above logs are part of the standard Windows Event Log.&nbsp; However, all of the the other logs in the screenshot use Windows Eventing 6.0.&nbsp; Get-EventLog does not hook into Windows Eventing 6.0.</DIV> <DIV class=csharpcode-wrapper>&nbsp;</DIV> <DIV class=csharpcode-wrapper>So how can I get at these logs using PowerShell?&nbsp; Check out the sample below:</DIV> <DIV class=csharpcode-wrapper>&nbsp;</DIV> <DIV> <DIV><PRE style="PADDING-RIGHT: 0px; PADDING-LEFT: 0px; FONT-SIZE: 8pt; PADDING-BOTTOM: 0px; MARGIN: 0em; OVERFLOW: visible; WIDTH: 100%; COLOR: black; BORDER-TOP-STYLE: none; LINE-HEIGHT: 12pt; PADDING-TOP: 0px; FONT-FAMILY: Consolas, 'Courier New', Courier, Monospace; BORDER-RIGHT-STYLE: none; BORDER-LEFT-STYLE: none; BACKGROUND-COLOR: #f4f4f4; BORDER-BOTTOM-STYLE: none">PS C:\Users\benp<SPAN style="COLOR: #0000ff">&gt;</SPAN> <STRONG>wevtutil.exe qe Microsoft-Windows-UAC/Operational /c:2 /f:text</STRONG> Event[0]: Log Name: Microsoft-Windows-UAC/Operational Source: Microsoft-Windows-UAC Date: 2007-10-30T11:14:00.524 Event ID: 1 Task: N/A Level: Error Opcode: Info Keyword: N/A User: S-1-5-21-1721234763-462695806-1538865281-2692397 User Name: testdom\benp Computer: vista.test.microsoft.com Description: The process failed to handle ERROR_ELEVATION_REQUIRED during the creation of a child process.</PRE></DIV></DIV> <P>This sample connects to the UAC Operational log and displays the newest 2 items as text.&nbsp; (There is only 1 event listed, because I only have 1 entry in the log).</P> <P>So yes I can access these logs using PowerShell, but no I can't use the Get-EventLog cmdlet to do it.&nbsp; Check out the following link for detailed syntax for using wevtutil.exe</P> <P><A title=http://technet2.microsoft.com/windowsserver2008/en/library/d4c791e0-7e59-45c5-aa55-0223b77a48221033.mspx?mfr=true href="http://technet2.microsoft.com/windowsserver2008/en/library/d4c791e0-7e59-45c5-aa55-0223b77a48221033.mspx?mfr=true" mce_href="http://technet2.microsoft.com/windowsserver2008/en/library/d4c791e0-7e59-45c5-aa55-0223b77a48221033.mspx?mfr=true">http://technet2.microsoft.com/windowsserver2008/en/library/d4c791e0-7e59-45c5-aa55-0223b77a48221033.mspx?mfr=true</A></P> <P>Thanks to Narayanan Lakshmanan for answering the many questions I had about this.</P> <P>That is all</P> <P><BR>BenP</P><img src="http://blogs.technet.com/aggbug.aspx?PostID=2288602" width="1" height="1">PowerShellwevtutil.exeget-eventlogvista