All posts by Adam

cmdlet, Import, LocalizedData

Import-LocalizedData

NAME
    Import-LocalizedData

SYNOPSIS
    Imports language-specific data into scripts and Functions based on the UI culture that is selected for the operating system.

SYNTAX
    Import-LocalizedData [-BindingVariable] <string> [[-UICulture] <string>] [-BaseDirectory <string>] [-FileName <string>] [-SupportedCommand <string[]>] [<CommonParameters>]

DESCRIPTION
    The Import-LocalizedData cmdlet dynamically retrieves strings from a subdirectory whose name matches the UI language set for the current user of the operating system. It is designed to enable scripts to display user messages in the UI language selected by the current user.

    Import-LocalizedData imports data from .psd1 files in language-specific subdirectories of the script directory and saves them in a local Variable that is specified in the command. The cmdlet selects the subdirectory and file based on the value of the $PSUICulture automatic Variable. When you use the local Variable in the script to display a user message, the message appears in the user’s UI language.

    You can use the parameters of Import-LocalizedData to specify an alternate UI culture, path, and file name, to add supported commands, and to suppress the error message that appears if the .psd1 files are not found.

    The Import-LocalizedData cmdlet supports script internationalization in Windows PowerShell 2.0. This initiative aims to better serve users worldwide by making it easy for scripts to display user messages in the UI language of the current user. For more information about this and about the format of the .psd1 files, see about_script_internationalization.

PARAMETERS
    -BaseDirectory <string>
        Specifies the base directory where the .psd1 files are located. The default is the directory where the script is located. Import-LocalizedData searches for the .psd1 file for the script in a language-specific subdirectory of the base directory.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -BindingVariable <string>
        Specifies a Variable into which the text strings are imported. Enter a Variable name without a dollar sign ($).

        When using Import-LocalizedData to replace default text strings specified in the DATA section of a script, assign the DATA section to a Variable and enter the name of the DATA section Variable in the value of the BindingVariable parameter. Then, when Import-LocalizedData saves the imported content in the BindingVariable, the imported data will replace the default text strings. If you are not specifying default text strings, you can select any Variable name.

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -FileName <string>
        Specifies the name of the .psd1 file to be imported. Enter a file name without the .psd1 file name extension.

        The default is the name of the script. For example, if the script is FindFiles.ps1, Import-LocalizedData searches for FindFiles.psd1. You can use this parameter to direct Import-LocalizedData to search for a different .psd1 file.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -SupportedCommand <string[]>
        Specifies cmdlets and Functions that generate only data.

        Use this parameter to include cmdlets and Functions that you have written or tested. For more information, see about_script_internationalization.

        Required?                    false
        Position?                    named
        Default value                None
        Accept pipeline input?     false
        Accept wildcard characters? false

    -UICulture <string>
        Specifies an alternate UI culture. The default is the value of the $PsUICulture automatic Variable. Enter a UI culture in “<language>-<region>” format, such as en-US, de-DE, or ar-SA.

        The value of the UICulture parameter determines the language-specific subdirectory (within the base directory) from which Import-LocalizedData gets the .psd1 file for the script.

        The cmdlet searches for a subdirectory with the same name as the value of the UICulture parameter or the $PsUICulture automatic Variable, such as “de-DE” or “ar-SA”. If it cannot find the directory, or the directory does not contain a .psd1 file for the script, it searches for a subdirectory with the name of the language code, such as “de” or “ar”. If it cannot find the subdirectory or .psd1 file, the command fails and the data is displayed in the default language specified in the script.

        Required?                    false
        Position?                    2
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type,
        “Get-Help about_CommonParameters“.

INPUTS
    None
        You cannot pipe input to this cmdlet.

OUTPUTS
    System.Collections.Hashtable
        Import-LocalizedData saves the hash table in the Variable that is specified by the value of the BindingVariable parameter.

NOTES

        Before using Import-LocalizedData, localize your user messages. Format the messages for each locale (UI culture) in a hash table of key/value pairs, and save the hash table in a file with the same name as the script and a .psd1 file name extension. Create a directory under the script directory for each supported UI culture, and then save the .psd1 file for each UI culture in the directory with the UI culture name.

        For example, localize your user messages for the de-DE locale and format them in a hash table. Save the hash table in a <ScriptName>.psd1 file. Then create a de-DE subdirectory under the script directory, and save the de-DE <ScriptName>.psd1 file in the de-DE subdirectory. Repeat this method for each locale that you support.

        Import-LocalizedData performs a structured search for the localized user messages for a script.

        Import-LocalizedData begins the search in the directory where the script file is located (or the value of the BaseDirectory parameter). It then searches within the base directory for a subdirectory with the same name as the value of the $PsUICulture Variable (or the value of the UICulture parameter), such as “de-DE” or “ar-SA”. Then, it searches in that subdirectory for a .psd1 file with the same name as the script (or the value of the FileName parameter).

        If Import-LocalizedData cannot find a subdirectory with the name of the UI culture, or the subdirectory does not contain a .psd1 file for the script, it searches for a .psd1 file for the script in a subdirectory with the name of the language code, such as “de” or “ar”. If it cannot find the subdirectory or .psd1 file, the command fails, the data is displayed in the default language in the script, and an error message is displayed explaining that the data could not be imported. To suppress the message and fail gracefully, use the ErrorAction common parameter with a value of SilentlyContinue.

        If Import-LocalizedData finds the subdirectory and the .psd1 file, it imports the hash table of user messages into the value of the BindingVariable parameter in the command. Then, when you display a message from the hash table in the Variable, the localized message is displayed.

        For more information, see about_script_internationalization.

    ————————– EXAMPLE 1 ————————–

    C:\PS>Import-LocalizedData -BindingVariable messages

    Description
    ———–
    This command imports text strings into the $messages Variable. It uses all of the default values for the cmdlet parameters.

    If the command is included in the Archives.ps1 script in the C:\test directory, and the value of the $PsUICulture automatic Variable is zh-CN, Import-LocalizedData imports the Archives.psd1 file in the C:\test\zh-CN directory.

    ————————– EXAMPLE 2 ————————–

    C:\PS>Import-LocalizedData -BindingVariable msgTbl -UICulture ar-SA -FileName Simple -BaseDirectory C:\Data\Localized

    Description
    ———–
    This command imports text strings into the $msgTbl Variable of a script.

    It uses the UICulture parameter to direct the cmdlet to import data from the Simple.psd1 file in the ar-SA subdirectory of C:\Data\Localized.

    ————————– EXAMPLE 3 ————————–

    C:\PS># In C:\Test\en-US\test.psd1:

    ConvertFrom-StringData @’
     # English strings
    Msg1 = “The Name parameter is missing from the command.”
    Msg2 = “This command requires the credentials of a member of the Administrators group on the computer.”
    Msg3 = “Use $_ to represent the object that is being processed.”
    ‘@

    # In C:\Test\Test.ps1

    Import-LocalizedData -BindingVariable messages
    Write-Host $messages.msg2

    # In Windows PowerShell

    C:\PS> .\test.ps1
    This command requires the credentials of a member of the Administrators group on the computer.

    Description
    ———–
    This example shows how to use localized data in a simple script.

    The first part of the example shows the contents of the Test.psd1 file. It contains a ConvertFrom-StringData command that converts a series of named text strings into a hash table. The test.psd1 file is located in the en-US subdirectory of the C:\Test directory that contains the script.

    The second part of the example shows the contents of the Test.ps1 script. It contains an Import-LocalizedData command that imports the data from the matching .psd1 file into the $Messages Variable and a Write-Host command that writes one of the messages in the $Messages Variable to the host program.

    The last part of the example runs the script. The output shows that it displays the correct user message in the UI language set for the current user of the operating system.

    ————————– EXAMPLE 4 ————————–

    C:\PS># In TestScript.ps1

    $UserMessages = DATA {
        ConvertFrom-StringData @’
        # English strings
            Msg1 = “Enter a name.”
            Msg2 = “Enter your employee ID.”
            Msg3 = “Enter your building number.”
    ‘@ }

    Import-LocalizedData -BindingVariable UserMessages

    $UserMessages.Msg1
    …

    Description
    ———–
    This example shows how to use Import-LocalizedData to replace default text strings defined in the DATA section of a script.

    In this example, the DATA section of the TestScript.ps1 script contains a ConvertFrom-StringData command that converts the contents of the DATA section to a hash table and stores in the value of the $UserMessages Variable.

    The script also includes an Import-LocalizedData command, which imports a hash table of translated text strings from the TestScript.psd1 file in the subdirectory specified by the value of the $PsUICulture Variable. If the command finds the .psd1 file, it saves the translated strings from the file in the value of the same $UserMessages Variable, overwriting the hash table saved by the DATA section logic.

    The third command displays the first message in the $UserMessages Variable.

    If the Import-LocalizedData command finds a .psd1 file for the $PsUICulture language, the value of the $UserMessages Variable contains the translated text strings. If the command fails for any reason, the command displays the default text strings defined in the DATA section of the script.

    ————————– EXAMPLE 5 ————————–

    C:\PS># In Day1.ps1
    Import-LocalizedData -BindingVariable Day
    Day.MessageDate

    # In Day2.ps1
    Import-LocalizedData -BindingVariable Day -ErrorAction:silentlycontinue
    Day.MessageDate

    C:\PS> .\Day1.ps1

    Import-LocalizedData : Cannot find PowerShell data file ‘Day1.psd1’ in directory ‘C:\ps-test\fr-BE\’ or any parent culture directories.
    At C:\ps-test\Day1.ps1:17 char:21
    + Import-LocalizedData <<<< Day
    Today is Tuesday

    C:\PS> .\Day2.ps1

    Today is Tuesday

    Description
    ———–
    This example shows how to suppress the error messages that appear when Import-LocalizedData cannot find the directories that match the user’s UI culture or cannot find a .psd1 file for the script in those directories.

    You can use the ErrorAction common parameter with a value of “SilentlyContinue” to suppress the error message. This is especially useful when you have provided user messages in a default or “fallback” language, and no error message is needed.

    This example compares two scripts, Day1.ps1 and Day2.ps1, that include an Import-LocalizedData command. The scripts are identical, except that Day2 uses the ErrorAction common parameter with a value of SilentlyContinue.

    The sample output shows the results of running both scripts when the UI culture is set to fr-BE and there are no matching files or directories for that UI culture. Day1.ps1 displays an error message and English output. Day2.ps1 just displays the English output.

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkID=113342
    about_script_internationalization

cmdlet, Csv, Import

Import-Csv

NAME
    Import-Csv

SYNOPSIS
    Converts object properties in a comma-separated value (CSV) file into CSV versions of the original objects.

SYNTAX
    Import-Csv [[-Delimiter] <char>] [-Path] <string[]> [-Header <string[]>] [<CommonParameters>]

    Import-Csv -UseCulture [-Path] <string[]> [-Header <string[]>] [<CommonParameters>]

DESCRIPTION
    The Import-Csv cmdlet creates objects from CSV Variable-length files that are generated by the Export-Csv cmdlet.

    You can use the parameters of the Import-Csv cmdlet to specify the column header row, which determines the property names of the resulting objects; to specify the item delimiter; or to direct Import-Csv to use the list separator for the current culture as the item delimiter.

    The objects that Import-Csv creates are CSV versions of the original objects. The property values of the CSV objects are string versions of the property values of the original objects. The CSV versions of the objects do not have any methods.

    You can also use the ConvertTo-Csv and ConvertFrom-Csv cmdlets to convert objects to CSV strings (and back). These cmdlets are the same as the Export-Csv and Import-Csv cmdlets, except that they do not save the CSV strings in a file.

PARAMETERS
    -Delimiter <char>
        Specifies the delimiter that separates the property values in the CSV file. The default is a comma (,). Enter a character, such as a colon (:). To specify a semicolon (;), enclose it in quotation marks.

        If you specify a character other than the actual string delimiter in the file, Import-Csv cannot create objects from the CSV strings. Instead, it returns the strings.

        Required?                    false
        Position?                    2
        Default value                ,
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Header <string[]>
        Specifies an alternate column header row for the imported file. The column header determines the names of the properties of the object that Import-Csv creates.

        Enter a comma-separated list of the column headers. Enclose each item in quotation marks (single or double). Do not enclose the header string in quotation marks. If you enter fewer column headers than there are columns, the remaining columns will have no header. If you enter more headers than there are columns, the extra headers are ignored.

        When using the Header parameter, delete the original header row from the CSV file. Otherwise, Import-Csv creates an extra object from the items in the header row.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Path <string[]>
        Specifies the path to the CSV file to import. You can also pipe a path to Import-Csv.

        Required?                    true
        Position?                    1
        Default value                None
        Accept pipeline input?     true (ByValue, ByPropertyName)
        Accept wildcard characters? false

    -UseCulture [<SwitchParameter>]
        Use the list separator for the current culture as the item delimiter. The default is a comma (,).

        To find the list separator for a culture, use the following command: (Get-Culture).TextInfo.ListSeparator. If you specify a character other than the delimiter used in the CSV strings, ConvertFrom-Csv cannot create objects from the CSV strings. Instead, it returns the strings.

        Required?                    true
        Position?                    named
        Default value                Comma
        Accept pipeline input?     false
        Accept wildcard characters? false

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type,
        “Get-Help about_CommonParameters“.

INPUTS
    System.String
        You can pipe a string that contains a path to Import-Csv.

OUTPUTS
    Object.
        Import-Csv returns the objects described by the content in the CSV file.

NOTES

        Because the imported objects are CSV versions of the object type, they are not recognized and formatted by the Windows PowerShell type formatting entries that format the non-CSV versions of the object type.

        In the CSV file, each object is represented by a comma-separated list of the property values of the object. The property values are converted to strings (by using the ToString() method of the object), so they are generally represented by the name of the property value. Export-Csv does not export the methods of the object.

    ————————– EXAMPLE 1 ————————–

    C:\PS>Get-Process | Export-Csv processes.csv

    C:\PS> $p = Import-Csv processes.csv

    C:\PS> $p | Get-Member

     TypeName: CSV:System.Diagnostics.Process

    Name                     MemberType Definition
    —-                     ———- ———-
    Equals                     Method     System.Boolean Equals(Object obj)
    GetHashCode                Method     System.Int32 GetHashCode()
    GetType                    Method     System.Type GetType()
    ToString                 Method     System.String ToString()
    BasePriority             NoteProperty System.String BasePriority=8
    Company                    NoteProperty System.String Company=Microsoft Corporation
    …

    C:\PS> $p | Out-GridView

    Description
    ———–
    This example shows how to export and then import a CSV file of Microsoft .NET Framework objects.

    The first command uses the Get-Process cmdlet to get the process on the local computer. It uses a pipeline operator (|) to send the process objects to the Export-Csv cmdlet, which exports the process objects to the Processes.csv file in the current directory.

    The second command uses the Import-Csv cmdlet to import the processes in the Import-Csv file. Then it saves the resulting process objects in the $p Variable.

    The third command uses a pipeline operator to pipe the imported objects to the Get-Member cmdlets. The result shows that they are CSV:System.Diagnostic.Process objects, not the System.Diagnostic.Process objects that Get-Process returns.

    Also, because there is no entry type in the formatting files for the CSV version of the process objects, these objects are not formatted in the same way that standard process objects are formatted.

    To display the objects, use the formatting cmdlets, such as Format-Table and Format-List, or pipe the objects to Out-GridView.

    ————————– EXAMPLE 2 ————————–

    C:\PS>Get-Process | Export-Csv processes.csv -Delimiter :

    C:\PS> $p = Import-Csv processes.csv -Delimiter :

    Description
    ———–
    This example shows how to use the Delimiter parameter of Import-Csv. In this example, the processes are exported to a file that uses a colon (:) as a delimiter.

    When importing, the Import-Csv file uses the Delimiter parameter to indicate the delimiter that is used in the file.

    ————————– EXAMPLE 3 ————————–

    C:\PS>$p = Import-Csv processes.csv -UseCulture

    C:\PS> (Get-Culture).textinfo.listseparator

    ,

    Description
    ———–
    This example shows how to use the UseCulture parameter of Import-Csv.

    The first command imports the objects in the Processes.csv file into the $p Variable. It uses the UseCulture parameter to direct Import-Csv to use the list separator defined for the current culture.

    The second command displays the list separator for the current culture. It uses the Get-Culture cmdlet to get the current culture. It uses the dot (.) method to get the TextInfo property of the current culture and the ListSeparator property of the object in TextInfo. In this example, the command returns a comma.

    ————————– EXAMPLE 4 ————————–

    C:\PS>Start-Job -scriptblock { Get-Process } | Export-Csv jobs.csv

    C:\PS> $header = “MoreData”,”StatusMessage”,”Location”,”Command”,”State”,”Finished”,”InstanceId”,”SessionId”,”Name”,”ChildJobs”,”Output”,”Error”,”Progress”,”Verbose”,”Debug”,”Warning”,”StateChanged”

    # Delete header from file
    C:\PS> $a = (Get-Content jobs.csv)
    C:\PS> $a = $a[0], $a[2..($a.count – 1)]
    C:\PS> $a > jobs.csv

    C:\PS> $j = Import-Csv jobs.csv -Header $header

    C:\PS> $j

    MoreData     : True
    StatusMessage :
    Location     : localhost
    Command     : Get-Process
    State         : Running
    Finished     : System.Threading.ManualResetEvent
    InstanceId    : 135bdd25-40d6-4a20-bd68-05282a59abd6
    SessionId     : 1
    Name         : Job1
    ChildJobs     : System.Collections.Generic.List`1[System.Management.Automation.Job]
    Output        : System.Management.Automation.PSDataCollection`1[System.Management.Automation.PSObject]
    Error         : System.Management.Automation.PSDataCollection`1[System.Management.Automation.ErrorRecord]
    Progress     : System.Management.Automation.PSDataCollection`1[System.Management.Automation.ProgressRecord]
    Verbose     : System.Management.Automation.PSDataCollection`1[System.String]
    Debug         : System.Management.Automation.PSDataCollection`1[System.String]
    Warning     : System.Management.Automation.PSDataCollection`1[System.String]
    StateChanged :

    Description
    ———–
    This example shows how to use the Header parameter of Import-Csv to change the names of properties in the resulting imported object.

    The first command uses the Start-Job cmdlet to start a background job that runs a Get-Process command on the local computer. A pipeline operator (|) sends the resulting job object to the Export-Csv cmdlet, which converts the job object to CSV format. An assignment operator (=) saves the resulting CSV in the Jobs.csv file.

    The second command saves a header in the $header Variable. Unlike the default header, this header uses “MoreData” instead of “HasMoreData” and “State” instead of “JobStateInfo”.

    The next three commands delete the original header (the second line) from the Jobs.csv file.

    The sixth command uses the Import-Csv cmdlet to import the Jobs.csv file and convert the CSV strings into a CSV version of the job object. The command uses the Header parameter to submit the alternate header. The results are stored in the $j Variable.

    The seventh command displays the object in the $j Variable. The resulting object has “MoreData” and “State” properties, as shown in the command output.

    ————————– EXAMPLE 5 ————————–

    C:\PS>”.\processes.csv” | Import-Csv

    Description
    ———–
    This command imports the objects from the Processes.csv file.

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkID=113341
    Export-Csv
    ConvertTo-Csv
    ConvertFrom-Csv

cmdlet, Counter, Import

Import-Counter

NAME
    Import-Counter

SYNOPSIS
    Imports performance counter log files (.blg, .csv, .tsv) and creates the objects that represent each counter sample in the log.

SYNTAX
    Import-Counter [-Path] <string[]> [-Counter <string[]>] [-EndTime <DateTime>] [-MaxSamples <Int64>] [-StartTime <DateTime>] [<CommonParameters>]

    Import-Counter [-Path] <string[]> -ListSet <string[]> [<CommonParameters>]

    Import-Counter [-Path] <string[]> -Summary <switch> [<CommonParameters>]

DESCRIPTION
    The Import-Counter cmdlet imports performance counter data from performance counter log files and creates objects for each counter sample in the file. The PerformanceCounterSampleSet objects that it creates are identical to the objects that Get-Counter returns when it collects performance counter data.

    You can import data from comma-separated value (.csv), tab-separated value ( .tsv), and binary performance log (.blg) performance log files. If you are using .blg files, you can import multiple files (up to 32 different files) in each command. And, you can use the parameters of Import-Counter to filter the data that you import.

    Along with Get-Counter and Export-Counter, this feature lets you collect, export, import, combine, filter, manipulate, and re-export performance counter data within Windows PowerShell.

PARAMETERS
    -Counter <string[]>
        Imports data only for the specified performance counters. By default, Import-Counter imports all data from all counters in the input files. Enter one or more counter paths. Wildcards are permitted in the Instance part of the path.

        Each counter path has the following format. Notice that the ComputerName value is required in the path, even on the local computer.
             “\\<ComputerName>\<CounterSet>(<Instance>)\<CounterName>”

        For example:
                “\\Server01\Processor(2)\% User Time”
                “\Processor(*)\% Processor Time

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? true

    -EndTime <DateTime>
        Imports only counter data with a timestamp less than or equal to the specified date and time. Enter a DateTime object, such as one created by the Get-Date cmdlet. By default, Import-Counter imports all counter data in the files specified by the Path parameter.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -ListSet <string[]>
        Gets the performance counter sets that are represented in the exported files. Commands with this parameter do not import any data.

        Enter one or more counter set names. Wildcards are permitted. To get all counter sets in the file, type “Import-Counter -listset *”.

        Required?                    true
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? true

    -MaxSamples <Int64>
        Specifies the maximum number of samples of each counter to import. By default, Get-Counter imports all of the data in the files specified by the Path parameter.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Path <string[]>
        Specifies the file paths of the files to be imported. This parameter is required.

        Enter the path and file name of a, .csv,, .tsv, or .blg file that you exported by using the Export-Counter cmdlet. You can specify only one .csv or .tsv file, but you can specify multiple .blg files (up to 32) in each command. You can also pipe file path strings (in quotation marks) to Import-Counter.

        Required?                    true
        Position?                    2
        Default value
        Accept pipeline input?     true (ByValue)
        Accept wildcard characters? true

    -StartTime <DateTime>
        Imports only counter data with a timestamp greater than or equal to the specified date and time. Enter a DateTime object, such as one created by the Get-Date cmdlet. By default, Import-Counter imports all counter data in the files specified by the Path parameter.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Summary <switch>
        Gets a summary of the imported data, instead of getting individual counter data samples.

        Required?                    true
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type,
        “Get-Help about_CommonParameters“.

INPUTS
    System.String
        You can pipe performance counter log paths to Import-Counter.

OUTPUTS
    Microsoft.PowerShell.Commands.GetCounter.PerformanceCounterSampleSet, Microsoft.PowerShell.Commands.GetCounter.CounterSet, Microsoft.PowerShell.Commands.GetCounter.CounterFileInfo
        By default, Import-Counter returns a Microsoft.PowerShell.Commands.GetCounter.PerformanceCounterSampleSet. If you use the ListSet parameter, Import-Command returns a Microsoft.PowerShell.Commands.GetCounter.CounterSet object. If you use the Summary parameter, Import-Command returns a Microsoft.PowerShell.Commands.GetCounter.CounterFileInfo object.

NOTES

        The Import-Counter cmdlet does not have a ComputerName parameter. However, if the computer is configured for Windows PowerShell remoting, you can use the Invoke-Command cmdlet to run an Import-Counter command on a remote computer.

    ————————– EXAMPLE 1 ————————–

    C:\PS># Import-Counter

    Description
    ———–
    This command imports all of the counter data from the ProcessorData.csv file into the $data Variable.

    C:\PS> $data = Import-Counter -Path ProcessorData.csv

    ————————– EXAMPLE 2 ————————–

    C:\PS># Import-Counter

    Description
    ———–
    This command imports only the Processor(_total)\Interrupts\sec counter data from the ProcessorData.blg file into the $i Variable.

    C:\PS> $i = Import-Counter -Path ProcessorData.blg -Counter “\\SERVER01\Processor(_Total)\Interrupts/sec”

    ————————– EXAMPLE 3 ————————–

    C:\PS># Import-Counter

    Description
    ———–
    This example shows how to select data from a performance counter log file (.blg) and then export the selected data to a .csv file.

    The first four commands get the counter paths from the file and save them in a Variable. The last two commands import selected data and then export only the selected data.

    The first command uses Import-Counter to import all of the performance counter data from the ProcessorData.blg files. The command saves the data in the $data Variable.

    C:\PS> $data = Import-Counter .\processordata.blg

    The second command displays the counter paths in the $data Variable. The display is shown in the command output.

    C:\PS> $data[0].countersamples | Format-Table path

    Path
    —-
    \\SERVER01\Processor(_Total)\DPC Rate
    \\SERVER01\Processor(1)\DPC Rate
    \\SERVER01\Processor(0)\DPC Rate
    \\SERVER01\Processor(_Total)\% Idle Time
    \\SERVER01\Processor(1)\% Idle Time
    \\SERVER01\Processor(0)\% Idle Time
    \\SERVER01\Processor(_Total)\% C3 Time
    \\SERVER01\Processor(1)\% C3 Time
    …

    The third command gets the counter paths that end in “Interrupts/sec” and saves the paths in the $IntCtrs Variable.

    C:\PS> $IntCtrs = $data[0].countersamples | where {$_.path -like “*interrupts/sec”} | foreach {$_.path}

    The fourth command displays the selected counter paths.

    C:\PS> $IntCtrs

    \\SERVER01\Processor(_Total)\Interrupts/sec
    \\SERVER01\Processor(1)\Interrupts/sec
    \\SERVER01\Processor(0)\Interrupts/sec

    The fifth command uses the Import-Counter cmdlet to import the data. It uses the Counter parameter with the $IntCtrs Variable to import only data for the counter paths in $IntCtrs.

    C:\PS> $i = Import-Counter -Path .\processordata.blg -Counter $intCtrs

    The sixth command uses the Export-Counter cmdlet to export the data.

    C:\PS> $i | Export-Counter -Path .\interrupts.csv -format CSV

    ————————– EXAMPLE 4 ————————–

    C:\PS># Import-Counter

    Description
    ———–
    This example shows how to display all the counter paths in a group of imported counter sets.

    The first command uses the ListSet parameter to get all of the counter sets that are represented in a counter data file.

    C:\PS> Import-Counter -Path processordata.csv -listset *

    CounterSetName     : Processor
    MachineName        : \\SERVER01
    CounterSetType     : MultiInstance
    Description        :
    Paths             : {\\SERVER01\Processor(*)\DPC Rate, \\SERVER01\Processor(*)\% Idle Time, \\SERVER01
                         \Processor(*)\% C3 Time, \\SERVER01\Processor(*)\% Interrupt Time…}
    PathsWithInstances : {\\SERVER01\Processor(_Total)\DPC Rate, \\SERVER01\Processor(1)\DPC Rate, \\SERVER01
                         \Processor(0)\DPC Rate, \\SERVER01\Processor(_Total)\% Idle Time…}
    Counter            : {\\SERVER01\Processor(*)\DPC Rate, \\SERVER01\Processor(*)\% Idle Time, \\SERVER01
                         \Processor(*)\% C3 Time, \\SERVER01\Processor(*)\% Interrupt Time…}

    The second command gets all of the counter paths from the list set.

    C:\PS> Import-Counter -Path processordata.csv -listset * | foreach {$_.paths}

    \\SERVER01\Processor(*)\DPC Rate
    \\SERVER01\Processor(*)\% Idle Time
    \\SERVER01\Processor(*)\% C3 Time
    \\SERVER01\Processor(*)\% Interrupt Time
    \\SERVER01\Processor(*)\% C2 Time
    \\SERVER01\Processor(*)\% User Time
    \\SERVER01\Processor(*)\% C1 Time
    \\SERVER01\Processor(*)\% Processor Time
    \\SERVER01\Processor(*)\C1 Transitions/sec
    \\SERVER01\Processor(*)\% DPC Time
    \\SERVER01\Processor(*)\C2 Transitions/sec
    \\SERVER01\Processor(*)\% Privileged Time
    \\SERVER01\Processor(*)\C3 Transitions/sec
    \\SERVER01\Processor(*)\DPCs Queued/sec
    \\SERVER01\Processor(*)\Interrupts/sec

    ————————– EXAMPLE 5 ————————–

    C:\PS># Import-Counter

    Description
    ———–
    This example imports only the counter data that has a time stamp between the starting an ending ranges specified in the command.

    The first command lists the time stamps of all of the data in the ProcessorData.blg file.

     C:\PS> Import-Counter -Path .\disk.blg | Format-Table timestamp

    The second and third commands save particular time stamps in the $start and $end Variables. The strings are cast to DateTime objects.

     C:\PS> $start = [datetime]”7/9/2008 3:47:00 PM”
     C:\PS> $end = [datetime]”7/9/2008 3:47:59 PM”

    The fourth command uses Import-Counter to get only counter data that has a time stamp between the start and end times (inclusive). The command uses the StartTime and EndTime parameters to specify the range.

     C:\PS> $t-data = Import-Counter -Path disk.blg -StartTime $start -EndTime $end

    ————————– EXAMPLE 6 ————————–

    C:\PS># Import-Counter

    Description
    ———–
    This example shows how to import the five oldest and five newest samples from a performance counter log file.

    The first command uses the Import-Counter cmdlet to import data from the Disk.blg file. The command uses the MaxSamples parameter to limit the import to five counter samples. This command gets the first (oldest) five samples in the file.

    C:\PS> Import-Counter -Path disk.blg -MaxSamples 5

    The second command uses array notation and the Windows PowerShell range operator (..) to get the last five counter samples from the file. These are the five newest samples.

    C:\PS> (Import-Counter -Path disk.blg)[-1 .. -5]

    ————————– EXAMPLE 7 ————————–

    C:\PS># Import-Counter

    Description
    ———–
    This command uses the Summary parameter to get a summary of the counter data from the Memory.blg file.

    C:\PS> Import-Counter D:\Samples\memory.blg -summary

    OldestRecord            NewestRecord            SampleCount
    ————            ————            ———–
    7/10/2008 2:59:18 PM    7/10/2008 3:00:27 PM    1000

    ————————– EXAMPLE 8 ————————–

    C:\PS># Import-Counter

    Description
    ———–
    This example updates a performance counter log file.

    The first command uses the ListSet parameter of Import-Counter to get the counters in OldData.blg, an existing counter log file. The command uses a pipeline operator (|) to send the data to a ForEach-Object command that gets only the values of the PathsWithInstances property of each object.

    C:\PS> $counters = Import-Counter olddata.blg -ListSet * | foreach {$_.PathsWithInstances}

    The second command uses those same counters in a new Get-Counter command to get a current sample, and export it to the NewData.blg file.

    C:\PS> Get-Counter -Counter $counters -MaxSamples 20 | Export-Counter c:\Logs\newdata.blg

    ————————– EXAMPLE 9 ————————–

    C:\PS># Import-Counter

    Description
    ———–
    This command imports performance log data from two logs and saves the data in the $counters Variable. The command uses a pipeline operator to send performance log paths to Import-Counter.

    C:\PS> $counters = “d:\test\pdata.blg”, “d:\samples\netlog.blg” | Import-Counter

    Notice that each path is enclosed in quotation marks and that the paths are separated from each other by a comma.

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkID=138338
    Get-Counter
    Export-Counter

Clixml, cmdlet, Import

Import-Clixml

NAME
    Import-Clixml

SYNOPSIS
    Imports a CLIXML file and creates corresponding objects within Windows PowerShell.

SYNTAX
    Import-Clixml [-Path] <string[]> [<CommonParameters>]

DESCRIPTION
    The Import-Clixml cmdlet imports a CLIXML file with data that represents Microsoft .NET Framework objects and creates the objects in Windows PowerShell.

PARAMETERS
    -Path <string[]>
        Specifies the location of the XML files to be converted into Windows PowerShell objects.

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?     true (ByValue, ByPropertyName)
        Accept wildcard characters? false

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type,
        “Get-Help about_CommonParameters“.

INPUTS
    System.String
        You can pipe a string that contains a path to Import-Clixml.

OUTPUTS
    PSObject
        Import-Clixml returns objects that have been deserialized from the stored XML files.

NOTES

        When specifying multiple values for a parameter, use commas to separate the values. For example, “<parameter-name> <value1>, <value2>”.

    ————————– EXAMPLE 1 ————————–

    C:\PS>Get-Process | Export-Clixml pi.xml

    C:\PS> $processes = Import-Clixml pi.xml

    Description
    ———–
    This command uses the Export-Clixml cmdlet to save a serialized copy of the process information returned by Get-Process. It then uses Import-Clixml to retrieve the contents of the serialized file and re-create an object that is stored in the $processes Variable.

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkID=113340

Alias, cmdlet, Import

Import-Alias

NAME
    Import-Alias

SYNOPSIS
    Imports an Alias list from a file.

SYNTAX
    Import-Alias [-Path] <string> [-Force] [-PassThru] [-Scope <string>] [-Confirm] [-WhatIf] [<CommonParameters>]

DESCRIPTION
    The Import-Alias cmdlet imports an Alias list from a file.

PARAMETERS
    -Force [<SwitchParameter>]
        Allows the cmdlet to import an Alias that is already defined and is read only. You can use the following command to display information about the currently-defined Aliases:

        Get-Alias | Select-Object name,Options
        The value of the Options property will include “ReadOnly” if the corresponding Alias is read only.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -PassThru [<SwitchParameter>]
        Returns an object representing the Alias. By default, this cmdlet does not generate any output.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Path <string>
        Specifies the path to a file that includes exported Alias information. Wildcards are allowed but they must resolve to a single name.

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?     true (ByValue, ByPropertyName)
        Accept wildcard characters? false

    -Scope <string>
        Specifies the scope into which the Aliases are imported. Valid values are “Global”, “Local”, or “Script”, or a number relative to the current scope (0 through the number of scopes, where 0 is the current scope and 1 is its parent). “Local” is the default. For more information, see about_scopes.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Confirm [<SwitchParameter>]
        Prompts you for confirmation before executing the command.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -WhatIf [<SwitchParameter>]
        Describes what would happen if you executed the command without actually executing the command.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type,
        “Get-Help about_CommonParameters“.

INPUTS
    System.String
        You can pipe a string that contains a path to Import-Alias.

OUTPUTS
    None or System.Management.Automation.AliasInfo
        When you use the Passthru parameter, Import-Alias returns a System.Management.Automation.AliasInfo object that represents the Alias. Otherwise, this cmdlet does not generate any output.

NOTES

    ————————– EXAMPLE 1 ————————–

    C:\PS>Import-Alias test.txt

    Description
    ———–
    This command imports Alias information from a file named test.txt.

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkID=113339
    Export-Alias
    Get-Alias
    New-Alias
    Set-Alias

cmdlet, Group, Object

Group-Object

NAME
    Group-Object

SYNOPSIS
    Groups objects that contain the same value for specified properties.

SYNTAX
    Group-Object [-AsHashTable] [-AsString] [[-Property] <Object[]>] [-CaseSensitive] [-Culture <string>] [-InputObject <psobject>] [-NoElement] [<CommonParameters>]

DESCRIPTION
    The Group-Object cmdlet displays objects in groups based on the value of a specified property. Group-Object returns a table with one row for each property value and a column that displays the number of items with that value.

    If you specify more than one property, Group-Object first groups them by the values of the first property, and then, within each property group, it groups by the value of the next property.

PARAMETERS
    -AsHashTable [<SwitchParameter>]
        Returns the group as a hash table. The keys of the hash table are the property values by which the objects are grouped. The values of the hash table are the objects that have that property value.

        By itself, the AsHashTable parameter returns each hash table in which each key is an instance of the grouped object. When used with the AsString parameter, the keys in the hash table are strings.

        Required?                    false
        Position?                    named
        Default value                GroupInfo object
        Accept pipeline input?     false
        Accept wildcard characters? false

    -AsString [<SwitchParameter>]
        Converts the hash table keys to strings. By default, the hash table keys are instances of the grouped object. This parameter is valid only when used with the AsHashTable parameter.

        Required?                    false
        Position?                    named
        Default value                GroupInfo objects
        Accept pipeline input?     false
        Accept wildcard characters? false

    -CaseSensitive [<SwitchParameter>]
        Makes the grouping case-sensitive. Without this parameter, the property values of objects in a group might have different cases.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Culture <string>
        Specifies the culture to use when comparing strings.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -InputObject <psobject>
        Specifies the objects to group. Enter a Variable that contains the objects, or type a command or expression that gets the objects.

        When you use the InputObject parameter to submit a collection of objects to Group-Object, Group-Object receives one object that represents the collection. As a result, it creates a single group with that object as its member.

        To group the objects in a collection, pipe the objects to Group-Object.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     true (ByValue)
        Accept wildcard characters? false

    -NoElement [<SwitchParameter>]
        Omits the members of a group from the results.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Property <Object[]>
        Specifies the properties for grouping. The objects are arranged into groups based on the value of the specified property.

        The value of the Property parameter can be a new calculated property. To create a calculated, property, create a hash table with an Expression key that specifies a string or script block value.

        Required?                    false
        Position?                    1
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type,
        “Get-Help about_CommonParameters“.

INPUTS
    System.Management.Automation.PSObject
        You can pipe any object to Group-Object

OUTPUTS
    Microsoft.PowerShell.Commands.GroupInfo or System.Collections.Hashtable
        When you use the AsHashTable parameter, Group-Object returns a hash table. Otherwise, it returns a GroupInfo object.

NOTES

        You can also use the GroupBy parameter of the formatting cmdlets (such as Format-Table [m2] and Format-List [m2]) to group objects. Unlike Group-Object, which creates a single table with a row for each property value, the GroupBy parameters create a table for each property value with a row for each item that has the property value.

        Group-Object does not require that the objects being grouped be of the same Microsoft .NET Framework type. When grouping objects of different .NET Framework types, Group-Object uses the following rules:

        — Same Property Names and Types: If the objects have a property with the specified name, and the property values have the same .NET Framework type, the property values are grouped by using the same rules that would be used for objects of the same type.

        — Same Property Names, Different Types: If the objects have a property with the specified name, but the property values have a different .NET Framework type in different objects, Group-Object uses the .NET Framework type of the first occurrence of the property as the .NET Framework type for that property group. When an object has a property with a different type, the property value is converted to the type for that group. If the type conversion fails, the object is not included in the group.

        — Missing Properties: Objects that do not have a specified property are considered ungroupable. Ungroupable objects appear in the final GroupInfo object output in a group named AutomationNull.Value.

    ————————– EXAMPLE 1 ————————–

    C:\PS>Get-ChildItem *.doc | Group-Object -Property length

    Description
    ———–
    This command gets the files in the current location that have a .doc extension and groups them by size.

    ————————– EXAMPLE 2 ————————–

    C:\PS>Get-ChildItem | Sort-Object -Property extension | Group-Object -Property extension

    Description
    ———–
    This command gets the files in the current location, sorts them by file name extension, and then groups them by file name extension. Note that the files are sorted before they are grouped.

    ————————– EXAMPLE 3 ————————–

    C:\PS>1..35 | Group-Object -Property {$_ % 2},{$_ % 3}

    Description
    ———–
    This example shows how to use script blocks as the value of the Property parameter.

    This command displays the integers from 1 to 35, grouped by the remainder left when they are divided by 2 or 3.

    ————————– EXAMPLE 4 ————————–

    C:\PS>$events = Get-Eventlog -logname system -newest 1000

    C:\PS> $events | Group-Object -Property eventID

    Count Name                     Group
    —– —-                     —–
     44 Information             {System.Diagnostics.EventLogEntry,
        5 Error                     {System.Diagnostics.EventLogEntry,
        1 Warning                 {System.Diagnostics.EventLogEntry}

    Description
    ———–
    These commands display the 1,000 most recent entries in the System event log, grouped by Event ID.

    The first command uses the Get-EventLog cmdlet to retrieve the events and the assignment operator (=) to save them in the $events Variable.

    The second command uses a pipeline operator (|) to send the events in the $events Variable to the Group-Object cmdlet. The command uses the Property parameter to specify that the events should be grouped according to the value of their EventID property.

    In the output, the Count column represents the number of entries in each group, the Name column represents the EventID values that define a group, and the Group column represents the objects in each group.

    ————————– EXAMPLE 5 ————————–

    C:\PS>Get-Process | Group-Object -Property priorityclass

    Count Name                Group
    —– —-                —–
     55 Normal             {System.Diagnostics.Process (AdtAgent), System.Diagnostics.Process (alg), System.Dia…
        1                     {System.Diagnostics.Process (Idle)}
        3 High                {System.Diagnostics.Process (Newproc), System.Diagnostics.Process (winlogon), System.D…
        2 BelowNormal         {System.Diagnostics.Process (winperf),

    C:\PS>Get-Process | Group-Object -Property company -NoElement
    Count Name
    —– —-
     55 Normal
        1
        3 High
        2 BelowNormal

    Description
    ———–
    This example demonstrates the effect of the NoElement parameter. These commands group the processes on the computer by priority class.

    The first command uses the Get-Process cmdlet to get the processes on the computer. It uses a pipeline operator (|) to send the results to Group-Object, which groups the objects by the value of the PriorityClass property of the process.

    The second command is identical to the first, except that it uses the NoElement parameter to eliminate the members of the group from the output. The result is a table with only the count and property value name.

    The results are shown in the following sample output.

    ————————– EXAMPLE 6 ————————–

    C:\PS>Get-Eventlog -logname system -newest 1000 | Group-Object -Property {$_.TimeWritten – $_.TimeGenerated}

    Description
    ———–
    This command demonstrates how to provide the value of the Property parameter as a script block.

    This command displays the most recent 1,000 entries from the system event log, grouped according to the time between when they were generated and when they were written to the log.

    The command uses the Get-EventLog cmdlet to get the event log entries. It uses a pipeline operator (|) to send the entries to the Group-Object cmdlet. The value of the Property parameter is specified as a script block (an expression in braces). The result of evaluating the script block is the time between when the log entry was generated and when it was written to the log. That value is used to group the 1,000 most recent events.

    ————————– EXAMPLE 7 ————————–

    C:\PS>Get-ChildItem | Group-Object extension -NoElement

    Count Name
    —– —-
     21
     82 .txt
        9 .cmd
        5 .log
     12 .xml
        5 .htm
     36 .ps1
        1 .psc1
        3 .exe
        6 .csv
        1 .psd1
        2 .bat

    Description
    ———–
    This command groups the items in the current directory by file name extension. It uses the NoElement parameter to omit the members of the group.

    The results are shown in the following sample output.

    ————————– EXAMPLE 8 ————————–

    C:\PS>”a”, “b”, “c”, “c”, “d” | Get-Unique

    a
    b
    c
    d

    C:\PS> “a”, “b”, “c”, “c”, “d” | Group-Object -NoElement | where {$_.Count -gt 1}
    Count Name
    —– —-
        2 c

    C:\PS> Get-Process | Group-Object -Property Name -NoElement | where {$_.count -gt 1}
    Count Name
    —– —-
        2 csrss
        5 svchost
        2 winlogon
        2 wmiprvse

    Description
    ———–
    This example shows how to find the unique and non-unique (repeated) property values in a collection.

    The first command gets the unique elements of an array by piping the array to the Get-Unique cmdlet.

    The second command gets the non-unique elements of an array. It pipes the array to the Group-Object cmdlet, which groups the objects by value. The resulting groups are piped to the Where-Object cmdlet, which selects objects with groups with more than one member.

    The third command shows a practical use for this technique. It uses the same method to find processes on the computer that have the same process name.

    The results are shown in the following sample output.

    ————————– EXAMPLE 9 ————————–

    C:\PS>$a = Get-Command get-*, set-* -type cmdlet | Group-Object -Property verb -AsHashTable -AsString

    C:\PS> $a

    Name    Value
    —-    —–
    Get     {Get-PSCallStack, Get-PSBreakpoint, Get-PSDrive, Get-PSSession…}
    Set     {Set-Service, Set-StrictMode, Set-PSDebug, Set-PSSessionConfiguration…}

    C:\PS> $a.get

    CommandType     Name                 Definition
    ———–     —-                 ———-
    Cmdlet         Get-PSCallStack     Get-PSCallStack [-Verbose] [-Debug] [-ErrorAction <ActionPrefer…
    Cmdlet         Get-PSBreakpoint     Get-PSBreakpoint [[-Id] <Int32[]>] [-Verbose] [-Debug] [-ErrorA…
    Cmdlet         Get-PSDrive         Get-PSDrive [[-Name] <String[]>] [-Scope <String>] [-PSProvider…
    …

    Description
    ———–
    This example uses the AsHashTable and AsString parameters to return the groups in a hash table, that is, as a collection of key-value pairs.

    In the resulting hash table, each property value is a key, and the group elements are the values. Because each key is a property of the hash table object, you can use dot notation to display the values.

    The first command gets the Get and Set cmdlets in the session, groups them by verb, returns the groups as a hash table, and saves the hash table in the $a Variable.

    The second command displays the hash table in $a. There are two key-value pairs, one for the Get cmdlets and one for the Set cmdlets.

    The third command uses dot notation to display the values of the Get key in $a. The values are CmdletInfo object. The AsString parameter does not convert the objects in the groups to strings.

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkID=113338

cmdlet, Get, WSManInstance

Get-WSManInstance

NAME
    Get-WSManInstance

SYNOPSIS
    Displays management information for a resource instance specified by a Resource URI.

SYNTAX
    Get-WSManInstance -SelectorSet <hashtable> [-ApplicationName <string>] [-ComputerName <string>] [-Credential <PSCredential>] [-Fragment <string>] [-Port <int>] [-UseSSL] [-ResourceURI] <Uri> [-Authentication <Authentication>] [-Dialect <Uri>] [-OptionSet <hashtable>] [-SessionOption <hashtable>] [<CommonParameters>]

    Get-WSManInstance [-ApplicationName <string>] [-BasePropertiesOnly <switch>] [-ComputerName <string>] [-Credential <PSCredential>] [-Enumerate] [-filter <string>] [-Port <int>] [-References <switch>] [-ReturnType <string>] [-Shallow <switch>] [-UseSSL] [-ResourceURI] <Uri> [-Authentication <Authentication>] [-Dialect <Uri>] [-OptionSet <hashtable>] [-SessionOption <hashtable>] [<CommonParameters>]

    Get-WSManInstance -ConnectionURI <Uri> -SelectorSet <hashtable> [-Fragment <string>] [-ResourceURI] <Uri> [-Authentication <Authentication>] [-Dialect <Uri>] [-OptionSet <hashtable>] [-SessionOption <hashtable>] [<CommonParameters>]

    Get-WSManInstance -ConnectionURI <Uri> [-BasePropertiesOnly <switch>] [-Enumerate] [-filter <string>] [-References <switch>] [-ReturnType <string>] [-Shallow <switch>] [-ResourceURI] <Uri> [-Authentication <Authentication>] [-Dialect <Uri>] [-OptionSet <hashtable>] [-SessionOption <hashtable>] [<CommonParameters>]

DESCRIPTION
    The Get-WSManInstance cmdlet retrieves an instance of a management resource that is specified by a resource URI. The information that is retrieved can be a complex XML information set (an object) or a simple value. This cmdlet is the equivalent to the standard WS-Management Get command.

    This cmdlet uses the WS-Management connection/transport layer to retrieve information.

PARAMETERS
    -ApplicationName <string>
        Specifies the application name in the connection. The default value of the ApplicationName parameter is “WSMAN”. The complete identifier for the remote endpoint is in the following format:

             <transport>://<server>:<port>/<ApplicationName>

        For example:

             http://server01:8080/WSMAN

        Internet Information Services (IIS), which hosts the session, forwards requests with this endpoint to the specified application. This default setting of “WSMAN” is appropriate for most uses. This parameter is designed to be used when numerous computers establish remote connections to one computer that is running Windows PowerShell. In this case, IIS hosts Web Services for Management (WS-Management) for efficiency.

        Required?                    false
        Position?                    named
        Default value                WSMan
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Authentication <Authentication>
        Specifies the authentication mechanism to be used at the server. Possible values are:

        – Basic: Basic is a scheme in which the user name and password are sent in clear text to the server or proxy.
        – Default : Use the authentication method implemented by the WS-Management protocol. This is the default.
        – Digest: Digest is a challenge-response scheme that uses a server-specified data string for the challenge.
        – Kerberos: The client computer and the server mutually authenticate by using Kerberos Certificates.
        – Negotiate: Negotiate is a challenge-response scheme that negotiates with the server or proxy to determine the scheme to use for authentication. For example, this parameter value allows negotiation to determine whether the Kerberos protocol or NTLM is used.
        – CredSSP: Use Credential Security Service Provider (CredSSP) authentication, which allows the user to delegate credentials. This option is designed for commands that run on one remote computer but collect data from or run additional commands on other remote computers.

        Caution: CredSSP delegates the user’s credentials from the local computer to a remote computer. This practice increases the security risk of the remote operation. If the remote computer is compromised, when credentials are passed to it, the credentials can be used to control the network session.

        Required?                    false
        Position?                    named
        Default value                Default
        Accept pipeline input?     false
        Accept wildcard characters? false

    -BasePropertiesOnly <switch>
        Enumerates only the properties that are part of the base class that is specified by the ResourceURI parameter. This parameter has no effect if the Shallow parameter is specified.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -ComputerName <string>
        Specifies the computer against which you want to run the management operation. The value can be a fully qualified domain name, a NetBIOS name, or an IP address. Use the local computer name, use localhost, or use a dot (.) to specify the local computer. The local computer is the default. When the remote computer is in a different domain from the user, you must use a fully qualified domain name must be used. You can pipe a value for this parameter to the cmdlet.

        Required?                    false
        Position?                    named
        Default value                localhost
        Accept pipeline input?     false
        Accept wildcard characters? false

    -ConnectionURI <Uri>
        Specifies the connection endpoint. The format of this string is:

             <Transport>://<Server>:<Port>/<ApplicationName>

        The following string is a properly formatted value for this parameter:

             http://Server01:8080/WSMAN

        The URI must be fully qualified.

        Required?                    true
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Credential <PSCredential>
        Specifies a user account that has permission to perform this action. The default is the current user. Type a user name, such as “User01”, “Domain01\User01”, or “User@Domain.com”. Or, enter a PSCredential object, such as one returned by the Get-Credential cmdlet. When you type a user name, you will be prompted for a password.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Dialect <Uri>
        Specifies the dialect to use in the filter predicate. This can be any dialect that is supported by the remote service. The following Aliases can be used for the dialect URI:

        – WQL: http://schemas.microsoft.com/wbem/wsman/1/WQL
        – Selector: http://schemas.microsoft.com/wbem/wsman/1/wsman/SelectorFilter
        – Association: http://schemas.dmtf.org/wbem/wsman/1/cimbinding/associationFilter

        Required?                    false
        Position?                    named
        Default value                http://schemas.microsoft.com/wbem/wsman/1/WQL
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Enumerate [<SwitchParameter>]
        Returns all of the instances of a management resource.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -filter <string>
        Specifies the filter expression for the enumeration. If you use this parameter, you must also specify the Dialect parameter.

        The valid values of this parameter depend on the dialect that is specified in the Dialect parameter. For example, if the Dialect parameter is set to WQL, the Filter parameter must contain a string, and the string must contain a valid WQL query such as the following query:

             “Select * from Win32_Service where State != Running”

        If the Dialect parameter is set to Association, the Filter parameter must contain a string, and the string must contain a valid filter, such as the following filter:

        -filter:Object=EPR[;AssociationClassName=AssocClassName][;ResultClassName=ClassName][;Role=RefPropertyName][;ResultRole=RefPropertyName]}

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Fragment <string>
        Specifies a section inside the instance that is to be updated or retrieved for the specified operation. For example, to get the status of a spooler service, specify “-Fragment Status”.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -OptionSet <hashtable>
        Passes a set of switches to a service to modify or refine the nature of the request. These are similar to switches used in command-line shells because they are service specific. Any number of options can be specified.

        The following example demonstrates the syntax that passes the values 1, 2, and 3 for the a, b, and c parameters:

             -OptionSet @{a=1;b=2;c=3}

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     true (ByValue, ByPropertyName)
        Accept wildcard characters? false

    -Port <int>
        Specifies the port to use when the client connects to the WinRM service. When the transport is HTTP, the default port is 80. When the transport is HTTPS, the default port is 443. When you use HTTPS as the transport, the value of the ComputerName parameter must match the server’s Certificate common name (CN). However, if the SkipCNCheck parameter is specified as part of the SessionOption parameter, then the Certificate common name of the server does not have to match the host name of the server. The SkipCNCheck parameter should be used only for trusted computers.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -References <switch>
        Indicates that association instances (not associated instances) should be retrieved. You can use this parameter only when the Dialect parameter is set to a value of “Association”.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -ResourceURI <Uri>
        Contains the Uniform Resource Identifier (URI) of the resource class or instance. The URI is used to identify a specific type of resource, such as disks or processes, on a computer.

        A URI consists of a prefix and a path to a resource. For example:

             http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_LogicalDisk
             http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_NumericSensor

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?     true (ByValue, ByPropertyName)
        Accept wildcard characters? false

    -ReturnType <string>
        Specifies the type of data to be returned. The valid values are:

            Object (the default)
            EPR
            ObjectAndEPR

        If Object is specified or if this parameter is not used, only objects are returned. If EPR (endpoint reference) is specified, only the endpoint references of the objects are returned. Endpoint references contain information about the resource URI and the selectors for the instance. If ObjectAndEPR is specified, both the object and its associated endpoint references are returned.

        Required?                    false
        Position?                    named
        Default value                Object
        Accept pipeline input?     false
        Accept wildcard characters? false

    -SelectorSet <hashtable>
        Specifies a set of value pairs that are used to select particular management resource instances. The SelectorSet parameter is used when more than one instance of the resource exists. The value of the SelectorSet parameter must be a hash table.

        The following example shows how to enter a value for this parameter:

            -SelectorSet @{Name=”WinRM”;ID=”yyy”}

        Required?                    true
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -SessionOption <hashtable>
        Defines a set of extended options for the WS-Management session. Enter a SessionOption object that you create by using the New-WSManSessionOption cmdlet. For more information about the options that are available, see New-WSManSessionOption.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Shallow <switch>
        Causes only instances of the base class that is specified in the resource URI to be returned. If this switch is not specified, instances of the base class that is specified in the URI and in all its derived classes is returned.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -UseSSL [<SwitchParameter>]
        Specifies that the Secure Sockets Layer (SSL) protocol should be used to establish a connection to the remote computer. By default, SSL is not used.

        WS-Management encrypts all the Windows PowerShell content that is transmitted over the network. The UseSSL parameter lets you specify the additional protection of HTTPS instead of HTTP. If SSL is not available on the port that is used for the connection and you specify this parameter, the command fails.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type,
        “Get-Help about_CommonParameters“.

INPUTS
    None
        This command does not accept any input.

OUTPUTS
    System.Xml.XmlElement
        The Get-WSManInstance cmdlet generates an XMLElement object.

NOTES

    ————————– EXAMPLE 1 ————————–

    C:\PS>Get-WSManInstance wmicimv2/win32_service -SelectorSet @{name=”winrm”} -ComputerName server01

    xsi                     : http://www.w3.org/2001/XMLSchema-instance
    p                     : http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_Service
    cim                     : http://schemas.dmtf.org/wbem/wscim/1/common
    type                    : p:Win32_Service_Type
    lang                    : en-US
    AcceptPause             : false
    AcceptStop             : true
    Caption                 : Windows Remote Management (WS-Management)
    CheckPoint             : 0
    CreationClassName     : Win32_Service
    Description             : Windows Remote Management (WinRM) service implements the WS-Management protocol for remote
                             management. WS-Management is a standard web services protocol used for remote software and
                             hardware management. The WinRM service listens on the network for WS-Management requests
                             and processes them. The WinRM Service needs to be configured with a listener using the
                             winrm.cmd command line tool or through Group Policy in order for it to listen over the
                             network. The WinRM service provides access to WMI data and enables event collection. Event
                             collection and subscription to events require that the service is running. WinRM messages
                             use HTTP and HTTPS as transports. The WinRM service does not depend on IIS but is
                             preconfigured to share a port with IIS on the same machine. The WinRM service reserves the
                             /wsman URL prefix. To prevent conflicts with IIS, administrators should ensure that any
                             websites hosted on IIS do not use the /wsman URL prefix.
    DesktopInteract         : false
    DisplayName             : Windows Remote Management (WS-Management)
    ErrorControl            : Normal
    ExitCode                : 0
    InstallDate             : InstallDate
    Name                    : winrm
    PathName                : C:\Windows\System32\svchost.exe -k NetworkService
    ProcessId             : 948
    ServiceSpecificExitCode : 0
    ServiceType             : Share Process
    Started                 : true
    StartMode             : Auto
    StartName             : NT AUTHORITY\NetworkService
    State                 : Running
    Status                 : OK
    SystemCreationClassName : Win32_ComputerSystem
    SystemName             : SERVER01
    TagId                 : 0
    WaitHint                : 0

    Description
    ———–
    This command returns all of the information that Windows Management Instrumentation (WMI) exposes about the WinRM service on the remote server01 computer.

    ————————– EXAMPLE 2 ————————–

    C:\PS>Get-WSManInstance wmicimv2/win32_service -SelectorSet @{name=”spooler”} -Fragment status -ComputerName server01

    XmlFragment=OK

    Description
    ———–
    This command returns only the status of the Spooler service on the remote server01 computer.

    ————————– EXAMPLE 3 ————————–

    C:\PS>Get-WSManInstance -enumerate wmicimv2/win32_process

    OSName                     : Microsoft Windows Vista Ultimate |C:\Windows|\Device\Harddisk0\Partition3
    OtherOperationCount        : 11441
    OtherTransferCount         : 428570
    PageFaults                 : 27346
    PageFileUsage             : 16428
    ParentProcessId            : 604
    PeakPageFileUsage         : 17588
    PeakVirtualSize            : 93876224
    PeakWorkingSetSize         : 12472
    Priority                 : 8
    PrivatePageCount         : 16822272
    ProcessId                 : 1160
    QuotaNonPagedPoolUsage     : 14
    QuotaPagedPoolUsage        : 126
    QuotaPeakNonPagedPoolUsage : 16
    QuotaPeakPagedPoolUsage    : 159
    ReadOperationCount         : 29568
    ReadTransferCount         : 1660581404
    SessionId                 : 0
    Status                     : Status
    TerminationDate            : TerminationDate
    ThreadCount                : 23
    UserModeTime             : 763156892
    VirtualSize                : 80846848
    WindowsVersion             : 6.0.6001
    WorkingSetSize             : 11624448
    WriteOperationCount        : 1913
    WriteTransferCount         : 6825768

    xsi                        : http://www.w3.org/2001/XMLSchema-instance
    p                         : http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_Process
    cim                        : http://schemas.dmtf.org/wbem/wscim/1/common
    type                     : p:Win32_Process_Type
    lang                     : en-US
    Caption                    : svchost.exe
    CommandLine                : C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    CreationClassName         : Win32_Process
    CreationDate             : CreationDate
    CSCreationClassName        : Win32_ComputerSystem
    CSName                     : COMPUTER01
    Description                : svchost.exe
    ExecutablePath             : C:\Windows\System32\svchost.exe
    ExecutionState             : ExecutionState
    Handle                     : 1192
    HandleCount                : 832

    …

    Description
    ———–
    This command returns all the instances of the WMI Win32_Process class on the local computer.

    ————————– EXAMPLE 4 ————————–

    C:\PS>Get-WSManInstance -enumerate wmicimv2/win32_service -returntype epr

    xsi                     : http://www.w3.org/2001/XMLSchema-instance
    p                     : http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_Service
    cim                     : http://schemas.dmtf.org/wbem/wscim/1/common
    type                    : p:Win32_Service_Type
    lang                    : en-US
    AcceptPause             : false
    AcceptStop             : false
    Caption                 : Visual Studio 2008 Remote Debugger
    CheckPoint             : 0
    CreationClassName     : Win32_Service
    Description             : Allows members of the Administrators group to remotely debug server applications using Visual
                             Studio 2008. Use the Visual Studio 2008 Remote Debugging Configuration Wizard to enable this
                             service.
    DesktopInteract         : false
    DisplayName             : Visual Studio 2008 Remote Debugger
    ErrorControl            : Ignore
    ExitCode                : 1077
    InstallDate             : InstallDate
    Name                    : msvsmon90
    PathName                : “C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe” /s
                             ervice msvsmon90
    ProcessId             : 0
    ServiceSpecificExitCode : 0
    ServiceType             : Own Process
    Started                 : false
    StartMode             : Disabled
    StartName             : LocalSystem
    State                 : Stopped
    Status                 : OK
    SystemCreationClassName : Win32_ComputerSystem
    SystemName             : COMPUTER01
    TagId                 : 0
    WaitHint                : 0

    …

    Description
    ———–
    This command returns endpoint references that correspond to all the services on the local computer.

    ————————– EXAMPLE 5 ————————–

    C:\PS>Get-WSManInstance -Enumerate wmicimv2/* -filter “select * from win32_service where StartMode = ‘Auto’ and State = ‘Stopped'” -ComputerName server01

    xsi                     : http://www.w3.org/2001/XMLSchema-instance
    p                     : http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_Service
    cim                     : http://schemas.dmtf.org/wbem/wscim/1/common
    type                    : p:Win32_Service_Type
    lang                    : en-US
    AcceptPause             : false
    AcceptStop             : false
    Caption                 : Windows Media Center Service Launcher
    CheckPoint             : 0
    CreationClassName     : Win32_Service
    Description             : Starts Windows Media Center Scheduler and Windows Media Center Receiver services
                             at startup if TV is enabled within Windows Media Center.
    DesktopInteract         : false
    DisplayName             : Windows Media Center Service Launcher
    ErrorControl            : Ignore
    ExitCode                : 0
    InstallDate             : InstallDate
    Name                    : ehstart
    PathName                : C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    ProcessId             : 0
    ServiceSpecificExitCode : 0
    ServiceType             : Share Process
    Started                 : false
    StartMode             : Auto
    StartName             : NT AUTHORITY\LocalService
    State                 : Stopped
    Status                 : OK
    SystemCreationClassName : Win32_ComputerSystem
    SystemName             : Server01
    TagId                 : 0
    WaitHint                : 0

    …

    Description
    ———–
    This command lists all of the services that meet the following criteria on the remote server01 computer:

     – The startup type of the service is “Automatic”.
     – The service is stopped.

    ————————– EXAMPLE 6 ————————–

    C:\PS>Get-WSManInstance winrm/config/listener -SelectorSet @{Address=”*”;Transport=”http”}

    cfg                 : http://schemas.microsoft.com/wbem/wsman/1/config/listener
    xsi                 : http://www.w3.org/2001/XMLSchema-instance
    lang                 : en-US
    Address             : *
    Transport             : HTTP
    Port                 : 80
    Hostname             :
    Enabled             : true
    URLPrefix             : WSMan
    CertificateThumbprint :
    ListeningOn         : {100.0.0.1, 123.123.123.123, ::1, 2001:4898:0:fff:0:5efe:123.123.123.123…}

    Description
    ———–
    This command lists the WS-Management listener configuration on the local computer for the listener that matches the criteria in the selector set.

    ————————– EXAMPLE 7 ————————–

    C:\PS>Get-WSManInstance winrm/config/listener -SelectorSet @{Address=”*”;Transport=”http”} -ComputerName server01

    cfg                 : http://schemas.microsoft.com/wbem/wsman/1/config/listener
    xsi                 : http://www.w3.org/2001/XMLSchema-instance
    lang                 : en-US
    Address             : *
    Transport             : HTTP
    Port                 : 80
    Hostname             :
    Enabled             : true
    URLPrefix             : WSMan
    CertificateThumbprint :
    ListeningOn         : {100.0.0.1, 123.123.123.124, ::1, 2001:4898:0:fff:0:5efe:123.123.123.124…}

    Description
    ———–
    This command lists the WS-Management listener configuration on the remote server01 computer for the listener that matches the criteria in the selector set.

    ————————– EXAMPLE 8 ————————–

    C:\PS>Get-WSManInstance -Enumerate -Dialect association -filter “{Object=win32_service?name=winrm}” -res wmicimv2/*

    xsi                     : http://www.w3.org/2001/XMLSchema-instance
    p                         : http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_ComputerSystem
    cim                     : http://schemas.dmtf.org/wbem/wscim/1/common
    type                     : p:Win32_ComputerSystem_Type
    lang                     : en-US
    AdminPasswordStatus     : 1
    AutomaticManagedPagefile : true
    AutomaticResetBootOption : true
    AutomaticResetCapability : true
    BootOptionOnLimit         : BootOptionOnLimit
    BootOptionOnWatchDog     : BootOptionOnWatchDog
    BootROMSupported         : true
    BootupState             : Normal boot
    Caption                 : SERVER01
    ChassisBootupState        : 3
    CreationClassName         : Win32_ComputerSystem
    CurrentTimeZone         : -480
    DaylightInEffect         : false
    Description             : AT/AT COMPATIBLE
    DNSHostName             : server01
    Domain                    : site01.corp.fabrikam.com
    DomainRole                : 1
    EnableDaylightSavingsTime : true
    FrontPanelResetStatus     : 2
    InfraredSupported         : false
    InstallDate             : InstallDate
    KeyboardPasswordStatus    : 2
    LastLoadInfo             : LastLoadInfo
    Manufacturer             : Dell Inc.
    Model                     : OptiPlex 745
    Name                     : SERVER01
    NameFormat                : NameFormat
    NetworkServerModeEnabled : true
    NumberOfLogicalProcessors : 2
    NumberOfProcessors        : 1
    OEMStringArray            : www.dell.com
    PartOfDomain             : true
    PauseAfterReset         : -1
    PCSystemType             : 5
    PowerManagementSupported : PowerManagementSupported
    PowerOnPasswordStatus     : 1
    PowerState                : 0
    PowerSupplyState         : 3
    PrimaryOwnerContact     : PrimaryOwnerContact
    PrimaryOwnerName         : testuser01
    ResetCapability         : 1
    ResetCount                : -1
    ResetLimit                : -1
    Roles                     : {LM_Workstation, LM_Server, SQLServer, NT}
    Status                    : OK
    SystemStartupDelay        : SystemStartupDelay
    SystemStartupSetting     : SystemStartupSetting
    SystemType                : X86-based PC
    ThermalState             : 3
    TotalPhysicalMemory     : 3217760256
    UserName                 : FABRIKAM\testuser01
    WakeUpType                : 6
    Workgroup                 : Workgroup

    xsi                     : http://www.w3.org/2001/XMLSchema-instance
    p                     : http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_Service
    cim                     : http://schemas.dmtf.org/wbem/wscim/1/common
    type                    : p:Win32_Service_Type
    lang                    : en-US
    AcceptPause             : false
    AcceptStop             : false
    Caption                 : Remote Procedure Call (RPC)
    CheckPoint             : 0
    CreationClassName     : Win32_Service
    Description             : Serves as the endpoint mapper and COM Service Control Manager. If this service is stopped
                             or disabled, programs using COM or Remote Procedure Call (RPC) services will not Function
                             properly.
    DesktopInteract         : false
    DisplayName             : Remote Procedure Call (RPC)
    ErrorControl            : Normal
    ExitCode                : 0
    InstallDate             : InstallDate
    Name                    : RpcSs
    PathName                : C:\Windows\system32\svchost.exe -k rpcss
    ProcessId             : 1100
    ServiceSpecificExitCode : 0
    ServiceType             : Share Process
    Started                 : true
    StartMode             : Auto
    StartName             : NT AUTHORITY\NetworkService
    State                 : Running
    Status                 : OK
    SystemCreationClassName : Win32_ComputerSystem
    SystemName             : SERVER01
    TagId                 : 0
    WaitHint                : 0

    xsi                     : http://www.w3.org/2001/XMLSchema-instance
    p                     : http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_SystemDriver
    cim                     : http://schemas.dmtf.org/wbem/wscim/1/common
    type                    : p:Win32_SystemDriver_Type
    lang                    : en-US
    AcceptPause             : false
    AcceptStop             : true
    Caption                 : HTTP
    CreationClassName     : Win32_SystemDriver
    Description             : HTTP
    DesktopInteract         : false
    DisplayName             : HTTP
    ErrorControl            : Normal
    ExitCode                : 0
    InstallDate             : InstallDate
    Name                    : HTTP
    PathName                : C:\Windows\system32\drivers\HTTP.sys
    ServiceSpecificExitCode : 0
    ServiceType             : Kernel Driver
    Started                 : true
    StartMode             : Manual
    StartName             :
    State                 : Running
    Status                 : OK
    SystemCreationClassName : Win32_ComputerSystem
    SystemName             : SERVER01
    TagId                 : 0

    Description
    ———–
    This command gets the associated instances that are related to the specified instance (winrm).

    Important: You must enclose the filter in quotation marks, as shown in the example.

    ————————– EXAMPLE 9 ————————–

    C:\PS>Get-WSManInstance -Enumerate -Dialect association -References -filter “{Object=win32_service?name=winrm}” -res wmicimv2/*

    Description
    ———–
    This command gets association instances that are related to the specified instance (winrm). Because the Dialect parameter is set to “association” and the Reference parameter is used, this command returns association instances, not associated instances.

    Important: You must enclose the filter in quotation marks, as shown in the example.

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkId=141444
    Connect-WSMan
    Disable-WSManCredSSP
    Disconnect-WSMan
    Enable-WSManCredSSP
    Get-WSManCredSSP
    Invoke-WSManAction
    New-WSManInstance
    New-WSManSessionOption
    Remove-WSManInstance
    Set-WSManInstance
    Set-WSManQuickConfig
    Test-WSMan

cmdlet, Get, WSManCredSSP

Get-WSManCredSSP

NAME
    Get-WSManCredSSP

SYNOPSIS
    Gets the Credential Security Service Provider-related configuration for the client.

SYNTAX
    Get-WSManCredSSP [<CommonParameters>]

DESCRIPTION
    The Get-WSManCredSPP cmdlet gets the Credential Security Service Provider-related configuration of the client and the server. The output indicates whether Credential Security Service Provider (CredSSP) authentication is enabled or disabled. It also displays configuration information for the AllowFreshCredentials policy of CredSSP. When you use CredSSP authentication, the user’s credentials are passed to a remote computer to be authenticated. This type of authentication is designed for commands that create a remote session from within another remote session. For example, you use this type of authentication if you want to run a background job on a remote computer.

    The cmdlet performs the following actions:

        – Gets the WS-Management CredSSP setting on the client (<localhost|computername>\Client\Auth\CredSSP).
        – Gets the Windows CredSSP policy setting AllowFreshCredentials.
        – Gets the WS-Management CredSSP setting on the server (<localhost|computername>\Service\Auth\CredSSP).

    Caution: CredSSP authentication delegates the user’s credentials from the local computer to a remote computer. This practice increases the security risk of the remote operation. If the remote computer is compromised, when credentials are passed to it, the credentials can be used to control the network session.

    To disable CredSSP authentication, use the Disable-WSManCredSSP cmdlet. To enable CredSSP authentication, use the Enable-WSManCredSSP cmdlet.

PARAMETERS
    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type,
        “Get-Help about_CommonParameters“.

INPUTS
    None
        This cmdlet does not accept any input.

OUTPUTS
    None
        This cmdlet does not generate any output.

NOTES

    ————————– EXAMPLE 1 ————————–

    C:\PS>Get-WSManCredSSP

    Description
    ———–
    This command displays CredSSP configuration information for both the client and server.

    The output identifies that this computer is or is not configured for CredSSP.

    If the computer is configured for CredSSP, this is the output:

    “The machine is configured to allow delegating fresh credentials to the following target(s): WSMan/server02.accounting.fabrikam.com”

    If the computer is not configured for CredSSP, this is the output:

    “The machine is not configured to allow delegating fresh credentials.”

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkId=141443
    Connect-WSMan
    Disable-WSManCredSSP
    Disconnect-WSMan
    Enable-WSManCredSSP
    Get-WSManInstance
    Invoke-WSManAction
    New-WSManInstance
    New-WSManSessionOption
    Remove-WSManInstance
    Set-WSManInstance
    Set-WSManQuickConfig
    Test-WSMan

cmdlet, Get, WmiObject

Get-WmiObject

NAME
    Get-WmiObject

SYNOPSIS
    Gets instances of Windows Management Instrumentation (WMI) classes or information about the available classes.

SYNTAX
    Get-WmiObject [-Authority <string>] [-Amended] [-AsJob] [-Authentication {Default | None | Connect | Call | Packet | PacketIntegrity | PacketPrivacy | Unchanged}] [-ComputerName <string[]>] [-Credential <PSCredential>] [-EnableAllPrivileges] [-Impersonation {Default | Anonymous | Identify | Impersonate | Delegate}] [-Locale <string>] [-Namespace <string>] [-ThrottleLimit <int>] [<CommonParameters>]

    Get-WmiObject [[-Class] <string>] [-Authority <string>] [-List] [-Recurse] [-Amended] [-AsJob] [-Authentication {Default | None | Connect | Call | Packet | PacketIntegrity | PacketPrivacy | Unchanged}] [-ComputerName <string[]>] [-Credential <PSCredential>] [-EnableAllPrivileges] [-Impersonation {Default | Anonymous | Identify | Impersonate | Delegate}] [-Locale <string>] [-Namespace <string>] [-ThrottleLimit <int>] [<CommonParameters>]

    Get-WmiObject [-Authority <string>] [-Amended] [-AsJob] [-Authentication {Default | None | Connect | Call | Packet | PacketIntegrity | PacketPrivacy | Unchanged}] [-ComputerName <string[]>] [-Credential <PSCredential>] [-EnableAllPrivileges] [-Impersonation {Default | Anonymous | Identify | Impersonate | Delegate}] [-Locale <string>] [-Namespace <string>] [-ThrottleLimit <int>] [<CommonParameters>]

    Get-WmiObject [-Class] <string> [[-Property] <string[]>] [-Authority <string>] [-DirectRead] [-Filter <string>] [-Amended] [-AsJob] [-Authentication {Default | None | Connect | Call | Packet | PacketIntegrity | PacketPrivacy | Unchanged}] [-ComputerName <string[]>] [-Credential <PSCredential>] [-EnableAllPrivileges] [-Impersonation {Default | Anonymous | Identify | Impersonate | Delegate}] [-Locale <string>] [-Namespace <string>] [-ThrottleLimit <int>] [<CommonParameters>]

    Get-WmiObject -Query <string> [-Authority <string>] [-DirectRead] [-Amended] [-AsJob] [-Authentication {Default | None | Connect | Call | Packet | PacketIntegrity | PacketPrivacy | Unchanged}] [-ComputerName <string[]>] [-Credential <PSCredential>] [-EnableAllPrivileges] [-Impersonation {Default | Anonymous | Identify | Impersonate | Delegate}] [-Locale <string>] [-Namespace <string>] [-ThrottleLimit <int>] [<CommonParameters>]

DESCRIPTION
    The Get-WmiObject cmdlet gets instances of WMI classes or information about the available WMI classes. The ComputerName parameter can always be used to specify a remote computer. If the List parameter is specified, the cmdlet gets information about the WMI classes that are available in a specified namespace. If the Query parameter is specified, the cmdlet runs a WMI query language (WQL) statement.

    The Get-WmiObject cmdlet does not use the Windows PowerShell remoting infrastructure to perform remote operations. You can use the ComputerName parameter of the Get-WmiObject cmdlet even if your computer does not meet the requirements for Windows PowerShell remoting and even if your computer is not configured for remoting in Windows PowerShell.

PARAMETERS
    -Amended [<SwitchParameter>]
        Gets or sets a value that indicates whether the objects that are returned from WMI should contain amended information. Typically, amended information is localizable information, such as object and property descriptions, that is attached to the WMI object..

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -AsJob [<SwitchParameter>]
        Runs the command as a background job. Use this parameter to run commands that take a long time to finish.

        When you use the AsJob parameter, the command returns an object that represents the background job and then displays the command prompt. You can continue to work in the session while the job finishes. If Get-WmiObject is used against a remote computer, the job is created on the local computer, and the results from remote computers are automatically returned to the local computer. To manage the job, use the cmdlets that contain the Job noun (the Job cmdlets). To get the job results, use the Receive-Job cmdlet.

        Note: To use this parameter with remote computers, the local and remote computers must be configured for remoting. Additionally, you must start Windows PowerShell by using the “Run as administrator” option in Windows Vista and later versions of Windows,. For more information, see about_remote_requirements.

        For more information about Windows PowerShell background jobs, see about_jobs and about_remote_Jobs.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Authentication <AuthenticationLevel>
        Specifies the authentication level to be used with the WMI connection. Valid values are:

        -1: Unchanged
        0: Default
        1: None (No authentication in performed.)
        2: Connect (Authentication is performed only when the client establishes a relationship with the application.)
        3: Call (Authentication is performed only at the beginning of each call when the application receives the request.)
        4: Packet (Authentication is performed on all the data that is received from the client.)
        5: PacketIntegrity (All the data that is transferred between the client and the application is authenticated and verified.)
        6: PacketPrivacy (The properties of the other authentication levels are used, and all the data is encrypted.)

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Authority <string>
        Specifies the authority to use to authenticate the WMI connection. You can specify standard NTLM or Kerberos authentication. To use NTLM, set the authority setting to ntlmdomain:<DomainName>, where <DomainName> identifies a valid NTLM domain name. To use Kerberos, specify kerberos:<DomainName>\<ServerName>”. You cannot include the authority setting when you connect to the local computer.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Class <string>
        Specifies the name of a WMI class. When this parameter is used, the cmdlet retrieves instances of the WMI class.

        Required?                    false
        Position?                    2
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -ComputerName <string[]>
        Specifies the computer against which you want to run the management operation. The value can be a fully qualified domain name, a NetBIOS name, or an IP address. Use the local computer name, use localhost, or use a dot (.) to specify the local computer. The local computer is the default. When the remote computer is in a different domain from the user, you must use a fully qualified domain name. This parameter can also be piped to the cmdlet.

        This parameter does not rely on Windows PowerShell remoting, which uses WS-Management ). You can use the ComputerName parameter of Get-WmiObject even if your computer is not configured to run WS-Management remote commands.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Credential <PSCredential>
        Specifies a user account that has permission to perform this action. The default is the current user. Type a user name, such as “User01”, “Domain01\User01”, or User@Contoso.com. Or, enter a PSCredential object, such as an object that is returned by the Get-Credential cmdlet. When you type a user name, you will be prompted for a password.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -DirectRead [<SwitchParameter>]
        Specifies whether direct access to the WMI provider is requested for the specified class without any regard to its base class or to its derived classes.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -EnableAllPrivileges [<SwitchParameter>]
        Enables all the privileges of the current user before the command makes the WMI call.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Filter <string>
        Specifies a Where clause to use as a filter. Uses the syntax of the WMI Query Language (WQL).

        Important: Do not include the Where keyword in the value of the parameter. For example, the following commands return only the logical disks that where the DeviceID equals ‘c:’ and the services where the name equals ‘WinRM’, without using the Where keyword:

        Get-WmiObject Win32_LogicalDisk -Filter “DeviceID = ‘c:’ ”
        Get-WmiObject win32_service -Filter “name=’WinRM'”

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Impersonation <ImpersonationLevel>
        Specifies the impersonation level to use. Valid values are:

        0: Default (reads the local Registry for the default impersonation level , which is usually set to “3: Impersonate”.)
        1: Anonymous (Hides the credentials of the caller.)
        2: Identify (Allows objects to query the credentials of the caller.)
        3: Impersonate (Allows objects to use the credentials of the caller.)
        4: Delegate (Allows objects to permit other objects to use the credentials of the caller.)

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -List [<SwitchParameter>]
        Specifies whether to retrieve and display the names of the WMI classes in the WMI repository namespace that is specified in the Namespace parameter. The Default Namespace Registry entry in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Scripting Registry key is not used by this cmdlet to determine the default namespace. If you specify the List parameter but not the Namespace parameter, the root\CIMV2 namespace is used by default.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Locale <string>
        Specifies the preferred locale for WMI objects. Specify the value of the Locale parameter as an array in the MS_<LCID> format in the preferred order .

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Namespace <string>
        When used with the Class parameter, this parameter specifies the WMI repository namespace where the referenced WMI class is located. When used with the List parameter, it specifies the namespace from which to gather WMI class information.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Property <string[]>
        Specifies the WMI class property or set of properties to retrieve.

        Required?                    false
        Position?                    2
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Query <string>
        Specifies a WMI Query Language (WQL) statement to run. Event queries are not supported by this parameter.

        Required?                    true
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Recurse [<SwitchParameter>]
        Makes the command search the current namespace and all other namespaces for the class name that is specified in the Class parameter.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -ThrottleLimit <int>
        Allows the user to specify a throttling value for the number of WMI operations that can be executed simultaneously. This parameter is used together with the AsJob parameter.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type,
        “Get-Help about_CommonParameters“.

INPUTS
    None
        You cannot pipe input to Get-WmiObject.

OUTPUTS
    PSObject or System.Management.Automation.RemotingJob
        When you use the AsJob parameter, the cmdlet returns a job object. Otherwise, the object that Get-WmiObject returns depends on the value of the Class parameter.

NOTES

        To access WMI information on a remote computer, the cmdlet must run under an account that is a member of the local administrators group on the remote computer. Alternatively, the default access control on the WMI namespace of the remote repository can be changed to give other account access rights.

        By default, only some of the properties of a WMI class are displayed. The set of properties that will be displayed for each WMI class is specified in the Types.ps1xml configuration file. One of the examples included in this Help topic demonstrates how to override this behavior by using the Format-List cmdlet.

    ————————– EXAMPLE 1 ————————–

    C:\PS>Get-WmiObject win32_process

    __GENUS                    : 2
    __CLASS                    : Win32_Process
    __SUPERCLASS             : CIM_Process
    __DYNASTY                 : CIM_ManagedSystemElement
    __RELPATH                 : Win32_Process.Handle=”0″
    __PROPERTY_COUNT         : 45
    __DERIVATION             : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}
    __SERVER                 : SYSTEM01
    __NAMESPACE                : root\cimv2
    __PATH                     : \\SYSTEM01\root\cimv2:Win32_Process.Handle=”0″
    Caption                    : System Idle Process
    CommandLine                :
    CreationClassName         : Win32_Process
    CreationDate             :
    CSCreationClassName        : Win32_ComputerSystem
    CSName                     : SYSTEM01
    Description                : System Idle Process
    ExecutablePath             :
    ExecutionState             :
    Handle                     : 0
    HandleCount                : 0
    InstallDate                :
    KernelModeTime             : 6138394740432
    MaximumWorkingSetSize     :
    MinimumWorkingSetSize     :
    Name                     : System Idle Process
    OSCreationClassName        : Win32_OperatingSystem
    OSName                     : Microsoftr Windows VistaT Ultimate |C:\Windows|\Device\Harddisk0\Partition3
    OtherOperationCount        : 0
    OtherTransferCount         : 0
    PageFaults                 : 0
    PageFileUsage             : 0
    ParentProcessId            : 0
    PeakPageFileUsage         : 0
    PeakVirtualSize            : 0
    PeakWorkingSetSize         : 0
    Priority                 : 0
    PrivatePageCount         : 0
    ProcessId                 : 0
    QuotaNonPagedPoolUsage     : 0
    QuotaPagedPoolUsage        : 0
    QuotaPeakNonPagedPoolUsage : 0
    QuotaPeakPagedPoolUsage    : 0
    ReadOperationCount         : 0
    ReadTransferCount         : 0
    SessionId                 : 0
    Status                     :
    TerminationDate            :
    ThreadCount                : 2
    UserModeTime             : 0
    VirtualSize                : 0
    WindowsVersion             : 6.0.6001
    WorkingSetSize             : 24576
    WriteOperationCount        : 0
    WriteTransferCount         : 0
    ProcessName                : System Idle Process
    Handles                    : 0
    VM                         : 0
    WS                         : 24576
    Path                     :

    …

    Description
    ———–
    This command displays information about all the processes that are running on a computer.

    ————————– EXAMPLE 2 ————————–

    C:\PS>Get-WmiObject win32_service -ComputerName 127.0.0.1

    __GENUS                    : 2
    __CLASS                    : Win32_Process
    __SUPERCLASS             : CIM_Process
    __DYNASTY                 : CIM_ManagedSystemElement
    __RELPATH                 : Win32_Process.Handle=”0″
    __PROPERTY_COUNT         : 45
    __DERIVATION             : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}
    __SERVER                 : SYSTEM02
    __NAMESPACE                : root\cimv2
    __PATH                     : \\SYSTEM02\root\cimv2:Win32_Process.Handle=”0″
    Caption                    : System Idle Process
    CommandLine                :
    CreationClassName         : Win32_Process
    CreationDate             :
    CSCreationClassName        : Win32_ComputerSystem
    CSName                     : SYSTEM02
    Description                : System Idle Process
    ExecutablePath             :
    ExecutionState             :
    Handle                     : 0
    HandleCount                : 0
    InstallDate                :
    KernelModeTime             : 6138394740432
    MaximumWorkingSetSize     :
    MinimumWorkingSetSize     :
    Name                     : System Idle Process
    OSCreationClassName        : Win32_OperatingSystem
    OSName                     : Microsoftr Windows VistaT Ultimate |C:\Windows|\Device\Harddisk0\Partition3
    OtherOperationCount        : 0
    OtherTransferCount         : 0
    PageFaults                 : 0
    PageFileUsage             : 0
    ParentProcessId            : 0
    PeakPageFileUsage         : 0
    PeakVirtualSize            : 0
    PeakWorkingSetSize         : 0
    Priority                 : 0
    PrivatePageCount         : 0
    ProcessId                 : 0
    QuotaNonPagedPoolUsage     : 0
    QuotaPagedPoolUsage        : 0
    QuotaPeakNonPagedPoolUsage : 0
    QuotaPeakPagedPoolUsage    : 0
    ReadOperationCount         : 0
    ReadTransferCount         : 0
    SessionId                 : 0
    Status                     :
    TerminationDate            :
    ThreadCount                : 2
    UserModeTime             : 0
    VirtualSize                : 0
    WindowsVersion             : 6.0.6001
    WorkingSetSize             : 24576
    WriteOperationCount        : 0
    WriteTransferCount         : 0
    ProcessName                : System Idle Process
    Handles                    : 0
    VM                         : 0
    WS                         : 24576
    Path                     :

    …

    Description
    ———–
    This command displays information about the services on the remote computer. It displays the information by specifying the Internet Protocol (IP) address 127.0.0.1. You can change this IP address to any other valid IP address on your network so that you can display information about the services on that remote computer. By default, the account you are running under must be a member of the local administrators group on the remote computer that you specify .

    ————————– EXAMPLE 3 ————————–

    C:\PS>Get-WmiObject -Namespace “root/default” -list

     NameSpace: ROOT\default

    Name                                Methods             Properties
    —-                                ——-             ———-
    __NotifyStatus                     {}                 {StatusCode}
    __ExtendedStatus                    {}                 {Description, Operation, ParameterInfo, ProviderName…}
    __SecurityRelatedClass             {}                 {}
    __Trustee                         {}                 {Domain, Name, SID, SidLength…}
    __NTLMUser9X                        {}                 {Authority, Flags, Mask, Name…}
    __ACE                             {}                 {AccessMask, AceFlags, AceType, GuidInheritedObjectType…}
    __SecurityDescriptor                {}                 {ControlFlags, DACL, Group, Owner…}
    __PARAMETERS                        {}                 {}
    __SystemClass                     {}                 {}
    __ProviderRegistration             {}                 {provider}
    __EventProviderRegistration         {}                 {EventQueryList, provider}
    __ObjectProviderRegistration        {}                 {InteractionType, provider, QuerySupportLevels, SupportsBat…
    __ClassProviderRegistration         {}                 {CacheRefreshInterval, InteractionType, PerUserSchema, prov…
    __InstanceProviderRegistration     {}                 {InteractionType, provider, QuerySupportLevels, SupportsBat…
    __MethodProviderRegistration        {}                 {provider}
    __PropertyProviderRegistration     {}                 {provider, SupportsGet, SupportsPut}
    __EventConsumerProviderRegistration {}                 {ConsumerClassNames, provider}
    __thisNAMESPACE                     {}                 {SECURITY_DESCRIPTOR}
    __NAMESPACE                         {}                 {Name}
    __IndicationRelated                 {}                 {}
    __FilterToConsumerBinding         {}                 {Consumer, CreatorSID, DeliverSynchronously, DeliveryQoS…}
    __EventConsumer                     {}                 {CreatorSID, MachineName, MaximumQueueSize}
    LogFileEventConsumer                {}                 {CreatorSID, Filename, IsUnicode, MachineName…}
    ActiveScriptEventConsumer         {}                 {CreatorSID, KillTimeout, MachineName, MaximumQueueSize…}
    NTEventLogEventConsumer             {}                 {Category, CreatorSID, EventID, EventType…}
    SMTPEventConsumer                 {}                 {BccLine, CcLine, CreatorSID, FromLine…}
    CommandLineEventConsumer            {}                 {CommandLineTemplate, CreateNewConsole, CreateNewProcessGro…
    __AggregateEvent                    {}                 {NumberOfEvents, Representative}
    __TimerNextFiring                 {}                 {NextEvent64BitTime, TimerId}
    __EventFilter                     {}                 {CreatorSID, EventAccess, EventNamespace, Name…}
    __Event                             {}                 {SECURITY_DESCRIPTOR, TIME_CREATED}
    __NamespaceOperationEvent         {}                 {SECURITY_DESCRIPTOR, TargetNamespace, TIME_CREATED}
    __NamespaceModificationEvent        {}                 {PreviousNamespace, SECURITY_DESCRIPTOR, TargetNamespace, T…
    __NamespaceDeletionEvent            {}                 {SECURITY_DESCRIPTOR, TargetNamespace, TIME_CREATED}
    __NamespaceCreationEvent            {}                 {SECURITY_DESCRIPTOR, TargetNamespace, TIME_CREATED}
    __ClassOperationEvent             {}                 {SECURITY_DESCRIPTOR, TargetClass, TIME_CREATED}
    __ClassDeletionEvent                {}                 {SECURITY_DESCRIPTOR, TargetClass, TIME_CREATED}
    __ClassModificationEvent            {}                 {PreviousClass, SECURITY_DESCRIPTOR, TargetClass, TIME_CREA…
    __ClassCreationEvent                {}                 {SECURITY_DESCRIPTOR, TargetClass, TIME_CREATED}
    __InstanceOperationEvent            {}                 {SECURITY_DESCRIPTOR, TargetInstance, TIME_CREATED}
    __InstanceCreationEvent             {}                 {SECURITY_DESCRIPTOR, TargetInstance, TIME_CREATED}

    …

    Description
    ———–
    This command displays the WMI classes in the root or default namespace of the local computer.

    ————————– EXAMPLE 4 ————————–

    C:\PS>Get-WmiObject -query “select * from win32_service where name=’WinRM'” -ComputerName server01, server02

    ExitCode : 0
    Name     : WinRM
    ProcessId : 1708
    StartMode : Auto
    State     : Running
    Status    : OK

    ExitCode : 0
    Name     : WinRM
    ProcessId : 948
    StartMode : Auto
    State     : Running
    Status    : OK

    Description
    ———–
    This command displays information about the WinRM service on the computers that are specified in the ComputerName parameter.

    ————————– EXAMPLE 5 ————————–

    C:\PS>(Get-WmiObject win32_service -Filter “name=’WinRM'” -ComputerName server01).StopService()

    __GENUS         : 2
    __CLASS         : __PARAMETERS
    __SUPERCLASS     :
    __DYNASTY        : __PARAMETERS
    __RELPATH        :
    __PROPERTY_COUNT : 1
    __DERIVATION     : {}
    __SERVER         :
    __NAMESPACE     :
    __PATH         :
    ReturnValue     : 0

    Another query using Get-WmiObject -query “select * from win32_service where name=’WinRM'” -ComputerName server01, shows the service as stopped.

    ExitCode : 0
    Name     : WinRM
    ProcessId : 0
    StartMode : Auto
    State     : Stopped
    Status    : OK

    Description
    ———–
    This command stops the WinRM service on the Server01 remote computer. The command uses the standard Get-WmiObject command and adds a call to the StopService method of the Win32_Service WMI class.

    ————————– EXAMPLE 6 ————————–

    C:\PS>Get-WmiObject win32_bios | Format-List *

    Status                : OK
    Name                 : Phoenix ROM BIOS PLUS Version 1.10 2.3.1
    Caption             : Phoenix ROM BIOS PLUS Version 1.10 2.3.1
    SMBIOSPresent         : True
    __GENUS             : 2
    __CLASS             : Win32_BIOS
    __SUPERCLASS         : CIM_BIOSElement
    __DYNASTY             : CIM_ManagedSystemElement
    __RELPATH             : Win32_BIOS.Name=”Phoenix ROM BIOS PLUS Version 1.10 2.3.1 “,SoftwareElementID=”Phoenix ROM BIOS
                             PLUS Version 1.10 2.3.1 “,SoftwareElementState=3,TargetOperatingSystem=0,Version=”DELL – 14”
    __PROPERTY_COUNT     : 27
    __DERIVATION         : {CIM_BIOSElement, CIM_SoftwareElement, CIM_LogicalElement, CIM_ManagedSystemElement}
    __SERVER             : SERVER01
    __NAMESPACE         : root\cimv2
    __PATH                : \\SERVER01\root\cimv2:Win32_BIOS.Name=”Phoenix ROM BIOS PLUS Version 1.10 2.3.1 “,Software
                            ElementID=”Phoenix ROM BIOS PLUS Version 1.10 2.3.1 “,SoftwareElementState=3,TargetOperatingSys
                            tem=0,Version=”DELL – 14”
    BiosCharacteristics : {7, 9, 10, 11…}
    BIOSVersion         : {DELL – 14, Phoenix ROM BIOS PLUS Version 1.10 2.3.1 , Phoenix ROM BIOS PLUS Version 1.10 2.3
                            .1 , Phoenix ROM BIOS PLUS Version 1.10 2.3.1 }
    BuildNumber         :
    CodeSet             :
    CurrentLanguage     : en|US|iso8859-1
    Description         : Phoenix ROM BIOS PLUS Version 1.10 2.3.1
    IdentificationCode    :
    InstallableLanguages : 1
    InstallDate         :
    LanguageEdition     :
    ListOfLanguages     : {en|US|iso8859-1}
    Manufacturer         : Dell Inc.
    OtherTargetOS         :
    PrimaryBIOS         : True
    ReleaseDate         : 20070521000000.000000+000
    SerialNumber         : 8PWRVD1
    SMBIOSBIOSVersion     : 2.3.1
    SMBIOSMajorVersion    : 2
    SMBIOSMinorVersion    : 3
    SoftwareElementID     : Phoenix ROM BIOS PLUS Version 1.10 2.3.1
    SoftwareElementState : 3
    TargetOperatingSystem : 0
    Version             : DELL – 14
    Scope                 : System.Management.ManagementScope
    Path                 : \\SERVER01\root\cimv2:Win32_BIOS.Name=”Phoenix ROM BIOS PLUS Version 1.10 2.3.1 “,Software
                            ElementID=”Phoenix ROM BIOS PLUS Version 1.10 2.3.1 “,SoftwareElementState=3,TargetOperatingSys
                            tem=0,Version=”DELL – 14”
    Options             : System.Management.ObjectGetOptions
    ClassPath             : \\SERVER01\root\cimv2:Win32_BIOS
    Properties            : {BiosCharacteristics, BIOSVersion, BuildNumber, Caption…}
    SystemProperties     : {__GENUS, __CLASS, __SUPERCLASS, __DYNASTY…}
    Qualifiers            : {dynamic, Locale, provider, UUID}
    Site                 :
    Container             :

    Description
    ———–
    This command displays BIOS information. It displays all the properties of the WMI class, not just the properties that are specified in the Types.ps1xml configuration file.

    ————————– EXAMPLE 7 ————————–

    C:\PS>Get-WmiObject win32_service -Credential FABRIKAM\administrator -computer fabrikam

    ExitCode : 0
    Name     : AeLookupSvc
    ProcessId : 0
    StartMode : Manual
    State     : Stopped
    Status    : OK

    ExitCode : 1077
    Name     : ALG
    ProcessId : 0
    StartMode : Manual
    State     : Stopped
    Status    : OK

    ExitCode : 1077
    Name     : AppIDSvc
    ProcessId : 0
    StartMode : Manual
    State     : Stopped
    Status    : OK

    ExitCode : 0
    Name     : Appinfo
    ProcessId : 888
    StartMode : Manual
    State     : Running
    Status    : OK

    ExitCode : 1077
    Name     : AppMgmt
    ProcessId : 0
    StartMode : Manual
    State     : Stopped
    Status    : OK

    …

    Description
    ———–
    This command displays service information on a computer named Fabrikam. It specifies a user account name by using the Credential parameter, which causes a dialog box to be displayed in which you enter the corresponding password.

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkID=113337
    Invoke-WmiMethod
    Remove-WmiObject
    Set-WmiInstance
    Get-WSManInstance
    Invoke-WSManAction
    New-WSManInstance
    Remove-WSManInstance

cmdlet, Get, WinEvent

Get-WinEvent

NAME
    Get-WinEvent

SYNOPSIS
    Gets events from event logs and event tracing log files on local and remote computers.

SYNTAX
    Get-WinEvent [-LogName] <string[]> [-ComputerName <string>] [-Credential <PSCredential>] [-FilterXPath <string>] [-Force <switch>] [-MaxEvents <int64>] [-Oldest] [<CommonParameters>]

    Get-WinEvent [-Path] <string[]> [-ComputerName <string>] [-Credential <PSCredential>] [-FilterXPath <string>] [-Force <switch>] [-MaxEvents <int64>] [-Oldest] [<CommonParameters>]

    Get-WinEvent [-ProviderName] <string[]> [-ComputerName <string>] [-Credential <PSCredential>] [-FilterXPath <string>] [-Force <switch>] [-MaxEvents <int64>] [-Oldest] [<CommonParameters>]

    Get-WinEvent -FilterHashTable <Hashtable[]> [-ComputerName <string>] [-Credential <PSCredential>] [-Force <switch>] [-MaxEvents <int64>] [-Oldest] [<CommonParameters>]

    Get-WinEvent [-ListLog] <string[]> [-ComputerName <string>] [-Credential <PSCredential>] [<CommonParameters>]

    Get-WinEvent [-ListProvider] <string[]> [-ComputerName <string>] [-Credential <PSCredential>] [<CommonParameters>]

    Get-WinEvent -FilterXml <XmlDocument> [-ComputerName <string>] [-Credential <PSCredential>] [-Force <switch>] [-MaxEvents <int64>] [-Oldest] [<CommonParameters>]

DESCRIPTION
    The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs, and the event logs that are generated by the new Windows Event Log technology introduced in Windows Vista. It also gets events in log files generated by Event Tracing for Windows (ETW).

    Without parameters, a Get-WinEvent command gets all the events from all the event logs on the computer. To interrupt the command, press CTRL + C.

    Get-WinEvent also lists event logs and event log providers. You can get events from selected logs or from logs generated by selected event providers. And, you can combine events from multiple sources in a single command. Get-WinEvent allows you to filter events by using XPath queries, structured XML queries, and simplified hash-table queries.

    Note: Get-WinEvent requires Windows Vista, Windows Server 2008 R2, or later versions of Windows. And, it requires the Microsoft .NET Framework 3.5 or a later version.

PARAMETERS
    -ComputerName <string>
        Gets events from the event logs on the specified computer. Type the NetBIOS name, an Internet Protocol (IP) address, or the fully qualified domain name of the computer. The default value is the local computer.

        This parameter accepts only one computer name at a time. To find event logs or events on multiple computers, use a ForEach statement. For more information about this parameter, see the examples.

        To get events and event logs from remote computers, the firewall port for the event log service must be configured to allow remote access.

        This parameter does not rely on Windows PowerShell remoting. You can use the ComputerName parameter even if your computer is not configured to run remote commands.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Credential <PSCredential>
        Specifies a user account that has permission to perform this action. The default value is the current user.

        Type a user name, such as User01 or Domain01\User01. Or, enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. If you type only the parameter name, you will be prompted for both a user name and a password.

        Required?                    false
        Position?                    named
        Default value                Current user
        Accept pipeline input?     false
        Accept wildcard characters? false

    -FilterHashTable <Hashtable[]>
        Uses a query in hash table format to select events from one or more event logs. The query contains a hash table with one or more key-value pairs.

        Hash table queries have the following rules:
        — Keys and values are case-insensitive.
        — Wildcard characters are valid only in the values associated with the LogName and ProviderName keys.
        — Each key can be listed only once in each hash-table.
        — The Path value takes paths to .etl, .evt, and .evtx log files.
        — The LogName, Path, and ProviderName keys can be used in the same query.
        — The UserID key can take a valid security identifier (SID) or a domain account name that can be used to construct a valid System.Security.Principal.NTAccount object.
        — The Data value takes event data in an unnamed field. This is for events in classic event logs.
        — The * key represents a named event data field.
        When Get-WinEvent cannot interpret a key-value pair, it interprets the key as a case-sensitive name for the event data in the event.

        The valid key-value pairs are as follows:
        — LogName=<String[]>
        — ProviderName=<String[]>
        — Path=<String[]>
        — Keywords=<Long[]>
        — ID=<Int32[]>
        — Level=<Int32[]>
        — StartTime=<DateTime>
        — EndTime=<DataTime>
        — UserID=<SID>
        — Data=<String[]>
        — *=<String[]>

        Required?                    true
        Position?                    named
        Default value
        Accept pipeline input?     true (ByValue)
        Accept wildcard characters? false

    -FilterXml <XmlDocument>
        Uses a structured XML query to select events from one or more event logs.

        To generate a valid XML query, use the Create Custom View and Filter Current Log features in Event Viewer. Use the items in the dialog box to create a query, and then click the XML tab to view the query in XML format. You can copy the XML from the XML tab into the value of the FilterXml parameter. For more information about the Event Viewer features, see Event Viewer Help.

        Typically, you use an XML query to create a complex query that contains several XPath statements. The XML format also allows you to use a “Suppress” XML element that excludes events from the query. For more information about the XML schema for event log queries, see the following topics in the MSDN (Microsoft Developer Network) library.

        — “Query Schema”: http://go.microsoft.com/fwlink/?LinkId=143685

        — “XML Event Queries” in “Event Selection”: http://go.microsoft.com/fwlink/?LinkID=143608

        Required?                    true
        Position?                    named
        Default value                None
        Accept pipeline input?     true (ByValue)
        Accept wildcard characters? false

    -FilterXPath <string>
        Uses an XPath query to select events from one or more logs.

        For more information about the XPath language, see “Selection Filters” in “Event Selection” and in the “XPath Reference” in the MSDN library.

        Required?                    false
        Position?                    named
        Default value                None
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Force <switch>
        Gets debug and analytic logs, in addition to other event logs. The Force parameter is required to get a debug or analytic log when the value of the name parameter includes wildcard characters.

        By default, Get-WinEvent excludes these logs unless you specify the full name of a debug or analytic log.

        Required?                    false
        Position?                    named
        Default value                Debugging and analytic logs are not returned in response to queries that use wildcard characters.
        Accept pipeline input?     false
        Accept wildcard characters? false

    -ListLog <string[]>
        Gets the specified event logs. Enter the event log names in a comma-separated list. Wildcards are permitted. To get all the logs, enter a value of *.

        Required?                    true
        Position?                    1
        Default value                None
        Accept pipeline input?     false
        Accept wildcard characters? true

    -ListProvider <string[]>
        Gets the specified event log providers. An event log provider is a program or service that writes events to the event log.

        Enter the provider names in a comma-separated list. Wildcards are permitted. To get the providers of all the event logs on the computer, enter a value of *.

        Required?                    true
        Position?                    1
        Default value                None
        Accept pipeline input?     false
        Accept wildcard characters? true

    -LogName <string[]>
        Gets events from the specified event logs. Enter the event log names in a comma-separated list. Wildcards are permitted. You can also pipe log names to Get-WinEvent.

        Required?                    true
        Position?                    1
        Default value                None
        Accept pipeline input?     true (ByValue)
        Accept wildcard characters? true

    -MaxEvents <int64>
        Specifies the maximum number of events that Get-WinEvent returns. Enter an integer. The default is to return all the events in the logs or files.

        Required?                    false
        Position?                    named
        Default value                All events
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Oldest [<SwitchParameter>]
        Returns the events in oldest-first order. By default, events are returned in newest-first order.

        This parameter is required to get events from .etl and .evt files and from debug and analytic logs. In these files, events are recorded in oldest-first order, and the events can be returned only in oldest-first order.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Path <string[]>
        Gets events from the specified event log files. Enter the paths to the log files in a comma-separated list, or use wildcard characters to create file path patterns.

        Get-WinEvent supports files with the .evt, .evtx, and .etl file name extensions. You can include events from different files and file types in the same command.

        Required?                    true
        Position?                    1
        Default value                None
        Accept pipeline input?     false
        Accept wildcard characters? true

    -ProviderName <string[]>
        Gets events written by the specified event log providers. Enter the provider names in a comma-separated list, or use wildcard characters to create provider name patterns.

        An event log provider is a program or service that writes events to the event log. It is not a Windows PowerShell provider.

        Required?                    true
        Position?                    1
        Default value                None
        Accept pipeline input?     false
        Accept wildcard characters? true

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type,
        “Get-Help about_CommonParameters“.

INPUTS
    System.String, System.Xml.XmlDocument, System.Collections.Hashtable.
        You can pipe a LogName (string), a FilterXML query, or a FilterHashTable query to Get-WinEvent.

OUTPUTS
    System.Diagnostics.Eventing.Reader.EventLogConfiguration, System.Diagnostics.Eventing.Reader.EventLogRecord, System.Diagnostics.Eventing.Reader.ProviderMetadata
        With the ListLog parameter, Get-WinEvent returns System.Diagnostics.Eventing.Reader.EventLogConfiguration objects. With the ListProvider parameter, Get-WinEvent returns
        System.Diagnostics.Eventing.Reader.ProviderMetadata objects. With all other parameters, Get-WinEvent returns System.Diagnostics.Eventing.Reader.EventLogRecord objects.

NOTES

        Get-WinEvent is designed to replace the Get-EventLog cmdlet on computers running Windows Vista and later versions of Windows. Get-EventLog gets events only in classic event logs. Get-EventLog is retained in Windows PowerShell 2.0 for systems earlier than Windows Vista.

    ————————– EXAMPLE 1 ————————–

    C:\PS>Get-WinEvent -listlog *

    Description
    ———–
    This command gets all the logs on the local computer.

    Logs are listed in the order that Get-WinEvent gets them. Classic logs are usually retrieved first, followed by the new Windows Eventing logs.

    Because there are typically more than a hundred event logs, this parameter requires a log name or name pattern. To get all the logs, use *.

    ————————– EXAMPLE 2 ————————–

    C:\PS>Get-WinEvent -listlog Setup | Format-List -property *

        FileSize                     : 69632
        IsLogFull                     : False
        LastAccessTime                 : 2/14/2008 12:55:12 AM
        LastWriteTime                 : 7/9/2008 3:12:05 AM
        OldestRecordNumber             : 1
        RecordCount                    : 3
        LogName                        : Setup
        LogType                        : Operational
        LogIsolation                 : Application
        IsEnabled                     : True
        IsClassicLog                 : False
        SecurityDescriptor             : O:BAG:SYD:(A;;0xf0007;;;SY)(A;
                                         (A;;0x1;;;S-1-5-32-573)
        LogFilePath                    : %SystemRoot%\System32\Winevt\L
        MaximumSizeInBytes             : 1052672
        LogMode                        : Circular
        OwningProviderName             : Microsoft-Windows-Eventlog
        ProviderNames                 : {Microsoft-Windows-WUSA, Micro
        ProviderLevel                 :
        ProviderKeywords             :
        ProviderBufferSize             : 64
        ProviderMinimumNumberOfBuffers : 0
        ProviderMaximumNumberOfBuffers : 64
        ProviderLatency                : 1000
        ProviderControlGuid            :

    Description
    ———–
    These commands get an object that represents the classic System log on the local computer. The object includes useful information about the log, including its size, event log provider, file path, and whether it is enabled.

    ————————– EXAMPLE 3 ————————–

    C:\PS>Get-WinEvent -listlog * -ComputerName Server01| where {$_.recordcount}

    Description
    ———–
    This command gets only event logs on the Server01 computer that contain events. Many logs might be empty.

    The command uses the RecordCount property of the EventLogConfiguration object that Get-WinEvent returns when you use the ListLog parameter.

    ————————– EXAMPLE 4 ————————–

    C:\PS>$s = “Server01”, “Server02”, “Server03”

    C:\PS> foreach ($server in $s)
         {$server; Get-WinEvent -listlog “Windows PowerShell” -ComputerName $server}

    Description
    ———–
    The commands in this example get objects that represent the Windows PowerShell event logs on the Server01, Server02, and Server03 computers. This command uses the Foreach keyword because the ComputerName parameter takes only one value.

    The first command saves the names of the computers in the $s Variable.

    The second command uses a Foreach statement. For each of the computers in the $s Variable, it performs the command in the script block (within the braces). First, the command prints the name of the computer. Then, it runs a Get-WinEvent command to get an object that represents the Windows PowerShell log.

    ————————– EXAMPLE 5 ————————–

    C:\PS>Get-WinEvent -listprovider *

    Description
    ———–
    This command gets the event log providers on the local computer and the logs to which they write, if any.

    ————————– EXAMPLE 6 ————————–

    C:\PS>(Get-WinEvent -listlog Application).providernames

    Description
    ———–
    This command gets all of the providers that write to the Application log on the local computer.

    ————————– EXAMPLE 7 ————————–

    C:\PS>>Get-WinEvent -listprovider *policy*

    Description
    ———–
    This command gets the event log providers whose names include the word “policy.”

    ————————– EXAMPLE 8 ————————–

    C:\PS>(Get-WinEvent -listprovider microsoft-windows-grouppolicy).events | Format-Table id, description -auto

    Description
    ———–
    This command lists the event IDs that the Microsoft-Windows-GroupPolicy event provider generates along with the event description.

    It uses the Events property of the object that Get-WinEvent returns when you use the ListProvider parameter, and it uses the ID and Description properties of the object in the Events property.

    ————————– EXAMPLE 9 ————————–

    C:\PS>$events = Get-WinEvent -LogName “Windows PowerShell”

    C:\PS> $events.count
    195

    C:\PS> $events | Group-Object id -noelement | Sort-Object count -desc
    Count Name
    —– —-
     147 600
     22 400
     21 601
        3 403
        2 103

     C:\PS> $events | Group-Object leveldisplayname -noelement
    Count Name
    —– —-
        2 Warning
     193 Information

    Description
    ———–
    This example shows how to use the properties of the event objects that Get-WinEvent returns to learn about the events in an event log.

    The first command uses the Get-WinEvent cmdlet to get all of the events in the Windows PowerShell event log. Then, it saves them in the $events Variable. The log name is enclosed in quotation marks because it contains a space.

    The second command uses the Count property of object collections to find the number of entries in the event log.

    The third command displays the incidence of each event in the log, with the most frequent events first. In this example, event ID 600 is the most frequent event.

    The fourth command groups the items by the value of their LevelDisplayName property to show how many Error, Warning, and Information events are in the log.

    ————————– EXAMPLE 10 ————————–

    C:\PS>Get-WinEvent -LogName *disk*, Microsoft-Windows-Kernel-WHEA

    Description
    ———–
    This command gets the error events whose names include “disk” from all of the event logs on the computer and from the Microsoft-Windows-Kernel-WHEA event log.

    ————————– EXAMPLE 11 ————————–

    C:\PS>Get-WinEvent -path ‘c:\ps-test\Windows PowerShell.evtx’

    Description
    ———–
    This command gets events from a copy of the Windows PowerShell event log file in a test directory. The path is enclosed in quotation marks because the log name includes a space.

    ————————– EXAMPLE 12 ————————–

    C:\PS>Get-WinEvent -path ‘c:\tracing\tracelog.etl’ -MaxEvents 100 -Oldest

    C:\PS> Get-WinEvent -path ‘c:\tracing\tracelog.etl’ -Oldest | Sort-Object -property timecreated -desc | Select-Object -first 100

    Description
    ———–
    These commands get the first 100 events from an Event Tracing for Windows (ETW) event trace log file.

    The first command gets the 100 oldest events in the log. It uses the Get-WinEvent cmdlet to get events from the Tracelog.etl file. It uses the MaxEvents parameter to limit the retrieval to 100 events. Because the events are listed in the order in which they are written to the log (oldest first), the Oldest parameter is required.

    The second command gets the 100 newest events in the log. It uses the Get-WinEvent cmdlet to get all the events from the Tracing.etl file. It passes
    the events to the Sort-Object cmdlet, which sorts them in descending order by the value of the TimeCreated property. Then, it sends the sorted events to the Select-Object cmdlet to select the newest 100 events.

    ————————– EXAMPLE 13 ————————–

    C:\PS>Get-WinEvent -path “c:\tracing\tracelog.etl”, “c:\Logs\Windows PowerShell.evtx” -Oldest | where {$_.id -eq “103”}

    Description
    ———–
    This example shows how to get the events from an event trace log file (.etl) and from a copy of the Windows PowerShell log file (.evtx) that was saved to a test directory.

    You can combine multiple file types in a single command. Because the files contain the same type of .NET Framework object (an EventLogRecord object), you can use the same properties to filter them.

    Note that the command requires the Oldest parameter because it is reading from an .etl file, but the Oldest parameter applies to both of the files.

    ————————– EXAMPLE 14 ————————–

    C:\PS># Use the Where-Object cmdlet
    C:\PS> $yesterday = (Get-Date) – (New-TimeSpan -day 1)
    C:\PS> Get-WinEvent -LogName “Windows PowerShell” | where {$_.timecreated -ge $yesterday}

    # Uses FilterHashTable
    C:\PS> $yesterday = (Get-Date) – (New-TimeSpan -day 1)
    C:\PS> Get-WinEvent -FilterHashTable @{LogName=’Windows PowerShell’; Level=3; StartTime=$yesterday}

    # Use FilterXML
    C:\PS> Get-WinEvent -FilterXML “<QueryList><Query><Select Path=’Windows PowerShell’>*[System[Level=3 and TimeCreated[timediff(@SystemTime) <= 86400000]]]</Select></Query></QueryList>”

    # Use FilterXPath
    C:\PS> Get-WinEvent -LogName “Windows Powershell” -FilterXPath “*[System[Level=3 and TimeCreated[timediff(@SystemTime) <= 86400000]]]”

    Description
    ———–
    This example shows different filtering methods for selecting events from an event log. All of these commands get events that occurred in the last 24 hours from the Windows PowerShell event log.

    The filter methods are more efficient than using the Where-Object cmdlet because the filters are applied while the objects are being retrieved, rather than retrieving all the objects and then filtering them.

    Because dates are difficult to formulate in the XML and XPath formats, to create the XML content for the date, the Filter Current Log feature of Event Viewer is used. For more information about this feature, see Event Viewer Help.

    ————————– EXAMPLE 15 ————————–

    C:\PS>$date = (Get-Date).AddDays(-2)

    C:\PS> $events = Get-WinEvent -FilterHashTable @{ logname = “Microsoft-Windows-Diagnostics-Performance/Operational”; StartTime = $date; ID = 100 }

    Description
    ———–
    This example uses a filter hash table to get events from the performance log.

    The first command uses the Get-Date cmdlet and the AddDays method to get a date that is two days before the current date. It saves the date in the $date Variable.

    The second command uses the Get-WinEvent cmdlet with the FilterHashTable parameter. The keys in the hash table define a filter that selects events from the performance log that occurred within the last two days and that have event ID 100.

    The LogName key specifies the event log, the StartTime key specifies the date, and the ID key specifies the event ID.

    ————————– EXAMPLE 16 ————————–

    C:\PS>$starttime = (Get-Date).adddays(-7)

    C:\PS> $ie-error = Get-WinEvent -FilterHashtable @{logname=”application”; providername=”Application Error”; data=”iexplore.exe”; starttime=$starttime}

    Description
    ———–
    This example uses a filter hash table to find Internet Explorer application errors that occurred within the last week.

    The first command gets the date that is seven days before the current date and stores it in the $starttime Variable.

    The second command uses the Get-WinEvent cmdlet with the FilterHashTable parameter. The keys in the hash table define a filter that selects events from the Application log that were written by the Application Error provider and include the phrase “iexplore.exe”.

    The LogName key specifies the event log. The ProviderName key specifies the event provider, the StartTime key specifies the starting date of the events, and the Data key specifies the text in the event message.

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkID=138336
    Get-EventLog
    Get-Counter
    about_eventlogs