Tag Archives: ComputerName

Register-WmiEvent

February 26, 2014 Adam

SYNOPSIS
Subscribes to a Windows Management Instrumentation (WMI) event.

SYNTAX
Register-WmiEvent [-Class] <string> [[-SourceIdentifier] <string>] [[-Action] <scriptblock>] [-ComputerName <string>] [-Credential <PSCredential>] [-Forward] [-MessageData <psobject>] [-Namespace <string>] [-SupportEvent] [-Timeout <Int64>] [<CommonParameters>]

Register-WmiEvent [-Query] <string> [[-SourceIdentifier] <string>] [[-Action] <scriptblock>] [-ComputerName <string>] [-Credential <PSCredential>] [-Forward] [-MessageData <psobject>] [-Namespace <string>] [-SupportEvent] [-Timeout <Int64>] [<CommonParameters>]

DESCRIPTION
The Register-WmiEvent cmdlet subscribes to WMI events on the local computer or on a remote computer.

When the subscribed WMI event is raised, it is added to the event queue in your local session even if the event occurs on a remote computer. To get events in the event queue, use the Get-Event cmdlet.

You can use the parameters of Register-WmiEvent to subscribe to events on remote computers and to specify the property values of the events that can help you to identify the event in the queue. You can also use the Action parameter to specify actions to take when a subscribed event is raised.

When you subscribe to an event, an event subscriber is added to your session. To get the event subscribers in the session, use the Get-EventSubscriber cmdlet. To cancel the subscription, use the Unregister-Event cmdlet, which deletes the event subscriber from the session.

PARAMETERS
-Action <scriptblock>
Specifies commands that handle the events. The commands in the Action parameter run when an event is raised instead of sending the event to the event queue. Enclose the commands in braces ( { } ) to create a script block.

The value of the Action parameter can include the $Event, $EventSubscriber, $Sender, $SourceEventArgs, and $SourceArgs automatic Variables, which provide information about the event to the Action script block. For more information, see about_Automatic_Variables.

When you specify an action, Register-WmiEvent returns an event job object that represents that action. You can use the cmdlets that contain the Job noun (the Job cmdlets) to manage the event job.

        Required?                    false
        Position?                    102
        Default value                The event is added to the event queue.
        Accept pipeline input?     false
        Accept wildcard characters? false

-Class <string>
Specifies the event to which you are subscribing. Enter the WMI class that generates the events. A Class or Query parameter is required in every command.

        Required?                    true
        Position?                    1
        Default value                None
        Accept pipeline input?     false
        Accept wildcard characters? false

-ComputerName <string>
Specifies a remote computer. The default is the local computer. Enter a NetBIOS name, an IP address, or a fully qualified domain name.

        Required?                    false
        Position?                    named
        Default value                Local computer
        Accept pipeline input?     false
        Accept wildcard characters? false

-Credential <PSCredential>
Specifies a user account that has permission to perform this action. Type a user name, such as “User01” or “Domain01\User01”. Or, enter a PSCredential object, such as one from the Get-Credential cmdlet. If you type a user name, you will be prompted for a password.

        Required?                    false
        Position?                    named
        Default value                The credentials of the current user
        Accept pipeline input?     false
        Accept wildcard characters? false

-Forward [<SwitchParameter>]
Sends events for this subscription to the session on the local computer. Use this parameter when you are registering for events on a remote computer or in a remote session.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-MessageData <psobject>
Specifies any additional data to be associated with this event subscription. The value of this parameter appears in the MessageData property of all events associated with this subscription.

        Required?                    false
        Position?                    named
        Default value                None. The MessageData property is NULL.
        Accept pipeline input?     false
        Accept wildcard characters? false

-Namespace <string>
Specifies the namespace of the WMI class.

        Required?                    false
        Position?                    named
        Default value                None
        Accept pipeline input?     false
        Accept wildcard characters? false

-Query <string>
Specifies a query in WMI Query Language (WQL) that identifies the WMI event class, such as “select * from __InstanceDeletionEvent”.

        Required?                    true
        Position?                    1
        Default value                None
        Accept pipeline input?     false
        Accept wildcard characters? false

-SourceIdentifier <string>
Specifies a name that you select for the subscription. The name that you select must be unique in the current session. The default value is the GUID that Windows PowerShell assigns.

The value of this parameter appears in the value of the SourceIdentifier property of the subscriber object and of all event objects associated with this subscription.

        Required?                    false
        Position?                    101
        Default value                GUID
        Accept pipeline input?     false
        Accept wildcard characters? false

-SupportEvent [<SwitchParameter>]
Hides the event subscription. Use this parameter when the current subscription is part of a more complex event registration mechanism and it should not be discovered independently.

To view or cancel a subscription that was created with the SupportEvent parameter, use the Force parameter of the Get-EventSubscriber and Unregister-Event cmdlets.

        Required?                    false
        Position?                    named
        Default value                False
        Accept pipeline input?     false
        Accept wildcard characters? false

-Timeout <Int64>
Determines how long Windows PowerShell waits for this command to complete.

The default value, 0 (zero), means that there is no time-out, and it causes Windows PowerShell to wait indefinitely.

        Required?                    false
        Position?                    named
        Default value                0
        Accept pipeline input?     false
        Accept wildcard characters? false

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type,
        “Get-Help about_CommonParameters“.

INPUTS
None
You cannot pipe objects to Register-WmiEvent.

OUTPUTS
None
This cmdlet does not generate any output.

NOTES

To use this cmdlet in Windows Vista or a later version of Windows, start Windows PowerShell with the “Run as administrator” option.

Events, event subscriptions, and the event queue exist only in the current session. If you close the current session, the event queue is discarded and the event subscription is canceled.

————————– EXAMPLE 1 ————————–

C:\PS>Register-WmiEvent -Class ‘Win32_ProcessStartTrace’ -SourceIdentifier “ProcessStarted”

    Description
    ———–
    This command subscribes to the events generated by the Win32_ProcessStartTrace class. This class raises an event whenever a process starts.

————————– EXAMPLE 2 ————————–

C:\PS>Register-WmiEvent -query “select * from __instancecreationevent within 5 where targetinstance isa ‘win32_process'” -SourceIdentifier “WMIProcess” -MessageData “Test 01” -Timeout 500

    Description
    ———–
    This command uses a query to subscribe to Win32_process instance creation events.

————————– EXAMPLE 3 ————————–

C:\PS>$action = { Get-History | where { $_.commandline -like “*Start-Process*” } | Export-Clixml “commandHistory.clixml” }

C:\PS> Register-WmiEvent -Class ‘Win32_ProcessStartTrace’ -SourceIdentifier “ProcessStarted” -Action $action

    Id    Name            State     HasMoreData Location Command
    —    —-            —–     ———– ——– ——-
    1     ProcessStarted NotStarted False                 Get-History | where {…

    Description
    ———–
    This example shows how to use an action to respond to an event. In this case, when a process starts, any Start-Process commands in the current session are written to an XML file.

When you use the Action parameter, Register-WmiEvent returns a background job that represents the event action. You can use the Job cmdlets, such as Get-Job and Receive-Job, to manage the event job.

For more information, see about_jobs.

————————– EXAMPLE 4 ————————–

C:\PS>Register-WmiEvent -Class ‘Win32_ProcessStartTrace’ -SourceIdentifier “Start” -ComputerName Server01

C:\PS> Get-Event -SourceIdentifier “Start”

    Description
    ———–
    This example registers for events on the Server01 remote computer.

WMI returns the events to the local computer and stores them in the event queue in the current session. To retrieve the events, run a local Get-Event command.

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkID=135245
    Register-ObjectEvent
    Register-EngineEvent
    Unregister-Event
    Get-Event
    New-Event
    Remove-Event
    Wait-Event

cmdlet, EventLog, Remove

Remove-EventLog

February 26, 2014 Adam

NAME
Remove-EventLog

SYNOPSIS
Deletes an event log or unregisters an event source.

SYNTAX
Remove-EventLog [-LogName] <string[]> [[-ComputerName] <string[]>] [-Confirm] [-WhatIf] [<CommonParameters>]

Remove-EventLog [[-ComputerName] <string[]>] [-Source <string[]>] [-Confirm] [-WhatIf] [<CommonParameters>]

DESCRIPTION
The Remove-EventLog cmdlet deletes an event log file from a local or remote computer and unregisters all of its event sources for the log. You can also use this cmdlet to unregister event sources without deleting any event logs.

The cmdlets that contain the EventLog noun (the EventLog cmdlets) work only on classic event logs. To get events from logs that use the Windows Event Log technology in Windows Vista and later versions of Windows, use Get-WinEvent.

PARAMETERS
-ComputerName <string[]>
Specifies a remote computer. The default is the local computer.

Type the NetBIOS name, an Internet Protocol (IP) address, or a fully qualified domain name of a remote computer. To specify the local computer, type the computer name, a dot (.), or “localhost”.

This parameter does not rely on Windows PowerShell remoting. You can use the ComputerName parameter of Remove-EventLog even if your computer is not configured to run remote commands.

        Required?                    false
        Position?                    2
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-LogName <string[]>
Specifies the event logs. Enter the log name (the value of the Log property; not the LogDisplayName) of one or more event logs , separated by commas. Wildcard characters are not permitted. This parameter is required.

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-Source <string[]>
Unregisters the specified event sources. Enter the source names (not the executable name), separated by commas.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-Confirm [<SwitchParameter>]
Prompts you for confirmation before executing the command.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-WhatIf [<SwitchParameter>]
Describes what would happen if you executed the command without actually executing the command.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

INPUTS
None
You cannot pipe input to this cmdlet.

OUTPUTS
None
This cmdlet does not return any output.

NOTES

To use Remove-EventLog on Windows Vista and later versions of Windows, start Windows PowerShell with the “Run as administrator” option.

If you remove an event log and then re-create the log, you will not be able to register the same event sources. Applications that used the events sources to write entries to the original log will not be able to write to the new log.

When you unregister an event source for a particular log, the event source might be prevented from writing entries in other event logs.

————————– EXAMPLE 1 ————————–

C:\PS>Remove-Eventlog -LogName MyLog

    Description
    ———–
    This command deletes the MyLog event log from the local computer and unregisters its event sources.

————————– EXAMPLE 2 ————————–

C:\PS>Remove-Eventlog -LogName MyLog, TestLog -ComputerName Server01, Server02, localhost

    Description
    ———–
    This command deletes the MyLog and TestLog event logs from the local computer (“localhost”) and the Server01 and Server02 remote computers. The command also unregisters the event sources for these logs.

————————– EXAMPLE 3 ————————–

C:\PS>Remove-Eventlog -source MyApp

    Description
    ———–
    This command deletes the MyApp event source from the logs on the local computer. When the command completes, the MyApp program cannot write to any event logs.

————————– EXAMPLE 4 ————————–

C:\PS>Get-Eventlog -list

     Max(K) Retain OverflowAction        Entries Log
     —— —— ————–        ——- —
     15,168     0 OverwriteAsNeeded     22,923 Application
     15,168     0 OverwriteAsNeeded         53 DFS Replication
         512     7 OverwriteOlder             0 Directory Service
     15,168     7 OverwriteOlder             0 Hardware Events
         512     7 OverwriteOlder             0 Internet Explorer
     20,480     0 OverwriteAsNeeded         0 Key Management Service
     30,016     0 OverwriteAsNeeded     50,060 Security
     15,168     0 OverwriteAsNeeded     27,592 System
     15,360     0 OverwriteAsNeeded     18,355 Windows PowerShell
     15,168     7 OverwriteAsNeeded         12 ZapLog

C:\PS> Remove-Eventlog -LogName ZapLog

C:\PS> Get-Eventlog -list

    Description
    ———–
    These commands show how to list the event logs on a computer and verify that a Remove-EventLog command was successful.

The first command lists the event logs on the local computer.

The second command deletes the ZapLog event log.

The third command lists the event logs again. The ZapLog event log no longer appears in the list.

————————– EXAMPLE 5 ————————–

C:\PS>Get-WmiObject win32_nteventlogfile -filter “logfilename=’TestLog'” | foreach {$_.sources}

MyApp
TestApp

C:\PS> Remove-Eventlog -source MyApp

C:\PS> Get-WmiObject win32_nteventlogfile -filter “logfilename=’TestLog’} | foreach {$_.sources}
TestApp

    Description
    ———–
    These commands use the Get-WmiObject cmdlet to list the event sources on the local computer. You can these commands to verify the success of a command or to delete an event source.

The first command gets the event sources of the TestLog event log on the local computer. MyApp is one of the sources.

The second command uses the Source parameter of Remove-EventLog to delete the MyApp event source.

The third command is identical to the first. It shows that the MyApp event source was deleted.

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkID=135248
    Clear-EventLog
    Get-EventLog
    Limit-EventLog
    New-EventLog
    Remove-EventLog
    Show-EventLog
    Write-EventLog
    Get-WinEvent

cmdlet, Remove, WmiObject

Remove-WmiObject

February 26, 2014 Adam

NAME
Remove-WmiObject

SYNOPSIS
Deletes an instance of an existing Windows Management Instrumentation (WMI) class.

SYNTAX
Remove-WmiObject [-Class] <string> [-Authentication {Default | None | Connect | Call | Packet | PacketIntegrity | PacketPrivacy | Unchanged}] [-Authority <string>] [-ComputerName <string[]>] [-Credential <PSCredential>] [-EnableAllPrivileges] [-Impersonation {Default | Anonymous | Identify | Impersonate | Delegate}] [-Locale <string>] [-Namespace <string>] [-AsJob] [-ThrottleLimit <int>] [-Confirm] [-WhatIf] [<CommonParameters>]

Remove-WmiObject [-Authentication {Default | None | Connect | Call | Packet | PacketIntegrity | PacketPrivacy | Unchanged}] [-Authority <string>] [-ComputerName <string[]>] [-Credential <PSCredential>] [-EnableAllPrivileges] [-Impersonation {Default | Anonymous | Identify | Impersonate | Delegate}] [-Locale <string>] [-Namespace <string>] [-AsJob] [-ThrottleLimit <int>] [-Confirm] [-WhatIf] [<CommonParameters>]

Remove-WmiObject -InputObject <ManagementObject> [-AsJob] [-ThrottleLimit <int>] [-Confirm] [-WhatIf] [<CommonParameters>]

Remove-WmiObject -Path <string> [-Authentication {Default | None | Connect | Call | Packet | PacketIntegrity | PacketPrivacy | Unchanged}] [-Authority <string>] [-ComputerName <string[]>] [-Credential <PSCredential>] [-EnableAllPrivileges] [-Impersonation {Default | Anonymous | Identify | Impersonate | Delegate}] [-Locale <string>] [-Namespace <string>] [-AsJob] [-ThrottleLimit <int>] [-Confirm] [-WhatIf] [<CommonParameters>]

DESCRIPTION
The Remove-WmiObject cmdlet deletes an instance of an existing WMI class.

PARAMETERS
    -AsJob [<SwitchParameter>]
        Runs the command as a background job. Use this parameter to run commands that take an extensive time to complete.
        Runs the command as a background job. Use this parameter to run commands that take a long time to finish.

When you use the AsJob parameter, the command returns an object that represents the background job and then displays the command prompt. You can continue to work in the session while the job finishes. If Remove-WmiObject is used against a remote computer, the job is created on the local computer, and the results from remote computers are automatically returned to the local computer. To manage the job, use the cmdlets that contain the Job noun (the Job cmdlets). To get the job results, use the Receive-Job cmdlet.

Note: To use this parameter with remote computers, the local and remote computers must be configured for remoting. Additionally, you must start Windows PowerShell by using the “Run as administrator” option in Windows Vista and later versions of Windows,. For more information, see about_remote_requirements.

For more information about Windows PowerShell background jobs, see about_jobs and about_remote_Jobs.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-Authentication <AuthenticationLevel>
Specifies the authentication level to be used with the WMI connection. Valid values are:

        -1: Unchanged
        0: Default
        1: None (No authentication in performed.)
        2: Connect (Authentication is performed only when the client establishes a relationship with the application.)
        3: Call (Authentication is performed only at the beginning of each call when the application receives the request.)
        4: Packet (Authentication is performed on all the data that is received from the client.)
        5: PacketIntegrity (All the data that is transferred between the client and the application is authenticated and verified.)
        6: PacketPrivacy (The properties of the other authentication levels are used, and all the data is encrypted.)

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-Authority <string>
Specifies the authority to use to authenticate the WMI connection. You can specify standard NTLM or Kerberos authentication. To use NTLM, set the authority setting to “ntlmdomain:<DomainName>”, where <DomainName> identifies a valid NTLM domain name. To use Kerberos, specify “kerberos:<DomainName>\<ServerName>”. You cannot include the authority setting when you connect to the local computer.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-Class <string>
Specifies the name of a WMI class that you want to delete.

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-ComputerName <string[]>
Specifies the computer against which you want to run the management operation. The value can be a fully qualified domain name, a NetBIOS name, or an IP address. Use the local computer name, use localhost, or use a dot (.) to specify the local computer. The local computer is the default. When the remote computer is in a different domain from the user, you must use a fully qualified domain name. You can set the value of this parameter by piping the value to the parameter.

This parameter does not rely on Windows PowerShell remoting, which uses WS-Management ). You can use the ComputerName parameter of Get-WmiObject even if your computer is not configured to run WS-Management remote commands.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-Credential <PSCredential>
Specifies a user account that has permission to perform this action. The default is the current user. Type a user name, such as “User01”, “Domain01\User01”, or “User@Contoso.com”. Or, enter a PSCredential object, such as an object that is returned by the Get-Credential cmdlet. When you type a user name, you will be prompted for a password.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-EnableAllPrivileges [<SwitchParameter>]
Enables all the privileges of the current user before the command makes the WMI call.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-Impersonation <ImpersonationLevel>
Specifies the impersonation level to use. Valid values are:

        0: Default (Reads the local Registry for the default impersonation level, which is usually set to “3: Impersonate”.)
        1: Anonymous (Hides the credentials of the caller.)
        2: Identify (Allows objects to query the credentials of the caller.)
        3: Impersonate (Allows objects to use the credentials of the caller.)
        4: Delegate (Allows objects to permit other objects to use the credentials of the caller.)

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-InputObject <ManagementObject>
Specifies a ManagementObject object to use as input. When this parameter is used, all other parameters are ignored.

        Required?                    true
        Position?                    named
        Default value
        Accept pipeline input?     true (ByValue)
        Accept wildcard characters? false

-Locale <string>
Specifies the preferred locale for WMI objects. The Locale parameter is specified as an array in the MS_<LCID> format in the preferred order.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-Namespace <string>
When used with the Class parameter, this parameter specifies the WMI repository namespace where the referenced WMI class is located.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-Path <string>
Specifies the WMI object path of a WMI class, or specifies the WMI object path of an instance of a WMI class to delete.

        Required?                    true
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-ThrottleLimit <int>
Allows the user to specify a throttling value for the number of WMI operations that can be executed simultaneously. This parameter is used together with the AsJob parameter. The throttle limit applies only to the current command, not to the session or to the computer.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-Confirm [<SwitchParameter>]
Prompts you for confirmation before executing the command.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-WhatIf [<SwitchParameter>]
Describes what would happen if you executed the command without actually executing the command.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

INPUTS
System.Management.ManagementObject
You can pipe a management object to Remove-WmiObject.

OUTPUTS
None or System.Management.Automation.RemotingJob
When you use the AsJob parameter, this cmdlet returns a job object. Otherwise, it does not generate any output.

NOTES

————————– EXAMPLE 1 ————————–

    C:\PS>notepad
    C:\PS> $np = Get-WmiObject -query “select * from win32_process where name=’notepad.exe'”
    C:\PS> $np | Remove-WmiObject

    Description
    ———–
    This command closes all the instances of Notepad.exe.

The first command starts an instance of Notepad.

The second command uses the Get-WmiObject cmdlet to retrieve the instances of the Win32_Process that correspond to Notepad.exe and stores them in the $np Variable.

The third command passes the object in the $np Variable to the Remove-WmiObject cmdlet, which deletes all the instances of Notepad.exe.

————————– EXAMPLE 2 ————————–

C:\PS>$a = Get-WmiObject -query “Select * From Win32_Directory Where Name =’C:\\Test'”
C:\PS> $a | Remove-WmiObject

    Description
    ———–
    This command deletes the C:\Test directory.

The first command uses the Get-WmiObject cmdlet to query for the C:\Test directory and then stores the object in the $a Variable.

The second command pipes the $a Variable to the Remove-WmiObject, which deletes the directory.

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkID=113381
    Get-WmiObject
    Invoke-WmiMethod
    Set-WmiInstance
    Get-WSManInstance
    Invoke-WSManAction
    New-WSManInstance
    Remove-WSManInstance

cmdlet, New, WSManInstance

New-WSManInstance

February 26, 2014 Adam

NAME
New-WSManInstance

SYNOPSIS
Creates a new instance of a management resource.

SYNTAX
New-WSManInstance [-ApplicationName <string>] [-ComputerName <string>] [-Credential <PSCredential>] [-Port <int>] [-UseSSL] [-SelectorSet] <hashtable> -ResourceURI <Uri> [-AuthenticationMechanism <AuthenticationMechanism>] [-SessionOption <hashtable>] [-ValueSet <hashtable>] [<CommonParameters>]

New-WSManInstance [-ConnectionURI <Uri>] [-SelectorSet] <hashtable> -ResourceURI <Uri> [-AuthenticationMechanism <AuthenticationMechanism>] [-SessionOption <hashtable>] [-ValueSet <hashtable>] [<CommonParameters>]

DESCRIPTION
The New-WSManInstance cmdlet creates a new instance of a management resource. It uses a resource URI and a value set or input file to create the new instance of the management resource.

This cmdlet uses the WinRM connection/transport layer to create the management resource instance.

PARAMETERS
-ApplicationName <string>
Specifies the application name in the connection. The default value of the ApplicationName parameter is “WSMAN”. The complete identifier for the remote endpoint is in the following format:

For example:

http://server01:8080/WSMAN

Internet Information Services (IIS), which hosts the session, forwards requests with this endpoint to the specified application. This default setting of “WSMAN” is appropriate for most uses. This parameter is designed to be used when numerous computers establish remote connections to one computer that is running Windows PowerShell. In this case, IIS hosts Web Services for Management (WS-Management) for efficiency.

        Required?                    false
        Position?                    named
        Default value                WSMan
        Accept pipeline input?     false
        Accept wildcard characters? false

-AuthenticationMechanism <AuthenticationMechanism>
Specifies the authentication mechanism to be used at the server. Possible values are:

        – Basic: Basic is a scheme in which the user name and password are sent in clear text to the server or proxy.
        – Default : Use the authentication method implemented by the WS-Management protocol. This is the default.
        – Digest: Digest is a challenge-response scheme that uses a server-specified data string for the challenge.
        – Kerberos: The client computer and the server mutually authenticate by using Kerberos Certificates.
        – Negotiate: Negotiate is a challenge-response scheme that negotiates with the server or proxy to determine the scheme to use for authentication. For example, this parameter value allows negotiation to determine whether the Kerberos protocol or NTLM is used.
        – CredSSP: Use Credential Security Service Provider (CredSSP) authentication, which allows the user to delegate credentials. This option is designed for commands that run on one remote computer but collect data from or run additional commands on other remote computers.

Caution: CredSSP delegates the user’s credentials from the local computer to a remote computer. This practice increases the security risk of the remote operation. If the remote computer is compromised, when credentials are passed to it, the credentials can be used to control the network session.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-ComputerName <string>
Specifies the computer against which you want to run the management operation. The value can be a fully qualified domain name, a NetBIOS name, or an IP address. Use the local computer name, use localhost, or use a dot (.) to specify the local computer. The local computer is the default. When the remote computer is in a different domain from the user, you must use a fully qualified domain name must be used. You can pipe a value for this parameter to the cmdlet.

        Required?                    false
        Position?                    named
        Default value                localhost
        Accept pipeline input?     false
        Accept wildcard characters? false

-ConnectionURI <Uri>
Specifies the connection endpoint. The format of this string is:

The following string is a properly formatted value for this parameter:

http://Server01:8080/WSMAN

The URI must be fully qualified.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-Credential <PSCredential>
Specifies a user account that has permission to perform this action. The default is the current user. Type a user name, such as “User01”, “Domain01\User01”, or “User@Domain.com”. Or, enter a PSCredential object, such as one returned by the Get-Credential cmdlet. When you type a user name, you will be prompted for a password.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-File <File>
Specifies the path of a file that is used to create a management resource. You specify the management resource by using the ResourceURI parameter and the SelectorSet parameter . For example, the following command uses the File parameter:

Invoke-WSManAction -action stopservice -ResourceURI wmicimv2/Win32_Service -SelectorSet @{Name=”spooler”} -File c:\input.xml -Authentication default

This command calls the StopService method [descriptor] on the Spooler service by using input from a file. The file, Input.xml, contains the following content:

<p:StopService_INPUT xmlns:p=”http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_Service”/>

        Required?
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-OptionSet <hashtable>
Passes a set of switches to a service to modify or refine the nature of the request. These are similar to switches used in command-line shells because they are service specific. Any number of options can be specified.

The following example demonstrates the syntax that passes the values 1, 2, and 3 for the a, b, and c parameters:

-OptionSet @{a=1;b=2;c=3}

        Required?
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-Port <int>
Specifies the port to use when the client connects to the WinRM service. When the transport is HTTP, the default port is 80. When the transport is HTTPS, the default port is 443. When you use HTTPS as the transport, the value of the ComputerName parameter must match the server’s Certificate common name (CN). However, if the SkipCNCheck parameter is specified as part of the SessionOption parameter, then the Certificate common name of the server does not have to match the host name of the server. The SkipCNCheck parameter should be used only for trusted computers.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-ResourceURI <Uri>
Contains the Uniform Resource Identifier (URI) of the resource class or instance. The URI is used to identify a specific type of resource, such as disks or processes, on a computer.

A URI consists of a prefix and a path to a resource. For example:

http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_LogicalDisk
http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_NumericSensor

        Required?                    true
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-SelectorSet <hashtable>
Specifies a set of value pairs that are used to select particular management resource instances. The SelectorSet parameter is used when more than one instance of the resource exists. The value of the SelectorSet parameter must be a hash table.

The following example shows how to enter a value for this parameter:

-SelectorSet @{Name=”WinRM”;ID=”yyy”}

        Required?                    true
        Position?                    2
        Default value
        Accept pipeline input?     true (ByValue)
        Accept wildcard characters? false

-SessionOption <hashtable>
Defines a set of extended options for the WS-Management session. Enter a SessionOption object that you create by using the New-WSManSessionOption cmdlet. For more information about the options that are available, see New-WSManSessionOption.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-UseSSL [<SwitchParameter>]
Specifies that the Secure Sockets Layer (SSL) protocol should be used to establish a connection to the remote computer. By default, SSL is not used.

WS-Management encrypts all the Windows PowerShell content that is transmitted over the network. The UseSSL parameter lets you specify the additional protection of HTTPS instead of HTTP. If SSL is not available on the port that is used for the connection and you specify this parameter, the command fails.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-ValueSet <hashtable>
Specifies a hash table that helps modify a management resource. You specify the management resource by using the ResourceURI parameter and the SelectorSet parameter. The value of the ValueSet parameter must be a hash table.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

INPUTS
None
This cmdlet does not accept any input.

OUTPUTS
None
This cmdlet does not generate any output.

NOTES

The Set-WmiInstance cmdlet, a Windows Management Instrumentation (WMI) cmdlet, is similar. Set-WmiInstance uses the DCOM connection/transport layer to create or update WMI instances.

————————– EXAMPLE 1 ————————–

C:\PS>New-WSManInstance winrm/config/Listener -SelectorSet @{Transport=HTTPS} -ValueSet @{Hostname=”HOST”;CertificateThumbprint=”XXXXXXXXXX”}

    Description
    ———–
    This command creates an instance of a WS-Management HTTPS listener on all IP addresses.

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkId=141448
    Connect-WSMan
    Disable-WSManCredSSP
    Disconnect-WSMan
    Enable-WSManCredSSP
    Get-WSManCredSSP
    Get-WSManInstance
    Invoke-WSManAction
    New-WSManSessionOption
    Remove-WSManInstance
    Set-WSManInstance
    Set-WSManQuickConfig
    Test-WSMan

cmdlet, New, PSSession

New-PSSession

February 26, 2014 Adam

NAME
New-PSSession

SYNOPSIS
Creates a persistent connection to a local or remote computer.

SYNTAX
New-PSSession [[-ComputerName] <string[]>] [-ApplicationName <string>] [-Authentication {Default | Basic | Negotiate | NegotiateWithImplicitCredential | Credssp | Digest | Kerberos}] [-CertificateThumbprint <string>] [-ConfigurationName <string>] [-Credential <PSCredential>] [-Name <string[]>] [-Port <int>] [-SessionOption <PSSessionOption>] [-UseSSL] [-ThrottleLimit <int>] [<CommonParameters>]

New-PSSession [[-Session] <PSSession[]>] [-Name <string[]>] [-ThrottleLimit <int>] [<CommonParameters>]

New-PSSession [-ConnectionURI] <Uri[]> [-AllowRedirection] [-Authentication {Default | Basic | Negotiate | NegotiateWithImplicitCredential | Credssp | Digest | Kerberos}] [-CertificateThumbprint <string>] [-ConfigurationName <string>] [-Credential <PSCredential>] [-Name <string[]>] [-SessionOption <PSSessionOption>] [-ThrottleLimit <int>] [<CommonParameters>]

DESCRIPTION
The New-PSSession cmdlet creates a Windows PowerShell session (PSSession) on a local or remote computer. When you create a PSSession, Windows PowerShell establishes a persistent connection to the remote computer.

Use a PSSession to run multiple commands that share data, such as a Function or the value of a Variable. To run commands in a PSSession, use the Invoke-Command cmdlet. To use the PSSession to interact directly with a remote computer, use the Enter-PSSession cmdlet. For more information, see about_pssessions.

You can run commands on a remote computer without creating a PSSession by using the ComputerName parameters of Enter-PSSession or Invoke-Command. When you use the ComputerName parameter, Windows PowerShell creates a temporary connection that is used for the interactive session or for a single command and is then closed.

PARAMETERS
-AllowRedirection [<SwitchParameter>]
Allows redirection of this connection to an alternate Uniform Resource Identifier (URI).

When you use the ConnectionURI parameter, the remote destination can return an instruction to redirect to a different URI. By default, Windows PowerShell does not redirect connections, but you can use the AllowRedirection parameter to allow it to redirect the connection.

You can also limit the number of times that the connection is redirected by setting the MaximumConnectionRedirectionCount property of the $PSSessionOption preference Variable, or the MaximumConnectionRedirectionCount property of the value of the SessionOption parameter.
The default value is 5. For more information, see the description of the SessionOption parameter, and see New-PSSessionOption.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-ApplicationName <string>
Specifies the application name segment of the connection URI. Use this parameter to specify the application name when you are not using the ConnectionURI parameter in the command.

The default value is the value of the $PSSessionApplicationName preference Variable on the local computer. If this preference Variable is not defined, the default value is “WSMAN”. This value is appropriate for most uses. For more information, see about_preference_variables.

The WinRM service uses the application name to select a listener to service the connection request. The value of this parameter should match the value of the URLPrefix property of a listener on the remote computer.

        Required?                    false
        Position?                    named
        Default value                WSMan
        Accept pipeline input?     true (ByPropertyName)
        Accept wildcard characters? false

-Authentication <AuthenticationMechanism>
Specifies the mechanism that is used to authenticate the user’s credentials. Valid values are “Default”, “Basic”, “Credssp”, “Digest”, “Kerberos”, “Negotiate”, and “NegotiateWithImplicitCredential”. The default value is “Default”.

CredSSP authentication is available only in Windows Vista, Windows Server 2008, and later versions of Windows.

For more information about the values of this parameter, see the description of the System.Management.Automation.Runspaces.AuthenticationMechanism enumeration in the MSDN (Microsoft Developer Network) library at http://go.microsoft.com/fwlink/?LinkID=144382.

Caution: Credential Security Service Provider (CredSSP) authentication, in which the user’s credentials are passed to a remote computer to be authenticated, is designed for commands that require authentication on more than one resource, such as accessing a remote network share. This mechanism increases the security risk of the remote operation. If the remote computer is compromised, the credentials that are passed to it can be used to control the network session.

        Required?                    false
        Position?                    named
        Default value                Default
        Accept pipeline input?     false
        Accept wildcard characters? false

-CertificateThumbprint <string>
Specifies the digital public key Certificate (X509) of a user account that has permission to perform this action. Enter the Certificate thumbprint of the Certificate.

Certificates are used in client Certificate-based authentication. They can be mapped only to local user accounts; they do not work with domain accounts.

To get a Certificate thumbprint, use the Get-Item or Get-ChildItem command in the Windows PowerShell Cert: drive.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-ComputerName <string[]>
Creates a persistent connection (PSSession) to the specified computer. If you enter multiple computer names, New-PSSession creates multiple PSSessions, one for each computer. The default is the local computer.

Type the NetBIOS name, an IP address, or a fully qualified domain name of one or more remote computers. To specify the local computer, type the computer name, “localhost”, or a dot (.). When the computer is in a different domain than the user, the fully qualified domain name is required. You can also pipe a computer name (in quotes) to New-PSSession.

To use an IP address in the value of the ComputerName parameter, the command must include the Credential parameter. Also, the computer must be configured for HTTPS transport or the IP address of the remote computer must be included in the WinRM TrustedHosts list on the local computer. For instructions for adding a computer name to the TrustedHosts list, see “How to Add a Computer to the Trusted Host List” in about_remote_TroubleShooting.

Note: In Windows Vista and later versions of Windows, to include the local computer in the value of the ComputerName parameter, you must start Windows PowerShell with the “Run as administrator” option.

        Required?                    false
        Position?                    1
        Default value
        Accept pipeline input?     true (ByValue, ByPropertyName)
        Accept wildcard characters? false

-ConfigurationName <string>
Specifies the session configuration that is used for the new PSSession.

Enter a configuration name or the fully qualified resource Uniform Resource Identifier (URI) for a session configuration. If you specify only the configuration name, the following schema URI is prepended: http://schemas.microsoft.com/powershell.

The session configuration for a session is located on the remote computer. If the specified session configuration does not exist on the remote computer, the command fails.

The default value is the value of the $PSSessionConfigurationName preference Variable on the local computer. If this preference Variable is not set, the default is Microsoft.PowerShell. For more information, see about_preference_variables.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     true (ByPropertyName)
        Accept wildcard characters? false

-ConnectionURI <Uri[]>
Specifies a Uniform Resource Identifier (URI) that defines the connection endpoint. The URI must be fully qualified.

The format of this string is as follows:
<Transport>://<ComputerName>:<Port>/<ApplicationName>

The default value is as follows:
http://localhost:80/WSMAN

Valid values for the Transport segment of the URI are HTTP and HTTPS. If you do not specify a ConnectionURI, you can use the UseSSL, ComputerName, Port, and ApplicationName parameters to specify the URI values.

If the destination computer redirects the connection to a different URI, Windows PowerShell prevents the redirection unless you use the AllowRedirection parameter in the command.

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?     true (ByPropertyName)
        Accept wildcard characters? false

-Credential <PSCredential>
Specifies a user account that has permission to perform this action. The default is the current user.

Type a user name, such as “User01”, “Domain01\User01”, or “User@Domain.com”, or enter a PSCredential object, such as one returned by the Get-Credential cmdlet.

When you type a user name, you will be prompted for a password.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     true (ByPropertyName)
        Accept wildcard characters? false

-Name <string[]>
Specifies a friendly name for the PSSession.

You can use the name to refer to the PSSession when using other cmdlets, such as Get-PSSession and Enter-PSSession. The name is not required to be unique to the computer or the current session.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-Port <int>
Specifies the network port on the remote computer that is used for this command. The default is port 80 (the HTTP port).

Before using an alternate port, you must configure the WinRM listener on the remote computer to listen at that port. Use the following commands to configure the listener:

1. winrm delete winrm/config/listener?Address=*+Transport=HTTP
2. winrm create winrm/config/listener?Address=*+Transport=HTTP @{Port="<port-number>"}

Do not use the Port parameter unless you must. The port setting in the command applies to all computers and sessions in which the command runs. An alternate port setting might prevent the command from running on all computers.

        Required?                    false
        Position?                    named
        Default value                80
        Accept pipeline input?     false
        Accept wildcard characters? false

-Session <PSSession[]>
Uses the specified PSSession as a model for the new PSSession. This parameter creates new PSSessions with the same properties as the specified PSSessions.

Enter a Variable that contains the PSSessions or a command that creates or gets the PSSessions, such as a New-PSSession or Get-PSSession command.

The resulting PSSessions have the same computer name, application name, connection URI, port, configuration name, throttle limit, and Secure Sockets Layer (SSL) value as the originals, but they have a different display name, ID, and instance ID (GUID).

-SessionOption <PSSessionOption>
Sets advanced options for the session. Enter a SessionOption object that you create by using the New-PSSessionOption cmdlet.

The default values for the options are determined by the value of the $PSSessionOption preference Variable, if it is set. Otherwise, the session uses the system defaults.

For a description of the session options, including the default values, see New-PSSessionOption. For information about the $PSSessionOption preference Variable, see about_preference_variables.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-ThrottleLimit <int>
Specifies the maximum number of concurrent connections that can be established to run this command. If you omit this parameter or enter a value of 0 (zero), the default value, 32, is used.

The throttle limit applies only to the current command, not to the session or to the computer.

        Required?                    false
        Position?                    named
        Default value                32
        Accept pipeline input?     false
        Accept wildcard characters? false

-UseSSL [<SwitchParameter>]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection to the remote computer. By default, SSL is not used.

WS-Management encrypts all Windows PowerShell content transmitted over the network. UseSSL is an additional protection that sends the data across an HTTPS connection instead of an HTTP connection.

If you use this parameter, but SSL is not available on the port used for the command, the command fails.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

INPUTS
System.String, System.URI, System.Management.Automation.Runspaces.PSSession
You can pipe a ComputerName (string), ConnectionURI (URI), or Session (PSSession) object to New-PSSession.

OUTPUTS
System.Management.Automation.Runspaces.PSSession

NOTES

This cmdlet uses the Windows PowerShell remoting infrastructure. To use this cmdlet, the local computer and any remote computers must be configured for Windows PowerShell remoting. For more information, see about_remote_requirements.

In Windows Vista and later versions of Windows, to create a PSSession on the local computer, you must start Windows PowerShell with the “Run as administrator” option.

When you are finished with the PSSession, use the Remove-PSSession cmdlet to delete the PSSession and release its resources.

————————– EXAMPLE 1 ————————–

C:\PS>$s = New-PSSession

    Description
    ———–
    This command creates a new PSSession on the local computer and saves the PSSession in the $s Variable.

You can now use this PSSession to run commands on the local computer.

————————– EXAMPLE 2 ————————–

C:\PS>$Server01 = New-PSSession -ComputerName Server01

    Description
    ———–
    This command creates a new PSSession on the Server01 computer and saves it in the $Server01 Variable.

When creating multiple PSSessions, assign them to Variables with useful names. This will help you manage the PSSessions in subsequent commands.

————————– EXAMPLE 3 ————————–

C:\PS>$s1, $s2, $s3 = new-session -ComputerName server1,server2,server3

    Description
    ———–
    This command creates three new PSSessions, one on each of the computers specified by the ComputerName parameter.

The command uses the assignment operator (=) to assign the new PSSessions to an array of Variables: $s1, $s2, $s3. It assigns the Server01 PSSession to $s1, the Server02 PSSession to $s2, and the Server03 PSSession to $s3.

When you assign multiple objects to an array of Variables, Windows PowerShell assigns each object to a Variable in the array respectively. If there are more objects than Variables, all remaining objects are assigned to the last Variable. If there are more Variables than objects, the remaining Variables are empty (null).

————————– EXAMPLE 4 ————————–

C:\PS>New-PSSession -ComputerName Server01 -Port 8081 -UseSSL -ConfigurationName E12

    Description
    ———–
    This command creates a new PSSession on the Server01 computer that connects to server port 8081 and uses the SSL protocol. The new PSSession uses an alternate session configuration called “E12”.

Before setting the port, you must configure the WinRM listener on the remote computer to listen on port 8081. For more information, see the description of the Port parameter.

————————– EXAMPLE 5 ————————–

C:\PS>New-PSSession -session $s -Credential domain01\user01

    Description
    ———–
    This command creates a new PSSession with the same properties as an existing PSSession. You can use this command format when the resources of an existing PSSession are exhausted and a new PSSession is needed to offload some of the demand.

The command uses the Session parameter of New-PSSession to specify the PSSession saved in the $s Variable. It uses the credentials of the Domain1\Admin01 user to complete the command.

————————– EXAMPLE 6 ————————–

C:\PS>$global:s = New-PSSession -ComputerName server1.domain44.corpnet.fabrikam.com -Credential domain01\admin01

    Description
    ———–
    This example shows how to create a PSSession with a global scope on a computer in a different domain.

By default, PSSessions created at the command line are created with local scope and PSSessions created in a script have script scope.

To create a PSSession with global scope, create a new PSSession and then store the PSSession in a Variable that is cast to a global scope. In this case, the $s Variable is cast to a global scope.

The command uses the ComputerName parameter to specify the remote computer. Because the computer is in a different domain than the user account, the full name of the computer is specified along with the credentials of the user.

————————– EXAMPLE 7 ————————–

C:\PS>$rs = Get-Content c:\test\servers.txt | New-PSSession -ThrottleLimit 50

    Description
    ———–
    This command creates a PSSession on each of the 200 computers listed in the Servers.txt file and it stores the resulting PSSession in the $rs Variable. The PSSessions have a throttle limit of 50.

You can use this command format when the names of computers are stored in a database, spreadsheet, text file, or other text-convertible format.

————————– EXAMPLE 8 ————————–

C:\PS>$s = New-PSSession -URI http://Server01:91/NewSession -Credential domain01\user01

    Description
    ———–
    This command creates a PSSession on the Server01 computer and stores it in the $s Variable. It uses the URI parameter to specify the transport protocol, the remote computer, the port, and an alternate session configuration. It also uses the Credential parameter to specify a user account with permission to create a session on the remote computer.

————————– EXAMPLE 9 ————————–

C:\PS>$s = New-PSSession -ComputerName (Import-Csv servers.csv) -Credential domain01\admin01 -ThrottleLimit 16

C:\PS> Invoke-Command -session $s -scriptblock {Get-Process powershell} -AsJob

    Description
    ———–
    These commands create a set of PSSessions and then run a background job in each of the PSSessions.

The first command creates a new PSSession on each of the computers listed in the Servers.csv file. It uses the New-PSSession cmdlet to create the PSSession. The value of the ComputerName parameter is a command that uses the Import-Csv cmdlet to import the Servers.csv file and read its contents.

The command uses the Credential parameter to create the PSSessions with the permission of a domain administrator, and it uses the ThrottleLimit parameter to limit the command to 16 concurrent connections. The command saves the PSSessions in the $s Variable.

The second command uses the AsJob parameter of Invoke-Command to start a background job that runs a “Get-Process PowerShell” command in each of the PSSessions in $s.

For more information about background jobs, see about_jobs and about_remote_Jobs.

————————– EXAMPLE 10 ————————–

C:\PS>New-PSSession -ConnectionURI https://management.exchangelabs.com/Management

    Description
    ———–
    This command creates a new PSSession that connects to a computer that is specified by a URI instead of a computer name.

————————– EXAMPLE 11 ————————–

C:\PS>$so = New-WSManSessionOption -SkipCACheck

PS C:\> New-PSSession -ConnectionUri https://management.exchangelabs.com/Management -SessionOption $so -Credential server01\admin01

    Description
    ———–
    This example shows how to create and use a SessionOption parameter.

The first command uses the New-WSManSessionOption cmdlet to create a session option. It saves the resulting SessionOption object in the $so parameter.

The second command uses the option in a new session. The command uses the New-PSSession cmdlet to create a new session. The value of the SessionOption parameter is the SessionOption object in the $so Variable.

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkID=135237
    about_pssessions
    about_remote
    Get-PSSession
    Remove-PSSession
    Enter-PSSession
    Exit-PSSession
    Invoke-Command

cmdlet, Invoke, WmiMethod

Invoke-WmiMethod

February 26, 2014 Adam

NAME
Invoke-WmiMethod

SYNOPSIS
Calls Windows Management Instrumentation (WMI) methods.

SYNTAX
Invoke-WmiMethod [-Class] <string> [[-ArgumentList] <Object[]>] [-Authentication {Default | None | Connect | Call | Packet | PacketIntegrity | PacketPrivacy | Unchanged}] [-Authority <string>] [-ComputerName <string[]>] [-Credential <PSCredential>] [-EnableAllPrivileges] [-Impersonation {Default | Anonymous | Identify | Impersonate | Delegate}] [-Locale <string>] [-Namespace <string>] [-Name] <string> [-AsJob] [-ThrottleLimit <int>] [-Confirm] [-WhatIf] [<CommonParameters>]

Invoke-WmiMethod [-Authentication {Default | None | Connect | Call | Packet | PacketIntegrity | PacketPrivacy | Unchanged}] [-Authority <string>] [-ComputerName <string[]>] [-Credential <PSCredential>] [-EnableAllPrivileges] [-Impersonation {Default | Anonymous | Identify | Impersonate | Delegate}] [-Locale <string>] [-Namespace <string>] [-Name] <string> [-AsJob] [-ThrottleLimit <int>] [-Confirm] [-WhatIf] [<CommonParameters>]

Invoke-WmiMethod -InputObject <ManagementObject> [-ArgumentList <Object[]>] [-Name] <string> [-AsJob] [-ThrottleLimit <int>] [-Confirm] [-WhatIf] [<CommonParameters>]

Invoke-WmiMethod -Path <string> [-ArgumentList <Object[]>] [-Authentication {Default | None | Connect | Call | Packet | PacketIntegrity | PacketPrivacy | Unchanged}] [-Authority <string>] [-ComputerName <string[]>] [-Credential <PSCredential>] [-EnableAllPrivileges] [-Impersonation {Default | Anonymous | Identify | Impersonate | Delegate}] [-Locale <string>] [-Namespace <string>] [-Name] <string> [-AsJob] [-ThrottleLimit <int>] [-Confirm] [-WhatIf] [<CommonParameters>]

DESCRIPTION
The Invoke-WmiMethod cmdlet calls WMI methods.

PARAMETERS
-ArgumentList <Object[]>
Specifies the parameters to pass to the called method. The value of this parameter must be an array of objects and they must appear in the order required by the called method.

Important: A second value of $null is required, otherwise the command will generate an error, such as “Unable to cast object of type ‘System.Byte’ to type ‘System.Array’.”.

An example using an array of objects ($binSD) followed by a null value ($null) follows:

        PS C:\> $acl = Get-Acl test.txt
        PS C:\> $binSD = $acl.GetSecurityDescriptorBinaryForm()
        PS C:\> Invoke-WmiMethod -Class Win32_SecurityDescriptorHelper -Name BinarySDToSDDL -ArgumentList $binSD, $null

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-AsJob [<SwitchParameter>]
Runs the command as a background job. Use this parameter to run commands that take a long time to finish.

When you use the AsJob parameter, the command returns an object that represents the background job and then displays the command prompt. You can continue to work in the session while the job finishes. If Invoke-WmiMethod is used against a remote computer, the job is created on the local computer, and the results from remote computers are automatically returned to the local computer. To manage the job, use the cmdlets that contain the Job noun (the Job cmdlets). To get the job results, use the Receive-Job cmdlet.

Note: To use this parameter with remote computers, the local and remote computers must be configured for remoting. Additionally, you must start Windows PowerShell by using the “Run as administrator” option in Windows Vista and later versions of Windows. For more information, see about_remote_requirements.

For more information about Windows PowerShell background jobs, see about_jobs and about_remote_Jobs.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-Authentication <AuthenticationLevel>
Specifies the authentication level to be used with the WMI connection. Valid values are:

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-Authority <string>
Specifies the authority to use to authenticate the WMI connection. You can specify standard NTLM or Kerberos authentication. To use NTLM, set the authority setting to ntlmdomain:<DomainName>, where <DomainName> identifies a valid NTLM domain name. To use Kerberos, specify kerberos:<DomainName\ServerName>. You cannot include the authority setting when you connect to the local computer.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-Class <string>
Specifies the WMI class that contains a static method to call.

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-ComputerName <string[]>
Specifies the computer against which you want to run the management operation. The value can be a fully qualified domain name, a NetBIOS name, or an Internet Protocol (IP) address. Use the local computer name, use localhost, or use a dot (.) to specify the local computer. The local computer is the default. When the remote computer is in a different domain from the user, a fully qualified domain name is required. You can also set the value of this parameter by piping the value to the parameter.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-Credential <PSCredential>
Specifies a user account that has permission to perform this action. The default is the current user. Type a user name, such as “User01”, “Domain01\User01”, or User@Contoso.com. Or, enter a PSCredential object, such as an object that is returned by the Get-Credential cmdlet. When you type a user name, you will be prompted for a password.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-EnableAllPrivileges [<SwitchParameter>]
Enables all the privileges of the current user before the command makes the WMI call.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-Impersonation <ImpersonationLevel>
Specifies the impersonation level to use. Valid values are:

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-InputObject <ManagementObject>
Specifies a ManagementObject object to use as input. When this parameter is used, all other parameters except the Flag and Argument parameters are ignored.

        Required?                    true
        Position?                    named
        Default value
        Accept pipeline input?     true (ByValue)
        Accept wildcard characters? false

-Locale <string>
Specifies the preferred locale for WMI objects. Specify the value of the Locale parameter as an array in the MS_<LCID> format in the preferred order.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-Name <string>
Specifies the name of the method to be invoked. This parameter is mandatory and cannot be null or empty.

        Required?                    true
        Position?                    2
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-Namespace <string>
When used with the Class parameter, this parameter specifies the WMI repository namespace where the referenced WMI class or object is located.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-Path <string>
Specifies the WMI object path of a WMI class, or specifies the WMI object path of an instance of a WMI class. The class or the instance that you specify must contain the method that is specified in the Name parameter.

        Required?                    true
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-Confirm [<SwitchParameter>]
Prompts you for confirmation before executing the command.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-WhatIf [<SwitchParameter>]
Describes what would happen if you executed the command without actually executing the command.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

INPUTS
None
This cmdlet does not accept any input.

OUTPUTS
None
This cmdlet does not generate any output.

NOTES

————————– EXAMPLE 1 ————————–

C:\PS>Invoke-WmiMethod -path win32_process -Name create -ArgumentList notepad.exe

    __GENUS         : 2
    __CLASS         : __PARAMETERS
    __SUPERCLASS     :
    __DYNASTY        : __PARAMETERS
    __RELPATH        :
    __PROPERTY_COUNT : 2
    __DERIVATION     : {}
    __SERVER         :
    __NAMESPACE     :
    __PATH         :
    ProcessId        : 4844
    ReturnValue     : 0

    Description
    ———–
    This command starts an instance of Notepad by calling the Create method of the Win32_Process class.

Note: The ReturnValue property is populated with a 0, and the ProcessId property is populated with an integer (the next process ID number) if the command is completed.

————————– EXAMPLE 2 ————————–

C:\PS>Invoke-WmiMethod -path “CIM_DataFile.Name=’C:\scripts\test.txt'” -Name Rename -ArgumentList “C:\scripts\test_bu.txt”

    __GENUS         : 2
    __CLASS         : __PARAMETERS
    __SUPERCLASS     :
    __DYNASTY        : __PARAMETERS
    __RELPATH        :
    __PROPERTY_COUNT : 1
    __DERIVATION     : {}
    __SERVER         :
    __NAMESPACE     :
    __PATH         :
    ReturnValue     : 0

    Description
    ———–
    This command renames a file. It uses the Path parameter to reference an instance of the CIM_DataFile class. Then, it applies the Rename method to that particular instance.

Note: The ReturnValue property is populated with a 0 if the command is completed.

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkID=113346
    Get-WmiObject
    Remove-WmiObject
    Set-WmiInstance
    Get-WSManInstance
    Invoke-WSManAction
    New-WSManInstance
    Remove-WSManInstance

cmdlet, EventLog, Limit

Limit-EventLog

February 26, 2014 Adam

NAME
Limit-EventLog

SYNOPSIS
Sets the event log properties that limit the size of the event log and the age of its entries.

SYNTAX
Limit-EventLog [-LogName] <string[]> [-ComputerName <string[]>] [-MaximumSize <Int64>] [-OverflowAction {OverwriteAsNeeded | OverwriteOlder | DoNotOverwrite}] [-RetentionDays <int>] [-Confirm] [-WhatIf] [<CommonParameters>]

DESCRIPTION
The Limit-EventLog cmdlet sets the maximum size of a classic event log, how long each event must be retained, and what happens when the log reaches its maximum size. You can use it to limit the event logs on local or remote computers.

PARAMETERS
-ComputerName <string[]>
Specifies a remote computer. The default is the local computer.

Type the NetBIOS name, an Internet Protocol (IP) address, or a fully qualified domain name of a remote computer. To specify the local computer, type the computer name, a dot (.), or “localhost”.

This parameter does not rely on Windows PowerShell remoting. You can use the ComputerName parameter of Limit-EventLog even if your computer is not configured to run remote commands.

        Required?                    true
        Position?                    1
        Default value                None
        Accept pipeline input?     false
        Accept wildcard characters? false

-MaximumSize <Int64>
Specifies the maximum size of the event logs in bytes. Enter a value between 64 kilobytes (KB) and 4 gigabytes (GB). The value must be divisible by 64 KB (65536).

This parameter specifies the value of the MaximumKilobytes property of the System.Diagnostics.EventLog object that represents a classic event log.

-OverflowAction <OverflowAction>
Specifies what happens when the event log reaches its maximum size.

        Valid values are:
        — DoNotOverwrite: Existing entries are retained and new entries are discarded.
        — OverwriteAsNeeded: Each new entry overwrites the oldest entry.
        — OverwriteOlder: New events overwrite events older than the value specified by the MinimumRetentionDays property. If there are no events older than specified by the MinimumRetentionDays property value, new events are discarded.

This parameter specifies the value of the OverflowAction property of the System.Diagnostics.EventLog object that represents a classic event log.

-RetentionDays <int>
Specifies the minimum number of days that an event must remain in the event log.

This parameter specifies the value of the MinimumRetentionDays property of the System.Diagnostics.EventLog object that represents a classic event log.

-Confirm [<SwitchParameter>]
Prompts you for confirmation before executing the command.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-WhatIf [<SwitchParameter>]
Describes what would happen if you executed the command without actually executing the command.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

INPUTS
None
None

OUTPUTS
None
None

NOTES

To use Limit-EventLog on Windows Vista and later versions of Windows, open Windows PowerShell with the “Run as administrator” option.

Limit-EventLog changes the properties of the System.Diagnostics.EventLog object that represents a classic event log. To see the current settings of the event log properties, type “Get-Eventlog -list”.

————————– EXAMPLE 1 ————————–

C:\PS>Limit-EventLog -LogName “Windows PowerShell” -MaximumSize 20KB

    Description
    ———–
    This command increases the maximum size of the Windows PowerShell event log on the local computer to 20480 kilobytes (KB) (20 KB).

————————– EXAMPLE 2 ————————–

C:\PS>Limit-EventLog -LogName Security -comp Server01, Server02 -RetentionDays 7

    Description
    ———–
    This command ensures that events in the Security log on the Server01 and Server02 computers are retained for at least 7 days.

————————– EXAMPLE 3 ————————–

C:\PS>$logs = Get-Eventlog -list | foreach {$_.log}

C:\PS> Limit-EventLog -OverflowAction OverwriteOlder -LogName $logs

C:\PS> Get-Eventlog -list

    Max(K) Retain OverflowAction     Entries Log
    —— —— ————–     ——- —
    15,168     0 OverwriteOlder     3,412 Application
     512     0 OverwriteOlder         0 DFS Replication
     512     0 OverwriteOlder         17 DxStudio
    10,240     7 OverwriteOlder         0 HardwareEvents
     512     0 OverwriteOlder         0 Internet Explorer
     512     0 OverwriteOlder         0 Key Management Service
    16,384     0 OverwriteOlder         4 ODiag
    16,384     0 OverwriteOlder         389 OSession
                                             Security
    15,168     0 OverwriteOlder     19,360 System
    15,360     0 OverwriteOlder     15,828 Windows PowerShell

    Description
    ———–
    These commands change the overflow action of all event logs on the local computer to “OverwriteOlder”.

The first command gets the log names of all of the logs on the local computer. The second command sets the overflow action. The third command displays the results.

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkID=135227
    Clear-EventLog
    Get-EventLog
    Limit-EventLog
    New-EventLog
    Remove-EventLog
    Show-EventLog
    Write-EventLog
    Get-WinEvent

cmdlet, EventLog, New

New-EventLog

February 26, 2014 Adam

NAME
New-EventLog

SYNOPSIS
Creates a new event log and a new event source on a local or remote computer.

SYNTAX
New-EventLog [-LogName] <string> [-Source] <string[]> [[-ComputerName] <string[]>] [-CategoryResourceFile <string>] [-MessageResourceFile <string>] [-ParameterResourceFile <string>] [<CommonParameters>]

DESCRIPTION
This cmdlet creates a new classic event log on a local or remote computer. It can also register an event source that writes to the new log or to an existing log.

The cmdlets that contain the EventLog noun (the Event log cmdlets) work only on classic event logs. To get events from logs that use the Windows Event Log technology in Windows Vista and later versions of Windows, use Get-WinEvent.

PARAMETERS
-CategoryResourceFile <string>
Specifies the path to the file that contains category strings for the source events. This file is also known as the Category Message File.

The file must be present on the computer on which the event log is being created. This parameter does not create or move files.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-ComputerName <string[]>
Creates the new event logs on the specified computers. The default is the local computer.

Type the NetBIOS name, an Internet Protocol (IP) address, or a fully qualified domain name of a remote computer. To specify the local computer, type the computer name, a dot (.), or “localhost”.

This parameter does not rely on Windows PowerShell remoting. You can use the ComputerName parameter of Get-EventLog even if your computer is not configured to run remote commands.

        Required?                    false
        Position?                    3
        Default value                .
        Accept pipeline input?     false
        Accept wildcard characters? false

-LogName <string>
Specifies the name of the event log.

If the log does not exist, New-EventLog creates the log and uses this value for the Log and LogDisplayName properties of the new event log. If the log exists, New-EventLog registers a new source for the event log.

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-MessageResourceFile <string>
Specifies the path to the file that contains message formatting strings for the source events. This file is also known as the Event Message File.

The file must be present on the computer on which the event log is being created. This parameter does not create or move files.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-ParameterResourceFile <string>
Specifies the path to the file that contains strings used for parameter substitutions in event descriptions. This file is also known as the Parameter Message File.

The file must be present on the computer on which the event log is being created. This parameter does not create or move files.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-Source <string[]>
Specifies the names of the event log sources, such as application programs that write to the event log. This parameter is required.

        Required?                    true
        Position?                    2
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

INPUTS
None
You cannot pipe input to this cmdlet.

OUTPUTS
System.Diagnostics.EventLogEntry

NOTES

To use New-EventLog on Windows Vista and later versions of Windows, open Windows PowerShell with the “Run as administrator” option.

To create an event source in Windows Vista, Windows XP Professional, or Windows Server 2003, you must be a member of the Administrators group on the computer.

When you create a new event log and a new event source, the system registers the new source for the new log, but the log is not created until the first entry is written to it.

The operating system stores event logs as files. When you create a new event log, the associated file is stored in the %SystemRoot%\System32\Config directory on the specified computer. The file name is the first eight characters of the Log property with an .evt file name extension.

————————– EXAMPLE 1 ————————–

C:\PS>New-Eventlog -Source TestApp -LogName TestLog -MessageResourceFile C:\Test\TestApp.dll

    Description
    ———–
    This command creates the TestLog event log on the local computer and registers a new source for it.

————————– EXAMPLE 2 ————————–

C:\PS>$file = “C:\Program Files\TestApps\NewTestApp.dll”

C:\PS> New-Eventlog -ComputerName Server01 -Source NewTestApp -LogName Application -MessageResourceFile $file -CategoryResourceFile $file

    Description
    ———–
    This command adds a new event source, NewTestApp, to the Application log on the Server01 remote computer.

The command requires that the NewTestApp.dll file is located on the Server01 computer.

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkID=135235
    Clear-EventLog
    Get-EventLog
    Limit-EventLog
    New-EventLog
    Remove-EventLog
    Show-EventLog
    Write-EventLog
    Get-WinEvent

cmdlet, Get, WSManInstance

Get-WSManInstance

February 26, 2014 Adam

NAME
Get-WSManInstance

SYNOPSIS
Displays management information for a resource instance specified by a Resource URI.

SYNTAX
Get-WSManInstance -SelectorSet <hashtable> [-ApplicationName <string>] [-ComputerName <string>] [-Credential <PSCredential>] [-Fragment <string>] [-Port <int>] [-UseSSL] [-ResourceURI] <Uri> [-Authentication <Authentication>] [-Dialect <Uri>] [-OptionSet <hashtable>] [-SessionOption <hashtable>] [<CommonParameters>]

Get-WSManInstance [-ApplicationName <string>] [-BasePropertiesOnly <switch>] [-ComputerName <string>] [-Credential <PSCredential>] [-Enumerate] [-filter <string>] [-Port <int>] [-References <switch>] [-ReturnType <string>] [-Shallow <switch>] [-UseSSL] [-ResourceURI] <Uri> [-Authentication <Authentication>] [-Dialect <Uri>] [-OptionSet <hashtable>] [-SessionOption <hashtable>] [<CommonParameters>]

Get-WSManInstance -ConnectionURI <Uri> -SelectorSet <hashtable> [-Fragment <string>] [-ResourceURI] <Uri> [-Authentication <Authentication>] [-Dialect <Uri>] [-OptionSet <hashtable>] [-SessionOption <hashtable>] [<CommonParameters>]

Get-WSManInstance -ConnectionURI <Uri> [-BasePropertiesOnly <switch>] [-Enumerate] [-filter <string>] [-References <switch>] [-ReturnType <string>] [-Shallow <switch>] [-ResourceURI] <Uri> [-Authentication <Authentication>] [-Dialect <Uri>] [-OptionSet <hashtable>] [-SessionOption <hashtable>] [<CommonParameters>]

DESCRIPTION
The Get-WSManInstance cmdlet retrieves an instance of a management resource that is specified by a resource URI. The information that is retrieved can be a complex XML information set (an object) or a simple value. This cmdlet is the equivalent to the standard WS-Management Get command.

This cmdlet uses the WS-Management connection/transport layer to retrieve information.

For example:

http://server01:8080/WSMAN

-Authentication <Authentication>
Specifies the authentication mechanism to be used at the server. Possible values are:

-BasePropertiesOnly <switch>
Enumerates only the properties that are part of the base class that is specified by the ResourceURI parameter. This parameter has no effect if the Shallow parameter is specified.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-ConnectionURI <Uri>
Specifies the connection endpoint. The format of this string is:

The following string is a properly formatted value for this parameter:

http://Server01:8080/WSMAN

The URI must be fully qualified.

        Required?                    true
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-Credential <PSCredential>
Specifies a user account that has permission to perform this action. The default is the current user. Type a user name, such as “User01”, “Domain01\User01”, or “User@Domain.com”. Or, enter a PSCredential object, such as one returned by the Get-Credential cmdlet. When you type a user name, you will be prompted for a password.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-Dialect <Uri>
Specifies the dialect to use in the filter predicate. This can be any dialect that is supported by the remote service. The following Aliases can be used for the dialect URI:

        – WQL: http://schemas.microsoft.com/wbem/wsman/1/WQL
        – Selector: http://schemas.microsoft.com/wbem/wsman/1/wsman/SelectorFilter
        – Association: http://schemas.dmtf.org/wbem/wsman/1/cimbinding/associationFilter

        Required?                    false
        Position?                    named
        Default value                http://schemas.microsoft.com/wbem/wsman/1/WQL
        Accept pipeline input?     false
        Accept wildcard characters? false

-Enumerate [<SwitchParameter>]
Returns all of the instances of a management resource.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-filter <string>
Specifies the filter expression for the enumeration. If you use this parameter, you must also specify the Dialect parameter.

The valid values of this parameter depend on the dialect that is specified in the Dialect parameter. For example, if the Dialect parameter is set to WQL, the Filter parameter must contain a string, and the string must contain a valid WQL query such as the following query:

“Select * from Win32_Service where State != Running”

If the Dialect parameter is set to Association, the Filter parameter must contain a string, and the string must contain a valid filter, such as the following filter:

-filter:Object=EPR[;AssociationClassName=AssocClassName][;ResultClassName=ClassName][;Role=RefPropertyName][;ResultRole=RefPropertyName]}

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-Fragment <string>
Specifies a section inside the instance that is to be updated or retrieved for the specified operation. For example, to get the status of a spooler service, specify “-Fragment Status”.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

The following example demonstrates the syntax that passes the values 1, 2, and 3 for the a, b, and c parameters:

-OptionSet @{a=1;b=2;c=3}

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     true (ByValue, ByPropertyName)
        Accept wildcard characters? false

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-References <switch>
Indicates that association instances (not associated instances) should be retrieved. You can use this parameter only when the Dialect parameter is set to a value of “Association”.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

A URI consists of a prefix and a path to a resource. For example:

http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_LogicalDisk
http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_NumericSensor

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?     true (ByValue, ByPropertyName)
        Accept wildcard characters? false

-ReturnType <string>
Specifies the type of data to be returned. The valid values are:

            Object (the default)
            EPR
            ObjectAndEPR

If Object is specified or if this parameter is not used, only objects are returned. If EPR (endpoint reference) is specified, only the endpoint references of the objects are returned. Endpoint references contain information about the resource URI and the selectors for the instance. If ObjectAndEPR is specified, both the object and its associated endpoint references are returned.

        Required?                    false
        Position?                    named
        Default value                Object
        Accept pipeline input?     false
        Accept wildcard characters? false

The following example shows how to enter a value for this parameter:

-SelectorSet @{Name=”WinRM”;ID=”yyy”}

        Required?                    true
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-Shallow <switch>
Causes only instances of the base class that is specified in the resource URI to be returned. If this switch is not specified, instances of the base class that is specified in the URI and in all its derived classes is returned.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-UseSSL [<SwitchParameter>]
Specifies that the Secure Sockets Layer (SSL) protocol should be used to establish a connection to the remote computer. By default, SSL is not used.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

INPUTS
None
This command does not accept any input.

OUTPUTS
System.Xml.XmlElement
The Get-WSManInstance cmdlet generates an XMLElement object.

NOTES

————————– EXAMPLE 1 ————————–

C:\PS>Get-WSManInstance wmicimv2/win32_service -SelectorSet @{name=”winrm”} -ComputerName server01

    xsi                     : http://www.w3.org/2001/XMLSchema-instance
    p                     : http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_Service
    cim                     : http://schemas.dmtf.org/wbem/wscim/1/common
    type                    : p:Win32_Service_Type
    lang                    : en-US
    AcceptPause             : false
    AcceptStop             : true
    Caption                 : Windows Remote Management (WS-Management)
    CheckPoint             : 0
    CreationClassName     : Win32_Service
    Description             : Windows Remote Management (WinRM) service implements the WS-Management protocol for remote
                             management. WS-Management is a standard web services protocol used for remote software and
                             hardware management. The WinRM service listens on the network for WS-Management requests
                             and processes them. The WinRM Service needs to be configured with a listener using the
                             winrm.cmd command line tool or through Group Policy in order for it to listen over the
                             network. The WinRM service provides access to WMI data and enables event collection. Event
                             collection and subscription to events require that the service is running. WinRM messages
                             use HTTP and HTTPS as transports. The WinRM service does not depend on IIS but is
                             preconfigured to share a port with IIS on the same machine. The WinRM service reserves the
                             /wsman URL prefix. To prevent conflicts with IIS, administrators should ensure that any
                             websites hosted on IIS do not use the /wsman URL prefix.
    DesktopInteract         : false
    DisplayName             : Windows Remote Management (WS-Management)
    ErrorControl            : Normal
    ExitCode                : 0
    InstallDate             : InstallDate
    Name                    : winrm
    PathName                : C:\Windows\System32\svchost.exe -k NetworkService
    ProcessId             : 948
    ServiceSpecificExitCode : 0
    ServiceType             : Share Process
    Started                 : true
    StartMode             : Auto
    StartName             : NT AUTHORITY\NetworkService
    State                 : Running
    Status                 : OK
    SystemCreationClassName : Win32_ComputerSystem
    SystemName             : SERVER01
    TagId                 : 0
    WaitHint                : 0

    Description
    ———–
    This command returns all of the information that Windows Management Instrumentation (WMI) exposes about the WinRM service on the remote server01 computer.

————————– EXAMPLE 2 ————————–

C:\PS>Get-WSManInstance wmicimv2/win32_service -SelectorSet @{name=”spooler”} -Fragment status -ComputerName server01

XmlFragment=OK

    Description
    ———–
    This command returns only the status of the Spooler service on the remote server01 computer.

————————– EXAMPLE 3 ————————–

C:\PS>Get-WSManInstance -enumerate wmicimv2/win32_process

    OSName                     : Microsoft Windows Vista Ultimate |C:\Windows|\Device\Harddisk0\Partition3
    OtherOperationCount        : 11441
    OtherTransferCount         : 428570
    PageFaults                 : 27346
    PageFileUsage             : 16428
    ParentProcessId            : 604
    PeakPageFileUsage         : 17588
    PeakVirtualSize            : 93876224
    PeakWorkingSetSize         : 12472
    Priority                 : 8
    PrivatePageCount         : 16822272
    ProcessId                 : 1160
    QuotaNonPagedPoolUsage     : 14
    QuotaPagedPoolUsage        : 126
    QuotaPeakNonPagedPoolUsage : 16
    QuotaPeakPagedPoolUsage    : 159
    ReadOperationCount         : 29568
    ReadTransferCount         : 1660581404
    SessionId                 : 0
    Status                     : Status
    TerminationDate            : TerminationDate
    ThreadCount                : 23
    UserModeTime             : 763156892
    VirtualSize                : 80846848
    WindowsVersion             : 6.0.6001
    WorkingSetSize             : 11624448
    WriteOperationCount        : 1913
    WriteTransferCount         : 6825768

    xsi                        : http://www.w3.org/2001/XMLSchema-instance
    p                         : http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_Process
    cim                        : http://schemas.dmtf.org/wbem/wscim/1/common
    type                     : p:Win32_Process_Type
    lang                     : en-US
    Caption                    : svchost.exe
    CommandLine                : C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    CreationClassName         : Win32_Process
    CreationDate             : CreationDate
    CSCreationClassName        : Win32_ComputerSystem
    CSName                     : COMPUTER01
    Description                : svchost.exe
    ExecutablePath             : C:\Windows\System32\svchost.exe
    ExecutionState             : ExecutionState
    Handle                     : 1192
    HandleCount                : 832

…

    Description
    ———–
    This command returns all the instances of the WMI Win32_Process class on the local computer.

————————– EXAMPLE 4 ————————–

C:\PS>Get-WSManInstance -enumerate wmicimv2/win32_service -returntype epr

…

    Description
    ———–
    This command returns endpoint references that correspond to all the services on the local computer.

————————– EXAMPLE 5 ————————–

C:\PS>Get-WSManInstance -Enumerate wmicimv2/* -filter “select * from win32_service where StartMode = ‘Auto’ and State = ‘Stopped'” -ComputerName server01

…

    Description
    ———–
    This command lists all of the services that meet the following criteria on the remote server01 computer:

– The startup type of the service is “Automatic”.
– The service is stopped.

————————– EXAMPLE 6 ————————–

C:\PS>Get-WSManInstance winrm/config/listener -SelectorSet @{Address=”*”;Transport=”http”}

    cfg                 : http://schemas.microsoft.com/wbem/wsman/1/config/listener
    xsi                 : http://www.w3.org/2001/XMLSchema-instance
    lang                 : en-US
    Address             : *
    Transport             : HTTP
    Port                 : 80
    Hostname             :
    Enabled             : true
    URLPrefix             : WSMan
    CertificateThumbprint :
    ListeningOn         : {100.0.0.1, 123.123.123.123, ::1, 2001:4898:0:fff:0:5efe:123.123.123.123…}

    Description
    ———–
    This command lists the WS-Management listener configuration on the local computer for the listener that matches the criteria in the selector set.

————————– EXAMPLE 7 ————————–

C:\PS>Get-WSManInstance winrm/config/listener -SelectorSet @{Address=”*”;Transport=”http”} -ComputerName server01

    Description
    ———–
    This command lists the WS-Management listener configuration on the remote server01 computer for the listener that matches the criteria in the selector set.

————————– EXAMPLE 8 ————————–

C:\PS>Get-WSManInstance -Enumerate -Dialect association -filter “{Object=win32_service?name=winrm}” -res wmicimv2/*

    xsi                     : http://www.w3.org/2001/XMLSchema-instance
    p                         : http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_ComputerSystem
    cim                     : http://schemas.dmtf.org/wbem/wscim/1/common
    type                     : p:Win32_ComputerSystem_Type
    lang                     : en-US
    AdminPasswordStatus     : 1
    AutomaticManagedPagefile : true
    AutomaticResetBootOption : true
    AutomaticResetCapability : true
    BootOptionOnLimit         : BootOptionOnLimit
    BootOptionOnWatchDog     : BootOptionOnWatchDog
    BootROMSupported         : true
    BootupState             : Normal boot
    Caption                 : SERVER01
    ChassisBootupState        : 3
    CreationClassName         : Win32_ComputerSystem
    CurrentTimeZone         : -480
    DaylightInEffect         : false
    Description             : AT/AT COMPATIBLE
    DNSHostName             : server01
    Domain                    : site01.corp.fabrikam.com
    DomainRole                : 1
    EnableDaylightSavingsTime : true
    FrontPanelResetStatus     : 2
    InfraredSupported         : false
    InstallDate             : InstallDate
    KeyboardPasswordStatus    : 2
    LastLoadInfo             : LastLoadInfo
    Manufacturer             : Dell Inc.
    Model                     : OptiPlex 745
    Name                     : SERVER01
    NameFormat                : NameFormat
    NetworkServerModeEnabled : true
    NumberOfLogicalProcessors : 2
    NumberOfProcessors        : 1
    OEMStringArray            : www.dell.com
    PartOfDomain             : true
    PauseAfterReset         : -1
    PCSystemType             : 5
    PowerManagementSupported : PowerManagementSupported
    PowerOnPasswordStatus     : 1
    PowerState                : 0
    PowerSupplyState         : 3
    PrimaryOwnerContact     : PrimaryOwnerContact
    PrimaryOwnerName         : testuser01
    ResetCapability         : 1
    ResetCount                : -1
    ResetLimit                : -1
    Roles                     : {LM_Workstation, LM_Server, SQLServer, NT}
    Status                    : OK
    SystemStartupDelay        : SystemStartupDelay
    SystemStartupSetting     : SystemStartupSetting
    SystemType                : X86-based PC
    ThermalState             : 3
    TotalPhysicalMemory     : 3217760256
    UserName                 : FABRIKAM\testuser01
    WakeUpType                : 6
    Workgroup                 : Workgroup

    xsi                     : http://www.w3.org/2001/XMLSchema-instance
    p                     : http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_SystemDriver
    cim                     : http://schemas.dmtf.org/wbem/wscim/1/common
    type                    : p:Win32_SystemDriver_Type
    lang                    : en-US
    AcceptPause             : false
    AcceptStop             : true
    Caption                 : HTTP
    CreationClassName     : Win32_SystemDriver
    Description             : HTTP
    DesktopInteract         : false
    DisplayName             : HTTP
    ErrorControl            : Normal
    ExitCode                : 0
    InstallDate             : InstallDate
    Name                    : HTTP
    PathName                : C:\Windows\system32\drivers\HTTP.sys
    ServiceSpecificExitCode : 0
    ServiceType             : Kernel Driver
    Started                 : true
    StartMode             : Manual
    StartName             :
    State                 : Running
    Status                 : OK
    SystemCreationClassName : Win32_ComputerSystem
    SystemName             : SERVER01
    TagId                 : 0

    Description
    ———–
    This command gets the associated instances that are related to the specified instance (winrm).

Important: You must enclose the filter in quotation marks, as shown in the example.

————————– EXAMPLE 9 ————————–

C:\PS>Get-WSManInstance -Enumerate -Dialect association -References -filter “{Object=win32_service?name=winrm}” -res wmicimv2/*

    Description
    ———–
    This command gets association instances that are related to the specified instance (winrm). Because the Dialect parameter is set to “association” and the Reference parameter is used, this command returns association instances, not associated instances.

Important: You must enclose the filter in quotation marks, as shown in the example.

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkId=141444
    Connect-WSMan
    Disable-WSManCredSSP
    Disconnect-WSMan
    Enable-WSManCredSSP
    Get-WSManCredSSP
    Invoke-WSManAction
    New-WSManInstance
    New-WSManSessionOption
    Remove-WSManInstance
    Set-WSManInstance
    Set-WSManQuickConfig
    Test-WSMan

cmdlet, Get, WinEvent

Get-WinEvent

February 26, 2014 Adam

NAME
Get-WinEvent

SYNOPSIS
Gets events from event logs and event tracing log files on local and remote computers.

SYNTAX
Get-WinEvent [-LogName] <string[]> [-ComputerName <string>] [-Credential <PSCredential>] [-FilterXPath <string>] [-Force <switch>] [-MaxEvents <int64>] [-Oldest] [<CommonParameters>]

Get-WinEvent [-Path] <string[]> [-ComputerName <string>] [-Credential <PSCredential>] [-FilterXPath <string>] [-Force <switch>] [-MaxEvents <int64>] [-Oldest] [<CommonParameters>]

Get-WinEvent [-ProviderName] <string[]> [-ComputerName <string>] [-Credential <PSCredential>] [-FilterXPath <string>] [-Force <switch>] [-MaxEvents <int64>] [-Oldest] [<CommonParameters>]

Get-WinEvent -FilterHashTable <Hashtable[]> [-ComputerName <string>] [-Credential <PSCredential>] [-Force <switch>] [-MaxEvents <int64>] [-Oldest] [<CommonParameters>]

Get-WinEvent [-ListLog] <string[]> [-ComputerName <string>] [-Credential <PSCredential>] [<CommonParameters>]

Get-WinEvent [-ListProvider] <string[]> [-ComputerName <string>] [-Credential <PSCredential>] [<CommonParameters>]

Get-WinEvent -FilterXml <XmlDocument> [-ComputerName <string>] [-Credential <PSCredential>] [-Force <switch>] [-MaxEvents <int64>] [-Oldest] [<CommonParameters>]

DESCRIPTION
The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs, and the event logs that are generated by the new Windows Event Log technology introduced in Windows Vista. It also gets events in log files generated by Event Tracing for Windows (ETW).

Without parameters, a Get-WinEvent command gets all the events from all the event logs on the computer. To interrupt the command, press CTRL + C.

Get-WinEvent also lists event logs and event log providers. You can get events from selected logs or from logs generated by selected event providers. And, you can combine events from multiple sources in a single command. Get-WinEvent allows you to filter events by using XPath queries, structured XML queries, and simplified hash-table queries.

Note: Get-WinEvent requires Windows Vista, Windows Server 2008 R2, or later versions of Windows. And, it requires the Microsoft .NET Framework 3.5 or a later version.

PARAMETERS
-ComputerName <string>
Gets events from the event logs on the specified computer. Type the NetBIOS name, an Internet Protocol (IP) address, or the fully qualified domain name of the computer. The default value is the local computer.

This parameter accepts only one computer name at a time. To find event logs or events on multiple computers, use a ForEach statement. For more information about this parameter, see the examples.

To get events and event logs from remote computers, the firewall port for the event log service must be configured to allow remote access.

This parameter does not rely on Windows PowerShell remoting. You can use the ComputerName parameter even if your computer is not configured to run remote commands.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-Credential <PSCredential>
Specifies a user account that has permission to perform this action. The default value is the current user.

Type a user name, such as User01 or Domain01\User01. Or, enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. If you type only the parameter name, you will be prompted for both a user name and a password.

        Required?                    false
        Position?                    named
        Default value                Current user
        Accept pipeline input?     false
        Accept wildcard characters? false

-FilterHashTable <Hashtable[]>
Uses a query in hash table format to select events from one or more event logs. The query contains a hash table with one or more key-value pairs.

        Hash table queries have the following rules:
        — Keys and values are case-insensitive.
        — Wildcard characters are valid only in the values associated with the LogName and ProviderName keys.
        — Each key can be listed only once in each hash-table.
        — The Path value takes paths to .etl, .evt, and .evtx log files.
        — The LogName, Path, and ProviderName keys can be used in the same query.
        — The UserID key can take a valid security identifier (SID) or a domain account name that can be used to construct a valid System.Security.Principal.NTAccount object.
        — The Data value takes event data in an unnamed field. This is for events in classic event logs.
        — The * key represents a named event data field.
        When Get-WinEvent cannot interpret a key-value pair, it interprets the key as a case-sensitive name for the event data in the event.

        The valid key-value pairs are as follows:
        — LogName=<String[]>
        — ProviderName=<String[]>
        — Path=<String[]>
        — Keywords=<Long[]>
        — ID=<Int32[]>
        — Level=<Int32[]>
        — StartTime=<DateTime>
        — EndTime=<DataTime>
        — UserID=<SID>
        — Data=<String[]>
        — *=<String[]>

        Required?                    true
        Position?                    named
        Default value
        Accept pipeline input?     true (ByValue)
        Accept wildcard characters? false

-FilterXml <XmlDocument>
Uses a structured XML query to select events from one or more event logs.

To generate a valid XML query, use the Create Custom View and Filter Current Log features in Event Viewer. Use the items in the dialog box to create a query, and then click the XML tab to view the query in XML format. You can copy the XML from the XML tab into the value of the FilterXml parameter. For more information about the Event Viewer features, see Event Viewer Help.

Typically, you use an XML query to create a complex query that contains several XPath statements. The XML format also allows you to use a “Suppress” XML element that excludes events from the query. For more information about the XML schema for event log queries, see the following topics in the MSDN (Microsoft Developer Network) library.

— “Query Schema”: http://go.microsoft.com/fwlink/?LinkId=143685

— “XML Event Queries” in “Event Selection”: http://go.microsoft.com/fwlink/?LinkID=143608

        Required?                    true
        Position?                    named
        Default value                None
        Accept pipeline input?     true (ByValue)
        Accept wildcard characters? false

-FilterXPath <string>
Uses an XPath query to select events from one or more logs.

For more information about the XPath language, see “Selection Filters” in “Event Selection” and in the “XPath Reference” in the MSDN library.

-Force <switch>
Gets debug and analytic logs, in addition to other event logs. The Force parameter is required to get a debug or analytic log when the value of the name parameter includes wildcard characters.

By default, Get-WinEvent excludes these logs unless you specify the full name of a debug or analytic log.

        Required?                    false
        Position?                    named
        Default value                Debugging and analytic logs are not returned in response to queries that use wildcard characters.
        Accept pipeline input?     false
        Accept wildcard characters? false

-ListLog <string[]>
Gets the specified event logs. Enter the event log names in a comma-separated list. Wildcards are permitted. To get all the logs, enter a value of *.

        Required?                    true
        Position?                    1
        Default value                None
        Accept pipeline input?     false
        Accept wildcard characters? true

-ListProvider <string[]>
Gets the specified event log providers. An event log provider is a program or service that writes events to the event log.

Enter the provider names in a comma-separated list. Wildcards are permitted. To get the providers of all the event logs on the computer, enter a value of *.

        Required?                    true
        Position?                    1
        Default value                None
        Accept pipeline input?     false
        Accept wildcard characters? true

-LogName <string[]>
Gets events from the specified event logs. Enter the event log names in a comma-separated list. Wildcards are permitted. You can also pipe log names to Get-WinEvent.

        Required?                    true
        Position?                    1
        Default value                None
        Accept pipeline input?     true (ByValue)
        Accept wildcard characters? true

-MaxEvents <int64>
Specifies the maximum number of events that Get-WinEvent returns. Enter an integer. The default is to return all the events in the logs or files.

        Required?                    false
        Position?                    named
        Default value                All events
        Accept pipeline input?     false
        Accept wildcard characters? false

-Oldest [<SwitchParameter>]
Returns the events in oldest-first order. By default, events are returned in newest-first order.

This parameter is required to get events from .etl and .evt files and from debug and analytic logs. In these files, events are recorded in oldest-first order, and the events can be returned only in oldest-first order.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

-Path <string[]>
Gets events from the specified event log files. Enter the paths to the log files in a comma-separated list, or use wildcard characters to create file path patterns.

Get-WinEvent supports files with the .evt, .evtx, and .etl file name extensions. You can include events from different files and file types in the same command.

        Required?                    true
        Position?                    1
        Default value                None
        Accept pipeline input?     false
        Accept wildcard characters? true

-ProviderName <string[]>
Gets events written by the specified event log providers. Enter the provider names in a comma-separated list, or use wildcard characters to create provider name patterns.

An event log provider is a program or service that writes events to the event log. It is not a Windows PowerShell provider.

        Required?                    true
        Position?                    1
        Default value                None
        Accept pipeline input?     false
        Accept wildcard characters? true

INPUTS
System.String, System.Xml.XmlDocument, System.Collections.Hashtable.
You can pipe a LogName (string), a FilterXML query, or a FilterHashTable query to Get-WinEvent.

OUTPUTS
    System.Diagnostics.Eventing.Reader.EventLogConfiguration, System.Diagnostics.Eventing.Reader.EventLogRecord, System.Diagnostics.Eventing.Reader.ProviderMetadata
        With the ListLog parameter, Get-WinEvent returns System.Diagnostics.Eventing.Reader.EventLogConfiguration objects. With the ListProvider parameter, Get-WinEvent returns
        System.Diagnostics.Eventing.Reader.ProviderMetadata objects. With all other parameters, Get-WinEvent returns System.Diagnostics.Eventing.Reader.EventLogRecord objects.

NOTES

Get-WinEvent is designed to replace the Get-EventLog cmdlet on computers running Windows Vista and later versions of Windows. Get-EventLog gets events only in classic event logs. Get-EventLog is retained in Windows PowerShell 2.0 for systems earlier than Windows Vista.

————————– EXAMPLE 1 ————————–

C:\PS>Get-WinEvent -listlog *

    Description
    ———–
    This command gets all the logs on the local computer.

Logs are listed in the order that Get-WinEvent gets them. Classic logs are usually retrieved first, followed by the new Windows Eventing logs.

Because there are typically more than a hundred event logs, this parameter requires a log name or name pattern. To get all the logs, use *.

————————– EXAMPLE 2 ————————–

C:\PS>Get-WinEvent -listlog Setup | Format-List -property *

        FileSize                     : 69632
        IsLogFull                     : False
        LastAccessTime                 : 2/14/2008 12:55:12 AM
        LastWriteTime                 : 7/9/2008 3:12:05 AM
        OldestRecordNumber             : 1
        RecordCount                    : 3
        LogName                        : Setup
        LogType                        : Operational
        LogIsolation                 : Application
        IsEnabled                     : True
        IsClassicLog                 : False
        SecurityDescriptor             : O:BAG:SYD:(A;;0xf0007;;;SY)(A;
                                         (A;;0x1;;;S-1-5-32-573)
        LogFilePath                    : %SystemRoot%\System32\Winevt\L
        MaximumSizeInBytes             : 1052672
        LogMode                        : Circular
        OwningProviderName             : Microsoft-Windows-Eventlog
        ProviderNames                 : {Microsoft-Windows-WUSA, Micro
        ProviderLevel                 :
        ProviderKeywords             :
        ProviderBufferSize             : 64
        ProviderMinimumNumberOfBuffers : 0
        ProviderMaximumNumberOfBuffers : 64
        ProviderLatency                : 1000
        ProviderControlGuid            :

    Description
    ———–
    These commands get an object that represents the classic System log on the local computer. The object includes useful information about the log, including its size, event log provider, file path, and whether it is enabled.

————————– EXAMPLE 3 ————————–

C:\PS>Get-WinEvent -listlog * -ComputerName Server01| where {$_.recordcount}

    Description
    ———–
    This command gets only event logs on the Server01 computer that contain events. Many logs might be empty.

The command uses the RecordCount property of the EventLogConfiguration object that Get-WinEvent returns when you use the ListLog parameter.

————————– EXAMPLE 4 ————————–

C:\PS>$s = “Server01”, “Server02”, “Server03”

C:\PS> foreach ($server in $s)
{$server; Get-WinEvent -listlog “Windows PowerShell” -ComputerName $server}

    Description
    ———–
    The commands in this example get objects that represent the Windows PowerShell event logs on the Server01, Server02, and Server03 computers. This command uses the Foreach keyword because the ComputerName parameter takes only one value.

The first command saves the names of the computers in the $s Variable.

The second command uses a Foreach statement. For each of the computers in the $s Variable, it performs the command in the script block (within the braces). First, the command prints the name of the computer. Then, it runs a Get-WinEvent command to get an object that represents the Windows PowerShell log.

————————– EXAMPLE 5 ————————–

C:\PS>Get-WinEvent -listprovider *

    Description
    ———–
    This command gets the event log providers on the local computer and the logs to which they write, if any.

————————– EXAMPLE 6 ————————–

C:\PS>(Get-WinEvent -listlog Application).providernames

    Description
    ———–
    This command gets all of the providers that write to the Application log on the local computer.

————————– EXAMPLE 7 ————————–

C:\PS>>Get-WinEvent -listprovider *policy*

    Description
    ———–
    This command gets the event log providers whose names include the word “policy.”

————————– EXAMPLE 8 ————————–

C:\PS>(Get-WinEvent -listprovider microsoft-windows-grouppolicy).events | Format-Table id, description -auto

    Description
    ———–
    This command lists the event IDs that the Microsoft-Windows-GroupPolicy event provider generates along with the event description.

It uses the Events property of the object that Get-WinEvent returns when you use the ListProvider parameter, and it uses the ID and Description properties of the object in the Events property.

————————– EXAMPLE 9 ————————–

C:\PS>$events = Get-WinEvent -LogName “Windows PowerShell”

C:\PS> $events.count
195

    C:\PS> $events | Group-Object id -noelement | Sort-Object count -desc
    Count Name
    —– —-
     147 600
     22 400
     21 601
        3 403
        2 103

     C:\PS> $events | Group-Object leveldisplayname -noelement
    Count Name
    —– —-
        2 Warning
     193 Information

    Description
    ———–
    This example shows how to use the properties of the event objects that Get-WinEvent returns to learn about the events in an event log.

The first command uses the Get-WinEvent cmdlet to get all of the events in the Windows PowerShell event log. Then, it saves them in the $events Variable. The log name is enclosed in quotation marks because it contains a space.

The second command uses the Count property of object collections to find the number of entries in the event log.

The third command displays the incidence of each event in the log, with the most frequent events first. In this example, event ID 600 is the most frequent event.

The fourth command groups the items by the value of their LevelDisplayName property to show how many Error, Warning, and Information events are in the log.

————————– EXAMPLE 10 ————————–

C:\PS>Get-WinEvent -LogName *disk*, Microsoft-Windows-Kernel-WHEA

    Description
    ———–
    This command gets the error events whose names include “disk” from all of the event logs on the computer and from the Microsoft-Windows-Kernel-WHEA event log.

————————– EXAMPLE 11 ————————–

C:\PS>Get-WinEvent -path ‘c:\ps-test\Windows PowerShell.evtx’

    Description
    ———–
    This command gets events from a copy of the Windows PowerShell event log file in a test directory. The path is enclosed in quotation marks because the log name includes a space.

————————– EXAMPLE 12 ————————–

C:\PS>Get-WinEvent -path ‘c:\tracing\tracelog.etl’ -MaxEvents 100 -Oldest

C:\PS> Get-WinEvent -path ‘c:\tracing\tracelog.etl’ -Oldest | Sort-Object -property timecreated -desc | Select-Object -first 100

    Description
    ———–
    These commands get the first 100 events from an Event Tracing for Windows (ETW) event trace log file.

The first command gets the 100 oldest events in the log. It uses the Get-WinEvent cmdlet to get events from the Tracelog.etl file. It uses the MaxEvents parameter to limit the retrieval to 100 events. Because the events are listed in the order in which they are written to the log (oldest first), the Oldest parameter is required.

The second command gets the 100 newest events in the log. It uses the Get-WinEvent cmdlet to get all the events from the Tracing.etl file. It passes
the events to the Sort-Object cmdlet, which sorts them in descending order by the value of the TimeCreated property. Then, it sends the sorted events to the Select-Object cmdlet to select the newest 100 events.

————————– EXAMPLE 13 ————————–

C:\PS>Get-WinEvent -path “c:\tracing\tracelog.etl”, “c:\Logs\Windows PowerShell.evtx” -Oldest | where {$_.id -eq “103”}

    Description
    ———–
    This example shows how to get the events from an event trace log file (.etl) and from a copy of the Windows PowerShell log file (.evtx) that was saved to a test directory.

You can combine multiple file types in a single command. Because the files contain the same type of .NET Framework object (an EventLogRecord object), you can use the same properties to filter them.

Note that the command requires the Oldest parameter because it is reading from an .etl file, but the Oldest parameter applies to both of the files.

————————– EXAMPLE 14 ————————–

    C:\PS># Use the Where-Object cmdlet
    C:\PS> $yesterday = (Get-Date) – (New-TimeSpan -day 1)
    C:\PS> Get-WinEvent -LogName “Windows PowerShell” | where {$_.timecreated -ge $yesterday}

    # Uses FilterHashTable
    C:\PS> $yesterday = (Get-Date) – (New-TimeSpan -day 1)
    C:\PS> Get-WinEvent -FilterHashTable @{LogName=’Windows PowerShell’; Level=3; StartTime=$yesterday}

# Use FilterXML
C:\PS> Get-WinEvent -FilterXML “<QueryList><Query><Select Path=’Windows PowerShell’>*[System[Level=3 and TimeCreated[timediff(@SystemTime) <= 86400000]]]</Select></Query></QueryList>”

# Use FilterXPath
C:\PS> Get-WinEvent -LogName “Windows Powershell” -FilterXPath “*[System[Level=3 and TimeCreated[timediff(@SystemTime) <= 86400000]]]”

    Description
    ———–
    This example shows different filtering methods for selecting events from an event log. All of these commands get events that occurred in the last 24 hours from the Windows PowerShell event log.

The filter methods are more efficient than using the Where-Object cmdlet because the filters are applied while the objects are being retrieved, rather than retrieving all the objects and then filtering them.

Because dates are difficult to formulate in the XML and XPath formats, to create the XML content for the date, the Filter Current Log feature of Event Viewer is used. For more information about this feature, see Event Viewer Help.

————————– EXAMPLE 15 ————————–

C:\PS>$date = (Get-Date).AddDays(-2)

C:\PS> $events = Get-WinEvent -FilterHashTable @{ logname = “Microsoft-Windows-Diagnostics-Performance/Operational”; StartTime = $date; ID = 100 }

    Description
    ———–
    This example uses a filter hash table to get events from the performance log.

The first command uses the Get-Date cmdlet and the AddDays method to get a date that is two days before the current date. It saves the date in the $date Variable.

The second command uses the Get-WinEvent cmdlet with the FilterHashTable parameter. The keys in the hash table define a filter that selects events from the performance log that occurred within the last two days and that have event ID 100.

The LogName key specifies the event log, the StartTime key specifies the date, and the ID key specifies the event ID.

————————– EXAMPLE 16 ————————–

C:\PS>$starttime = (Get-Date).adddays(-7)

C:\PS> $ie-error = Get-WinEvent -FilterHashtable @{logname=”application”; providername=”Application Error”; data=”iexplore.exe”; starttime=$starttime}

    Description
    ———–
    This example uses a filter hash table to find Internet Explorer application errors that occurred within the last week.

The first command gets the date that is seven days before the current date and stores it in the $starttime Variable.

The second command uses the Get-WinEvent cmdlet with the FilterHashTable parameter. The keys in the hash table define a filter that selects events from the Application log that were written by the Application Error provider and include the phrase “iexplore.exe”.

The LogName key specifies the event log. The ProviderName key specifies the event provider, the StartTime key specifies the starting date of the events, and the Data key specifies the text in the event message.

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkID=138336
    Get-EventLog
    Get-Counter
    about_eventlogs