
Write-EventLog

NAME
    Write-EventLog

SYNOPSIS
    Writes an event to an event log.

SYNTAX
    Write-EventLog [-LogName] <string> [-Source] <string> [-EventId] <int> [-Message] <string> [[-EntryType] {Error | Warning | Information | SuccessAudit | FailureAudit}] [-Category <Int16>] [-ComputerName <string>] [-RawData <Byte[]>] [<CommonParameters>]

DESCRIPTION
    The Write-EventLog cmdlet writes an event to an event log.

    To write an event to an event log, the event log must exist on the computer and the source must be registered for the event log.

    The cmdlets that contain the EventLog noun (the EventLog cmdlets) work only on classic event logs. To get events from logs that use the Windows Event Log technology in Windows Vista and later versions of Windows, use Get-WinEvent.

PARAMETERS
    -Category <Int16>
        Specifies a task category for the event. Enter an integer that is associated with the strings in the category message file for the event log.

        Required?                    false
        Position?                    named
        Default value                1
        Accept pipeline input?     false
        Accept wildcard characters? false

    -ComputerName <string>
        Specifies a remote computer. The default is the local computer.

        Type the NetBIOS name, an Internet Protocol (IP) address, or a fully qualified domain name of a remote computer.

        This parameter does not rely on Windows PowerShell remoting. You can use the ComputerName parameter of Write-EventLog even if your computer is not configured to run remote commands.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -EntryType <EventLogEntryType>
        Specifies the entry type of the event. Valid values are Error, Warning, Information, SuccessAudit, and FailureAudit. The default value is Information.

        For a description of the values, see System.Diagnostics.EventLogEntryType in the MSDN (Microsoft Developer Network) library at http://go.microsoft.com/fwlink/?LinkId=143599.

        Required?                    false
        Position?                    4
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -EventId <int>
        Specifies the event identifier. This parameter is required.

        Required?                    true
        Position?                    3
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -LogName <string>
        Specifies the name of the log to which the event is written. Enter the log name (the value of the Log property, not the LogDisplayName). Wildcard characters are not permitted. This parameter is required.

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Message <string>
        Specifies the event message. This parameter is required.

        Required?                    true
        Position?                    5
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -RawData <Byte[]>
        Specifies the binary data that is associated with the event, in bytes.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Source <string>
        Specifies the event source, which is typically the name of the application that is writing the event to the log.

        Required?                    true
        Position?                    2
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type,
        “Get-Help about_CommonParameters“.

INPUTS
    None
        You cannot pipe input to this cmdlet.

OUTPUTS
    System.Diagnostics.EventLogEntry
        Write-EventLog returns objects that represent the events in the logs.

NOTES

        To use Write-EventLog on Windows Vista and later versions of Windows, start Windows PowerShell with the “Run as administrator” option.

    ————————– EXAMPLE 1 ————————–

    C:\PS>Write-EventLog -LogName Application -Source MyApp -EventId 3001 -EntryType Information -Message "MyApp added a user-requested feature to the display." -Category 1 -RawData 10,20

    Description
    ———–
    This command writes an event from the MyApp source to the Application event log.

    ————————– EXAMPLE 2 ————————–

    C:\PS>Write-EventLog -ComputerName Server01 -LogName Application -Source MyApp -EventId 3001 -Message "MyApp added a user-requested feature to the display."

    Description
    ———–
    This command writes an event from the MyApp source to the Application event log on the Server01 remote computer.
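    A fuller version of the pattern in these examples, added here as an illustration and not taken from the original help: it guards the source registration that the DESCRIPTION requires, writes the event, and reads it back. The source name OpsScripts and event ID 1001 are values chosen for this example, and an elevated Windows PowerShell session is assumed.

```powershell
# Added example, not from the original help. Assumes an elevated Windows PowerShell
# session; 'OpsScripts' and event ID 1001 are illustrative values chosen here.
$logName = 'Application'
$source  = 'OpsScripts'

# SourceExists searches every log's registration keys, including the Security log's,
# so it throws SecurityException in a non-elevated session. Fail loudly rather than
# fall through and write nothing.
try {
    $registered = [System.Diagnostics.EventLog]::SourceExists($source)
}
catch [System.Security.SecurityException] {
    throw "Checking event source '$source' needs an elevated session: $($_.Exception.Message)"
}

# Registration lives under HKLM, which is why New-EventLog needs administrator rights.
if (-not $registered) {
    New-EventLog -LogName $logName -Source $source -ErrorAction Stop
}

# The Source field names a registration, not an authenticated writer: any process that
# can write to the Application log can use any source registered for it. Put the facts
# a responder needs (who, where, when) in the message itself.
$who     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$message = "Configuration change applied by $who on $env:COMPUTERNAME at $(Get-Date -Format o)"

Write-EventLog -LogName $logName -Source $source -EventId 1001 -EntryType Warning `
    -Message $message -ErrorAction Stop

# Read the entry back to confirm the write and to see what a collector will receive.
Get-EventLog -LogName $logName -Source $source -Newest 1 |
    Format-List -Property TimeGenerated, EntryType, Source, InstanceId, Message
```

    Whatever EntryType is chosen, an entry written this way is an application record in the Application log, not a Security-log audit; a collector that only watches the Security log will not see it.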

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkID=135281
    Clear-EventLog
    Get-EventLog
    Limit-EventLog
    New-EventLog
    Remove-EventLog
    Show-EventLog
    Write-EventLog
    Get-WinEvent

Test-Connection

NAME
    Test-Connection

SYNOPSIS
    Sends ICMP echo request packets (“pings”) to one or more computers.

SYNTAX
    Test-Connection [-ComputerName] <string[]> [[-Source] <string[]>] [-AsJob] [-Authentication {Default | None | Connect | Call | Packet | PacketIntegrity | PacketPrivacy | Unchanged}] [-BufferSize <int>] [-Count <int>] [-Credential <PSCredential>] [-Delay <int>] [-Impersonation {Default | Anonymous | Identify | Impersonate | Delegate}] [-Quiet] [-ThrottleLimit <int>] [-TimeToLive <int>] [<CommonParameters>]

DESCRIPTION
    The Test-Connection cmdlet sends Internet Control Message Protocol (ICMP) echo request packets (“pings”) to one or more remote computers and returns the echo response replies. You can use this cmdlet to determine whether a particular computer can be contacted across an Internet Protocol (IP) network.

    You can use the parameters of Test-Connection to specify both the sending and receiving computers, to run the command as a background job, to set a timeout and number of pings, and to configure the connection and authentication.

    Unlike the traditional “ping” command, Test-Connection returns a Win32_PingStatus object that you can investigate in Windows PowerShell, but you can use the Quiet parameter to force it to return only a Boolean value.

PARAMETERS
    -AsJob [<SwitchParameter>]
        Runs the command as a background job.

        Note: To use this parameter, the local and remote computers must be configured for remoting and, on Windows Vista and later versions of Windows, you must open Windows PowerShell with the “Run as administrator” option. For more information, see about_remote_requirements.

        When you use the AsJob parameter, the command immediately returns an object that represents the background job. You can continue to work in the session while the job completes. The job is created on the local computer and the results from remote computers are automatically returned to the local computer. To get the job results, use the Receive-Job cmdlet.

        For more information about Windows PowerShell background jobs, see about_jobs and about_remote_Jobs.

        Required?                    false
        Position?                    named
        Default value                False
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Authentication <AuthenticationLevel>
        Specifies the authentication level that is used for the WMI connection. (Test-Connection uses WMI.)

        Valid values are:

        Unchanged:     The authentication level is the same as the previous command.
        Default:         Windows Authentication.
        None:            No COM authentication.
        Connect:         Connect-level COM authentication.
        Call:            Call-level COM authentication.
        Packet:         Packet-level COM authentication.
        PacketIntegrity: Packet Integrity-level COM authentication.
        PacketPrivacy: Packet Privacy-level COM authentication.

        Required?                    false
        Position?                    named
        Default value                4
        Accept pipeline input?     false
        Accept wildcard characters? false

    -BufferSize <int>
        Specifies the size, in bytes, of the buffer sent with this command. The default value is 32.

        Required?                    false
        Position?                    named
        Default value                32
        Accept pipeline input?     false
        Accept wildcard characters? false

    -ComputerName <string[]>
        Specifies the computers to ping. Type the computer names or type IP addresses in IPv4 or IPv6 format. Wildcard characters are not permitted. This parameter is required.

        This parameter does not rely on Windows PowerShell remoting. You can use the ComputerName parameter even if your computer is not configured to run remote commands.

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?     true (ByPropertyName)
        Accept wildcard characters? false

    -Count <int>
        Specifies the number of echo requests to send. The default value is 4.

        Required?                    false
        Position?                    named
        Default value                4
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Credential <PSCredential>
        Specifies a user account that has permission to perform this action. Type a user name, such as “User01” or “Domain01\User01”, or enter a PSCredential object, such as one from the Get-Credential cmdlet.

        Required?                    false
        Position?                    named
        Default value                Current user
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Delay <int>
        Specifies the interval between pings, in seconds.

        Required?                    false
        Position?                    named
        Default value                1 (second)
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Impersonation <ImpersonationLevel>
        Specifies the impersonation level to use when calling WMI. (Test-Connection uses WMI.) The default value is “Impersonate”.

        Valid values are:

        Default:     Default impersonation.
        Anonymous:    Hides the identity of the caller.
        Identify:     Allows objects to query the credentials of the caller.
        Impersonate: Allows objects to use the credentials of the caller.

        Required?                    false
        Position?                    named
        Default value                3
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Quiet [<SwitchParameter>]
        Suppresses all errors and returns $True if any pings succeeded and $False if all failed.

        Required?                    false
        Position?                    named
        Default value                False
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Source <string[]>
        Specifies the names of the computers where the ping originates. Enter a comma-separated list of computer names. The default is the local computer.

        Required?                    false
        Position?                    2
        Default value                Local computer
        Accept pipeline input?     false
        Accept wildcard characters? false

    -ThrottleLimit <int>
        Specifies the maximum number of concurrent connections that can be established to run this command. If you omit this parameter or enter a value of 0, the default value, 32, is used.

        The throttle limit applies only to the current command, not to the session or to the computer.

        Required?                    false
        Position?                    named
        Default value                32
        Accept pipeline input?     false
        Accept wildcard characters? false

    -TimeToLive <int>
        Specifies the IP time-to-live (hop limit) of each echo request packet ("ping"). Every router on the path decrements the value by one and discards the packet when it reaches zero, so this is a hop count, not a number of seconds. The default value is 80. The alias of the TimeToLive parameter is TTL.

        Required?                    false
        Position?                    named
        Default value                80
        Accept pipeline input?     false
        Accept wildcard characters? false

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type,
        “Get-Help about_CommonParameters“.

INPUTS
    None
        You cannot pipe input to this cmdlet.

OUTPUTS
    System.Management.ManagementObject#root\cimv2\Win32_PingStatus, System.Management.Automation.RemotingJob, System.Boolean
        When you use the AsJob parameter, the cmdlet returns a job object. When you use the Quiet parameter, it returns a Boolean. Otherwise, this cmdlet returns a Win32_PingStatus object for each ping.

NOTES

        This cmdlet uses the Win32_PingStatus class. A "Get-WmiObject Win32_PingStatus" command is equivalent to a Test-Connection command.

    ————————– EXAMPLE 1 ————————–

    C:\PS>Test-Connection server01

    Source        Destination     IPV4Address     IPV6Address Bytes    Time(ms)
    ——        ———–     ———–     ———– —–    ——–
    ADMIN1        Server01        157.59.137.44                32     0
    ADMIN1        Server01        157.59.137.44                32     0
    ADMIN1        Server01        157.59.137.44                32     0
    ADMIN1        Server01        157.59.137.44                32     1

    Description
    ———–
    This command sends echo request packets (“pings”) from the local computer to the Server01 computer. This command uses the ComputerName parameter to specify the Server01 computer, but omits the optional parameter name.

    ————————– EXAMPLE 2 ————————–

    C:\PS>Test-Connection -ComputerName server01, server02, server12 -Credential domain01\user01

    Description
    ———–
    This command sends pings from the local computer to several remote computers. It uses the Credential parameter to specify a user account that has permission to ping all of the remote computers.

    ————————– EXAMPLE 3 ————————–

    C:\PS>Test-Connection -Source Server02, Server12, localhost -ComputerName Server01

    Description
    ———–
    This command sends pings from different source computers to a single remote computer, Server01. Use this command format to test the latency of connections from multiple points.

    ————————– EXAMPLE 4 ————————–

    C:\PS>Test-Connection -ComputerName Server01 -Count 3 -Delay 2 -TTL 256 -BufferSize 256 -throttle 32

    Description
    ———–
    This command sends three pings from the local computer to the Server01 computer. It uses the parameters of Test-Connection to customize the command.

    Use this command format when the ping response is expected to take longer than usual, either because of an extended number of hops or a high-traffic network condition.

    ————————– EXAMPLE 5 ————————–

    C:\PS>$job = Test-Connection -ComputerName (Get-Content servers.txt) -AsJob

    C:\PS> if ($job.jobstateinfo.state -ne "Running") {$results = Receive-Job $job}

    Description
    ———–
    This example shows how to run a Test-Connection command as a Windows PowerShell background job.

    The first command uses the Test-Connection cmdlet to ping many computers in an enterprise. The value of ComputerName parameter is a Get-Content command that reads a list of computer names from the Servers.txt file. The command uses the AsJob parameter to run the command as a background job.

    The second command checks to see that the job is not still running, and if it is not, it uses a Receive-Job command to get the results and store them in the $results Variable.

    ————————– EXAMPLE 6 ————————–

    C:\PS>Test-Connection Server55 -Credential domain55\user01 -Impersonation Identify

    Description
    ———–
    This command uses the Test-Connection cmdlet to ping a remote computer. The command uses the Credential parameter to specify a user account with permission to ping the remote computer and the Impersonation parameter to change the impersonation level to “Identify”.

    ————————– EXAMPLE 7 ————————–

    C:\PS>if (Test-Connection -ComputerName Server01 -quiet) {New-PSSession Server01}

    Description
    ———–
    This command creates a PSSession on the Server01 only if at least one of the pings sent to the computer succeeds.

    The command uses the Test-Connection cmdlet to ping the Server01 computer. The command uses the Quiet parameter, which returns a Boolean value instead of a Win32_PingStatus object. The value is $True if any of the four pings succeed and $False otherwise.

    If the Test-Connection command returns a value of $True, the command uses the New-PSSession cmdlet to create the PSSession.
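    An added example, not from the original help, that extends EXAMPLE 7 into a reachability sweep over a list of hosts. It targets Windows PowerShell (the version documented here), because it relies on the Win32_PingStatus objects that this Test-Connection returns; the host list is constructed for the example. The Credential, Authentication and Impersonation parameters configure the WMI connection the cmdlet uses on the Source computer, not the echo request itself, so they are left at their defaults here.

```powershell
# Added example, not from the original help. Windows PowerShell only: it relies on the
# Win32_PingStatus objects this version of Test-Connection returns. The host list is
# constructed for the example; 192.0.2.1 is a reserved documentation address that is
# expected not to answer.
$targets = @('localhost', '127.0.0.1', '192.0.2.1')

$results = foreach ($target in $targets) {
    # A failed echo is reported as a non-terminating error and yields no object, so
    # silence the error and inspect the result; unlike -Quiet this keeps the address
    # and timing for the hosts that did answer.
    $reply = Test-Connection -ComputerName $target -Count 1 -ErrorAction SilentlyContinue

    $reachable = [bool]($reply -and $reply.StatusCode -eq 0)
    New-Object -TypeName PSObject -Property @{
        Target     = $target
        Reachable  = $reachable
        Address    = $(if ($reachable) { $reply.IPV4Address } else { $null })
        ResponseMs = $(if ($reachable) { $reply.ResponseTime } else { $null })
    }
}

$results | Select-Object -Property Target, Reachable, Address, ResponseMs | Format-Table -AutoSize

# Gate follow-up work on the sweep, as EXAMPLE 7 does with -Quiet, but only for the
# hosts that actually answered; a failed echo only proves that no reply came back.
$reachableHosts = $results | Where-Object { $_.Reachable } | ForEach-Object { $_.Target }
"Hosts that answered: $($reachableHosts -join ', ')"
```

    Two caveats apply to any use of this cmdlet as a liveness check: a host that filters ICMP echo looks exactly like an absent host, so a negative result is not evidence that the address is unused; and a reply says nothing about whether the service you need (WinRM, for New-PSSession in EXAMPLE 7) is listening.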

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkID=135266
    Add-Computer
    Restart-Computer
    Stop-Computer

New-EventLog

NAME
    New-EventLog

SYNOPSIS
    Creates a new event log and a new event source on a local or remote computer.

SYNTAX
    New-EventLog [-LogName] <string> [-Source] <string[]> [[-ComputerName] <string[]>] [-CategoryResourceFile <string>] [-MessageResourceFile <string>] [-ParameterResourceFile <string>] [<CommonParameters>]

DESCRIPTION
    This cmdlet creates a new classic event log on a local or remote computer. It can also register an event source that writes to the new log or to an existing log.

    The cmdlets that contain the EventLog noun (the Event log cmdlets) work only on classic event logs. To get events from logs that use the Windows Event Log technology in Windows Vista and later versions of Windows, use Get-WinEvent.

PARAMETERS
    -CategoryResourceFile <string>
        Specifies the path to the file that contains category strings for the source events. This file is also known as the Category Message File.

        The file must be present on the computer on which the event log is being created. This parameter does not create or move files.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -ComputerName <string[]>
        Creates the new event logs on the specified computers. The default is the local computer.

        Type the NetBIOS name, an Internet Protocol (IP) address, or a fully qualified domain name of a remote computer. To specify the local computer, type the computer name, a dot (.), or “localhost”.

        This parameter does not rely on Windows PowerShell remoting. You can use the ComputerName parameter of New-EventLog even if your computer is not configured to run remote commands.

        Required?                    false
        Position?                    3
        Default value                .
        Accept pipeline input?     false
        Accept wildcard characters? false

    -LogName <string>
        Specifies the name of the event log.

        If the log does not exist, New-EventLog creates the log and uses this value for the Log and LogDisplayName properties of the new event log. If the log exists, New-EventLog registers a new source for the event log.

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -MessageResourceFile <string>
        Specifies the path to the file that contains message formatting strings for the source events. This file is also known as the Event Message File.

        The file must be present on the computer on which the event log is being created. This parameter does not create or move files.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -ParameterResourceFile <string>
        Specifies the path to the file that contains strings used for parameter substitutions in event descriptions. This file is also known as the Parameter Message File.

        The file must be present on the computer on which the event log is being created. This parameter does not create or move files.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Source <string[]>
        Specifies the names of the event log sources, such as application programs that write to the event log. This parameter is required.

        Required?                    true
        Position?                    2
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type,
        “Get-Help about_CommonParameters“.

INPUTS
    None
        You cannot pipe input to this cmdlet.

OUTPUTS
    System.Diagnostics.EventLogEntry

NOTES

        To use New-EventLog on Windows Vista and later versions of Windows, open Windows PowerShell with the “Run as administrator” option.

        To create an event source in Windows Vista, Windows XP Professional, or Windows Server 2003, you must be a member of the Administrators group on the computer.

        When you create a new event log and a new event source, the system registers the new source for the new log, but the log is not created until the first entry is written to it.

        The operating system stores event logs as files. On Windows XP and Windows Server 2003, the file for a new event log is stored in the %SystemRoot%\System32\Config directory on the specified computer, and its name is the first eight characters of the Log property with an .evt file name extension. On Windows Vista and later versions of Windows, logs created this way are stored as .evtx files in the %SystemRoot%\System32\winevt\Logs directory.

    ————————– EXAMPLE 1 ————————–

    C:\PS>New-Eventlog -Source TestApp -LogName TestLog -MessageResourceFile C:\Test\TestApp.dll

    Description
    ———–
    This command creates the TestLog event log on the local computer and registers a new source for it.

    ————————– EXAMPLE 2 ————————–

    C:\PS>$file = “C:\Program Files\TestApps\NewTestApp.dll”

    C:\PS> New-Eventlog -ComputerName Server01 -Source NewTestApp -LogName Application -MessageResourceFile $file -CategoryResourceFile $file

    Description
    ———–
    This command adds a new event source, NewTestApp, to the Application log on the Server01 remote computer.

    The command requires that the NewTestApp.dll file is located on the Server01 computer.
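    An added example, not from the original help, that creates a dedicated log as in EXAMPLE 1 and then verifies the registration where New-EventLog actually records it: the per-source subkeys under the EventLog service key in HKLM. Listing those subkeys is also a quick inventory of which sources are allowed to write to a log. The log and source names are illustrative, and an elevated Windows PowerShell session is assumed.

```powershell
# Added example, not from the original help. Assumes an elevated Windows PowerShell
# session; 'OpsAudit' and 'OpsAuditSource' are illustrative names chosen here.
$logName = 'OpsAudit'
$source  = 'OpsAuditSource'

if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName $logName -Source $source -ErrorAction Stop
}

# As the NOTES say, the log file is not created until the first entry is written.
Write-EventLog -LogName $logName -Source $source -EventId 1 -EntryType Information `
    -Message 'OpsAudit log initialised' -ErrorAction Stop

# New-EventLog records the registration as one subkey per source under the EventLog
# service key. Listing it shows every source allowed to write to this log and the
# message DLL each one resolves descriptions from; an entry nobody can account for
# deserves a closer look.
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$logName"
Get-ChildItem -Path $key | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    New-Object -TypeName PSObject -Property @{
        Source           = $_.PSChildName
        EventMessageFile = $props.EventMessageFile
    }
} | Select-Object -Property Source, EventMessageFile | Format-Table -AutoSize

# The new log now appears next to the built-in ones.
Get-EventLog -List | Where-Object { $_.Log -eq $logName }
```

    The same registry listing works for the built-in logs (substitute Application or System for the log name), which makes it a simple way to compare registered sources against what is expected on a host.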

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkID=135235
    Clear-EventLog
    Get-EventLog
    Limit-EventLog
    New-EventLog
    Remove-EventLog
    Show-EventLog
    Write-EventLog
    Get-WinEvent

Get-EventLog

NAME
    Get-EventLog

SYNOPSIS
    Gets the events in an event log, or a list of the event logs, on the local or remote computers.

SYNTAX
    Get-EventLog [-AsString] [-ComputerName <string[]>] [-List] [<CommonParameters>]

    Get-EventLog [-LogName] <string> [[-InstanceId] <Int64[]>] [-After <DateTime>] [-AsBaseObject] [-Before <DateTime>] [-ComputerName <string[]>] [-EntryType <string[]>] [-Index <Int32[]>] [-Message <string>] [-Newest <int>] [-Source <string[]>] [-UserName <string[]>] [<CommonParameters>]

DESCRIPTION
    The Get-EventLog cmdlet gets events and event logs on the local and remote computers.

    Use the parameters of Get-EventLog to search for events by using their property values. Get-EventLog gets only the events that match all of the specified property values.

    The cmdlets that contain the EventLog noun (the EventLog cmdlets) work only on classic event logs. To get events from logs that use the Windows Event Log technology in Windows Vista and later versions of Windows, use Get-WinEvent.

PARAMETERS
    -After <DateTime>
        Gets only the events that occur after the specified date and time. Enter a DateTime object, such as the one returned by the Get-Date cmdlet.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -AsBaseObject [<SwitchParameter>]
        Returns a standard System.Diagnostics.EventLogEntry object for each event. Without this parameter, Get-EventLog returns an extended PSObject object with additional EventLogName, Source, and InstanceId properties.

        To see the effect of this parameter, pipe the events to the Get-Member cmdlet and examine the TypeName value in the result.

        Required?                    false
        Position?                    named
        Default value                False
        Accept pipeline input?     false
        Accept wildcard characters? false

    -AsString [<SwitchParameter>]
        Returns the output as strings, instead of objects.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Before <DateTime>
        Gets only the events that occur before the specified date and time. Enter a DateTime object, such as the one returned by the Get-Date cmdlet.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -ComputerName <string[]>
        Specifies a remote computer. The default is the local computer.

        Type the NetBIOS name, an Internet Protocol (IP) address, or a fully qualified domain name of a remote computer. To specify the local computer, type the computer name, a dot (.), or “localhost”.

        This parameter does not rely on Windows PowerShell remoting. You can use the ComputerName parameter of Get-EventLog even if your computer is not configured to run remote commands.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -EntryType <string[]>
        Gets only events with the specified entry type. Valid values are Error, Information, FailureAudit, SuccessAudit, and Warning. The default is all events.

        Required?                    false
        Position?                    named
        Default value                All events
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Index <Int32[]>
        Gets only events with the specified index values.

        Required?                    false
        Position?                    named
        Default value                All events
        Accept pipeline input?     false
        Accept wildcard characters? false

    -InstanceId <Int64[]>
        Gets only events with the specified instance IDs.

        Required?                    false
        Position?                    2
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -List [<SwitchParameter>]
        Gets a list of event logs on the computer.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -LogName <string>
        Specifies the event log. Enter the log name (the value of the Log property; not the LogDisplayName) of one event log. Wildcard characters are not permitted. This parameter is required.

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Message <string>
        Gets events that have the specified string in their messages. You can use this property to search for messages that contain certain words or phrases. Wildcards are permitted.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? true

    -Newest <int>
        Specifies the maximum number of events retrieved. Get-EventLog gets the specified number of events, beginning with the newest event in the log.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? false

    -Source <string[]>
        Gets events that were written to the log by the specified sources. Wildcards are permitted.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? true

    -UserName <string[]>
        Gets only the events that are associated with the specified user names. Enter names or name patterns, such as User01, User*, or Domain01\User*. Wildcards are permitted.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?     false
        Accept wildcard characters? true

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type,
        “Get-Help about_CommonParameters“.

INPUTS
    None.
        You cannot pipe input to this cmdlet.

OUTPUTS
    System.Diagnostics.EventLogEntry. System.Diagnostics.EventLog. System.String
        If the LogName parameter is specified, the output is a collection of EventLogEntry objects (System.Diagnostics.EventLogEntry).

        If only the List parameter is specified, the output is a collection of EventLog objects (System.Diagnostics.EventLog).

        If both the List and AsString parameters are specified, the output is a collection of Strings (System.String).

NOTES

    ————————– EXAMPLE 1 ————————–

    C:\PS>Get-Eventlog -list

    Description
    ———–
    This command displays information about the event logs on the computer.

    ————————– EXAMPLE 2 ————————–

    C:\PS>Get-Eventlog -Newest 5 -LogName application

    Description
    ———–
    This command displays the five most recent entries in the Application event log.

    ————————– EXAMPLE 3 ————————–

    C:\PS>$events = Get-Eventlog -LogName system -Newest 1000

    C:\PS> $events | Group-Object -property source -noelement | Sort-Object -property count -descending

    Count Name
    —– —-
       75 Service Control Manager
       12 Print
        6 UmrdpService
        2 DnsApi
        2 DCOM
        1 Dhcp
        1 TermDD
        1 volsnap

    Description
    ———–
    This example shows how to find all of the sources that are represented in the 1000 most recent entries in the System event log.

    The first command gets the 1,000 most recent entries from the System event log and stores them in the $events variable.

    The second command uses a pipeline operator (|) to send the events in $events to the Group-Object cmdlet, which groups the entries by the value of the Source property. The command uses a second pipeline operator to send the grouped events to the Sort-Object cmdlet, which sorts them in descending order, so the most frequently appearing source is listed first.

    Source is just one property of an event log entry. To see all of the properties of an event log entry, pipe the events to the Get-Member cmdlet.
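    The grouping in Example 3 shows which sources are noisiest, but a single source such as Service Control Manager emits many different event IDs, and the count alone says nothing about which ones. The following function is an added example, not part of the help file or of the cmdlet's own code; the function name, its parameters and the use of [pscustomobject] (Windows PowerShell 3.0 to 5.1, where Get-EventLog exists) are this example's own choices. It groups the newest entries by Source and EventID together, reports each pair's share of the sample, and fails with a clear message when the log does not exist.

```powershell
# Added example (not from the help file): summarize the newest entries of a
# classic event log by Source and EventID together, so that a noisy source
# does not hide the individual event IDs behind it. The function name and
# its parameters are this example's own choices.
function Get-EventLogSourceSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$LogName,

        # How many of the most recent entries to sample (Example 3 uses 1000)
        [int]$Newest = 1000,

        # Optional: restrict the summary to one entry type, e.g. Error
        [string]$EntryType
    )

    # Build the Get-EventLog arguments; ErrorAction Stop turns a missing log
    # into a terminating error that the try/catch below reports cleanly.
    $params = @{ LogName = $LogName; Newest = $Newest; ErrorAction = 'Stop' }
    if ($PSBoundParameters.ContainsKey('EntryType')) {
        $params['EntryType'] = $EntryType
    }

    try {
        $events = @(Get-EventLog @params)
    }
    catch {
        throw "Could not read event log '$LogName': $($_.Exception.Message)"
    }

    $total = $events.Count
    if ($total -eq 0) { return }

    # Group on both properties; the first member of each group supplies the
    # Source and EventID values, which avoids parsing the joined group Name.
    $events |
        Group-Object -Property Source, EventID |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Source  = $_.Group[0].Source
                EventID = $_.Group[0].EventID
                Count   = $_.Count
                Percent = [math]::Round(100 * $_.Count / $total, 1)
            }
        }
}

# Usage (run in Windows PowerShell, where Get-EventLog is available):
# Get-EventLogSourceSummary -LogName System -Newest 1000 | Format-Table -AutoSize
# Get-EventLogSourceSummary -LogName Application -EntryType Error
```

    The Percent column makes it easy to spot a source/ID pair that dominates the sample, which is usually the first thing to check when a log is filling up or being rotated faster than expected.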

    -------------------------- EXAMPLE 4 --------------------------

    C:\PS>Get-Eventlog -LogName System -EntryType Error

    Description
    -----------
    This command gets only error events from the System event log.

    -------------------------- EXAMPLE 5 --------------------------

    C:\PS>Get-Eventlog -LogName System -InstanceId 3221235481 -Source "DCOM"

    Description
    -----------
    This command gets events from the System log that have an InstanceID of 3221235481 and a Source value of “DCOM.”

    -------------------------- EXAMPLE 6 --------------------------

    C:\PS>Get-Eventlog -LogName "Windows PowerShell" -ComputerName localhost, Server01, Server02

    Description
    -----------
    This command gets the events from the “Windows PowerShell” event log on three computers, Server01, Server02, and the local computer, known as “localhost”.

    -------------------------- EXAMPLE 7 --------------------------

    C:\PS>Get-Eventlog -LogName "Windows PowerShell" -Message "*failed*"

    Description
    -----------
    This command gets all the events in the Windows PowerShell event log that have a message value that includes the word “failed”.

    -------------------------- EXAMPLE 8 --------------------------

    C:\PS>$a = Get-Eventlog -log System -Newest 1

    C:\PS> $a | Format-List -property *

    EventID            : 7036
    MachineName        : Server01
    Data               : {}
    Index              : 10238
    Category           : (0)
    CategoryNumber     : 0
    EntryType          : Information
    Message            : The description for Event ID
    Source             : Service Control Manager
    ReplacementStrings : {WinHTTP Web Proxy Auto-Disco
    InstanceId         : 1073748860
    TimeGenerated      : 4/11/2008 9:56:05 PM
    TimeWritten        : 4/11/2008 9:56:05 PM
    UserName           :
    Site               :
    Container          :

    Description
    -----------
    This example shows how to display all of the property values of an event.

    The first command gets the newest event from the System event log and saves it in the $a variable.

    The second command uses a pipeline operator (|) to send the event in $a to the Format-List command, which displays all (*) of the event properties.

    -------------------------- EXAMPLE 9 --------------------------

    C:\PS>Get-Eventlog -log application -Source outlook | where {$_.eventID -eq 34}

    Description
    -----------
    This command gets events in the Application event log where the source is Outlook and the event ID is 34. Even though Get-EventLog does not have an EventID parameter, you can use the Where-Object cmdlet to select events based on the value of any event property.

    -------------------------- EXAMPLE 10 --------------------------

    C:\PS>Get-Eventlog -log system -UserName NT* | Group-Object -property username -noelement | Format-Table Count, Name -auto

    Count Name
    ----- ----
     6031 NT AUTHORITY\SYSTEM
       42 NT AUTHORITY\LOCAL SERVICE
        4 NT AUTHORITY\NETWORK SERVICE

    Description
    -----------
    This command returns the events in the system log grouped by the value of their UserName property. The Get-EventLog command uses the UserName parameter to get only events in which the user name begins with “NT*”.

    -------------------------- EXAMPLE 11 --------------------------

    C:\PS>$May31 = Get-Date 5/31/08

    C:\PS> $July1 = Get-Date 7/01/08

    C:\PS> Get-Eventlog -log "Windows PowerShell" -EntryType Error -After $may31 -Before $july1

    Description
    -----------
    This command gets all of the errors in the Windows PowerShell event log that occurred in June 2008.
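    Examples 6, 9 and 11 each show one filter in isolation: several computers, a Where-Object test on a property that has no parameter of its own (EventID), and an After/Before window. During an investigation these are normally combined, and the failure mode that matters is one unreachable host aborting the whole collection. The function below is an added example, not part of the help file or of the cmdlet's own code; its name, parameters and output shape are this example's own choices, and Server01 is a placeholder computer name. It queries each computer separately with -ErrorAction Stop, warns and continues when a host cannot be read, applies the optional EventID filter with Where-Object, and emits one flat object per entry so the results from all hosts can be sorted and tabulated together.

```powershell
# Added example (not from the help file): collect Error and Warning entries
# from a classic log on several computers for a date window, optionally
# narrowed to specific event IDs with Where-Object (Get-EventLog has no
# EventID parameter), and return them as one normalized stream. The function
# name and parameters are this example's own choices; computer names used in
# the usage lines are placeholders.
function Get-EventLogWindow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$LogName,

        [string[]]$ComputerName = @('localhost'),

        # Default window: the last 24 hours
        [datetime]$After  = (Get-Date).AddDays(-1),
        [datetime]$Before = (Get-Date),

        [string[]]$EntryType = @('Error', 'Warning'),

        # Optional list of event IDs to keep, e.g. 7034, 7036
        [int[]]$EventID
    )

    if ($Before -le $After) {
        throw "-Before ($Before) must be later than -After ($After)."
    }

    foreach ($computer in $ComputerName) {
        try {
            # Query one computer at a time so that a single unreachable host
            # does not abort the collection for the others.
            $entries = @(Get-EventLog -LogName $LogName -ComputerName $computer `
                -After $After -Before $Before -EntryType $EntryType -ErrorAction Stop)
        }
        catch {
            Write-Warning "${computer}: $($_.Exception.Message)"
            continue
        }

        # EventID is not a Get-EventLog parameter, so filter it in the pipeline
        if ($EventID) {
            $entries = @($entries | Where-Object { $EventID -contains $_.EventID })
        }

        foreach ($e in $entries) {
            [pscustomobject]@{
                Computer      = $computer
                TimeGenerated = $e.TimeGenerated
                EntryType     = $e.EntryType
                Source        = $e.Source
                EventID       = $e.EventID
                UserName      = $e.UserName
                # Keep only the first line of the message for a compact table
                Message       = ($e.Message -split "`r?`n")[0]
            }
        }
    }
}

# Usage (Windows PowerShell; dates follow the format used in Example 11):
# Get-EventLogWindow -LogName System -ComputerName localhost, Server01 `
#     -After (Get-Date 5/31/08) -Before (Get-Date 7/01/08) |
#     Sort-Object TimeGenerated | Format-Table -AutoSize
```

    Because each entry carries its Computer name, the output can be piped straight into Group-Object -Property Computer, Source, EventID to compare hosts, which is the usual next step when the same error is suspected on more than one machine.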

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkID=113314
    Get-WinEvent
    Clear-EventLog
    Limit-EventLog
    New-EventLog
    Remove-EventLog
    Show-EventLog
    Write-EventLog