Posted by: Preetam | January 8, 2007

Reading Eventlog before and after shutdown

$gener=Get-EventLog -LogName system where{$_.eventid -eq “6005”} sort timegenerated Select-Object -last 1
$timegen=$gener.timegenerated
$afterReb=get-eventlog -logname system where{$_.timegenerated -gt $timegen}
Write-host “————————-Error Type ————————— ” -foregroundcolor “WHITE”
$afterReb Group-Object entrytype
#Start-Sleep -m 500
Write-host ” “
Write-host “————————-ERRORS ————————— ” -foregroundcolor “WHITE”
#Start-Sleep -m 500
$afterReb where{$_.entrytype -eq “error”} Select-Object timegenerated,Source,EventID,Message format-list out-host -paging
#$afterReb sort-Object entrytype format-list Out-Host -Paging
Write-host ” “
$BforeShtdn=$timegen.addhours(-1)
Write-host “————————-Error 1 Hour Before ShutdownType ————————— ” -foregroundcolor “WHITE”
$LsbforeShtdn=Get-EventLog -LogName system where{(($_.timegenerated -gt $BforeShtdn) -and ($_.timegenerated -lt $timegen))}
$LsbforeShtdn sort-Object entrytype format-list Out-Host -Paging

Suppose you get a call from Helpdesk, that system has gone unexpected shutdown.And now system is up but you wish to know why it went down.So first thing you look is event log. And what is your area of concentration. Obiviously when system went down and if there were any errors before and after shutdown. Exactly same thing this script does. It gets all event logs when system went down unexpectedly. Event ID in this case should be either 6008/6005, you can certainly include that logic here.But not only this I also got event logs before system went down for 1 hour duration. And I’m again amazed by $BforeShtdn=$timegen.addhours(-1), it is simple mathematics. I don’t have to do programatically subtraction. Simple Superb. Thanks to Powershell team.

Well the script is again very simple, But it should be unique.I parsed the eventlog and filtered out 6005. I got all logs from after this event. Logically all events after system is shutdown.

Apart from the script above I found a very simple method to detect the uptime of any computer across the network.

$wmip=get-wmiobject Win32_PerfFormattedData_PerfOS_System -computername “SystemName”
$time=$wmip.SystemUpTime
$uptime=new-timespan -seconds $time
$formattime=”{0:N}” -f $uptime
Write-host $formattime [Days:Hours:Minutes:Seconds]

Technorati tags:

IceRocket tags:


Responses

  1. $wmip=get-wmiobject Win32_PerfFormattedData_PerfOS_System -computername “WSNG1109102335”
    $time=$wmip.SystemUpTime
    $uptime=new-timespan -seconds $time
    Write-host $uptime.days DAYS $uptime.Hours HOURS $uptime.Minutes MINUTES $uptime.Seconds SECONDS

    Would look great


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Categories

%d bloggers like this: