Vista Event Logs and PowerShell



Hello Everybody

 

Sorry for the huge delay in posting anything, I promise I will never leave it so long again. 

 

I got asked a question the other day.  Can I use Get-EventLog to access all the new logs that are in Vista?

 

Which logs am I referring to you may ask. Well, there are loads of new logs that can provide a massive set of troubleshooting information. Here’s a screen shot from my Vista laptop that shows some of the logs:

 

image

 

So the question is can I query the Backup, Bits-Client, DiskDiagnostic and all the other logs using the Get-Eventlog cmdlet.

 

In short no.  You can however still use PowerShell, but you need to use a command line tool that ships in Vista, wevtutil.exe.  You can find out all the logs that can be accessed using Get-Eventlog with the -list parameter. 

 


PS C:\Users\benp> Get-EventLog -list

Max(K) Retain OverflowAction Entries Name
—— —— ————– ——- —-
15,168 0 OverwriteAsNeeded 1,381 Application
15,168 0 OverwriteAsNeeded 0 DFS Replication
20,480 0 OverwriteAsNeeded 0 Hardware Events
512 7 OverwriteOlder 0 Internet Explorer
512 7 OverwriteOlder 0 Key Management Service
8,192 0 OverwriteAsNeeded 0 Media Center
16,384 0 OverwriteAsNeeded 0 Microsoft Office Diagnostics
16,384 0 OverwriteAsNeeded 29 Microsoft Office Sessions

15,168 0 OverwriteAsNeeded 4,109 System
15,360 0 OverwriteAsNeeded 40 Windows PowerShell


 

All of the above logs are part of the standard Windows Event Log.  However, all of the the other logs in the screenshot use Windows Eventing 6.0.  Get-EventLog does not hook into Windows Eventing 6.0.

 

So how can I get at these logs using PowerShell?  Check out the sample below:

 


PS C:\Users\benp> wevtutil.exe qe Microsoft-Windows-UAC/Operational /c:2 /f:text
Event[0]:
Log Name: Microsoft-Windows-UAC/Operational
Source: Microsoft-Windows-UAC
Date: 2007-10-30T11:14:00.524
Event ID: 1
Task: N/A
Level: Error
Opcode: Info
Keyword: N/A
User: S-1-5-21-1721234763-462695806-1538865281-2692397
User Name: testdom\benp
Computer: vista.test.microsoft.com
Description:
The process failed to handle ERROR_ELEVATION_REQUIRED during the creation of a child process.

This sample connects to the UAC Operational log and displays the newest 2 items as text.  (There is only 1 event listed, because I only have 1 entry in the log).


So yes I can access these logs using PowerShell, but no I can’t use the Get-EventLog cmdlet to do it.  Check out the following link for detailed syntax for using wevtutil.exe


http://technet2.microsoft.com/windowsserver2008/en/library/d4c791e0-7e59-45c5-aa55-0223b77a48221033.mspx?mfr=true


Thanks to Narayanan Lakshmanan for answering the many questions I had about this.


That is all



BenP