2012 Scripting Games Advanced Event 7: Search Windows Logs

 2012 Scripting Games badge

Summary: In Advanced Event 7, you are required to search all Windows logs for the most recent event.

About this event



Date of Event

4/10/2012 12:01 AM

Due Date

4/17/2012 12:01 AM 

Event scenario

You are troubleshooting a problem with your Windows 7 laptop, and you hope to find some clues to the recent performance issues by examining recent entries from various Windows logs. You have recently become aware that there are nearly 500 logs available in a standard Windows 7 installation, but you do not feel like manually searching through all of the logs by using the Event Viewer utility. You decide to use Windows PowerShell to come to the rescue. You want to write a command that will display the most recent one-event log entry from each event log and troubleshooting log that is enabled and has at least one entry in it. Crucial information for this process includes the log name, time of the event, the event ID, and the event message. An acceptable output is shown in the image that follows.

Image of command output

Design points

  • Your code should not display any errors.
  • Your code should query hidden logs if they are enabled and they contain at least one entry.
  • You should display only the most recent entry from each log.
  • The event log entries should be sorted so that the most recent entry appears first.
  • You must display the following required properties: time of the event, the name of the log, number of the event ID, and the event details.

2012 Scripting Games links

2012 Scripting Games: All Links on One Page

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. Good luck as you compete in this year’s Scripting Games. We wish you well.

Ed Wilson, Microsoft Scripting Guy 

Comments (23)

  1. K_Schulte says:


    Without your last explanation, I would never have guessed, what you meant!

    In my own words, we have to search:

    The most recent entry from each traditional event log (dead or alive, ie: unconditionally … in effect)


    The most recent entry from each non-traditional event log, if it is enabled (alive)

    If a log has no entry … you won't get anything back anyway!

    Thanks, Klaus

  2. mredwilson says:

    @Mikko K that is correct. If a hidden log is disabled it should not be displayed even it does have entries.

  3. Anonymous says:

    You are late Ed, I've read it! *evil laugh*

  4. mredwilson says:

    @vNoob no, if a log is enabled but does not have any entries, it should not be included.

  5. Bigteddy says:

    Ed, can you confirm that you want errors trapped and reported, if a log is inaccessible?  This is not what you stated in the original outline.  You said "Do not display errors".  This seems like an additional requirement.

  6. K_Schulte says:


    OK … BUT!!! The event scenario description says in sentence before the last:

    You want to write a command that will display the most recent one-event log entry from each event log and troubleshooting log that is enabled and has at least one entry in it.

    This seems to be a task for the "normal logs" and in design point 2 it is repeated as a task for the hidden logs.

    Which is imho now a common task for all logs!

    Dear Ed: What have I misunderstood???


  7. mredwilson says:

    @VNoob you need to trap the error and display log name with "no access" in the output.

  8. K_Schulte says:

    @Ed: *ssss* Thanks!

    Well, than I will submitt it pretty soon …

    Adv. Event 6 is still "a hammer" if I would try to get it done the way I think it should be implemented.

    But that will always be a compromise between different possible (no-go)s.

    The choices are between pest and cholera ( a german saying ) … there is no optimal solution 🙁


  9. mredwilson says:

    @K_Schulte you want to display the most recent entry from all of the event logs (these are the "normal" "traditional" "classic" style of event logs). In addition, you ONLY want to display the most recent entry from a (new style of log) diagnostic / troubleshooting log that is enabled (that is it is not disabled) IF it has at least 1 entry. It is possible that an enabled diagnostic log might have a entry that is not very recent, but I still want it if it is the most recent entry in that log. Make sure that you include hidden logs in your counts. The hidden logs are not a separate task, but just a reminder that there are both hidden and visible logs that may be enabled.

  10. mredwilson says:

    @K_Schulte yes, you have got it correct. WOOHOO. I look forward to reading your entry.

  11. Anonymous says:

    So hidden logs that are disabled, even if they contain entries, shouldn't be displayed, right?

  12. mredwilson says:

    @K_Schulte you are right about Advanced 6 … in the real world, it is very difficult to really determine true uptime for a server … there are many variables that can enter into the scenario.

  13. mredwilson says:

    @DamienCharbonnel I want the most recently written event log entry from each of the logs — that is the one that is closest in time when the script runs.

  14. mredwilson says:

    Please do NOT post answers to these questions here. The 2012 Scripting Games are still going on.

  15. mredwilson says:

    @K_Schulte no. You want to make sure you display both the normal logs and the hidden logs. But you only want to display hidden logs that contain log entries. So if a hidden log contains no entries at all, you will not want to display it.

  16. mredwilson says:

    @Bigteddy, I do not want to display raw errors, but they should be trapped, and something friendly like logname not accessible should be displayed instead.

  17. mredwilson says:

    @Roman Prosvetov Yes, but I deleted the answer because it was a bad script, and I did not want everyone copying it and getting a 1 🙂

  18. K_Schulte says:

    HI Ed,

    I seem to be the only one here, who hadn't ever heard of "hidden" logs.

    Even Google (or Bing) don't do much better 🙁

    If I once will get to know them ,,, is it right, that we should display ONLY these logs?

    The description of the event let me think, that we should query ALL logs.

    Design point 2 … is it: ONLY "Hidden?" logs ???


  19. vNoob says:

    What about logs that might need special access/rights to view?

  20. DamienCharbonnel says:


    When you ask for "a command that will display the most recent one-event log entry from each event log and troubleshooting log that is enabled and has at least one entry in it", in fact, you want the first information event of each log?

  21. DamienCharbonnel says:

    Ok , thank you for your quick answer

  22. I hope you have a fast computer for grading this one…

  23. vNoob says:

    What about logs that are enabled but don't have any log entries? Should those be included?

Skip to main content