2012 Scripting Games Beginner Event 9: Search the Event Log


Summary: In Beginner Event 9, you are required to search the event log for specific entries.

About this event

Date of Event: 4/12/2012 12:01 AM

Due Date: 4/19/2012 12:01 AM

Event scenario

You are trying to troubleshoot shutdown issues on your laptop. It appears to hang for a few seconds before it begins the shutdown process. You were looking through the application event log, and you noticed an event log entry that states that the BTTray.exe application attempted to veto the shutdown (how rude). A sample event log entry is shown in the image that follows.

Image of event log

You decide to search the application log for other event log entries from this source to determine how often this particular application is attempting to veto the shutdown, and to see if there are other applications doing the same thing. You write a quick one-line Windows PowerShell command that displays the date of the occurrence and the application name. An acceptable output is shown in the image that follows (the column headings are hidden because part of the problem is finding the properties to display).

Image of command output

Design points

  • Your command should be as efficient as possible; therefore, you want to limit the entries that are returned from the event log to only those that match the particular scenario. For hints on the filter to use, study the event log entry (the first image).
  • Keep in mind that what appears in a graphical tool is not always what you need to use in your filter.
  • Be careful with the number of entries returned from the application log—make your filter as efficient as possible. You will lose points for inefficient queries.
  • Because you are troubleshooting your computer, this is not a long involved script, but a “one liner.” Do not get carried away writing a complex script—complexity will cost you points.
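
One way to approach the scenario, as an added example rather than the event's official solution: the comments below identify the veto entries as Application log event ID 10001 from the source shown in Event Viewer as Winsrv; the full provider name Microsoft-Windows-Winsrv used here, and the assumption that the vetoing application's name is the event's first replacement string (Properties[0]), are mine, not the page's. The filter is pushed into Get-WinEvent's hashtable so the log is not read in full and then filtered in the pipeline.

```powershell
# Added example (not the contest author's solution).
# Assumptions: shutdown-veto entries are Application log Id 10001 from the
# provider Microsoft-Windows-Winsrv (displayed as "Winsrv" in Event Viewer),
# and the vetoing application's name is the first replacement string in the
# event's Properties collection.

# Filter at the source: the hashtable is passed to the event log service, so
# only matching records are returned instead of every Application log entry.
$vetoes = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-Winsrv'
    Id           = 10001
} -ErrorAction SilentlyContinue   # suppress the "No events were found" error on a clean machine

# The one-liner the scenario asks for: date of each occurrence plus the
# application name pulled out of the event's replacement strings.
$vetoes | Select-Object TimeCreated, @{ Name = 'Application'; Expression = { $_.Properties[0].Value } }

# Follow-up from the scenario text: how often each application vetoes,
# which also reveals whether anything other than BTTray.exe is doing it.
$vetoes | Group-Object -Property { $_.Properties[0].Value } |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name
```

Piping `Get-WinEvent -LogName Application` into `Where-Object` would produce the same rows but reads every record first, which is the inefficiency the design points warn against.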

2012 Scripting Games links

2012 Scripting Games: All Links on One Page

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. Good luck as you compete in this year’s Scripting Games. We wish you well.

Ed Wilson, Microsoft Scripting Guy

Comments (23)

  1. mredwilson says:

    @AballahSonDis @Pendrag Yes, it is not too difficult once you know the solution.

  2. mredwilson says:

    @MarcW exactly.

    @DavidW this is a good suggestion.

  3. SdeDot says:

    Thanks for your comments DavidW and MarcW.

    DavidW: I'm not understanding specifically what you are saying. I think you are saying if I walk through the steps you outlined, I will generate Event ID 10001 records, correct?

    MarcW: Yes, my understanding is as yours, to write a 'filtering' script; however, not being able to use PowerShell commands against live data is somewhat limiting. If there is no data to test against, I'm not sure the cmdlets/properties I'm querying against are correct.

  4. mredwilson says:

    @Timo Skupin You look for any application causing the problem. I simply used BTTray.exe as an example to clarify what I wanted.

  5. Anonymous says:

    I have a basic question, but I don't work much with this type of scenario, so here it is:

    Based on the comments and other answers submitted, I had guessed that I would need to do searching on EventID 10001, but my question is how would I know that was the only Event that would return a Veto message?

    I couldn't find anything that would really specify that message would only come from Winsrv and/or EventID 10001 on the application log. I am not debating the question and I did put it in my solution, but I would like to know for my own reference purposes where a good source of information on the EventIDs can be found.

  6. mredwilson says:

    @Srikanth try again in a little while. There are authentication issues at the hosting service.

  7. SdeDot says:

    DavidW: Bingo! Based on your instructions, EventID 10001 records were generated in the App Event Log, so thanks for the help. Hopefully now I have what I need to assemble this script.

  8. mredwilson says:

    @SdeDot open the Event log and look for something that IS causing an error. BTTray.exe is the Bluetooth tray; if your computer does not have Bluetooth you will NOT find this particular process.

  9. SdeDot says:

    So I don't have any of these events generated on my systems, so does anybody have any suggestions on how to work this script without having the specific events to work with?

  10. Timo Skupin says:

    Hi Ed,

    I'm a little bit confused on this one. Should we query just this application (BTTray.exe) or any application that causes this problem?

    Best regards from Germany =)

  11. srikanth says:

    I can connect to http://2012sg.poshcode.org/, but am unable to login to submit the script. Is anyone else facing this issue?

  12. VincentVH says:

    @Srikanth Yep, I can't login either. It has been like that for at least 6 hours.

  13. Leon says:

    Yip, same here, can't log on to submit 🙁

  14. jlsuperman says:

    @Srikanth @VincentVH me too me too…

  15. DavidW says:

    @SdeDot Try to restart with Notepad running. Make sure to hit cancel when it asks to save and also when it asks to force quit.

  16. MarcW says:

    SdeDot, there are a lot of computers that won't have BTTray.exe running or causing errors because they don't come with Bluetooth. The understanding I have is to write a script to filter out a specific process.

  17. DavidW says:

    @SdeDot Yes, if you follow my steps, it will create the same type of alert. Just one more thing to add to it though. Make sure to type something into Notepad before rebooting the machine. If you don't, Notepad will close without prompting.

  18. Timo Skupin says:

    No access for me for 9 hours… 🙁

  19. AballahSonDis says:

    I can get all the information. However, getting the second column to format {BTTray.exe, 0} seems nigh impossible. I will keep working on it, but man, I am baffled on this one.

  20. Pendrag says:

    ARGH!!! I just spent a couple of hours on this solution, and when I found it, I wanted to pound my poor keyboard.

    Thanks, really

  21. Greg Lambert says:

    Cannot submit answers. It's impossible to log in. When will this be fixed?

  22. Dawn Villejoin says:

    @greg If you can't log in, try to clear the cache or restart the browser. It's worked for me on a few occasions.

  23. Dawn Villejoin says:

    @Craig I was wondering the same thing. I can't seem to find a definitive answer on what specifically returns event 10001. I do know that winsrv will also return application hang events, but the id is 10002.

    Great question!!
