I wish I'd known about Get-EventLog before
Having mentioned PowerShell in several recent posts, I said in passing I'd discovered that it had a Get-EventLog cmdlet.
I also talked about the problems I was having with sleep, or more to the point the machine waking up and running till it crashed. I said:
"Looking through the event log I found when the machine boots, the event logging service records an Error 6008 - 'The previous system shutdown at {time} was unexpected.', if it wasn't shut down cleanly. Now I don't know how it works out the time it happened. There are 5 of these events in the last 40 days. Roughly two hours before each is a message recorded by Power-Troubleshooting: 'The system has resumed from sleep. Sleep Time: {time} Wake Time: {time}. Wake Source: Device -ACPI Lid'"
In order to do this looking I'd actually exported the information from Event Viewer, merged it in Excel and read down it; this process didn't take hours and hours, but it did take a good few minutes. What would it take to get this information in PowerShell? I want:
- "Power-Troubleshooter" messages which refer to ACPI Lid. These messages don't seem to parse properly, hence the message that "The description can't be found", but the key strings, including "ACPI Lid", are embedded in this message.
- Event log "Started" messages, code 6005.
- Event log "Previous shutdown at {time} was unexpected" messages, code 6008. Usefully, the time is near the start of the message.
So a Where-Object cmdlet which checks for these, takes input from Get-EventLog and sends it to Format-Table should do the trick. It took a moment to find that Power-Troubleshooter was actually Microsoft-Windows-Power-Troubleshooter. And then it's easy.
# Boot records (6005, 6008) from the EventLog source, plus lid wake-ups
Get-EventLog -LogName System | Where-Object {
    (($_.Source -eq 'EventLog') -and (($_.EventID -eq 6005) -or ($_.EventID -eq 6008))) -or
    (($_.Source -eq 'Microsoft-Windows-Power-Troubleshooter') -and ($_.Message -like '*ACPI Lid*')) } |
    Format-Table -Property TimeGenerated, Message
And here's the output. It's pretty easy to see when the system woke up shortly before an unexpected shutdown.
TimeGenerated Message
------------- -------
19/08/2007 13:25:40 The description for Event ID '1' in Source 'Microsoft-Wi...
19/08/2007 12:38:41 The Event log service was started.
18/08/2007 00:34:22 The Event log service was started.
18/08/2007 00:34:22 The previous system shutdown at 22:33:54 on 17/08/2007 w...
16/08/2007 22:05:32 The description for Event ID '1' in Source 'Microsoft-Wi...
16/08/2007 20:42:06 The description for Event ID '1' in Source 'Microsoft-Wi...
16/08/2007 10:15:40 The description for Event ID '1' in Source 'Microsoft-Wi...
15/08/2007 11:31:25 The Event log service was started.
14/08/2007 22:35:33 The description for Event ID '1' in Source 'Microsoft-Wi...
14/08/2007 06:16:28 The description for Event ID '1' in Source 'Microsoft-Wi...
13/08/2007 16:57:21 The Event log service was started.
13/08/2007 10:50:57 The Event log service was started.
13/08/2007 10:50:57 The previous system shutdown at 10:24:05 on 13/08/2007 w...
13/08/2007 10:26:37 The description for Event ID '1' in Source 'Microsoft-Wi...
09/08/2007 22:27:28 The Event log service was started.
09/08/2007 22:27:28 The previous system shutdown at 22:16:20 on 09/08/2007 w...
09/08/2007 21:07:52 The description for Event ID '1' in Source 'Microsoft-Wi...
08/08/2007 22:14:21 The description for Event ID '1' in Source 'Microsoft-Wi...
08/08/2007 15:02:44 The description for Event ID '1' in Source 'Microsoft-Wi...
08/08/2007 14:53:49 The description for Event ID '1' in Source 'Microsoft-Wi...
08/08/2007 11:00:40 The description for Event ID '1' in Source 'Microsoft-Wi...
08/08/2007 00:10:23 The Event log service was started.
08/08/2007 00:10:23 The previous system shutdown at 20:29:48 on 07/08/2007 w...
07/08/2007 18:53:35 The description for Event ID '1' in Source 'Microsoft-Wi...
07/08/2007 10:07:11 The description for Event ID '1' in Source 'Microsoft-Wi...
02/08/2007 18:53:27 The description for Event ID '1' in Source 'Microsoft-Wi...
02/08/2007 11:41:22 The description for Event ID '1' in Source 'Microsoft-Wi...
01/08/2007 14:53:19 The description for Event ID '1' in Source 'Microsoft-Wi...
01/08/2007 14:09:56 The description for Event ID '1' in Source 'Microsoft-Wi...
01/08/2007 10:04:26 The Event log service was started.
01/08/2007 07:19:30 The Event log service was started.
01/08/2007 07:19:30 The previous system shutdown at 20:36:18 on 31/07/2007 w...
31/07/2007 18:53:17 The description for Event ID '1' in Source 'Microsoft-Wi...
29/07/2007 14:00:22 The description for Event ID '1' in Source 'Microsoft-Wi...
29/07/2007 05:42:25 The description for Event ID '1' in Source 'Microsoft-Wi...
28/07/2007 02:49:07 The description for Event ID '1' in Source 'Microsoft-Wi...
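An added example, not part of the original post: the same correlation done in code rather than by eye, pairing each 6008 record with the last lid wake in the same boot session and computing the gap. The sample rows are constructed from the listing above, the function name Get-CrashWakePair is hypothetical, and the dd/MM/yyyy 24-hour layout is assumed from that output.

```powershell
# Constructed sample: rows modelled on the listing above; the 6008 text follows
# the template quoted in the post. Live input would be Get-EventLog -LogName System.
$sample = @'
31/07/2007 18:53:17|Microsoft-Windows-Power-Troubleshooter|1|Wake Source: Device -ACPI Lid
01/08/2007 07:19:30|EventLog|6008|The previous system shutdown at 20:36:18 on 31/07/2007 was unexpected.
01/08/2007 07:19:30|EventLog|6005|The Event log service was started.
09/08/2007 21:07:52|Microsoft-Windows-Power-Troubleshooter|1|Wake Source: Device -ACPI Lid
09/08/2007 22:27:28|EventLog|6008|The previous system shutdown at 22:16:20 on 09/08/2007 was unexpected.
09/08/2007 22:27:28|EventLog|6005|The Event log service was started.
13/08/2007 10:26:37|Microsoft-Windows-Power-Troubleshooter|1|Wake Source: Device -ACPI Lid
13/08/2007 10:50:57|EventLog|6008|The previous system shutdown at 10:24:05 on 13/08/2007 was unexpected.
13/08/2007 10:50:57|EventLog|6005|The Event log service was started.
'@
$fmt = 'dd/MM/yyyy HH:mm:ss'
$inv = [Globalization.CultureInfo]::InvariantCulture
$events = $sample -split '\r?\n' |
    ConvertFrom-Csv -Delimiter '|' -Header When, Source, EventID, Message |
    Select-Object Source, Message,
        @{ n = 'EventID'; e = { [int]$_.EventID } },
        @{ n = 'TimeGenerated'; e = { [datetime]::ParseExact($_.When, $fmt, $inv) } }

function Get-CrashWakePair {
    param([object[]]$Events)
    $lastWake = $null
    # Oldest first; at equal times 6008 sorts before 6005, so the crash record is
    # paired with the previous boot session before the new session resets state.
    $ordered = $Events | Sort-Object TimeGenerated, @{ e = 'EventID'; Descending = $true }
    foreach ($e in $ordered) {
        if ($e.Source -eq 'Microsoft-Windows-Power-Troubleshooter' -and $e.Message -like '*ACPI Lid*') {
            $lastWake = $e.TimeGenerated
        } elseif ($e.Source -eq 'EventLog' -and $e.EventID -eq 6005) {
            $lastWake = $null
        } elseif ($e.Source -eq 'EventLog' -and $e.EventID -eq 6008) {
            # Windows can embed left-to-right marks (U+200E) in the date; drop them.
            $text = $e.Message -replace '\u200E', ''
            if ($text -match 'shutdown at (\d{2}:\d{2}:\d{2}) on (\d{2}/\d{2}/\d{4})') {
                $down = [datetime]::ParseExact("$($Matches[2]) $($Matches[1])", $fmt, $inv)
                [pscustomobject]@{
                    Shutdown    = $down
                    LastLidWake = $lastWake
                    Gap         = if ($null -ne $lastWake) { $down - $lastWake } else { $null }
                }
            }
        }
    }
}

Get-CrashWakePair $events | Format-Table -AutoSize
```

A negative Gap means the shutdown time recorded in the 6008 message is earlier than the lid wake logged in that session, as in the 13/08 rows.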