Scripting WMI Win32_NTLogEvent with PowerShell
The benefit of using either PowerShell or VBScript to interrogate the event logs is that you get fine control over filtering for a particular error or warning.
On this page I have chosen to ask Get-WmiObject to retrieve the WMI class Win32_NTLogEvent, rather than employ the simpler Get-Eventlog.
PowerShell WMI Win32_NTLogEvent Examples
PowerShell Pre-requisites and Checklist
In the case of Windows 7 and later, you don't need to download any extra files, just: 'Add Feature' --> Windows PowerShell. However, for older operating systems, there are different versions of PowerShell for XP, Windows Server 2003 and Vista. For such legacy systems only, you need to download PowerShell from Microsoft's site.
Once you have installed PowerShell 2.0 or later, I recommend choosing the ISE (Integrated Scripting Environment) version; it saves you buying a separate text editor.
Warning: From a learning point of view Example 1 is the best place to start, but from a practical point of view I would go to Example 2 because this first script takes too long and returns too much data.
The purpose of this raw script, which uses just Get-WmiObject (GWMI), is to return all the event log items, in all of the logs!
# PowerShell script to list the event logs.
Get-WmiObject -Class Win32_NTLogEvent
Note 1a: The hash # symbol is PowerShell's way of introducing a comment.
Note 1b: -Class is optional; PowerShell assumes that the first positional parameter is the WMI class.
This variation on Example 1 filters the event logs on two properties, logfile = Application and type = Error; furthermore, this PowerShell script formats the output into a table.
# WMI Win32_NTLogEvent PowerShell script
Get-WmiObject -Class Win32_NTLogEvent -Filter "(logfile='Application') AND (type='Error')" `
| Format-Table TimeGenerated, EventCode, Message -AutoSize
Note 2a: The backtick ` enables the command to continue onto the next line.
Note 2b: The crucial construction is -filter. To see what I mean have a look at the next example which features SELECT * From ... WHERE.
LEM will alert you to problems such as when a key application on a particular server is unavailable. It can also detect when services have stopped, or if there is a network latency problem. Perhaps this log and event management tool's most interesting ability is to take corrective action, for example by restarting services, or isolating the source of a malware attack.
Yet perhaps the killer reason why people use LEM is its compliance capability: with a little help from you, it will ensure that your organization complies with industry standards such as CISP or FERPA. LEM is a really smart application that can make correlations between data in different logs, then use its built-in logic to take corrective action, to restart services, or thwart potential security breaches - give LEM a whirl.
The example below achieves the same result as before but uses -Query coupled with SELECT * FROM ... WHERE.
These are just examples of WMI Win32_NTLogEvent; now it's up to you to modify my examples to suit your task. For example, you may wish to change logfile='Application' to logfile='System'. I would also consider changing the columns in the output, perhaps removing EventCode and adding SourceName.
Researching More Properties with Get-Member (GM)
Whenever you discover a new PowerShell command, it benefits from being checked over with Get-Member; invariably this throws up unexpected properties. To see what I mean, try:
Get-Member Reveals WMI Win32_NTLogEvent Properties
Note 4a: Be patient! The above command reveals a list of properties that you can then use in the output, for example SourceName.
Note 4b: The -MemberType parameter filters the output to just properties.
Note 4c: See more on Win32_NTLogEvent.
SolarWinds' Network Performance Monitor will help you discover what's happening on your network. This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.
What I like best is the way NPM suggests solutions to network problems. It also has the ability to monitor the health of individual VMware virtual machines. If you are interested in troubleshooting, and creating network maps, then I recommend that you try NPM now.
Example 4: Win32_NTLogEvent SourceName
This example filters the Application log for SourceName = 'Application Hang'.
# WMI Win32_NTLogEvent filter example
Get-WmiObject -Class Win32_NTLogEvent -Filter "(logfile='Application') AND (SourceName='Application Hang')" | Format-Table TimeGenerated, EventCode, Message -AutoSize
Real-life task: It's worth opening the Event Viewer to check the precise values to use in your filter.
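The following script is an added example, not part of the original page: it combines the -Query approach from Example 3 with the SourceName filter of Example 4, adds a time window (WQL compares TimeGenerated as a DMTF datetime string, so the cut-off must be converted first), escapes quotes and backslashes in the filter values so a value taken from the Event Viewer cannot break the query, and converts TimeGenerated back to a readable DateTime. The parameter names $LogFile, $EventType, $Source and $Hours are this example's own; Get-WmiObject requires Windows PowerShell (5.1 or earlier).

```powershell
# Added example (not from the original page): WQL query against Win32_NTLogEvent
# with logfile, type, optional SourceName and a time window.
# Assumptions: Windows PowerShell with Get-WmiObject available; the parameter
# names below are this example's own. Reading the Security log needs admin rights.
param(
    [string]$LogFile   = 'Application',
    [string]$EventType = 'Error',        # Error, Warning, Information, Audit Success, Audit Failure
    [string]$Source    = '',             # e.g. 'Application Hang'; empty = any source
    [int]$Hours        = 24
)

# WQL escapes with a backslash, so double backslashes and escape single quotes.
# This keeps a filter value copied from Event Viewer from altering the query.
function ConvertTo-WqlLiteral([string]$Value) {
    return ($Value -replace '\\', '\\' -replace "'", "\'")
}

# CIM_DATETIME values are compared as DMTF strings (yyyymmddHHMMSS.ffffff+UUU).
$since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddHours(-$Hours))

$where = "Logfile='$(ConvertTo-WqlLiteral $LogFile)'" +
         " AND Type='$(ConvertTo-WqlLiteral $EventType)'" +
         " AND TimeGenerated>='$since'"
if ($Source) { $where += " AND SourceName='$(ConvertTo-WqlLiteral $Source)'" }

$query = "SELECT * FROM Win32_NTLogEvent WHERE $where"
Write-Verbose "Running: $query"

# ConvertToDateTime is the script method PowerShell attaches to WMI objects;
# it turns the DMTF string in TimeGenerated into a local DateTime.
Get-WmiObject -Query $query |
    Sort-Object TimeGenerated -Descending |
    Select-Object @{Name = 'Time';    Expression = { $_.ConvertToDateTime($_.TimeGenerated) }},
                  @{Name = 'Source';  Expression = { $_.SourceName }},
                  EventCode,
                  @{Name = 'Message'; Expression = { ($_.Message -replace '\s+', ' ').Trim() }} |
    Format-Table -AutoSize -Wrap
```

Run it with -Verbose to see the exact WQL sent to WMI, which is the quickest way to spot a filter value that does not match what Event Viewer shows.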
The Windows logs are a victim of their own success; there are too many entries. The benefit of a good script is that you filter for the messages that are of interest. Through experimenting with PowerShell WMI scripts you can fine-tune the results to achieve your mission in ways that are not possible with Event Viewer.
See more PowerShell examples to read, write and list Windows event logs
Please email me if you have a better example script. Also please report any factual mistakes, grammatical errors or broken links; I will be happy to correct the fault.