Always A-HEAD, By being ahead you are always master of time


Monday, January 08, 2007

Reading Eventlog before and after shutdown

# Latest "The Event log service was started" (6005): this marks the boot, not the crash
$gener=Get-EventLog -LogName system | where{$_.eventid -eq 6005} | sort timegenerated | Select-Object -last 1
$timegen=$gener.timegenerated
# Everything logged since that boot
$afterReb=get-eventlog -logname system | where{$_.timegenerated -gt $timegen}
Write-host "-------------------------Error Type --------------------------- " -foregroundcolor "WHITE"
$afterReb | Group-Object entrytype
#Start-Sleep -m 500
Write-host " "
Write-host "-------------------------ERRORS --------------------------- " -foregroundcolor "WHITE"
#Start-Sleep -m 500
$afterReb | where{$_.entrytype -eq "error"} | Select-Object timegenerated,Source,EventID,Message | format-list | out-host -paging
#$afterReb | sort-Object entrytype | format-list | Out-Host -Paging
Write-host " "
# One hour before the boot marker; this window also spans the time the box was down
$BforeShtdn=$timegen.addhours(-1)
Write-host "-------------------------Events 1 Hour Before Shutdown --------------------------- " -foregroundcolor "WHITE"
$LsbforeShtdn=Get-EventLog -LogName system | where{(($_.timegenerated -gt $BforeShtdn) -and ($_.timegenerated -lt $timegen))}
$LsbforeShtdn | sort-Object entrytype | format-list | Out-Host -Paging

Suppose you get a call from the Helpdesk that a system went down unexpectedly. The system is back up now, but you want to know why it went down, so the first thing you look at is the event log. And what is your area of concentration? Obviously, when the system went down and whether there were any errors before and after the shutdown. That is exactly what this script does. It finds the most recent Event ID 6005 ("The Event log service was started"), which marks the boot, and lists every System event logged after it. When the shutdown was unexpected, that same boot also writes Event ID 6008 ("The previous system shutdown at ... was unexpected"), so 6005 and 6008 are the two IDs to key on; you can certainly add that check here. One caveat: $timegen is the boot time, not the moment the machine went down, so the "1 hour before" window below also covers the time the box was off, and the last event written before $timegen is the closest marker for when it actually stopped. But not only this: I also pull the event logs for the hour before that marker. And I'm again amazed by $BforeShtdn=$timegen.addhours(-1); it is simple mathematics. I don't have to do the subtraction programmatically. Simply superb. Thanks to the PowerShell team.

Well, the script is again very simple, but it should be useful. I parsed the event log and filtered on 6005, then took all logs after that event: logically, everything logged since the system came back up.

Apart from the script above, I found a very simple method to get the uptime of any computer across the network.

$wmip=get-wmiobject Win32_PerfFormattedData_PerfOS_System -computername "SystemName"
$time=$wmip.SystemUpTime          # seconds since boot
$uptime=new-timespan -seconds $time
# TimeSpan does not accept the "N" numeric format string, so build the text from its parts
$formattime="{0}:{1:00}:{2:00}:{3:00}" -f $uptime.Days,$uptime.Hours,$uptime.Minutes,$uptime.Seconds
Write-host $formattime "[Days:Hours:Minutes:Seconds]"
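
The same triage, and the uptime check, as one added example that is my own code and not from the post or its comment. It uses Get-WinEvent (Get-EventLog only exists in Windows PowerShell, not PowerShell 7), filters on the server side with -FilterHashtable, anchors the "before" window on the last event written before the boot rather than on the boot itself, and returns objects instead of Write-Host text so the result can be exported or compared across machines. Function and parameter names (Get-ShutdownContext, Get-BootInfo, the window sizes) are my own; it assumes you can read the System log on the target (run elevated, and for a remote box have RPC/WinRM access).

```powershell
# Added example, not code from the original post. Function and parameter names
# are assumptions of this example.

function Get-ShutdownContext {
    [CmdletBinding()]
    param(
        [string]$ComputerName,          # omit for the local machine
        [int]$HoursBefore = 1,          # how far back before the outage to look
        [int]$MinutesAfter = 15         # how long after the boot to look
    )
    $target = @{}
    if ($ComputerName) { $target.ComputerName = $ComputerName }

    # 6005 (provider "EventLog") = Event Log service started, i.e. the boot.
    # Get-WinEvent returns newest first, so -MaxEvents 1 is the latest boot.
    $boot = Get-WinEvent @target -MaxEvents 1 -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'EventLog'; Id = 6005 }
    if (-not $boot) { throw 'No 6005 (Event Log started) event found' }

    # 6008 is written during that same boot when the previous shutdown was not
    # clean. It is logged within seconds of 6005, so search from just before it.
    $unexpected = Get-WinEvent @target -MaxEvents 1 -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'EventLog'; Id = 6008
        StartTime = $boot.TimeCreated.AddMinutes(-2) }

    # The boot time is not the time the box went down. The last event written
    # before the boot is the closest marker for that, and anchors the window.
    $lastBefore = Get-WinEvent @target -MaxEvents 1 -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; EndTime = $boot.TimeCreated.AddSeconds(-1) }
    $downAt = if ($lastBefore) { $lastBefore.TimeCreated } else { $boot.TimeCreated }

    $before = @(Get-WinEvent @target -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; StartTime = $downAt.AddHours(-$HoursBefore); EndTime = $downAt })
    $after = @(Get-WinEvent @target -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; StartTime = $boot.TimeCreated
        EndTime = $boot.TimeCreated.AddMinutes($MinutesAfter) })

    # Level 1 = Critical, 2 = Error, 3 = Warning: read these first.
    $problems = ($before + $after) |
        Where-Object { $_.Level -in 1, 2, 3 } |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, LevelDisplayName, ProviderName, Id,
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }

    [pscustomobject]@{
        ComputerName        = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
        LastBoot            = $boot.TimeCreated
        UnexpectedShutdown  = [bool]$unexpected
        Detail6008          = if ($unexpected) { $unexpected.Message } else { $null }
        LastEventBeforeDown = $downAt
        EventsBefore        = $before.Count
        EventsAfter         = $after.Count
        ByLevelBefore       = $before | Group-Object LevelDisplayName -NoElement
        Problems            = $problems
    }
}

# Uptime from CIM instead of the perf counter: LastBootUpTime already comes back
# as a DateTime from Get-CimInstance (Get-WmiObject returns a DMTF string), and
# using the target's own LocalDateTime avoids skew between its clock and yours.
function Get-BootInfo {
    param([string]$ComputerName)
    $target = @{}
    if ($ComputerName) { $target.ComputerName = $ComputerName }
    $os = Get-CimInstance @target -ClassName Win32_OperatingSystem
    $uptime = $os.LocalDateTime - $os.LastBootUpTime
    [pscustomobject]@{
        ComputerName   = $os.CSName
        LastBootUpTime = $os.LastBootUpTime
        Uptime         = '{0}d {1:00}:{2:00}:{3:00}' -f $uptime.Days, $uptime.Hours, $uptime.Minutes, $uptime.Seconds
    }
}

# Usage (hostname is a placeholder):
#   $ctx = Get-ShutdownContext -ComputerName 'SERVER01'
#   $ctx | Select-Object ComputerName, LastBoot, UnexpectedShutdown, LastEventBeforeDown
#   $ctx.Problems | Format-Table -AutoSize
#   Get-BootInfo -ComputerName 'SERVER01'
```

If UnexpectedShutdown comes back false, the box was shut down cleanly and the interesting entries are usually the USER32 1074 shutdown-reason events in the Problems list; if it is true, start from Detail6008 and work backwards through the Before window.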

1 comment:

Anonymous said...

$wmip=get-wmiobject Win32_PerfFormattedData_PerfOS_System -computername "WSNG1109102335"
$time=$wmip.SystemUpTime
$uptime=new-timespan -seconds $time
Write-host $uptime.days DAYS $uptime.Hours HOURS $uptime.Minutes MINUTES $uptime.Seconds SECONDS

Would look great