mrdon
January 25, 2021, 10:36pm
1
Hi
I am trying to get the KB details from EventViewer
Below is the output.
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
13/1/2021 2:53:55 AM 2 Information Package KB4598242 was successfully changed to the Installed state.
What I want is to display it in the output below.
Server KB12345 KB67892 KB22445
ServerA TimeCreated TimeCreated TimeCreated
ServerB TimeCreated TimeCreated TimeCreated
Below is the code I tried so far.
Clear-Host
Get-PSSession | Remove-PSSession
Remove-Variable * -ErrorAction SilentlyContinue; $Error.Clear()
$ScriptDir = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent
$Serverlist = @(get-content -Path "$ScriptDir\serverlist.txt")
$Kblist = @(get-content -Path "$ScriptDir\kblist.txt")
$Results = Foreach ($Server in $Serverlist)
{
    Foreach ($Kb in $KBlist)
    {
        Try
        {
            $TimeCreated = (Get-WinEvent -FilterHashtable @{logname='setup'} -ComputerName $Server -ErrorAction Stop | where-object { ($_.Message -like "*$kb*") -and ($_.Message -like "*installed*")}).TimeCreated
            [PSCustomObject]@{
                Server = $Server
                Status = 'Success'
                InstalledDate = $TimeCreated
            }
        }
        Catch
        {
            [PSCustomObject]@{
                Server = $Server
                Status = 'Fail'
                InstalledDate = $Null
            }
        }
    }
}
$Results | Select-Object Server, Status, InstalledDate
mrdon
January 26, 2021, 3:07am
2
Correction:
I would like the output in the format below.
Server KB TimeCreated
ServerA KB12345 xxxxxxxxxxx
ServerB KB56789 xxxxxxxxxxx
Your Get-WinEvent is not unique. The Message contains the word INSTALLED more than one time.
See:
##$TimeCreated
Foreach ($Kb in $KBlist)
{
    $KBEvent = (Get-WinEvent -FilterHashtable @{logname='setup'} | where-object { ($_.Message -like "*$kb*") -and ($_.Message -like "*installed*")})
    ForEach ($Item in $KBEvent){
        Try
        {
            [PSCustomObject]@{
                KB = $kb
                Server = $Server
                Status = 'Success'
                InstalledDate = $Item.TimeCreated
                Message = $($Item.Message)
            }
        }
        Catch
        {
            [PSCustomObject]@{
                # Report the KB name here as well, not the event object
                KB = $kb
                Server = $Server
                Status = 'Fail'
                InstalledDate = $Null
                Message = $($Item.Message)
            }
        }
    }
}
For example:
$KBlist = @("KB4576945","KB4571756","KB4576478")
You can use the -match operator and a regular expression to extract the package name from the message. Also you can add id=2 to your filterhashtable instead of piping to Where-Object. Not sure why you need error handling in this situation, but you can do it if you want. Here’s my solution. Works fine on my localhost.
$kblist = -split @'
KB4598242
KB4586876
KB4598481
KB4592438
KB4593175
'@
# Package is only filled when the message matches, so a stale $Matches from an earlier event is never reused
$events = Get-WinEvent -FilterHashtable @{logname='setup';id=2} |
    Select-Object TimeCreated,
        @{n="Package";e={if ($_.Message -match "KB\d+") { $Matches[0] }}}
$obj = @{}
#$obj.Server = $Server
foreach ($pkg in $kblist) {
    $obj."$pkg" = ($events | Where-Object {$_.Package -eq $pkg}).TimeCreated
} #foreach
[pscustomobject]$obj | Format-Table
tonyd
January 26, 2021, 7:19am
6
You can also get the KB from:
Select-Object TimeCreated, @{n="Package";e={$_.Properties[0].Value}}
tonyd
January 26, 2021, 7:34am
7
Not sure why I can't edit my post … I meant to add this as well. Another way to get system updates:
Get-WmiObject -ClassName Win32_QuickFixEngineering
I would totally go with TonyD’s recommendation if what you want is current applied hotfix, but if you want historic data (even if it is not current), you might have to go with log entries. This might catch things like a hotfix was installed then removed etc.
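Pulling the thread's suggestions together (the id=2 filter, extracting the KB name with a regular expression, and one Server / KB / TimeCreated row per event), here is an added example that is not code from any of the posts above. The function name Get-KbStateRecord and the State column with its NotFound and QueryFailed values are hypothetical, the sample events are constructed, and the message pattern assumes the wording shown in the question's output.

```powershell
# Added example; not code from any post above. Get-KbStateRecord is a hypothetical name.
function Get-KbStateRecord {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string[]]$KbList,
        [object[]]$Events = @()   # objects exposing TimeCreated and Message
    )
    # Parse each message once. The pattern follows the sample message in the question.
    $parsed = foreach ($e in $Events) {
        if ($e.Message -match 'Package (KB\d+) was successfully changed to the (.+?) state') {
            [pscustomobject]@{ KB = $Matches[1]; State = $Matches[2]; TimeCreated = $e.TimeCreated }
        }
    }
    foreach ($kb in $KbList) {
        # -eq on the captured name is an exact match; -like "*$kb*" also matches longer KB numbers.
        $hits = @($parsed | Where-Object { $_.KB -eq $kb } | Sort-Object TimeCreated)
        if ($hits.Count -eq 0) {
            [pscustomobject]@{ Server = $Server; KB = $kb; State = 'NotFound'; TimeCreated = $null }
        }
        foreach ($h in $hits) {
            [pscustomobject]@{ Server = $Server; KB = $kb; State = $h.State; TimeCreated = $h.TimeCreated }
        }
    }
}

# Constructed sample events (not real log data); the second KB number is made up (extra digit).
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2021-01-13T02:53:55'
                       Message = 'Package KB4598242 was successfully changed to the Installed state.' }
    [pscustomobject]@{ TimeCreated = [datetime]'2021-01-12T21:10:04'
                       Message = 'Package KB45982420 was successfully changed to the Installed state.' }
)
Get-KbStateRecord -Server 'ServerA' -KbList 'KB4598242', 'KB4586876' -Events $sample | Format-Table

# Live use: serverlist.txt and kblist.txt beside the script, as in the question.
if (Test-Path "$PSScriptRoot\serverlist.txt") {
    $kbs = Get-Content "$PSScriptRoot\kblist.txt"
    $rows = foreach ($server in Get-Content "$PSScriptRoot\serverlist.txt") {
        try {
            $ev = Get-WinEvent -FilterHashtable @{ LogName = 'Setup'; Id = 2 } -ComputerName $server -ErrorAction Stop
            Get-KbStateRecord -Server $server -KbList $kbs -Events $ev
        } catch {
            # Unreachable host, access denied, or a Setup log with no Id 2 events.
            $why = "QueryFailed: $($_.Exception.Message)"
            foreach ($kb in $kbs) { [pscustomobject]@{ Server = $server; KB = $kb; State = $why; TimeCreated = $null } }
        }
    }
    $rows | Format-Table Server, KB, State, TimeCreated
}
```

Keeping NotFound and QueryFailed as separate states means a server that could not be queried is not mistaken for one that is missing the update.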