Retrieve event logs for boot time

Hello. Long time lurker, first time poster. Please be gentle.

I am relatively new to PowerShell, but have used bat/cmd files for all sorts of automation.

After beginning the Powershell 3 “lunches” book, I found a website that went into some detail about the different Win 7 boot time events (100-110) in the Applications and Services Logs | Microsoft | Windows | Diagnostics-Performance location.

What I would like to do is create a powershell script I can run on multiple machines that will:

Get-EventLog -LogName "Application and Services" | Export-Csv -Path \\sharedlocation\file.csv -NoClobber

What I’m not sure how to do is to just have it see the Application and Services event log, then pull the Diagnostics-Performance logs only. Help is appreciated with that piece. Looking at it in the Event Log, I can see it’s really just Powershell with a GUI doing the heavy lifting, but I can’t “see” how to get this just in Powershell.

And I’m not looking for someone to write the script for me, just looking for someone to help push me in the right direction. Maybe with what to look for within the get-help commands to get me where I want to be? Maybe Get-EventLog isn’t how I get to the Applications and Services log? Does Powershell have access to that location? Maybe a way to set it up as a PSDrive?

Thanks in advance!

You can’t retrieve from both event logs at once with a single Get-EventLog; you have to pick one at a time. Additionally, Get-EventLog itself doesn’t support much in the way of filtering. That means you essentially have to retrieve all of the entries, and then use Where-Object to filter through them. It can be pretty time-consuming for a large log, but the event log architecture, and the cmdlet, just kinda work that way. What can help a bit is to use some of the filtering the cmdlet does support, such as only grabbing entries from after a certain date and time, grabbing entries of a specific type (that’ll help a lot), entries from a specific source, and so on. Look at the help for Get-EventLog to see what it can do.

Now… you said “diagnostics/performance.” Get-EventLog doesn’t support the newer event logs; it only supports the “classic” logs. You may want to look at Get-WinEvent, which is made for the newer log types introduced in Vista/Win2008.

You could access the log files via a file system PSDrive, sure - but the log file format is binary, and PowerShell doesn’t have any native means of parsing it, really. Going through Get-EventLog or Get-WinEvent queries the log entries via a communications API, so you’re not actually reading the log file per se.

Also… if you’re just after last boot time, be aware you can easily grab that from the Win32_OperatingSystem class using WMI or CIM.

Exactly how you go about this depends a bit. If Remoting is enabled on the machines you want to query, that’d be the best route. You can distribute the processing quite a bit that way. If not, then you’ll probably want to build a job to do this, since it can parallelize things a bit, and get the processing into a background thread, since it’s likely to take a while. That essentially involves building a short script to do the work, and then running it as a job when you’ve debugged it all the way.

Great! Thanks Don.

What I want is just the 100-110 “error” codes, so I can probably filter with that. And what I want is the newer logs, so it’ll be Get-WinEvent.

So I want to dump say, the last 20 100-110 codes for a large sample group of machines. Pull the machine name, the code and the offending startup item, then I’ll have a field day playing with Excel and filter the data that way.

Remoting is on for our machines, so that’s not a major problem to solve, and the idea is to run the code on the local machines and dump the data to a folder on the network.

Not just looking for last boot, trying to pull together some “this is what causes boot time to be slow” and see if there is anything that is common across machines we can work on “fixing” in some way.

Thanks again, this will help me start pulling something together!

The efficient way to do that, then, would be to run:

$computernames = Do-Something-That-Gets-Computer-Names
Invoke-Command -Comp $computernames -ScriptBlock { Get-WinEvent -Whatever -Whatever } -AsJob

That’d pull the data over to YOUR machine, whereupon you could do whatever with it. Having each machine write to a network location will be trickier, unless you’ve properly enabled Kerberos delegation or CredSSP. The machines running Get-WinEvent in that fashion won’t be able to access network resources otherwise.

And ugh, dude. Excel. Get yourself a copy of SQL Server Express, at least. It’s designed to do that. Don’t go down the dark place of using Excel as a reporting tool.
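The following is an added example, not code from the thread or from either poster. It puts the two answers above together: Get-WinEvent with -FilterHashtable against the Diagnostics-Performance log (IDs 100-110, the filtering Get-EventLog can’t do), the last boot time from Win32_OperatingSystem via CIM, and Invoke-Command -AsJob to fan the query out over Remoting and bring the results back to the machine running the script, so the CSV is written under your own credentials and no second hop to the share is needed. The file computers.txt, the share path \\server\share\boot-events.csv, and the EventData field names BootTime, Name and Path are assumptions for the example; check the XML view of one event in Event Viewer to confirm the field names on your build.

```powershell
# Added example (not from the original thread). Assumes Remoting is enabled on the
# targets and that the account running this can read the Operational log remotely
# and write to the share. File and share names below are placeholders.
$computerNames = Get-Content -Path .\computers.txt      # assumption: one host per line
$sharePath     = '\\server\share\boot-events.csv'       # assumption: destination CSV

$scriptBlock = {
    # -FilterHashtable is applied by the event log service, so only matching records
    # cross the API boundary; that is what makes this faster than Where-Object.
    $filter = @{
        LogName = 'Microsoft-Windows-Diagnostics-Performance/Operational'
        Id      = 100..110          # boot-performance events only
    }

    # Last boot time does not need the event log at all (Don's CIM suggestion).
    $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

    # -ErrorAction SilentlyContinue keeps "No events were found" from being terminating.
    Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The useful fields live in EventData, not in the Message text. Converting
            # the record to XML exposes the named <Data> elements directly.
            $xml  = [xml] $_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) {
                if ($d.Name) { $data[$d.Name] = $d.'#text' }
            }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Id          = $_.Id
                Level       = $_.LevelDisplayName
                LastBoot    = $lastBoot
                BootTimeMs  = $data['BootTime']   # assumption: set on event 100 (whole boot, ms)
                Item        = $data['Name']       # assumption: set on 101-110 (the slow item)
                Path        = $data['Path']
            }
        }
}

# -AsJob returns immediately; one child job per target runs in parallel, throttled.
$job = Invoke-Command -ComputerName $computerNames -ScriptBlock $scriptBlock `
                      -AsJob -ThrottleLimit 32

# Wait for every child, then pull the deserialized objects back. Remoting tags each
# result with PSComputerName, so the machine name comes for free.
$results = $job | Wait-Job | Receive-Job

# Targets that could not be reached show up as failed child jobs; say which ones.
$job.ChildJobs | Where-Object State -eq 'Failed' | ForEach-Object {
    Write-Warning "$($_.Location): $($_.JobStateInfo.Reason)"
}

# The export happens here, with your own token, so the remote sessions never touch
# the share and no Kerberos delegation or CredSSP is required.
$results |
    Select-Object PSComputerName, TimeCreated, Id, Level, LastBoot, BootTimeMs, Item, Path |
    Export-Csv -Path $sharePath -NoTypeInformation -Append
```

If you later do want each machine to write its own file, that is the point where the second-hop problem Don describes appears: the remote session holds a network logon token that cannot be used against a third machine unless delegation has been set up, so keeping the write on the orchestrating machine, as above, is the simpler design.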

Great! Thanks again Don, that’s really helpful and will help get me on the way to getting what I want.

As far as SQL… well, that’s another thing I’ll have to learn then. Excel, in this case, gets me what I want in a way I know how to manipulate it. That being said, I’ve downloaded SQL Server Express. Any good references/resources for learning SQL? Something like the Lunches book you’ve put together for PowerShell?

That being said, I do need to thank you for the Lunches book. It’s helped me “get it” better than the other books I tried. The Step by Step book helps too, but the lunches put it in the best possible bite size to really get it to sink in.

I’m actually working on a SQL Server book right now for the Lunches series. But, meantime, one of the free ebooks here (go to the Newsletter tab) has a module that simplifies basic SQL Server use, specifically for reporting. Give it a look.

Thanks again Don. I’ll download and check out the eBooks. I’ll start on them when I finish the PowerShell lunches in a handful of days. And thanks again for the help.