 © Rakhesh Sasidharan
|
Had a Windows Server 2008 R2 server that started giving a blank screen since the recent Windows update reboot. This was a VM and it was the same result via VMware console or RDP. Safe Mode didn’t help either. Bummer!
Since this is a VM I mounted its disk on another 2008 R2 VM and tried to fix the problem offline. Most of my attempts didn’t help but I thought of posting them here for reference.
Note: In the following examples the broken VM’s disk is mounted to F: drive.
Recent updates
I used dism to list recent updates and remove them. To list updates from this month (March 2017):
|
|
dism /image:f:\ /get-packages /format:table | findstr "03/2017" |
To remove an update:
|
|
dism /image:f:\ /remove-package /packagename:Package_for_BlahBlahBlah |
I did this for each of the updates I had. That didn’t help though. And oddly I found that one of the updates kept re-appearing with a slightly different name (a different number suffixed to it actually) each time I’d remove it. Not sure why that was the case but I saw that F:\Windows\SxS had a file called pending.xml and figured this must be doing something to stop the update from being removed. I couldn’t delete the file in-spite of taking ownership and full control, so I opened it in Notepad and cleared all the contents. :o) After that the updates didn’t return but the machine was still broken.
SFC
I used sfc to check the integrity of all the system files:
|
|
sfc /scannow /offbootdir=f:\ /offwindir=f:\Windows |
No luck with that either!
Event Logs
Maybe the Event Logs have something? These can be found at F:\Windows\System32\Winevt\Logs. Double click the ones of interest to view.
In my case the Event Logs had nothing! No record at all of the VM starting up or what was causing it to hang. Tough luck!
Bonus info: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog contains locations of the files backing the Event Logs. Just mentioning it here as I came across this.
Drivers
Could drivers cause any issue? Unlikely. You can’t use dism to query drivers as above but you can check via registry. See this post. Honestly, I didn’t read it much. I didn’t suspect drivers and it seemed too much work fiddling through registry keys and folders.
Last Known Good Configuration
Whenever I’d boot up the VM I never got the Last Known Good (LKG) Configuration option. I tried pressing F8 a couple of times but it had no effect. So I wondered if I could tweak this via the registry. Turns out I can. And turns out I already knew this just that I had forgotten!
Your current configuration is HKLM\System\CurrentControlSet. This is actually a link to HKLM\System\CurrentControlSet01 or HKLM\System\CurrentControlSet02 or HKLM\System\CurrentControlSet03 or … (you get the point). Each of the CurrentControlSetXXX key is one of your previous configurations. The one that’s actually used can be found via HKLM\System\Select. The entry Current points to the number of the CurrentControlSetXXX key in use. The entry LastKnownGood points to the Last Known Good Configuration. Now we know what to do.
- Mount the
HKLM\SYSTEM hive of the broken VM. All registry hives can be found under %windir%\System32\Config. In my case that translates to the file F:\Windows\System32\Config\SYSTEM.
- To mount this file open Registry Editor, select the
HKLM hive, and go to File > Load Hive. (This is a good post with screenshots etc).
- Go to the
Select key above. Change Current to whatever LastKnownGood was.
- That’s all. Now unload the hive and you are done.
This helped in my case! I was finally able to move past the blank screen and get a login prompt. Upon login I was also able to download and install all the patches and confirm that the VM is now working fine (took a snapshot of course, just in case!). I have no idea what went wrong, but at least I have the pleasure of being able to fix it. From the post I link to below, I’d say it looks like a registry hive corruption.
Since I successfully logged in, my machine’s Last Known Good Configuration will be automatically updated by Windows with the current one. Here’s a blog post that explains this in more detail.
That’s all! Hope this helps someone.
These are notes from the AD Troubleshooting WorkshopPLUS session I attended. The notes are on troubleshooting Domain Controller critical services. I am mostly following what was discussed in class here rather than add anything new (except in the section of SC where I talk a bit about it).
Before moving on let’s recap the DC critical services from my previous post:
- DHCP client / DNS client – registers the DCs A and PTR records
- DHCP client for Server 2003 and prior
- DNS client for Server 2008 and later
- FRS / DFSR – responsible for SYSVOL replication between DCs
- FRS is now deprecated, may or may not be used in the domain. DFSR is the replacement.
- If the domain was born in functional level 2008 (i.e. all DCs are Server 2008 or later) then DFRS is used.
- Else FRS could be in use unless it was migrated.
- DNS server – used by DCs to locate each other, clients to locate DCs
- KDC – used for Kerberos authentication in the domain
- Netlogon – maintains secure channel between DCs and other DCs and clients; also updates DNS with the SRV records
- Secure channel is used for Kerberos authentication and AD replication
- DNS records are also written to
%systemroot%\system32\config\Netlogon.DNS in case manual updating of DNS server is required.
- Windows Time – maintains correct time in the domain, required for Kerberos authentication and AD replication
- AD DS – provides AD
- AD WDS – provides a web interface to AD
Event Viewer
In case of issues the Event Viewer is the best place to start troubleshooting from. Bear in mind merely looking at the System and Application logs as most admins do is not enough. AD specific events are usually logged under the Custom Views > Server Roles section.
Event IDs for some of the common problems can be found at this link. Some more event IDs and their resolution can be found at this link. The previous two links are worth a read in that they also give a high level overview of AD and troubleshooting.
DcDiag
This has a separate post of its own now.
Service Controller (SC)
This is a command I haven’t used much except in the context of checking for drivers. Try the following if you want to get a list of all active drivers on your system:
|
|
sc query type= driver | findstr DISPLAY_NAME |
Omit the pipe and findstr after that if you want more details. SC is cool in that it can do remote computers too:
|
|
sc \\win-dc03 query type= driver | findstr DISPLAY_NAME |
But drivers are just one type of objects SC can query. If you omit the type= driver SC returns services (and if you set type= All SC returns both drivers and services).
For example, to get a list of all services on the machine
An example entry in the output looks like this:
|
|
SERVICE_NAME: ADWS DISPLAY_NAME: Active Directory Web Services TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 |
Too much info, so to output just the Service Name, Display Name, and State use findstr:
|
|
sc query | findstr "SERVICE_NAME DISPLAY_NAME STATE" |
Services can be stopped and started using the following commands:
SC has its limitations though, in that you can’t stop a service if it has other services dependent on it. To my knowledge SC doesn’t have a way of enumerate services that depend on a particular service either, so there’s no way to manually stop all those services via a batch file or something. That said, SC can find which services a particular service depends upon via the sc qc command. For example:
|
|
C:\Users\Administrator>sc qc DNS [SC] QueryServiceConfig SUCCESS SERVICE_NAME: DNS TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Windows\system32\dns.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : DNS Server DEPENDENCIES : Tcpip : Afd : RpcSs : NTDS SERVICE_START_NAME : LocalSystem |
Given a service you can also get its description. For example:
|
|
C:\Users\Administrator>sc qdescription DNS [SC] QueryServiceConfig2 SUCCESS SERVICE_NAME: DNS DESCRIPTION: Enables DNS clients to resolve DNS names by answering DNS queries and dynamic DNS update requests. If this service is stopped, DNS updates will no t occur. If this service is disabled, any services that explicitly depend on it will fail to start. |
Like I said, I don’t use SC much except to query drivers. What I typically use for querying services is PowerShell.
PowerShell
- Start-Service
- Stop-Service
- Restart-Service
- Get-Service
I have noticed that sometimes the results from Get-Service and sc query vary. A recent example was when I did Get-Service NTDS on a Server 2008 R2 machine and it returned nothing while sc query NTDS returned results as expected.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
PS> Get-Service NTDS Get-Service : Cannot find any service with service name 'NTDS'. At line:1 char:12 + Get-Service <<<< NTDS + CategoryInfo : ObjectNotFound: (NTDS:String) [Get-Service], ServiceCommandException + FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.Commands.GetServiceCommand C:\> sc query NTDS SERVICE_NAME: NTDS TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 C:\> wmic service list status | findstr "NTDS" 0 NTDS OK |
Even WMIC is able to find NTDS above, but Get-Service doesn’t. Go figure!
Be mindful of the symptoms
One thing that was emphasized in class a lot is that while troubleshooting start with the symptoms (doh!). As in, think of the symptoms you are experiencing and work backwards from them as to what critical services could be down/ broken which might be leading to these symptoms. That will give you a good starting point to troubleshoot and then you can use the tools above to dig deeper and identify the problem. AD is a complex system made up of many moving parts, so a good understanding of the underlying structure and how they tie in together is important.
So as I mentioned yesterday I have been thinking of using Task Scheduler to try and enable disabled Office add-ins automatically.
The Problem
Here’s what happens. Every so often when users open Word, Outlook, Excel, etc they get a prompt like the one below:
We don’t know why they keep getting it, but ideally users should be clicking “NO” as we use all these add-ins and don’t want them disabled. But users being users they click “YES” intentionally or inadvertently and then call IT with complaints that their Word, Outlook, etc aren’t working as expected. Then we in IT have to do the boring task of going to their add-ins screen and enabling these items; followed by closing and opening Word, Outlook, whatever.
What I want to do here is (1) warn users when the above dialog box comes up, advising them not to click the “YES” button; and (2) if they do click “YES” then somehow enable the add-ins behind their back and get them to close and open the affected program.
Add-ins and the registry
I started off thinking I might need to do some fancy stuff to enable add-ins, but soon realized that they are all controlled by the registry. Nice!
- Add-ins can be installed for all users on the machine or just a specific user. So you have to look under both
HKLM and HKCU. The two locations are:  HKCU\Software\Microsoft\Office\(application)\Addins\ and HKLM\Software\Microsoft\Office\(application)\Addins\ (replace (application) with Word, Outlook, Excel, or PowerPoint). These two locations contain keys for each add-in installed for that particular application.Here’s a screen shot for the Outlook InterAction add-in for a user.
- The key thing in the registry keys above is the
LoadBehavior entry. This can take many values – the default is a value of 3 which means the add-in is loaded automatically at startup and is currently loaded. If the value is 2 it means the add-in is loaded automatically at startup but is currently not loaded.
- My initial hunch was that
LoadBehavior is what I must target. I thought when a user disables an add-in the LoadBehavior value of that add-in probably changes to 2, so all I need to do is switch it back to 3. But I was wrong (as I quickly figured after crashing Word a couple of times and choosing to disable add-ins).
- Then I discovered that add-ins which are disabled via a user dialog box as above don’t have their
LoadBehavior value changed; rather they are set as disabled at another place in the registry. And that is under the HKCU hive, at HKCU\Software\Microsoft\Office\(version)\(application)\Resiliency\DisabledItems (replace (version) with 15.0 for Office 2013, 14.0 for Office 2010, 12.0 for Office 2007, 11.0 for Office 2003, you get the idea … and replace (application) with Word, Outlook, etc as before).
Each time an add-in is disabled, a REG_BINARY entry is created under HKCU\Software\Microsoft\Office\(version)\(application)\Resiliency\DisabledItems with a binary value. I didn’t experiment to see if there’s a one-to-one mapping between this entry and an add-in, and also whether the entry is same for an add-in across all machines; the important finding for me was that if I delete this entry, it enables the add-in. So all I really needed to do to see if there are disabled add-ins for a program is to just check this key, and if there are any entries I can delete them all to re-enable all the add-ins. Nice! This doesn’t require a PowerShell script really. Good old reg can do the trick too. So a batch file is more than sufficient.
Below is what I came up with:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 |
@ECHO OFF setlocal enableextensions enabledelayedexpansion :CHECKOUTLOOK FOR /F "usebackq" %%I IN (`reg query HKCU\Software\Microsoft\Office\14.0\Outlook\Resiliency\DisabledItems`) DO ( IF %%I NEQ "" GOTO ENABLEOUTADDIN ) :CHECKWORD FOR /F "usebackq" %%I IN (`reg query HKCU\Software\Microsoft\Office\14.0\Word\Resiliency\DisabledItems`) DO ( IF %%I NEQ "" GOTO ENABLEWORDADDIN ) :CHECKEXCEL FOR /F "usebackq" %%I IN (`reg query HKCU\Software\Microsoft\Office\14.0\Excel\Resiliency\DisabledItems`) DO ( IF %%I NEQ "" GOTO ENABLEEXCELADDIN ) :CHECKPPT FOR /F "usebackq" %%I IN (`reg query HKCU\Software\Microsoft\Office\14.0\PowerPoint\Resiliency\DisabledItems`) DO ( IF %%I NEQ "" GOTO ENABLEEXCELADDIN ) GOTO EOF :ENABLEOUTADDIN reg delete HKCU\Software\Microsoft\Office\14.0\Outlook\Resiliency\DisabledItems /va /f msg * "Your Outlook had some errors which the system fixed automatically. Please close and open Outlook. Until you do so certain functionality may be disabled." GOTO CHECKWORD :ENABLEWORDADDIN reg delete HKCU\Software\Microsoft\Office\14.0\Word\Resiliency\DisabledItems /va /f msg * "Your Word had some errors which the system fixed automatically. Please close and open Word. Until you do so certain functionality may be disabled." GOTO CHECKEXCEL :ENABLEEXCELADDIN reg delete HKCU\Software\Microsoft\Office\14.0\Excel\Resiliency\DisabledItems /va /f msg * "Your Excel had some errors which the system fixed automatically. Please close and open Excel. Until you do so certain functionality may be disabled." GOTO CHECKPPT :ENABLEPPTADDIN reg delete HKCU\Software\Microsoft\Office\14.0\PowerPoint\Resiliency\DisabledItems /va /f msg * "Your PowerPoint had some errors which the system fixed automatically. Please close and open PowerPoint. Until you do so certain functionality may be disabled." GOTO EOF :EOF exit /B |
I could probably make it shorter if I pick up more batch file scripting but this does the trick for me.
Let’s break it down for Outlook. I enumerate the registry key. The results of this are iterated over by a FOR loop. If the list isn’t empty – i.e. there are disabled add-ins – the loop exits and goes to a different section.
|
|
:CHECKOUTLOOK FOR /F "usebackq" %%I IN (`reg query HKCU\Software\Microsoft\Office\14.0\Outlook\Resiliency\DisabledItems`) DO ( IF %%I NEQ "" GOTO ENABLEOUTADDIN ) |
This section that the loop exits to simply deletes all entries under that key, shows a message to the user asking them to close and open Outlook, and goes up the batch file to check Word next.
|
|
:ENABLEOUTADDIN reg delete HKCU\Software\Microsoft\Office\14.0\Outlook\Resiliency\DisabledItems /va /f msg * "Your Outlook had some errors which the system fixed automatically. Please close and open Outlook. Until you do so certain functionality may be disabled." GOTO CHECKWORD |
Repeat and rinse for each application and there you have it! Like I said, easy peasy, quick and dirty!
Maybe I should improve the script later – I don’t know. An overhaul using PowerShell might be a good idea I think. Specifically, there are a few things I am already thinking of adding:
- Currently the message box goes away if the user clicks OK. Would be nice if I could keep an eye out for whether they actually close the program later, and if not keep popping up reminders – maybe a ballon tip?
- Would be nice if I could close the application for the user. I could do that in the batch file too via
taskkill but I was wary of doing that lest it cause any corruptions. I wouldn’t want Outlook OST and PST files or Word templates getting corrupted because I closed the program. Maybe PowerShell has a more graceful way of shutting down an app? I don’t think so, but that could be my ignorance.
- Currently I enable all add-ins. While that’s fine for our case maybe I should have a list of add-ins that are to be excluded from being enabled? Or only enable a whitelist of add-ins?
So that’s that. Next step is to find a way to trigger the batch file.
Scheduled task triggers and Event Viewer
Each time the dialog box asking a user to disable an add-in appears, an entry is logged in Event Viewer. This looked like a promising way to hook on to that event and warn the user not to click “YES”. These entries are logged under “Application and Services Logs” > “Microsoft Office Alerts”.
The joy of discovering that was short lived though, as I realized the same sort of alerts are generated for many other Office related things: spell check notifications, connectivity to Exchange, etc.
All these alerts had the same source and ID and there was nothing for me to distinguish between them! Sure the data part was different, and while Event Viewer (and thus Task Scheduler) supports XPath for searching the Event Logs it has limitations in that I can’t do wildcard searches. Thus while I could do an XPath search for all events that have the exact error message in the first Event Log entry above, I can’t do an XPath search for all events that contain the text “Do you want to disable this add-in?”. This is a big limitation because now I will have to (a) find the exact message for each add-in and program, and (b) create XPath queries for each of these – eugh! That’s too much work for now (and not very elegant either!) so I decided to not pursue that route.
Once a user decides to enable or disable an add-in though, I found a different alert is generated for that. Under the “Application” log, from source “Microsoft Office 14” (since we have Office 2010), alerts with event ID 2001 are generated each time a user selects to disable an add-in (and alerts with event ID 2000 are generated when they choose not to disable).
That’s convenient, coz now I can create a task that is triggered on such events and whose action is to run the previous batch file. Nice!
Putting it all together
End result is a task I can import as in the case of the laptop lid issue. Here’s the XML file of the task:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 |
<?xml version="1.0" encoding="UTF-16"?> <Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2014-09-17T11:01:41.2438879</Date> <Author>RAKHESH.LOCAL\Admin</Author> </RegistrationInfo> <Triggers> <EventTrigger> <ExecutionTimeLimit>PT1M</ExecutionTimeLimit> <Enabled>true</Enabled> <Subscription><QueryList><Query Id="0" Path="Application"><Select Path="Application">*[System[Provider[@Name='Microsoft Office 14'] and EventID=2001]]</Select></Query></QueryList></Subscription> </EventTrigger> </Triggers> <Principals> <Principal id="Author"> <UserId>--REPLACE--</UserId> <LogonType>InteractiveToken</LogonType> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>false</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec> <Command>C:\NRPortbl\enable-addins.bat</Command> <Arguments>2>nul</Arguments> </Exec> </Actions> </Task> |
Once again, I install it for the users I want via a batch file like this:
|
|
copy /Y "\\server\AddIn-Fix\enable-addins.bat" C:\NRPortbl powershell -Command "(gc \\server\AddIn-Fix\schtask.xml) -replace '--REPLACE--', $("$env:USERDOMAIN" + '\' + "$env:USERNAME") | Out-File -Encoding ASCII C:\schtask.xml" schtasks /Create /XML "C:\schtask.xml" /TN "AddIn-Fix" del /f C:\schtask.xml schtasks /Run /TN "AddIn-Fix" pause |
Not done yet!
I am not done yet though. It’s not practical installing it like this for each user in my domain. I chose the above approach just to get it installed for a few test users; next step is to roll it out via GPO to the whole domain. Stay tuned for a post on that later …!
And one more thing …
Something I learnt while reading about add-ins.
Update
Thanks to Adam Fowler and Daniel Steefkerk for mentioning this blog post on Twitter and pointing me out to two other tools that do similar things:
- OfficeIns (from NirSoft) – lets you enumerate and enable/ disable Office add-ins, even remotely. Nice!
- Office Add-In Monitor – a small tray utility that lets you specify a list of add-ins to monitor and will “protect” them from being disabled.
I haven’t tried either of these but thought I’d link them here for completeness. Speaking of completeness, if you are on Office 2013 and above you now get a much better prompt when an add-in is disabled, and you have the option of enabling it from there.
Posted: September 4th, 2014 | Tags: active directory, adminsdholder, event 4780, event logs | Category: Windows | § Here’s something that I learnt the other day.
At work we use a bunch of admin accounts for various tasks. Previously all these admin accounts were part of the Domain Admins group, but recently in a drive to tighten down things we removed many of these accounts the from Domain Admins group. These accounts are still members of the other built in groups such as Account Operators and/ or Server Operators though, but not Domain Admins.
After removal we noticed that the accounts that were not Domain Admins could no longer reset passwords or unlock accounts for any admin accounts. Not surprising – since the Domain Admins group is what has such rights on all accounts once these users are removed from the Domain Admins group they naturally lost their rights. This needed fixing so here’s what we did: all our admin accounts (both Domain Admins and others) were in an OU called “Admin Accounts”, so we put the accounts that were not in the Domain Admins group into a group called Limited Admins and delegated this group rights to reset passwords on the “Admin Accounts” OU.
Notice the Limited Admins group has a reset password Access Control Entry (ACE) on the “Admin Accounts” OU. This is a result of the delegation. If I check an individual account in this OU, the ACE entry is present on it too.
Once this was done and dusted a funny thing happened. Initially the Local Admin groups members could reset everyone’s passwords but soon they complained they were unable to. We checked the OU and an example Domain Admin account and noticed the previous ACE was no longer present. The ACE was still present on the OU and on accounts that were not members of the Domain Admins group, but it was missing from accounts that were members of the Domain Admins group or even groups such as Account Operators and Server Operators. Very odd!
We checked whether any of the other admins were removing these rights intentionally but none were. Next we checked the Event Viewer but that didn’t have anything to add. Finally we enabled auditing of account management activities to see if that sheds some light. An important point (which I had missed out initially) is that to view the extra details one must check the Event Viewer of the Domain Controller with the PDC Emulator role. To find out the DC with the PDC Emulator role open “AD Users and Computers”, right click on the domain name, select Operations Master:
Sure enough when we went through the Event Viewer of this DC there was an entry which explained what was happening:
Interesting! At least this explains what was happening. And now that we knew what was happening the next step was to read more about the AdminSDHolder object and tweak things so our accounts didn’t get their ACEs stripped. This post took longer than expected to type up, so more on that in my next post …
Posted: June 3rd, 2013 | Tags: event logs, reports | Category: PowerShell | § Playing around with Get-WinEvent today. I find it very useful, especially when dealing with remote computers (as I have to at work). Launching Event Viewer, connecting to a remote computer (or even local computer), and then sifting through logs (or creating filters to sift) seems very cumbersome when I can acheive the same results much faster via PowerShell.
As you might have seen the Event Viewer has various logs. Using Get-WinEvent you can select which logs to focus on. To get a list of available logs do the following:
Probably better to filter through format-table for neater output:
|
|
Get-WinEvent -ListLog * | ft LogName -AutoSize |
To view details of a specific log, replace * with the name (and pipe output to format-list to view all the details):
|
|
Get-WinEvent -ListLog $logname | fl * |
To view all events in a log do the following:
|
|
Get-WinEvent -LogName System |
There’s a lot of output, so good to restrict the number of entries:
|
|
Get-WinEvent -LogName System -MaxEvents 50 |
Strangely there’s no easy way to restrict the entries starting at a certain time. There is, but no easy switchy way. Instead you have to do the following:
|
|
Get-WinEvent -FilterHashTable @{LogName="System";StartTime=(get-date).AddHours(-2)} |
We use the -FilterHashTable switch here. This takes a hash table containing the log name as well as other parameters to filter on (you can start time, end time, provider name, ID, etc, and can combine multiple parameters). In the example above I want all events from the “System” log for the last 2 hours – so I use the get-date cmdlet, use it’s method AddHours() and set the number of hours to be added as -2.
In the next example I filter all events from the “System” log with event ID 7036 starting from now yesterday up to an hour ago.
|
|
Get-WinEvent -FilterHashTable @{LogName="System"; StartTime=(get-date).AddDays(-1); EndTime=(get-date).AddHours(-1); ID=7036} |
To change the displayed order of events from newest-first to oldest-first use the -Oldest switch.
Beats piping the output to a sort cmdlet to reverse-sort!
Similar to how you can list the lognames you can list providers too:
|
|
Get-WinEvent -ListProvider * |
This gives a list of the providers (the applications or sources that log events) and the logs to which they send events. The list can be huge, so a good idea is to pipe the output through where-object to filter by the providers you are interested in:
|
|
Get-WinEvent -ListProvider * | ?{ $_.Name -match "PowerShell" } |
Note: The case doesn’t really matter above (“PowerShell”) because the -match operator is case in-sensitive by default. Use -cmatch if you care about case.
Back to the -FormatHashTable switch: this one takes a “ProviderName” key too containing the name of the provider you wish to filter on. The name can contain wildcards if you want to search multiple providers. For instance, the example below searches the “Application” log for all entries by the Citrix providers (there are many hence the wildcard) logged in the past three hours:
|
|
Get-WinEvent -FilterHashtable @{LogName="Application"; ProviderName="Citrix*"; StartTime=(get-date).AddHours(-3)} |
Note: In the example above, I can omit the logname. The hashtable requires either the log name or the provider name (or the path to a log). If you don’t care about the log name or provider name, mention one of these but leave the value as a wildcard. Like thus:
|
|
Get-WinEvent -FilterHashtable @{LogName="*"; StartTime=(get-date).AddHours(-3)} |
The above example gets all logs from the past 3 hours.
The default output of Get-WinEvent includes a lot of fields. Best to use format-table or select-object to only show what you want. In the example below I use select-object to select just the Message, ID, and TimeCreated properties. Further I pipe the output to a CSV file (doing that just to show how easy it is to quickly pull some remote logs into a CSV file):
|
|
Get-WinEvent -ComputerName $computer -FilterHashtable @{LogName="*"; StartTime=(get-date).AddHours(-3)} | select Message,Id,TimeCreated | Export-Csv c:pathtocsvfile |
I needed to filter the event logs from a remote computer for power off events. The user was powering it off himself every now and then, but wouldn’t believe me when I said so. No problem, thanks to the event logs all his shutdown requests are logged so it’s only a matter of culling it out.
I could have user Event Viewer but PowerShell is way easier. I only need to check the System event logs for any events with ID 1074. Further, for every shutdown, events with this ID are logged twice – one starting with the line “The process C:Windowssystem32winlogon.exe …” the other starting with the line “The process Explorer.EXE has initiated the power off …” – so I’d like to filter the output to just include one of these lines. Finally, I’d also like the day of the week to be shown.
So here’s what I did:
|
|
Get-WinEvent -ComputerName $computer -FilterHashTable @{Logname="System";ID="1074"} | ?{ $_.Message -match "^The process Explorer.EXE has initiated the power off" } | ft TimeCreated,@{Name="Day";Expression={ $_.TimeCreated.DayOfWeek }} |
So far so good. I use Get-WinEvent to return the event logs I want, use the Message property of these returned objects to filter logs containing just the text we want. And finally I use the TimeCreated property of these objects to display the time and day. This TimeCreated property is the subject of this post so let’s focus on that further.
First, how do we get the members and properties of the objects returned by Get-WinEvent? Here’s how:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
PS> Get-WinEvent -MaxEvents 1 | gm TypeName: System.Diagnostics.Eventing.Reader.EventLogRecord Name MemberType Definition ---- ---------- ---------- Dispose Method System.Void Dispose() Equals Method bool Equals(System.Object obj) FormatDescription Method string FormatDescription(), string FormatDescription(System.Collections.Generic.IE... GetHashCode Method int GetHashCode() GetPropertyValues Method System.Collections.Generic.IList[System.Object] GetPropertyValues(System.Diagnosti... GetType Method type GetType() ToString Method string ToString() ToXml Method string ToXml() Message NoteProperty System.String Message=A process has exited.... ... TimeCreated Property System.Nullable`1[[System.DateTime, mscorlib, Version=2.0.0.0, Culture=neutral, Pu... UserId Property System.Security.Principal.SecurityIdentifier UserId {get;} Version Property System.Nullable`1[[System.Byte, mscorlib, Version=2.0.0.0, Culture=neutral, Public... |
Notice the TimeCreated property.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 |
PS> Get-WinEvent -MaxEvents 1 | select TimeCreated | gm TypeName: Selected.System.Diagnostics.Eventing.Reader.EventLogRecord Name MemberType Definition ---- ---------- ---------- Equals Method bool Equals(System.Object obj) GetHashCode Method int GetHashCode() GetType Method type GetType() ToString Method string ToString() TimeCreated NoteProperty System.DateTime TimeCreated=02/06/2013 11:01:17 PS> (Get-WinEvent -MaxEvents 1).TimeCreated | gm TypeName: System.DateTime Name MemberType Definition ---- ---------- ---------- Add Method System.DateTime Add(System.TimeSpan value) AddDays Method System.DateTime AddDays(double value) AddHours Method System.DateTime AddHours(double value) ... Day Property System.Int32 Day {get;} DayOfWeek Property System.DayOfWeek DayOfWeek {get;} DayOfYear Property System.Int32 DayOfYear {get;} Hour Property System.Int32 Hour {get;} Kind Property System.DateTimeKind Kind {get;} Millisecond Property System.Int32 Millisecond {get;} Minute Property System.Int32 Minute {get;} Month Property System.Int32 Month {get;} Second Property System.Int32 Second {get;} Ticks Property System.Int64 Ticks {get;} TimeOfDay Property System.TimeSpan TimeOfDay {get;} Year Property System.Int32 Year {get;} DateTime ScriptProperty System.Object DateTime {get=if ((& { Set-StrictMode -Version 1; $this.DisplayHin... |
The TimeCreated property is an object of class DateTime. To get the day of the date instance, use the TimeCreated.DayofWeek property. Which is what I extract via the Format-Table expression in my initial code:
|
|
... | ft TimeCreated,@{Name="Day";Expression={ $_.TimeCreated.DayOfWeek }} |
This post from the “Hey, Scripting Guy! Blog” is a good read on Get-WinEvent and the DateTime class.
Focussing on the DateTime class, this is the type of the object returned by the get-date cmdlet too. Although not obvious from the syntax of the get-date cmdlet, you can use it to return a DateTime object instance of the date you specify as string. Like thus:
|
|
PS> get-date 02 June 2013 11:18:45 PS> get-date "31/05/2013 12:24:11" 31 May 2013 12:24:11 |
What’s more, you can even format the string:
|
|
PS> get-date "31/05/2013 12:24:11" -Format "dd" 31 PS> get-date "31/05/2013 12:24:11" -Format "ddd" Fri PS> get-date "31/05/2013 12:24:11" -Format "dddd" Friday PS> get-date "31/05/2013 12:24:11" -Format "'The day is' dddd" The day is Friday |
The -Format switch takes a format specifier. As seen above “dd” stands for the date, “ddd” stands for the day in short-hand, “dddd” stands for the date in longhand, and so on.
You can also typecast a string to the DateTime class:
|
|
PS> [datetime]"05/31/2013" 31 May 2013 00:00:00 |
The typecast technique has a limitation though in that it expects the input to be in the format of US, i.e. “MM/dd/YYYY”. The DateTime class has a static member called Parse(), however, that is smart enough the use the country/ culture of the computer.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 |
PS> [datetime] | gm -Static TypeName: System.DateTime Name MemberType Definition ---- ---------- ---------- Compare Method static int Compare(System.DateTime t1, System.DateTime t2) DaysInMonth Method static int DaysInMonth(int year, int month) Equals Method static bool Equals(System.DateTime t1, System.DateTime t2), static bool Equals(System.Obj... FromBinary Method static System.DateTime FromBinary(long dateData) FromFileTime Method static System.DateTime FromFileTime(long fileTime) FromFileTimeUtc Method static System.DateTime FromFileTimeUtc(long fileTime) FromOADate Method static System.DateTime FromOADate(double d) IsLeapYear Method static bool IsLeapYear(int year) Parse Method static System.DateTime Parse(string s), static System.DateTime Parse(string s, System.IFo... ParseExact Method static System.DateTime ParseExact(string s, string format, System.IFormatProvider provide... ReferenceEquals Method static bool ReferenceEquals(System.Object objA, System.Object objB) SpecifyKind Method static System.DateTime SpecifyKind(System.DateTime value, System.DateTimeKind kind) TryParse Method static bool TryParse(string s, System.DateTime&, mscorlib, Version=2.0.0.0, Culture=neutr... TryParseExact Method static bool TryParseExact(string s, string format, System.IFormatProvider provider, Syste... MaxValue Property static System.DateTime MaxValue {get;} MinValue Property static System.DateTime MinValue {get;} Now Property System.DateTime Now {get;} Today Property System.DateTime Today {get;} UtcNow Property System.DateTime UtcNow {get;} PS> [datetime]::Parse("31/05/2013") 31 May 2013 00:00:00 |
How do we parse the date if it’s in a different format though? Both the get-date cmdlet and the [datetime]::Parse() method fail if the input string does not match the date format of the computer:
|
|
PS> get-date "05/31/2013 12:24:11" Get-Date : Cannot bind parameter 'Date'. Cannot convert value "05/31/2013 12:24:11" to type "System.DateTime". Error: " String was not recognized as a valid DateTime." At line:1 char:9 + get-date <<<< "05/31/2013 12:24:11" + CategoryInfo : InvalidArgument: (:) [Get-Date], ParameterBindingException + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerShell.Commands.GetDateCommand PS> [datetime]::Parse("05/31/2013 12:24:11") Exception calling "Parse" with "1" argument(s): "String was not recognized as a valid DateTime." At line:1 char:18 + [datetime]::Parse <<<< ("05/31/2013 12:24:11") + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : DotNetMethodException |
It is possible to specify the date format of the input string. This only works with the Parse() method though. Like thus (thanks to this blog post):
|
|
PS> $usculture = [Globalization.cultureinfo]::GetCultureInfo("en-US") PS> [datetime]::Parse("05/31/2013 12:24:11",$usculture) 31 May 2013 12:24:11 |
The Globalization.cultureinfo class has a GetCultureInfo() method, so what we are doing above is we create a variable that is an instance of the “en-US” culture and then pass this variable to the Parse() method so it knows which format to parse the input in. Of course we could have also specified the whole thing on one line:
|
|
PS> [datetime]::Parse("05/31/2013 12:24:11",[Globalization.cultureinfo]::GetCultureInfo("en-US")) 31 May 2013 12:24:11 |
Let’s examine the Globalization.cultureinfo class. First, let’s examine its static members and properties:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
PS> [Globalization.cultureinfo] | gm -Static TypeName: System.Globalization.CultureInfo Name MemberType Definition ---- ---------- ---------- CreateSpecificCulture Method static System.Globalization.CultureInfo CreateSpecificCulture(string name) Equals Method static bool Equals(System.Object objA, System.Object objB) GetCultureInfo Method static System.Globalization.CultureInfo GetCultureInfo(int culture), stat... GetCultureInfoByIetfLanguageTag Method static System.Globalization.CultureInfo GetCultureInfoByIetfLanguageTag(s... GetCultures Method static System.Globalization.CultureInfo[] GetCultures(System.Globalizatio... ReadOnly Method static System.Globalization.CultureInfo ReadOnly(System.Globalization.Cul... ReferenceEquals Method static bool ReferenceEquals(System.Object objA, System.Object objB) CurrentCulture Property static System.Globalization.CultureInfo CurrentCulture {get;} CurrentUICulture Property static System.Globalization.CultureInfo CurrentUICulture {get;} InstalledUICulture Property static System.Globalization.CultureInfo InstalledUICulture {get;} InvariantCulture Property static System.Globalization.CultureInfo InvariantCulture {get;} |
The GetCulture() method can be used to list all available cultures:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
PS> [globalization.cultureinfo]::GetCultures("") Cannot convert argument "0", with value: "", for "GetCultures" to type "System.Globalization.CultureTypes": "Cannot con vert value "" to type "System.Globalization.CultureTypes" due to invalid enumeration values. Specify one of the followi ng enumeration values and try again. The possible enumeration values are "NeutralCultures, SpecificCultures, InstalledW in32Cultures, AllCultures, UserCustomCulture, ReplacementCultures, WindowsOnlyCultures, FrameworkCultures"." At line:1 char:41 + [globalization.cultureinfo]::GetCultures <<<< ("") + CategoryInfo : NotSpecified: (:) [], MethodException + FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument # the error message tells us what to pass to the method PS> [globalization.cultureinfo]::GetCultures("allCultures") LCID Name DisplayName ---- ---- ----------- 1 ar Arabic 2 bg Bulgarian 3 ca Catalan 4 zh-CHS Chinese (Simplified) 5 cs Czech 6 da Danish 7 de German ... |
To get details about a specific culture use the GetCultureInfo() method:
|
|
PS> [Globalization.cultureinfo]::GetCultureInfo("en-US") LCID Name DisplayName ---- ---- ----------- 1033 en-US English (United States) |
The LCID corresponds to the Locale ID assigned by Microsoft. To see all the properties use the get-member cmdlet or format-list to see the values:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 |
PS> [Globalization.cultureinfo]::GetCultureInfo("en-US") | gm TypeName: System.Globalization.CultureInfo Name MemberType Definition ---- ---------- ---------- ClearCachedData Method System.Void ClearCachedData() Clone Method System.Object Clone() Equals Method bool Equals(System.Object value) GetConsoleFallbackUICulture Method System.Globalization.CultureInfo GetConsoleFallbackUICulture() GetFormat Method System.Object GetFormat(type formatType) GetHashCode Method int GetHashCode() GetType Method type GetType() ToString Method string ToString() Calendar Property System.Globalization.Calendar Calendar {get;} CompareInfo Property System.Globalization.CompareInfo CompareInfo {get;} CultureTypes Property System.Globalization.CultureTypes CultureTypes {get;} DateTimeFormat Property System.Globalization.DateTimeFormatInfo DateTimeFormat {get;set;} DisplayName Property System.String DisplayName {get;} EnglishName Property System.String EnglishName {get;} ... PS> [Globalization.cultureinfo]::GetCultureInfo("en-US") | fl Parent : en LCID : 1033 KeyboardLayoutId : 1033 Name : en-US IetfLanguageTag : en-US DisplayName : English (United States) NativeName : English (United States) EnglishName : English (United States) TwoLetterISOLanguageName : en ThreeLetterISOLanguageName : eng ThreeLetterWindowsLanguageName : ENU CompareInfo : CompareInfo - 1033 TextInfo : TextInfo - 1033 IsNeutralCulture : False CultureTypes : SpecificCultures, InstalledWin32Cultures, FrameworkCultures NumberFormat : System.Globalization.NumberFormatInfo DateTimeFormat : System.Globalization.DateTimeFormatInfo Calendar : System.Globalization.GregorianCalendar OptionalCalendars : {System.Globalization.GregorianCalendar, System.Globalization.GregorianCalendar} UseUserOverride : False IsReadOnly : True |
On the topic of dates, the DateTimeFormat property seems interesting:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
PS> [Globalization.cultureinfo]::GetCultureInfo("en-US").DateTimeFormat AMDesignator : AM Calendar : System.Globalization.GregorianCalendar DateSeparator : / FirstDayOfWeek : Sunday CalendarWeekRule : FirstDay FullDateTimePattern : dddd, MMMM dd, yyyy h:mm:ss tt LongDatePattern : dddd, MMMM dd, yyyy LongTimePattern : h:mm:ss tt MonthDayPattern : MMMM dd PMDesignator : PM RFC1123Pattern : ddd, dd MMM yyyy HH':'mm':'ss 'GMT' ShortDatePattern : M/d/yyyy ShortTimePattern : h:mm tt SortableDateTimePattern : yyyy'-'MM'-'dd'T'HH':'mm':'ss TimeSeparator : : UniversalSortableDateTimePattern : yyyy'-'MM'-'dd HH':'mm':'ss'Z' YearMonthPattern : MMMM, yyyy AbbreviatedDayNames : {Sun, Mon, Tue, Wed...} ShortestDayNames : {Su, Mo, Tu, We...} DayNames : {Sunday, Monday, Tuesday, Wednesday...} AbbreviatedMonthNames : {Jan, Feb, Mar, Apr...} MonthNames : {January, February, March, April...} IsReadOnly : True NativeCalendarName : Gregorian Calendar AbbreviatedMonthGenitiveNames : {Jan, Feb, Mar, Apr...} MonthGenitiveNames : {January, February, March, April...} |
Notice the ShortDatePattern above. This is exactly what the -Format switch of Get-Date cmdlet expects, so one can use this to format the output of Get-Date in a different locale. Like thus:
|
|
PS> get-date 02 June 2013 12:33:36 PS> Get-Date -Format([Globalization.cultureinfo]::GetCultureInfo("en-US").DateTimeFormat.ShortDatePattern) 6/2/2013 PS> Get-Date -Format([Globalization.cultureinfo]::GetCultureInfo("zh-CN").DateTimeFormat.ShortDatePattern) 2013/6/2 |
So now we have seen to use the [datetime]::Parse() method to parse an input string into a DateTime object while specifying the country format of the input string. We have also seen how to output the result of get-date in the format of a different country. Both methods use the [Globalization.cultureinfo] class.
Lastly, there is an easy way to parse any string – irrespective of whether it matches the format of a country or not – into a DateTime object via the ParseExact() method. This is worth mentioning as without such a method one would have to resort to regular expressions and such!
In the example below we match an input string with time “02:50PM” by specifying the format as “hh:mmtt” to the ParseExact() method.
|
|
PS> [datetime]::ParseExact("02:50PM","hh:mmtt",$null) 02 June 2013 14:50:00 |
I am not sure what the third parameter of this method is supposed to be. Most examples put it as $null. It seems to take a “culture” as input, but I am not sure how it affects the output. Instead of $null the following too seem to work: $(get-culture), [Globalization.Cultureinfo]::GetCultureInfo("en-US") (“en-GB” too works), and [Globalization.Cultureinfo]::InvariantCulture.
The format can contain other text too. Escape the characters of such text with a slash ':
|
|
PS> [datetime]::ParseExact("At the beep the time will be 02:50PM","'At the beep the time will be' hh:mmtt",[Globalization.Cultureinfo]::GetCultureInfo("en-GB")) 02 June 2013 14:50:00 |
And just to show what happens if the format does not match:
|
|
PS> [datetime]::ParseExact("At the beep the time will be 02:50PM","'At the beep the time will be' hh:mmt",[Globalization.Cultureinfo]::GetCultureInfo("en-GB")) Exception calling "ParseExact" with "3" argument(s): "String was not recognized as a valid DateTime." At line:1 char:23 + [datetime]::ParseExact <<<< ("At the beep the time will be 02:50PM","'At the beep the time will be' hh:mmt",[Globaliz ation.Cultureinfo]::GetCultureInfo("en-GB")) + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : DotNetMethodException |
Thanks to these two posts for showing me ParseExact().
I want to find out where from a user account is locked out in my domain.
The manual way to do this would be to open up Event Viewer, scan the event logs on the DC for event ID 4740, open it up and see the message to identify the machine from where this account was locked out. But using PowerShell we can obviously automate this way easily!
First things first: how to scan the event logs using PowerShell? You can use either of Get-EventLog or Get-WinEvent. The former only works on the classic event logs while the latter works on both the classic and newer event logs such as those found in Windows Vista and later. I find the latter faster too, so let’s use that. Here’s me running that cmdlet to filter the security logs for event ID 4740 on a remote DC:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 |
PS> Get-WinEvent -FilterHashtable @{LogName='Security';Id=4740} -ComputerName dc01 | fl * Message : A user account was locked out. Subject: Security ID: S-1-5-18 Account Name: DC01$ Account Domain: ENTERPRISE Logon ID: 0x3e7 Account That Was Locked Out: Security ID: S-1-5-21-1606980848-515967899-682003330-66682 Account Name: User01 Additional Information: Caller Computer Name: MANGO Id : 4740 Version : 0 Qualifiers : Level : 0 Task : 13824 Opcode : 0 Keywords : -9214364837600034816 RecordId : 148130232 ProviderName : Microsoft-Windows-Security-Auditing ProviderId : 54849625-5478-4994-a5ba-3e3b0328c30d LogName : Security ProcessId : 468 ThreadId : 1304 MachineName : DC01.enterprise.local UserId : TimeCreated : 23/05/2013 09:26:04 ActivityId : RelatedActivityId : ContainerLog : security MatchedQueryIds : {} Bookmark : System.Diagnostics.Eventing.Reader.EventBookmark LevelDisplayName : Information OpcodeDisplayName : Info TaskDisplayName : User Account Management KeywordsDisplayNames : {Audit Success} Properties : {System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventPrope rty, System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventP roperty...} |
There’s only one event here so the details of that are returned. It gives us all the info we need at a glance: user name “User01” is locked thanks to a bad password attempt from the computer “MANGO”.
Neat!
Now let’s go about making this prettier and better.
In the code above I am specifying the domain controller to query. That’s only helpful if I have an idea of the machine or site the user is trying to login to, and so know the domain controller responsible for that site. A better approach would be to query the domain controller with the PDC Emulator FSMO role for event ID 4740. This DC is the one that eventually processes the account lockout requests for all accounts in the domain.
The cmdlet Get-ADDomainContoller gives you the domain controller of the site you are in. Adding the switch -Filter * gives you all the domain controllers in the domain. And piping this through a where-object to filter out the domain controller with the “PDC Emulator” FSMO role gives you the domain controller we are interested in. Like thus:
|
|
Get-ADDomainController -Filter * | where-object {$_.OperationMasterRoles -contains "PDCEmulator"} |
The snippet above returns an object for the DC with the PDC Emulator role, to extract just the name do thus:
|
|
(Get-ADDomainController -Filter * | where-object {$_.OperationMasterRoles -contains "PDCEmulator"}).Name |
Next, let’s go about presenting the output above in a tidier format.
One thing to note is that all the info we want is in a property called Message.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 |
PS> Get-WinEvent -FilterHashtable @{LogName='Security';Id=4740} -ComputerName dc01 | gm TypeName: System.Diagnostics.Eventing.Reader.EventLogRecord Name MemberType Definition ---- ---------- ---------- Dispose Method System.Void Dispose() Equals Method bool Equals(System.Object obj) FormatDescription Method string FormatDescription(), string FormatDescription(System.Collections.Generic.IE... GetHashCode Method int GetHashCode() GetPropertyValues Method System.Collections.Generic.IList[System.Object] GetPropertyValues(System.Diagnosti... GetType Method type GetType() ToString Method string ToString() ToXml Method string ToXml() Message NoteProperty System.String Message=A user account was locked out.... ActivityId Property System.Nullable`1[[System.Guid, mscorlib, Version=2.0.0.0, Culture=neutral, Public... ... Properties Property System.Collections.Generic.IList`1[[System.Diagnostics.Eventing.Reader.EventProper... ... PS> Get-WinEvent -FilterHashtable @{LogName='Security';Id=4740} -ComputerName dc01 | select -ExpandProperty Message A user account was locked out. Subject: Security ID: S-1-5-18 Account Name: DC01$ Account Domain: ENTERPRISE Logon ID: 0x3e7 Account That Was Locked Out: Security ID: S-1-5-21-1606980848-515967899-682003330-66682 Account Name: User01 Additional Information: Caller Computer Name: MANGO |
So one option would be to do some fancy filtering using foreach-object like thus:
|
|
PS> Get-WinEvent -FilterHashtable @{LogName='Security';Id=4740} -ComputerName dc01 | %{ write-host -ForegroundColor Red "At" $_.TimeCreated; write-host -ForegroundColor White $_.Message; write-host } At 23/05/2013 09:26:04 A user account was locked out. Subject: Security ID: S-1-5-18 Account Name: DC01$ Account Domain: ENTERPRISE Logon ID: 0x3e7 Account That Was Locked Out: Security ID: S-1-5-21-1606980848-515967899-682003330-66682 Account Name: User01 Additional Information: Caller Computer Name: MANGO |
This will list out the multiple lockout entries with the timestamp on top in red.
A better option, however, is to use the Properties property, which is an array containing exactly the info we want as values.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
PS> Get-WinEvent -FilterHashtable @{LogName='Security';Id=4740} -ComputerName dc01 | select -ExpandProperty Properties Value ----- User01 MANGO S-1-5-21-1606980848-515967899-682003330-66682 S-1-5-18 DC01$ ENTERPRISE 999 PS> (Get-WinEvent -FilterHashtable @{LogName='Security';Id=4740} -ComputerName dc01).Properties | gm TypeName: System.Diagnostics.Eventing.Reader.EventProperty Name MemberType Definition ---- ---------- ---------- Equals Method bool Equals(System.Object obj) GetHashCode Method int GetHashCode() GetType Method type GetType() ToString Method string ToString() Value Property System.Object Value {get;} |
Format-Table is your friend here:
|
|
PS> Get-WinEvent -FilterHashtable @{LogName='Security';Id=4740} -ComputerName (Get-ADDomainController -Filter * | where-object {$_.OperationMasterRoles -contains "PDCEmulator"}).Name | ` ft @{Name="User";Expression={$_.Properties[0].Value}},@{Name="Computer";Expression={$_.Properties[1].Value}},@{Name="Time";Expression={$_.TimeCreated}} User Computer Time ---- -------- ---- User01 Computer01 23/05/2013 12:20:41 User02 Computer02 23/05/2013 11:55:56 User01 Computer01 23/05/2013 11:42:40 User03 Computer06 23/05/2013 11:36:53 User01 Computer01 23/05/2013 11:03:39 User01 Computer01 23/05/2013 10:25:37 |
A one line code that’s way better than opening Event Viewer and filtering through the logs manually.
And if you want to filter by the locked out status of a specific $user, pipe the output through a where-object like thus:
|
|
Get-WinEvent -FilterHashtable @{LogName='Security';Id=4740} -ComputerName (Get-ADDomainController -Filter * | where-object {$_.OperationMasterRoles -contains "PDCEmulator"}).Name | ` Where-Object {$_.Properties[0].Value -match "$user"} | ` ft @{Name="User";Expression={$_.Properties[0].Value}},@{Name="Computer";Expression={$_.Properties[1].Value}},@{Name="Time";Expression={$_.TimeCreated}} |
|