 © Rakhesh Sasidharan
|
Had a request to use SolarWinds to highlight servers in a pending reboot status. Here’s what I did.
Sorry, this is currently broken. After implementing this I realized I need to enable PowerShell remoting on all servers for it to work, else the script just returns the result from the SolarWinds server. Will update this post after I fix it at my workplace. If you come across this post before that, all you need to do is enable PowerShell remoting across all your servers and change the script execution to “Remote Host”.
SolarWinds has a built in application monitor called “Windows Update Monitoring”. It does a lot more than what I want so I disabled all the components I am not interested in. (I could have also just created a new application monitor, I know, just was lazy).
The part I am interested in is the PowerShell Monitor component. By default it checks for the reboot required status by checking a registry key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired. Here’s the default script –
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
$Error.Clear(); $regpath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired"; $res = Test-Path $regpath; if ($Error.Count -ne 0) { Write-Host "Message: $($Error[0])"; exit 1; } if ($res) { write-host "Message: Reboot required." write-host "Statistic: 1" exit 0 } else { write-host "Message: Reboot not required." write-host "Statistic: 0" exit 0 } |
Inspired by this blog post which monitors three more registry keys and also queries ConfigMgr, I replaced the default PowerShell script with the following –
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
$res = $false if (Get-ChildItem "HKLM:\Software\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending" -EA Ignore) { $res = $true } if (Get-Item "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired" -EA Ignore) { $res = $true } if (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name PendingFileRenameOperations -EA Ignore) { $res = $true } try { $util = [wmiclass]"\\.\root\ccm\clientsdk:CCM_ClientUtilities" $status = $util.DetermineIfRebootPending() if (($status -ne $null) -and $status.RebootPending) { $res = $true } } catch { } if ($res) { write-host "Message: Reboot required." write-host "Statistic: 1" exit 0 } else { write-host "Message: Reboot not required." write-host "Statistic: 0" exit 0 } |
Then I added the application monitor to all my Windows servers. The result is that I can see the following information on every node –
Following this I created alerts to send me an email whenever the status of the above component (“Machine restart status …”) went down for any node. And I also created a SolarWinds report to capture all nodes for which the above component was down.
Then I assigned this to a schedule to run once in a month after our patching window to email me a list of nodes that require reboots.
Posted: June 3rd, 2013 | Tags: reports | Category: PowerShell | § There are easier ways probably but this is what I use:
|
|
Get-DistributionGroupMember $groupname | ft @{Name="Name"; Expression={$_.Name}},@{Name="Email Address"; Expression={(Get-Recipient $_.Name).PrimarySmtpAddress}} |
Posted: June 3rd, 2013 | Tags: event logs, reports | Category: PowerShell | § Playing around with Get-WinEvent today. I find it very useful, especially when dealing with remote computers (as I have to at work). Launching Event Viewer, connecting to a remote computer (or even local computer), and then sifting through logs (or creating filters to sift) seems very cumbersome when I can acheive the same results much faster via PowerShell.
As you might have seen the Event Viewer has various logs. Using Get-WinEvent you can select which logs to focus on. To get a list of available logs do the following:
Probably better to filter through format-table for neater output:
|
|
Get-WinEvent -ListLog * | ft LogName -AutoSize |
To view details of a specific log, replace * with the name (and pipe output to format-list to view all the details):
|
|
Get-WinEvent -ListLog $logname | fl * |
To view all events in a log do the following:
|
|
Get-WinEvent -LogName System |
There’s a lot of output, so good to restrict the number of entries:
|
|
Get-WinEvent -LogName System -MaxEvents 50 |
Strangely there’s no easy way to restrict the entries starting at a certain time. There is, but no easy switchy way. Instead you have to do the following:
|
|
Get-WinEvent -FilterHashTable @{LogName="System";StartTime=(get-date).AddHours(-2)} |
We use the -FilterHashTable switch here. This takes a hash table containing the log name as well as other parameters to filter on (you can start time, end time, provider name, ID, etc, and can combine multiple parameters). In the example above I want all events from the “System” log for the last 2 hours – so I use the get-date cmdlet, use it’s method AddHours() and set the number of hours to be added as -2.
In the next example I filter all events from the “System” log with event ID 7036 starting from now yesterday up to an hour ago.
|
|
Get-WinEvent -FilterHashTable @{LogName="System"; StartTime=(get-date).AddDays(-1); EndTime=(get-date).AddHours(-1); ID=7036} |
To change the displayed order of events from newest-first to oldest-first use the -Oldest switch.
Beats piping the output to a sort cmdlet to reverse-sort!
Similar to how you can list the lognames you can list providers too:
|
|
Get-WinEvent -ListProvider * |
This gives a list of the providers (the applications or sources that log events) and the logs to which they send events. The list can be huge, so a good idea is to pipe the output through where-object to filter by the providers you are interested in:
|
|
Get-WinEvent -ListProvider * | ?{ $_.Name -match "PowerShell" } |
Note: The case doesn’t really matter above (“PowerShell”) because the -match operator is case in-sensitive by default. Use -cmatch if you care about case.
Back to the -FormatHashTable switch: this one takes a “ProviderName” key too containing the name of the provider you wish to filter on. The name can contain wildcards if you want to search multiple providers. For instance, the example below searches the “Application” log for all entries by the Citrix providers (there are many hence the wildcard) logged in the past three hours:
|
|
Get-WinEvent -FilterHashtable @{LogName="Application"; ProviderName="Citrix*"; StartTime=(get-date).AddHours(-3)} |
Note: In the example above, I can omit the logname. The hashtable requires either the log name or the provider name (or the path to a log). If you don’t care about the log name or provider name, mention one of these but leave the value as a wildcard. Like thus:
|
|
Get-WinEvent -FilterHashtable @{LogName="*"; StartTime=(get-date).AddHours(-3)} |
The above example gets all logs from the past 3 hours.
The default output of Get-WinEvent includes a lot of fields. Best to use format-table or select-object to only show what you want. In the example below I use select-object to select just the Message, ID, and TimeCreated properties. Further I pipe the output to a CSV file (doing that just to show how easy it is to quickly pull some remote logs into a CSV file):
|
|
Get-WinEvent -ComputerName $computer -FilterHashtable @{LogName="*"; StartTime=(get-date).AddHours(-3)} | select Message,Id,TimeCreated | Export-Csv c:pathtocsvfile |
I needed to filter the event logs from a remote computer for power off events. The user was powering it off himself every now and then, but wouldn’t believe me when I said so. No problem, thanks to the event logs all his shutdown requests are logged so it’s only a matter of culling it out.
I could have user Event Viewer but PowerShell is way easier. I only need to check the System event logs for any events with ID 1074. Further, for every shutdown, events with this ID are logged twice – one starting with the line “The process C:Windowssystem32winlogon.exe …” the other starting with the line “The process Explorer.EXE has initiated the power off …” – so I’d like to filter the output to just include one of these lines. Finally, I’d also like the day of the week to be shown.
So here’s what I did:
|
|
Get-WinEvent -ComputerName $computer -FilterHashTable @{Logname="System";ID="1074"} | ?{ $_.Message -match "^The process Explorer.EXE has initiated the power off" } | ft TimeCreated,@{Name="Day";Expression={ $_.TimeCreated.DayOfWeek }} |
So far so good. I use Get-WinEvent to return the event logs I want, use the Message property of these returned objects to filter logs containing just the text we want. And finally I use the TimeCreated property of these objects to display the time and day. This TimeCreated property is the subject of this post so let’s focus on that further.
First, how do we get the members and properties of the objects returned by Get-WinEvent? Here’s how:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
PS> Get-WinEvent -MaxEvents 1 | gm TypeName: System.Diagnostics.Eventing.Reader.EventLogRecord Name MemberType Definition ---- ---------- ---------- Dispose Method System.Void Dispose() Equals Method bool Equals(System.Object obj) FormatDescription Method string FormatDescription(), string FormatDescription(System.Collections.Generic.IE... GetHashCode Method int GetHashCode() GetPropertyValues Method System.Collections.Generic.IList[System.Object] GetPropertyValues(System.Diagnosti... GetType Method type GetType() ToString Method string ToString() ToXml Method string ToXml() Message NoteProperty System.String Message=A process has exited.... ... TimeCreated Property System.Nullable`1[[System.DateTime, mscorlib, Version=2.0.0.0, Culture=neutral, Pu... UserId Property System.Security.Principal.SecurityIdentifier UserId {get;} Version Property System.Nullable`1[[System.Byte, mscorlib, Version=2.0.0.0, Culture=neutral, Public... |
Notice the TimeCreated property.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 |
PS> Get-WinEvent -MaxEvents 1 | select TimeCreated | gm TypeName: Selected.System.Diagnostics.Eventing.Reader.EventLogRecord Name MemberType Definition ---- ---------- ---------- Equals Method bool Equals(System.Object obj) GetHashCode Method int GetHashCode() GetType Method type GetType() ToString Method string ToString() TimeCreated NoteProperty System.DateTime TimeCreated=02/06/2013 11:01:17 PS> (Get-WinEvent -MaxEvents 1).TimeCreated | gm TypeName: System.DateTime Name MemberType Definition ---- ---------- ---------- Add Method System.DateTime Add(System.TimeSpan value) AddDays Method System.DateTime AddDays(double value) AddHours Method System.DateTime AddHours(double value) ... Day Property System.Int32 Day {get;} DayOfWeek Property System.DayOfWeek DayOfWeek {get;} DayOfYear Property System.Int32 DayOfYear {get;} Hour Property System.Int32 Hour {get;} Kind Property System.DateTimeKind Kind {get;} Millisecond Property System.Int32 Millisecond {get;} Minute Property System.Int32 Minute {get;} Month Property System.Int32 Month {get;} Second Property System.Int32 Second {get;} Ticks Property System.Int64 Ticks {get;} TimeOfDay Property System.TimeSpan TimeOfDay {get;} Year Property System.Int32 Year {get;} DateTime ScriptProperty System.Object DateTime {get=if ((& { Set-StrictMode -Version 1; $this.DisplayHin... |
The TimeCreated property is an object of class DateTime. To get the day of the date instance, use the TimeCreated.DayofWeek property. Which is what I extract via the Format-Table expression in my initial code:
|
|
... | ft TimeCreated,@{Name="Day";Expression={ $_.TimeCreated.DayOfWeek }} |
This post from the “Hey, Scripting Guy! Blog” is a good read on Get-WinEvent and the DateTime class.
Focussing on the DateTime class, this is the type of the object returned by the get-date cmdlet too. Although not obvious from the syntax of the get-date cmdlet, you can use it to return a DateTime object instance of the date you specify as string. Like thus:
|
|
PS> get-date 02 June 2013 11:18:45 PS> get-date "31/05/2013 12:24:11" 31 May 2013 12:24:11 |
What’s more, you can even format the string:
|
|
PS> get-date "31/05/2013 12:24:11" -Format "dd" 31 PS> get-date "31/05/2013 12:24:11" -Format "ddd" Fri PS> get-date "31/05/2013 12:24:11" -Format "dddd" Friday PS> get-date "31/05/2013 12:24:11" -Format "'The day is' dddd" The day is Friday |
The -Format switch takes a format specifier. As seen above “dd” stands for the date, “ddd” stands for the day in short-hand, “dddd” stands for the date in longhand, and so on.
You can also typecast a string to the DateTime class:
|
|
PS> [datetime]"05/31/2013" 31 May 2013 00:00:00 |
The typecast technique has a limitation though in that it expects the input to be in the format of US, i.e. “MM/dd/YYYY”. The DateTime class has a static member called Parse(), however, that is smart enough the use the country/ culture of the computer.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 |
PS> [datetime] | gm -Static TypeName: System.DateTime Name MemberType Definition ---- ---------- ---------- Compare Method static int Compare(System.DateTime t1, System.DateTime t2) DaysInMonth Method static int DaysInMonth(int year, int month) Equals Method static bool Equals(System.DateTime t1, System.DateTime t2), static bool Equals(System.Obj... FromBinary Method static System.DateTime FromBinary(long dateData) FromFileTime Method static System.DateTime FromFileTime(long fileTime) FromFileTimeUtc Method static System.DateTime FromFileTimeUtc(long fileTime) FromOADate Method static System.DateTime FromOADate(double d) IsLeapYear Method static bool IsLeapYear(int year) Parse Method static System.DateTime Parse(string s), static System.DateTime Parse(string s, System.IFo... ParseExact Method static System.DateTime ParseExact(string s, string format, System.IFormatProvider provide... ReferenceEquals Method static bool ReferenceEquals(System.Object objA, System.Object objB) SpecifyKind Method static System.DateTime SpecifyKind(System.DateTime value, System.DateTimeKind kind) TryParse Method static bool TryParse(string s, System.DateTime&, mscorlib, Version=2.0.0.0, Culture=neutr... TryParseExact Method static bool TryParseExact(string s, string format, System.IFormatProvider provider, Syste... MaxValue Property static System.DateTime MaxValue {get;} MinValue Property static System.DateTime MinValue {get;} Now Property System.DateTime Now {get;} Today Property System.DateTime Today {get;} UtcNow Property System.DateTime UtcNow {get;} PS> [datetime]::Parse("31/05/2013") 31 May 2013 00:00:00 |
How do we parse the date if it’s in a different format though? Both the get-date cmdlet and the [datetime]::Parse() method fail if the input string does not match the date format of the computer:
|
|
PS> get-date "05/31/2013 12:24:11" Get-Date : Cannot bind parameter 'Date'. Cannot convert value "05/31/2013 12:24:11" to type "System.DateTime". Error: " String was not recognized as a valid DateTime." At line:1 char:9 + get-date <<<< "05/31/2013 12:24:11" + CategoryInfo : InvalidArgument: (:) [Get-Date], ParameterBindingException + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerShell.Commands.GetDateCommand PS> [datetime]::Parse("05/31/2013 12:24:11") Exception calling "Parse" with "1" argument(s): "String was not recognized as a valid DateTime." At line:1 char:18 + [datetime]::Parse <<<< ("05/31/2013 12:24:11") + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : DotNetMethodException |
It is possible to specify the date format of the input string. This only works with the Parse() method though. Like thus (thanks to this blog post):
|
|
PS> $usculture = [Globalization.cultureinfo]::GetCultureInfo("en-US") PS> [datetime]::Parse("05/31/2013 12:24:11",$usculture) 31 May 2013 12:24:11 |
The Globalization.cultureinfo class has a GetCultureInfo() method, so what we are doing above is we create a variable that is an instance of the “en-US” culture and then pass this variable to the Parse() method so it knows which format to parse the input in. Of course we could have also specified the whole thing on one line:
|
|
PS> [datetime]::Parse("05/31/2013 12:24:11",[Globalization.cultureinfo]::GetCultureInfo("en-US")) 31 May 2013 12:24:11 |
Let’s examine the Globalization.cultureinfo class. First, let’s examine its static members and properties:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
PS> [Globalization.cultureinfo] | gm -Static TypeName: System.Globalization.CultureInfo Name MemberType Definition ---- ---------- ---------- CreateSpecificCulture Method static System.Globalization.CultureInfo CreateSpecificCulture(string name) Equals Method static bool Equals(System.Object objA, System.Object objB) GetCultureInfo Method static System.Globalization.CultureInfo GetCultureInfo(int culture), stat... GetCultureInfoByIetfLanguageTag Method static System.Globalization.CultureInfo GetCultureInfoByIetfLanguageTag(s... GetCultures Method static System.Globalization.CultureInfo[] GetCultures(System.Globalizatio... ReadOnly Method static System.Globalization.CultureInfo ReadOnly(System.Globalization.Cul... ReferenceEquals Method static bool ReferenceEquals(System.Object objA, System.Object objB) CurrentCulture Property static System.Globalization.CultureInfo CurrentCulture {get;} CurrentUICulture Property static System.Globalization.CultureInfo CurrentUICulture {get;} InstalledUICulture Property static System.Globalization.CultureInfo InstalledUICulture {get;} InvariantCulture Property static System.Globalization.CultureInfo InvariantCulture {get;} |
The GetCulture() method can be used to list all available cultures:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
PS> [globalization.cultureinfo]::GetCultures("") Cannot convert argument "0", with value: "", for "GetCultures" to type "System.Globalization.CultureTypes": "Cannot con vert value "" to type "System.Globalization.CultureTypes" due to invalid enumeration values. Specify one of the followi ng enumeration values and try again. The possible enumeration values are "NeutralCultures, SpecificCultures, InstalledW in32Cultures, AllCultures, UserCustomCulture, ReplacementCultures, WindowsOnlyCultures, FrameworkCultures"." At line:1 char:41 + [globalization.cultureinfo]::GetCultures <<<< ("") + CategoryInfo : NotSpecified: (:) [], MethodException + FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument # the error message tells us what to pass to the method PS> [globalization.cultureinfo]::GetCultures("allCultures") LCID Name DisplayName ---- ---- ----------- 1 ar Arabic 2 bg Bulgarian 3 ca Catalan 4 zh-CHS Chinese (Simplified) 5 cs Czech 6 da Danish 7 de German ... |
To get details about a specific culture use the GetCultureInfo() method:
|
|
PS> [Globalization.cultureinfo]::GetCultureInfo("en-US") LCID Name DisplayName ---- ---- ----------- 1033 en-US English (United States) |
The LCID corresponds to the Locale ID assigned by Microsoft. To see all the properties use the get-member cmdlet or format-list to see the values:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 |
PS> [Globalization.cultureinfo]::GetCultureInfo("en-US") | gm TypeName: System.Globalization.CultureInfo Name MemberType Definition ---- ---------- ---------- ClearCachedData Method System.Void ClearCachedData() Clone Method System.Object Clone() Equals Method bool Equals(System.Object value) GetConsoleFallbackUICulture Method System.Globalization.CultureInfo GetConsoleFallbackUICulture() GetFormat Method System.Object GetFormat(type formatType) GetHashCode Method int GetHashCode() GetType Method type GetType() ToString Method string ToString() Calendar Property System.Globalization.Calendar Calendar {get;} CompareInfo Property System.Globalization.CompareInfo CompareInfo {get;} CultureTypes Property System.Globalization.CultureTypes CultureTypes {get;} DateTimeFormat Property System.Globalization.DateTimeFormatInfo DateTimeFormat {get;set;} DisplayName Property System.String DisplayName {get;} EnglishName Property System.String EnglishName {get;} ... PS> [Globalization.cultureinfo]::GetCultureInfo("en-US") | fl Parent : en LCID : 1033 KeyboardLayoutId : 1033 Name : en-US IetfLanguageTag : en-US DisplayName : English (United States) NativeName : English (United States) EnglishName : English (United States) TwoLetterISOLanguageName : en ThreeLetterISOLanguageName : eng ThreeLetterWindowsLanguageName : ENU CompareInfo : CompareInfo - 1033 TextInfo : TextInfo - 1033 IsNeutralCulture : False CultureTypes : SpecificCultures, InstalledWin32Cultures, FrameworkCultures NumberFormat : System.Globalization.NumberFormatInfo DateTimeFormat : System.Globalization.DateTimeFormatInfo Calendar : System.Globalization.GregorianCalendar OptionalCalendars : {System.Globalization.GregorianCalendar, System.Globalization.GregorianCalendar} UseUserOverride : False IsReadOnly : True |
On the topic of dates, the DateTimeFormat property seems interesting:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
PS> [Globalization.cultureinfo]::GetCultureInfo("en-US").DateTimeFormat AMDesignator : AM Calendar : System.Globalization.GregorianCalendar DateSeparator : / FirstDayOfWeek : Sunday CalendarWeekRule : FirstDay FullDateTimePattern : dddd, MMMM dd, yyyy h:mm:ss tt LongDatePattern : dddd, MMMM dd, yyyy LongTimePattern : h:mm:ss tt MonthDayPattern : MMMM dd PMDesignator : PM RFC1123Pattern : ddd, dd MMM yyyy HH':'mm':'ss 'GMT' ShortDatePattern : M/d/yyyy ShortTimePattern : h:mm tt SortableDateTimePattern : yyyy'-'MM'-'dd'T'HH':'mm':'ss TimeSeparator : : UniversalSortableDateTimePattern : yyyy'-'MM'-'dd HH':'mm':'ss'Z' YearMonthPattern : MMMM, yyyy AbbreviatedDayNames : {Sun, Mon, Tue, Wed...} ShortestDayNames : {Su, Mo, Tu, We...} DayNames : {Sunday, Monday, Tuesday, Wednesday...} AbbreviatedMonthNames : {Jan, Feb, Mar, Apr...} MonthNames : {January, February, March, April...} IsReadOnly : True NativeCalendarName : Gregorian Calendar AbbreviatedMonthGenitiveNames : {Jan, Feb, Mar, Apr...} MonthGenitiveNames : {January, February, March, April...} |
Notice the ShortDatePattern above. This is exactly what the -Format switch of Get-Date cmdlet expects, so one can use this to format the output of Get-Date in a different locale. Like thus:
|
|
PS> get-date 02 June 2013 12:33:36 PS> Get-Date -Format([Globalization.cultureinfo]::GetCultureInfo("en-US").DateTimeFormat.ShortDatePattern) 6/2/2013 PS> Get-Date -Format([Globalization.cultureinfo]::GetCultureInfo("zh-CN").DateTimeFormat.ShortDatePattern) 2013/6/2 |
So now we have seen to use the [datetime]::Parse() method to parse an input string into a DateTime object while specifying the country format of the input string. We have also seen how to output the result of get-date in the format of a different country. Both methods use the [Globalization.cultureinfo] class.
Lastly, there is an easy way to parse any string – irrespective of whether it matches the format of a country or not – into a DateTime object via the ParseExact() method. This is worth mentioning as without such a method one would have to resort to regular expressions and such!
In the example below we match an input string with time “02:50PM” by specifying the format as “hh:mmtt” to the ParseExact() method.
|
|
PS> [datetime]::ParseExact("02:50PM","hh:mmtt",$null) 02 June 2013 14:50:00 |
I am not sure what the third parameter of this method is supposed to be. Most examples put it as $null. It seems to take a “culture” as input, but I am not sure how it affects the output. Instead of $null the following too seem to work: $(get-culture), [Globalization.Cultureinfo]::GetCultureInfo("en-US") (“en-GB” too works), and [Globalization.Cultureinfo]::InvariantCulture.
The format can contain other text too. Escape the characters of such text with a slash ':
|
|
PS> [datetime]::ParseExact("At the beep the time will be 02:50PM","'At the beep the time will be' hh:mmtt",[Globalization.Cultureinfo]::GetCultureInfo("en-GB")) 02 June 2013 14:50:00 |
And just to show what happens if the format does not match:
|
|
PS> [datetime]::ParseExact("At the beep the time will be 02:50PM","'At the beep the time will be' hh:mmt",[Globalization.Cultureinfo]::GetCultureInfo("en-GB")) Exception calling "ParseExact" with "3" argument(s): "String was not recognized as a valid DateTime." At line:1 char:23 + [datetime]::ParseExact <<<< ("At the beep the time will be 02:50PM","'At the beep the time will be' hh:mmt",[Globaliz ation.Cultureinfo]::GetCultureInfo("en-GB")) + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : DotNetMethodException |
Thanks to these two posts for showing me ParseExact().
I want to find out where from a user account is locked out in my domain.
The manual way to do this would be to open up Event Viewer, scan the event logs on the DC for event ID 4740, open it up and see the message to identify the machine from where this account was locked out. But using PowerShell we can obviously automate this way easily!
First things first: how to scan the event logs using PowerShell? You can use either of Get-EventLog or Get-WinEvent. The former only works on the classic event logs while the latter works on both the classic and newer event logs such as those found in Windows Vista and later. I find the latter faster too, so let’s use that. Here’s me running that cmdlet to filter the security logs for event ID 4740 on a remote DC:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 |
PS> Get-WinEvent -FilterHashtable @{LogName='Security';Id=4740} -ComputerName dc01 | fl * Message : A user account was locked out. Subject: Security ID: S-1-5-18 Account Name: DC01$ Account Domain: ENTERPRISE Logon ID: 0x3e7 Account That Was Locked Out: Security ID: S-1-5-21-1606980848-515967899-682003330-66682 Account Name: User01 Additional Information: Caller Computer Name: MANGO Id : 4740 Version : 0 Qualifiers : Level : 0 Task : 13824 Opcode : 0 Keywords : -9214364837600034816 RecordId : 148130232 ProviderName : Microsoft-Windows-Security-Auditing ProviderId : 54849625-5478-4994-a5ba-3e3b0328c30d LogName : Security ProcessId : 468 ThreadId : 1304 MachineName : DC01.enterprise.local UserId : TimeCreated : 23/05/2013 09:26:04 ActivityId : RelatedActivityId : ContainerLog : security MatchedQueryIds : {} Bookmark : System.Diagnostics.Eventing.Reader.EventBookmark LevelDisplayName : Information OpcodeDisplayName : Info TaskDisplayName : User Account Management KeywordsDisplayNames : {Audit Success} Properties : {System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventPrope rty, System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventP roperty...} |
There’s only one event here so the details of that are returned. It gives us all the info we need at a glance: user name “User01” is locked thanks to a bad password attempt from the computer “MANGO”.
Neat!
Now let’s go about making this prettier and better.
In the code above I am specifying the domain controller to query. That’s only helpful if I have an idea of the machine or site the user is trying to login to, and so know the domain controller responsible for that site. A better approach would be to query the domain controller with the PDC Emulator FSMO role for event ID 4740. This DC is the one that eventually processes the account lockout requests for all accounts in the domain.
The cmdlet Get-ADDomainContoller gives you the domain controller of the site you are in. Adding the switch -Filter * gives you all the domain controllers in the domain. And piping this through a where-object to filter out the domain controller with the “PDC Emulator” FSMO role gives you the domain controller we are interested in. Like thus:
|
|
Get-ADDomainController -Filter * | where-object {$_.OperationMasterRoles -contains "PDCEmulator"} |
The snippet above returns an object for the DC with the PDC Emulator role, to extract just the name do thus:
|
|
(Get-ADDomainController -Filter * | where-object {$_.OperationMasterRoles -contains "PDCEmulator"}).Name |
Next, let’s go about presenting the output above in a tidier format.
One thing to note is that all the info we want is in a property called Message.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 |
PS> Get-WinEvent -FilterHashtable @{LogName='Security';Id=4740} -ComputerName dc01 | gm TypeName: System.Diagnostics.Eventing.Reader.EventLogRecord Name MemberType Definition ---- ---------- ---------- Dispose Method System.Void Dispose() Equals Method bool Equals(System.Object obj) FormatDescription Method string FormatDescription(), string FormatDescription(System.Collections.Generic.IE... GetHashCode Method int GetHashCode() GetPropertyValues Method System.Collections.Generic.IList[System.Object] GetPropertyValues(System.Diagnosti... GetType Method type GetType() ToString Method string ToString() ToXml Method string ToXml() Message NoteProperty System.String Message=A user account was locked out.... ActivityId Property System.Nullable`1[[System.Guid, mscorlib, Version=2.0.0.0, Culture=neutral, Public... ... Properties Property System.Collections.Generic.IList`1[[System.Diagnostics.Eventing.Reader.EventProper... ... PS> Get-WinEvent -FilterHashtable @{LogName='Security';Id=4740} -ComputerName dc01 | select -ExpandProperty Message A user account was locked out. Subject: Security ID: S-1-5-18 Account Name: DC01$ Account Domain: ENTERPRISE Logon ID: 0x3e7 Account That Was Locked Out: Security ID: S-1-5-21-1606980848-515967899-682003330-66682 Account Name: User01 Additional Information: Caller Computer Name: MANGO |
So one option would be to do some fancy filtering using foreach-object like thus:
|
|
PS> Get-WinEvent -FilterHashtable @{LogName='Security';Id=4740} -ComputerName dc01 | %{ write-host -ForegroundColor Red "At" $_.TimeCreated; write-host -ForegroundColor White $_.Message; write-host } At 23/05/2013 09:26:04 A user account was locked out. Subject: Security ID: S-1-5-18 Account Name: DC01$ Account Domain: ENTERPRISE Logon ID: 0x3e7 Account That Was Locked Out: Security ID: S-1-5-21-1606980848-515967899-682003330-66682 Account Name: User01 Additional Information: Caller Computer Name: MANGO |
This will list out the multiple lockout entries with the timestamp on top in red.
A better option, however, is to use the Properties property, which is an array containing exactly the info we want as values.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
PS> Get-WinEvent -FilterHashtable @{LogName='Security';Id=4740} -ComputerName dc01 | select -ExpandProperty Properties Value ----- User01 MANGO S-1-5-21-1606980848-515967899-682003330-66682 S-1-5-18 DC01$ ENTERPRISE 999 PS> (Get-WinEvent -FilterHashtable @{LogName='Security';Id=4740} -ComputerName dc01).Properties | gm TypeName: System.Diagnostics.Eventing.Reader.EventProperty Name MemberType Definition ---- ---------- ---------- Equals Method bool Equals(System.Object obj) GetHashCode Method int GetHashCode() GetType Method type GetType() ToString Method string ToString() Value Property System.Object Value {get;} |
Format-Table is your friend here:
|
|
PS> Get-WinEvent -FilterHashtable @{LogName='Security';Id=4740} -ComputerName (Get-ADDomainController -Filter * | where-object {$_.OperationMasterRoles -contains "PDCEmulator"}).Name | ` ft @{Name="User";Expression={$_.Properties[0].Value}},@{Name="Computer";Expression={$_.Properties[1].Value}},@{Name="Time";Expression={$_.TimeCreated}} User Computer Time ---- -------- ---- User01 Computer01 23/05/2013 12:20:41 User02 Computer02 23/05/2013 11:55:56 User01 Computer01 23/05/2013 11:42:40 User03 Computer06 23/05/2013 11:36:53 User01 Computer01 23/05/2013 11:03:39 User01 Computer01 23/05/2013 10:25:37 |
A one line code that’s way better than opening Event Viewer and filtering through the logs manually.
And if you want to filter by the locked out status of a specific $user, pipe the output through a where-object like thus:
|
|
Get-WinEvent -FilterHashtable @{LogName='Security';Id=4740} -ComputerName (Get-ADDomainController -Filter * | where-object {$_.OperationMasterRoles -contains "PDCEmulator"}).Name | ` Where-Object {$_.Properties[0].Value -match "$user"} | ` ft @{Name="User";Expression={$_.Properties[0].Value}},@{Name="Computer";Expression={$_.Properties[1].Value}},@{Name="Time";Expression={$_.TimeCreated}} |
Posted: April 25th, 2013 | Tags: casting, format-table, partitions, reports | Category: PowerShell | § In the previous post I wanted to convert some output to percentage figures and resorted to type casting to get it done. Turns out I don’t need to do that. Was reading more about the Format-Table cmdlet and saw that the hash table that supplies calculated properties also supports a key called FormatString which let’s one specify the format of the output.
For a quick overview of FormatString read this MSDN page. You can see various format specifier strings mentioned there. These let you define the format of the output.
Say I want to see the current time and output the remaining minutes to the hour as a percentage.
I can get the current minute thus:
|
|
get-date | ft Minute -AutoSize |
I can use an Expression block to show the balance minutes:
|
|
get-date | ft @{Name="Bal Min"; Expression={(60-$_.Minute)/60}} -AutoSize |
And if I want to format the output such that it’s shown as a percentage (the value multiplied by 100 with a % sign suffixed) I can use FormatString with the “P” format specifier:
|
|
get-date | ft @{Name="Bal Min"; Expression={(60-$_.Minute)/60}; FormatString="P"} -AutoSize |
This gives the output as a percentage figure with two decimal places (the default). I can modify that by suffixing a number to the “P” specifying the desired number of decimal places. Like for instance:
|
|
get-date | ft @{Name="Bal Min"; Expression={(60-$_.Minute)/60}; FormatString="P1"} -AutoSize |
If I want to round, I can use the “r” specifier. I can do decimal, scientific, fixed point, and so on.
Returning to the code of the previous post, here’s a revised version:
|
|
gwmi Win32_volume | ` ?{ ($_.DriveLetter -notmatch "^$") -and ($_.DriveType -eq 3) } | ft DriveLetter,Label,@{Name="Capacity"; Expression={$_.Capacity/1024/1024/1024}; FormatString="F0"},@{Name="FreeSpace"; Expression={ $_.FreeSpace/$_.Capacity }; FormatString = "P1"} |
There’s two changes: (1) I don’t type cast the Capacity to [uint32] any more to round it, rather I use the “F0” format specifier which stands for a fixed-point number with 0 decimal digits (i.e. a number like 42.9517669677734 gets converted to 43); (2) I don’t type cast for the free space to percentage either, I just use the “P1” format specifier which stands for a percentage figure with 1 decimal digit (i.e. a number like 48.6%).
Neat!
The Win32_LoggedOnUser class gives a list of logged on users to a computer. It isn’t just users logged on interactively to the console or Remote Desktop (which is a good thing) but even users connected remotely via shared folders and such (not a good thing).
But just for the curious (and since I fiddled with it today) here’s how you can format the output of this class properly.
You can use PowerShell to get instances of this class via the Get-WMIObject cmdlet thus:
The output has a lot of material, so best to filter by the Antecedent property.
|
|
gwmi Win32_LoggedOnUser | ft Antecedent |
Instead of Format-Table you may use Select-Object or anything else you fancy.
To query remote computers using the -ComputerName switch.
|
|
PS> gwmi Win32_LoggedOnUser -ComputerName GARFIELD | Select-Object Antecedent .rootcimv2:Win32_Account.Domain="GARFIELD",Name="SYSTEM" .rootcimv2:Win32_Account.Domain="GARFIELD",Name="LOCAL SERVICE" .rootcimv2:Win32_Account.Domain="GARFIELD",Name="NETWORK SERVICE" .rootcimv2:Win32_Account.Domain="MYDOMAIN",Name="xrakheshx" .rootcimv2:Win32_Account.Domain="MYDOMAIN",Name="xrakheshx" .rootcimv2:Win32_Account.Domain="MYDOMAIN",Name="xrakheshx" .rootcimv2:Win32_Account.Domain="MYDOMAIN",Name="xrakheshx" .rootcimv2:Win32_Account.Domain="MYDOMAIN",Name="xrakheshx" .rootcimv2:Win32_Account.Domain="MYDOMAIN",Name="user1" .rootcimv2:Win32_Account.Domain="MYDOMAIN",Name="user1" .rootcimv2:Win32_Account.Domain="MYDOMAIN",Name="user1" .rootcimv2:Win32_Account.Domain="GARFIELD",Name="ANONYMOUS LOGON" |
The output isn’t precise. You get a list of local accounts as well, and there are repeat entries.
In my case I want to limit to the domain accounts. Also I want to skip accounts starting and ending with the “x” character (as these are my admin accounts) and any accounts entering with a “$” character (as these are machine accounts). And I want to eliminate the duplicates. So here’s what I did:
|
|
gwmi Win32_LoggedOnUser -ComputerName GARFIELD | ` where-object { (($_.Antecedent -match "MYDOMAIN") -and ($_.Antecedent -notmatch '.*Name="x.+x"') -and ($_.Antecedent -notmatch '.*$')) } | ` %{ $_.Antecedent -replace '.*Name="(.*)"','$1' } | select-object -Unique |
Once again, the beauty of PowerShell is that you can glue things together. So, for instance, if I want to get a list of machines in my domain along with the currently logged in users, I can do that.
To get a list of machines in a particular OU I use the following (this requires the ActiveDirectory module to be imported first!):
|
|
Get-ADComputer -SearchBase "OU=Muscat,OU=Win_7,OU=computers,DC=rakhesh,DC=com" -Filter * |
I already have the code for getting the logged in user on a machine, so all I need to do is pipe the output of the Get-ADComputer to Format-Table and tell it to populate the user column dynamically. Like thus:
|
|
Get-ADComputer -SearchBase "OU=Muscat,OU=Win_7,OU=computers,DC=rakhesh,DC=com" -Filter * | ` ft Name,@{Name="Logged in User"; Expression={ gwmi Win32_LoggedOnUser -ComputerName $_.Name | where-object { (($_.Antecedent -match "MYDOMAIN") -and ( $_.Antecedent -notmatch '.*Name="x.+x"') -and ($_.Antecedent -notmatch '.*$')) } | %{ $_.Antecedent -replace '.*Name="(.*)"','$1' } | select-object -Unique } } |
The code within the Expression block is similar to the code for querying a single machine, except that I replace the machine name with $_.Name.
The output is a list of machines with the logged in user(s). If there are no logged in users that field is empty {} else it’s a single user name or a list of user names.
Of course, the Win32_LoggedOnUser class isn’t useful if users access each other’s machines via shared folders and such; but in that case it’s just a matter of replacing the Expression block above with code that gives more focussed results. Two great posts on how to list logged in users on a machine are this and this.
I wanted to expand the code above to also include IP addresses too. A PowerShell one-liner to get IP address from a name is the following:
|
|
PS> [System.Net.Dns]::GetHostAddresses("www.msn.com") IPAddressToString : 207.68.173.76 Address : 1286423759 AddressFamily : InterNetwork ScopeId : IsIPv6Multicast : False IsIPv6LinkLocal : False IsIPv6SiteLocal : False |
To limit the output to just the IP address do the following:
|
|
PS> [System.Net.Dns]::GetHostAddresses("www.msn.com") | Select IPAddressToString -ExpandProperty IPAddressToString |
And to restrict to just IPv4 addresses add the following:
|
|
PS> [System.Net.Dns]::GetHostAddresses("www.msn.com") | where-object { $_.AddressFamily -eq "InterNetwork" } | Select IPAddressToString -ExpandProperty IPAddressToString |
Going by these it’s pretty obvious what we have to do to add an IP address column:
|
|
Get-ADComputer -SearchBase "OU=Muscat,OU=Win_7,OU=computers,DC=rakhesh,DC=com" -Filter * | ` ft Name,@{Name="Logged in User"; Expression={ gwmi Win32_LoggedOnUser -ComputerName $_.Name | where-object { (($_.Antecedent -match "MYDOMAIN") -and ( $_.Antecedent -notmatch '.*Name="x.+x"') -and ($_.Antecedent -notmatch '.*$')) } | %{ $_.Antecedent -replace '.*Name="(.*)"','$1' } | select-object -Unique } },@{Name="IP Address"; Expression={ [System.Net.Dns]::GetHostAddresses($_.Name) | where-object { $_.AddressFamily -eq "InterNetwork" } | Select IPAddressToString -ExpandProperty IPAddressToString } } |
|