Capture Windows logs using PowerShell


Introduction

Today we are going to learn how to capture Windows logs using PowerShell. While working on Windows it sometimes becomes important to capture a set of logs that you can review later, for example when a user is waiting to resume his work and doesn't want you occupying his workstation.

In that case, you can use the commands below to capture whatever information you require:

Before running the following commands, please create the folder c:\diag

md c:\diag

System Events

get-eventlog system | sort-object timegenerated | select-object timegenerated,entrytype,machinename,eventid,source,username,message | export-csv c:\diag\system.csv -notype

Application Event

get-eventlog application | sort-object timegenerated | select-object timegenerated,entrytype,machinename,eventid,source,username,message | export-csv c:\diag\application.csv -notype

SMB Event Logs

SMB Client

get-winevent -logname Microsoft-Windows-SMBClient/Connectivity | sort-object timeCreated | select-object timecreated, machinename, id, ContainerLog, LevelDisplayName, userid, message | export-csv c:\diag\Microsoft-Windows-SMBClient-Connectivity.csv -notype

get-winevent -logname Microsoft-Windows-SMBClient/Operational | sort-object timeCreated | select-object timecreated, machinename, id, ContainerLog, LevelDisplayName, userid, message | export-csv c:\diag\Microsoft-Windows-SMBClient-Operational.csv -notype

get-winevent -logname Microsoft-Windows-SMBClient/Security | sort-object timeCreated | select-object timecreated, machinename, id, ContainerLog, LevelDisplayName, userid, message | export-csv c:\diag\Microsoft-Windows-SMBClient-Security.csv -notype

SMB Server

get-winevent -logname Microsoft-Windows-SMBServer/Operational | sort-object timeCreated | select-object timecreated, machinename, id, ContainerLog, LevelDisplayName, userid, message | export-csv c:\diag\Microsoft-Windows-SMBServer-Operational.csv -notype

get-winevent -logname Microsoft-Windows-SMBServer/Connectivity | sort-object timeCreated | select-object timecreated, machinename, id, ContainerLog, LevelDisplayName, userid, message | export-csv c:\diag\Microsoft-Windows-SMBServer-Connectivity.csv -notype

get-winevent -logname Microsoft-Windows-SMBServer/Security | sort-object timeCreated | select-object timecreated, machinename, id, ContainerLog, LevelDisplayName, userid, message | export-csv c:\diag\Microsoft-Windows-SMBServer-Security.csv -notype

List of installed Windows Updates and Hotfixes

wmic qfe list brief /format:texttablewsys >c:\diag\hotfix.txt 

List of filter drivers

fltmc >c:\diag\fltmc.txt
fltmc instances >>c:\diag\fltmc.txt 

System Information

msinfo32 /nfo c:\diag\msinfo32.nfo 

Hyper-V Event Logs

get-winevent -logname microsoft-windows-Hyper-V-VMMS-ADMIN | sort-object timeCreated | select-object timecreated, machinename, id, ContainerLog, LevelDisplayName, userid, message | export-csv c:\diag\Hyper-V-VMMS-ADMIN.csv -notype

get-winevent -logname microsoft-windows-Hyper-V-VMMS-operational | sort-object timeCreated | select-object timecreated, machinename, id, ContainerLog, LevelDisplayName, userid, message | export-csv c:\diag\Hyper-V-VMMS-operational.csv -notype

get-winevent -logname microsoft-windows-Hyper-V-Worker-ADMIN | sort-object timeCreated | select-object timecreated, machinename, id, ContainerLog, LevelDisplayName, userid, message | export-csv c:\diag\Hyper-V-Worker-Admin.csv -notype

Failover Clustering Logs

Failover Clustering Events

get-winevent -logname microsoft-windows-failoverclustering/operational |  sort-object timeCreated | select-object timecreated, machinename, id, ContainerLog, LevelDisplayName, userid, message | export-csv c:\diag\failoverclustering-operational.csv -notype 
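The event log exports above all follow one pattern, so here is an added example script (not part of the original post) that runs them in one go, skips any channel that is missing or empty on the machine instead of stopping on an error, and records a SHA-256 hash of each export so the copy you review later can be checked against what was collected. The destination folder and the log list are taken from the post; everything else is my own.

```powershell
# Added example: export the event logs named in the post to c:\diag as CSV.
# Run from an elevated prompt; several of these channels need admin rights to read.
$Dest = 'c:\diag'
New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# Classic logs (Get-EventLog) and ETW channels (Get-WinEvent) as listed in the post.
# Get-EventLog exists in Windows PowerShell 5.1 only; on PowerShell 7 use
# Get-WinEvent -LogName System / Application instead.
$ClassicLogs = 'System', 'Application'
$Channels = @(
    'Microsoft-Windows-SMBClient/Connectivity',
    'Microsoft-Windows-SMBClient/Operational',
    'Microsoft-Windows-SMBClient/Security',
    'Microsoft-Windows-SMBServer/Operational',
    'Microsoft-Windows-SMBServer/Connectivity',
    'Microsoft-Windows-SMBServer/Security',
    'Microsoft-Windows-Hyper-V-VMMS-Admin',
    'Microsoft-Windows-Hyper-V-VMMS-Operational',
    'Microsoft-Windows-Hyper-V-Worker-Admin',
    'Microsoft-Windows-FailoverClustering/Operational'
)

foreach ($log in $ClassicLogs) {
    Get-EventLog -LogName $log |
        Sort-Object TimeGenerated |
        Select-Object TimeGenerated, EntryType, MachineName, EventID, Source, UserName, Message |
        Export-Csv (Join-Path $Dest "$log.csv") -NoTypeInformation
}

foreach ($channel in $Channels) {
    # -ListLog returns nothing when the channel is not registered on this host
    # (e.g. SMBServer or Hyper-V channels on a client SKU), so check before reading.
    $info = Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue
    if (-not $info) { Write-Warning "Log '$channel' not present, skipping"; continue }
    # Get-WinEvent raises "No events were found" on an empty channel; skip those too.
    if ($info.RecordCount -eq 0) { Write-Warning "Log '$channel' is empty, skipping"; continue }

    # Build the file name the same way the post does: '/' in the channel name becomes '-'.
    $file = Join-Path $Dest (($channel -replace '/', '-') + '.csv')
    Get-WinEvent -LogName $channel -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, MachineName, Id, ContainerLog, LevelDisplayName, UserId, Message |
        Export-Csv $file -NoTypeInformation
}

# Hash every export so the reviewed copy can be verified against the collected one.
Get-ChildItem $Dest -Filter *.csv | Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash |
    Export-Csv (Join-Path $Dest 'hashes.csv') -NoTypeInformation
```

Keep hashes.csv with the rest of the c:\diag folder when you copy it to your own workstation; if a CSV's SHA-256 no longer matches, the export was altered or corrupted in transit.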

Cluster Logs

Get-ClusterLog -Destination c:\diag\ 

Cluster Registry Hive

reg save "HKEY_LOCAL_MACHINE\Cluster" c:\diag\cluster.hiv 

Performance Monitor sample

  • Create a new Data Collector Set with the following command:
logman create counter PerfLog-Short -o "c:\diag\%computername%_PerfLog-Short.blg" -f bincirc -v mmddhhmm -max 300 -c "\LogicalDisk(*)\*" "\Memory\*" "\.NET CLR Memory(*)\*" "\Cache\*" "\Network Interface(*)\*" "\Netlogon(*)\*" "\Paging File(*)\*" "\PhysicalDisk(*)\*" "\Processor(*)\*" "\Processor Information(*)\*" "\Process(*)\*" "\Redirector\*" "\Server\*" "\System\*" "\Server Work Queues(*)\*" "\Terminal Services\*" -si 00:00:01 
  • Start the Data Collector Set with the following command
logman start PerfLog-Short 
  • Let the monitor run for ~10 minutes
  • Stop the Data Collector Set with the following command
logman stop PerfLog-Short 

Storport Trace

  • Create and start a new Event Trace Session with the following command
logman create trace "storport" -ow -o c:\diag\storport.etl -p "Microsoft-Windows-StorPort" 0xffffffffffffffff 0xff -nb 16 16 -bs 1024 -mode Circular -f bincirc -max 4096 -ets 
  • Let the trace run for ~10-20 minutes
  • Stop the Event Trace Session with the following command
logman stop storport -ets 

Now that you know how to capture Windows logs using PowerShell, the next time you are in a situation where the user doesn't want to wait while you work on the logs, you can run these commands and review the data on your own workstation.

For more information on Tools and Processes Please refer to https://knowitlikepro.com/category/tools-and-software/

Ashutosh Dixit

I am currently working as a Senior Technical Support Engineer with VMware Premier Services for Telco. Before this, I worked as a Technical Lead with Microsoft Enterprise Platform Support for Production and Premier Support. I am an expert in High-Availability, Deployments, and VMware Core technology along with Tanzu and Horizon.
