I am trying to extract some part of the message from the event log output.
I ran the below command:
$filterXml = ‘<QueryList>
<Query Id="0" Path="atm">
<Select Path="atm">*[System[(Level=2)]]</Select>
</Query>
</QueryList>’
$event = Get-WinEvent –FilterXml $filterXml
I am using different methods to get the desired output required by running the below commands but none worked out properly. Maybe I did not try and worked out it perfectly.
$event.Message.Substring(56,139)
$event.Message.split(":")
$event =
[int]($event.message | Select-String "jobId").Matches.Groups[2].Value
My output:
Message: Shell.SmartM.atm.Service.atmServiceException: {jobId:38895,name:All Reports: Kiran, Kumar,reportConfigurationId:1805
0,status:Error} --- Shell.SmartM.atm.Service.DataException: An error occurred while attempting to retrieve data from system. --- System.InvalidOperationException: Request to system failed with status code NotFound --- System.Exception: {Errors:[An exception has occurred. Please contact your
System administrator for help in enabling debug mode.]} .....
App Domain: /LM/W3SVC/2/
ProcessId: 3696
Win32 ThreadId: 5536
Extended Properties:
UserId: LOCALHOST
I am trying to get values from the above output for
jobid:
name:
Shell.SmartM.atm.Service.DataException:
System.InvalidOperationException:
System.Exception: {Errors:
I am creating an event log with PowerShell using the following command:
New-EventLog -LogName "TestLog" -Source "TestLog_Source"
The log gets created but all of its properties are blank.
I've tried removing the log and re-running the command and it has not worked.
Log Name:
Source:
Event ID:
Level:
User:
OpCode:
More information: Event Log Online Help
I also notice that the application is not actually logging anything to the log either. The above is what the first column of the event log properties at the bottom shows me. There are other event logs on the server that show those values populated.
I am trying to script the elimination/backup of the OEM partition (which just brings back the system to an outdated version of no practical use).
On many systems, using DISKPART list partition returns more recovery type partitions: one is the official Microsoft Recovery Tools partition (WinRE) and others come from the OEMs.
The first step is to safely identify the position of the WinRE partition. I did not find any straight way in bcdedit or PS other than:
$renv=(bcdedit /enum "{default}" | Select-String "^recoverysequence" | Out-String | Select-String "{.+}").Matches.Value
(bcdedit /enum $renv | Select-String "^device" | Out-String | Select-String "\[.+\]").Matches.Value
This returns a string like:
[\Device\HarddiskVolume1]
where the volume number is the partition to use in Diskpart. (Remaining recovery partitions and the OEM type partitions can be backupped).
Is this the correct procedure to identify the WinRE partition?
Any more straight and/or better approach?
There's a command line tool called ReagentC, and it's in the path, so you can call it from any administrative command prompt.
reagentc /info
...will produce some output like:
Windows RE status: Enabled
Windows RE location: \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
Boot Configuration Data (BCD) identifier: 496c58c4-71cb-11e9-af8f-001c42903d2e
Recovery image location:
Recovery image index: 0
Custom image location:
Custom image index: 0
Also, if you're writing code to do the work, you can discover the recovery partition by calling a winapi function to do the work. It's an obnoxiously complicated api to call...but for what it's worth, it's DeviceIOControl with the control code of IOCTL_DISK_GET_PARTITION_INFO_EX. If you're not using C or some language that defines unions, this is a pain. The structure you get back varies with whether the disk is GPT or MBR format.
If the disk is MBR, the returned partition type will be 0x27, and if it's a GPT drive the partition type will be the guid: de94bba4-06d1-4d40-a16a-bfd50179d6ac.
Aside from streamlining the Select-String with a Lookbehind-RE
I dont't see a better approach ATM.
$renv=(bcdedit /enum "{default}" | Select-String "(?<=^recoverysequence\s+)({.+})").Matches.Value
(bcdedit /enum $renv | Select-String "(?<=^device.+)\[.+\]").Matches.Value
[\Device\HarddiskVolume5]
Is there a way I could make msiexec return the error/success message instead of the default exit code? for instance:
msiexec /i "D:/path/installer.msi"
might return 1603, and referencing the lookup table explains that
A fatal error occurred during installation.
I would like the message, or even the error code ERROR_INSTALL_FAILURE to be returned instead of the exit code 1603.
Note: Not sure if the effort poured into this answer serves a real-world purpose, but it may be of interest for demonstrating various advanced PowerShell techniques: Advanced regex matching using the automatic $matches variable, scraping a web page via Invoke-WebRequest, and calling the Windows API via Add-Type.
Find function friendlyMsiExec below, which
scrapes the MSDN page to get the official table of defined MSI error codes (exit codes)
if that fails - scraping is not the most robust technique (page structures and URLs change) - the function issues a warning and uses a hard-coded table instead.
Invokes msiexec synchronously, looks up the exit code in the scraped/built-in table and outputs the error message corresponding to the exit code.
Once defined, you can invoke it as follows:
> friendlyMsiExec /i "D:/path/installer.msi" # assume the exit code is 1603
A fatal error occurred during installation. (1603)
Note:
The exit code will be available as $LASTEXITCODE after the function returns.
Scraping is not only not the most robust, but the page download and parsing takes a few seconds, although in the context of an MSI installation that probably won't matter much.
An exit code may also be a regular Windows API error code ("any error in Winerror.h"), so, as a fallback, the FormatMessage Windows API function is consulted, courtesy of an adaptation of this helpful C# answer.
function friendlyMsiExec {
# Try to scrape the MSDN page for the complete list of error codes (exit codes).
# Note: This is not the most robust approach as web pages aren't designed for
# programmatic data extraction, and the format of the page may change over time.
$htErrors = #{}
# Table is in a <table> element with attritubte 'summary="table"'.
$tbl = (Invoke-WebRequest 'https://msdn.microsoft.com/en-us/library/windows/desktop/aa376931(v=vs.85).aspx').ParsedHtml.getElementsByTagName('table') | ? { $_.getAttribute('summary') -eq 'table' }
# Parse the text representation (.InnerText) using regular expressions.
$tbl.InnerText -split '\r?\n' | % { if ($_ -match "^(ERROR_.+?)(\d+)(.+)$") { $htErrors.Add([int] $matches[2], #( $matches[1], $matches[3] )) } }
if ($htErrors.Count -eq 0) { # Scraping failed, use hard-coded table (current as of 2 Nov 2016).
Write-Warning "Scraping the MSDN page for error codes failed, falling back to hard-coded table."
$htErrors = #{
0 = 'ERROR_SUCCESS', 'The action completed successfully.'
13 = 'ERROR_INVALID_DATA', 'The data is invalid.'
87 = 'ERROR_INVALID_PARAMETER', 'One of the parameters was invalid.'
120 = 'ERROR_CALL_NOT_IMPLEMENTED', 'This value is returned when a custom action attempts to call a function that cannot be called from custom actions. The function returns the value ERROR_CALL_NOT_IMPLEMENTED. Available beginning with Windows Installer version 3.0.'
1259 = 'ERROR_APPHELP_BLOCK', 'If Windows Installer determines a product may be incompatible with the current operating system, it displays a dialog box informing the user and asking whether to try to install anyway. This error code is returned if the user chooses not to try the installation.'
1601 = 'ERROR_INSTALL_SERVICE_FAILURE', 'The Windows Installer service could not be accessed. Contact your support personnel to verify that the Windows Installer service is properly registered.'
1602 = 'ERROR_INSTALL_USEREXIT', 'The user cancels installation.'
1603 = 'ERROR_INSTALL_FAILURE', 'A fatal error occurred during installation.'
1604 = 'ERROR_INSTALL_SUSPEND', 'Installation suspended, incomplete.'
1605 = 'ERROR_UNKNOWN_PRODUCT', 'This action is only valid for products that are currently installed.'
1606 = 'ERROR_UNKNOWN_FEATURE', 'The feature identifier is not registered.'
1607 = 'ERROR_UNKNOWN_COMPONENT', 'The component identifier is not registered.'
1608 = 'ERROR_UNKNOWN_PROPERTY', 'This is an unknown property.'
1609 = 'ERROR_INVALID_HANDLE_STATE', 'The handle is in an invalid state.'
1610 = 'ERROR_BAD_CONFIGURATION', 'The configuration data for this product is corrupt. Contact your support personnel.'
1611 = 'ERROR_INDEX_ABSENT', 'The component qualifier not present.'
1612 = 'ERROR_INSTALL_SOURCE_ABSENT', 'The installation source for this product is not available. Verify that the source exists and that you can access it.'
1613 = 'ERROR_INSTALL_PACKAGE_VERSION', 'This installation package cannot be installed by the Windows Installer service. You must install a Windows service pack that contains a newer version of the Windows Installer service.'
1614 = 'ERROR_PRODUCT_UNINSTALLED', 'The product is uninstalled.'
1615 = 'ERROR_BAD_QUERY_SYNTAX', 'The SQL query syntax is invalid or unsupported.'
1616 = 'ERROR_INVALID_FIELD', 'The record field does not exist.'
1618 = 'ERROR_INSTALL_ALREADY_RUNNING', 'Another installation is already in progress. Complete that installation before proceeding with this install.'
1619 = 'ERROR_INSTALL_PACKAGE_OPEN_FAILED', 'This installation package could not be opened. Verify that the package exists and is accessible, or contact the application vendor to verify that this is a valid Windows Installer package.'
1620 = 'ERROR_INSTALL_PACKAGE_INVALID', 'This installation package could not be opened. Contact the application vendor to verify that this is a valid Windows Installer package.'
1621 = 'ERROR_INSTALL_UI_FAILURE', 'There was an error starting the Windows Installer service user interface. Contact your support personnel.'
1622 = 'ERROR_INSTALL_LOG_FAILURE', 'There was an error opening installation log file. Verify that the specified log file location exists and is writable.'
1623 = 'ERROR_INSTALL_LANGUAGE_UNSUPPORTED', 'This language of this installation package is not supported by your system.'
1624 = 'ERROR_INSTALL_TRANSFORM_FAILURE', 'There was an error applying transforms. Verify that the specified transform paths are valid.'
1625 = 'ERROR_INSTALL_PACKAGE_REJECTED', 'This installation is forbidden by system policy. Contact your system administrator.'
1626 = 'ERROR_FUNCTION_NOT_CALLED', 'The function could not be executed.'
1627 = 'ERROR_FUNCTION_FAILED', 'The function failed during execution.'
1628 = 'ERROR_INVALID_TABLE', 'An invalid or unknown table was specified.'
1629 = 'ERROR_DATATYPE_MISMATCH', 'The data supplied is the wrong type.'
1630 = 'ERROR_UNSUPPORTED_TYPE', 'Data of this type is not supported.'
1631 = 'ERROR_CREATE_FAILED', 'The Windows Installer service failed to start. Contact your support personnel.'
1632 = 'ERROR_INSTALL_TEMP_UNWRITABLE', 'The Temp folder is either full or inaccessible. Verify that the Temp folder exists and that you can write to it.'
1633 = 'ERROR_INSTALL_PLATFORM_UNSUPPORTED', 'This installation package is not supported on this platform. Contact your application vendor.'
1634 = 'ERROR_INSTALL_NOTUSED', 'Component is not used on this machine.'
1635 = 'ERROR_PATCH_PACKAGE_OPEN_FAILED', 'This patch package could not be opened. Verify that the patch package exists and is accessible, or contact the application vendor to verify that this is a valid Windows Installer patch package.'
1636 = 'ERROR_PATCH_PACKAGE_INVALID', 'This patch package could not be opened. Contact the application vendor to verify that this is a valid Windows Installer patch package.'
1637 = 'ERROR_PATCH_PACKAGE_UNSUPPORTED', 'This patch package cannot be processed by the Windows Installer service. You must install a Windows service pack that contains a newer version of the Windows Installer service.'
1638 = 'ERROR_PRODUCT_VERSION', 'Another version of this product is already installed. Installation of this version cannot continue. To configure or remove the existing version of this product, use Add/Remove Programs in Control Panel.'
1639 = 'ERROR_INVALID_COMMAND_LINE', 'Invalid command line argument. Consult the Windows Installer SDK for detailed command-line help.'
1640 = 'ERROR_INSTALL_REMOTE_DISALLOWED', 'The current user is not permitted to perform installations from a client session of a server running the Terminal Server role service.'
1641 = 'ERROR_SUCCESS_REBOOT_INITIATED', 'The installer has initiated a restart. This message is indicative of a success.'
1642 = 'ERROR_PATCH_TARGET_NOT_FOUND', 'The installer cannot install the upgrade patch because the program being upgraded may be missing or the upgrade patch updates a different version of the program. Verify that the program to be upgraded exists on your computer and that you have the correct upgrade patch.'
1643 = 'ERROR_PATCH_PACKAGE_REJECTED', 'The patch package is not permitted by system policy.'
1644 = 'ERROR_INSTALL_TRANSFORM_REJECTED', 'One or more customizations are not permitted by system policy.'
1645 = 'ERROR_INSTALL_REMOTE_PROHIBITED', 'Windows Installer does not permit installation from a Remote Desktop Connection.'
1646 = 'ERROR_PATCH_REMOVAL_UNSUPPORTED', 'The patch package is not a removable patch package. Available beginning with Windows Installer version 3.0.'
1647 = 'ERROR_UNKNOWN_PATCH', 'The patch is not applied to this product. Available beginning with Windows Installer version 3.0.'
1648 = 'ERROR_PATCH_NO_SEQUENCE', 'No valid sequence could be found for the set of patches. Available beginning with Windows Installer version 3.0.'
1649 = 'ERROR_PATCH_REMOVAL_DISALLOWED', 'Patch removal was disallowed by policy. Available beginning with Windows Installer version 3.0.'
1650 = 'ERROR_INVALID_PATCH_XML', 'The XML patch data is invalid. Available beginning with Windows Installer version 3.0.'
1651 = 'ERROR_PATCH_MANAGED_ADVERTISED_PRODUCT', 'Administrative user failed to apply patch for a per-user managed or a per-machine application that is in advertise state. Available beginning with Windows Installer version 3.0.'
1652 = 'ERROR_INSTALL_SERVICE_SAFEBOOT', 'Windows Installer is not accessible when the computer is in Safe Mode. Exit Safe Mode and try again or try using System Restore to return your computer to a previous state. Available beginning with Windows Installer version 4.0.'
1653 = 'ERROR_ROLLBACK_DISABLED', 'Could not perform a multiple-package transaction because rollback has been disabled. Multiple-Package Installations cannot run if rollback is disabled. Available beginning with Windows Installer version 4.5.'
1654 = 'ERROR_INSTALL_REJECTED', 'The app that you are trying to run is not supported on this version of Windows. A Windows Installer package, patch, or transform that has not been signed by Microsoft cannot be installed on an ARM computer.'
3010 = 'ERROR_SUCCESS_REBOOT_REQUIRED', 'A restart is required to complete the install. This message is indicative of a success. This does not include installs where the ForceReboot action is run. '
}
}
# Execute msiexec synchronously.
$psInfo = Start-Process -PassThru -NoNewWindow -Wait msiexec -ArgumentList $Args
# Get the exit code.
$ec = $psInfo.ExitCode
# Look up the exit code returned in the hashtable and extract the error *message*.
if ($htErrors[$ec]) {
# Use subscript [0] to extract the *symbolic name* instead.
$errMsg = $htErrors[$ec][1] # -replace '\r'
} else { # not found in table
# See if it's a Windows (system) error code.
# Helper type for getting Windows (system) error messages by error code.
# Returns $null if no message is found.
# Example:
# [net.same2u.pshelper.WinErrMsg]::Get(2) # -> "The system cannot find the file specified."
Add-Type -TypeDefinition #'
using System;
using System.Runtime.InteropServices;
using System.Text;
namespace net.same2u.pshelper {
public static class WinErrMsg {
[DllImport("kernel32.dll")]
static extern int FormatMessage(int dwFlags, IntPtr lpSource, int dwMessageId, int dwLanguageId, System.Text.StringBuilder lpBuffer, int nSize, IntPtr Arguments);
public static string Get(int errCode) {
const int CAPACITY = 512;
const int FORMAT_MESSAGE_FROM_SYSTEM = 0x00001000;
StringBuilder sb = new StringBuilder(CAPACITY);
FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM, IntPtr.Zero, errCode, 0, sb, sb.Capacity, IntPtr.Zero);
// Remove trailing CRLF
int i = sb.Length;
if (i>0 && sb[i - 1] == 10) i--;
if (i>0 && sb[i - 1] == 13) i--;
sb.Length = i;
return sb.Length > 0 ? sb.ToString() : null;
}
}
}
'#
$errMsg = [net.same2u.pshelper.WinErrMsg]::Get($ec)
# Determine fallback message, if no match was found.
if (-not $errMsg) { $errMsg = "An unknown exit code was reported."}
}
# Set $LASTEXITCODE, so that the caller can inspect the exit code later.
Set-Variable -Scope 1 LASTEXITCODE $ec
# Output the message, suffixed with the exit code.
"$errMsg ($ec)"
}
No, the msi can't replace the Error Code with the message itself.
Like Ansgar Wiechers said the msi was meant to create an log file on each machine you execute it, on the same folder ( e.g. C:\Windows\Temp). With the /l parameters you can modify the output in that file. If you need an comprehensive log you should start with voicewarmupx.
Well an MSI install doesn't always return 1603. The primary reason for a 1603 is a failing custom action where Windows Installer doesn't know why the custom action code failed, and that custom action code was not robust enough to handle its own errors and provide a message before causing the install to fail (and probably roll back). The verbose log should tell you why it failed.
So if it's your MSI you have the opportunity to correct it, otherwise you are at the mercy of the quality of development of the MSI.
Also, your question contains a contradiction: you say you would like the error code ERROR_INSTALL_FAILURE to be returned instead of the exit code, but the 1603 exit code is ERROR_INSTALL_FAILURE.
I run the command wevtutil qe Application /rd:false /f:text and I get an output as shown below. After sometime new event logs could have generated and I want to read only these new event logs i.e. Event[2], Event[3], Event[4] etc.
How can I use wevtutil tool to generate only these new event logs?
Event[0]:
Log Name: Application
Source: Microsoft-Windows-LoadPerf
Date: 2016-04-21T23:15:16.832
Event ID: 1000
Task: N/A
Level: Information
Opcode: Info
Keyword: N/A
User: S-1-5-18
User Name: NT AUTHORITY\SYSTEM
Computer: WIN-IONOGQTF9O5
Description:
Performance counters for the WmiApRpl (WmiApRpl) service were loaded successfully. The Record Data in the data section contains the new index values assigned to this service.
Event[1]:
Log Name: Application
Source: Microsoft-Windows-LoadPerf
Date: Date: 2016-04-21T23:15:13.097
Event ID: 3011
Task: N/A
Level: Information
Opcode: Info
Keyword: N/A
User: S-1-5-18
User Name: NT AUTHORITY\SYSTEM
Computer: WIN-IONOGQTF9O5
Description:
Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.
weventil is not PowerShell so I was mislead. However, you could just do this:
Get-EventLog -LogName Application -Newest -After ( Get-Date ).AddDays(-1)
/rd:false will read the oldest first so if your looking for newest it may not be the best query.
I'm not aware of a read/unread tag for eventlogs, you could create a custom object and add one but that may not be the best way to go around it.
You can also do the below
$lastRanDate = "2018-11-30T17:20:55" ##import from a txt file
$date = Get-date -UFormat %Y-%m-%dT%H:%M:%S
##Get's current date and formats as following example 2018-12-01T17:17:45
$difference = New-TimeSpan -Start $lastRanDate -End $date
##Calculate difference between start time and end time
$difference = $difference.TotalMilliseconds
wevtutil epl Application "C:\Users\Pipastrilo\Desktop\appTest.evtx" /q:"*[System[TimeCreated[timediff(#SystemTime) <= $difference]]]"
## exportLog logName Path query(TimeCreated between current and HowManayMillisecondsAgo
$lastRanDate = $date
##export $lastRunDate for future searches