I can get all event log messages via WMI in powershell like
Get-WmiObject -query "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security'"
To enumerate all event logs I use
Get-WmiObject win32_nteventlogfile
FileSize LogfileName Name NumberOfRecords
-------- ----------- ---- ---------------
26218496 Application C:\WINDOWS\System32\Winevt\Logs\Application.evtx 75510
69632 HardwareEvents C:\WINDOWS\System32\Winevt\Logs\HardwareEvents.evtx 0
69632 Internet Explorer C:\WINDOWS\System32\Winevt\Logs\Internet Explorer.evtx 0
69632 Key Management Service C:\WINDOWS\System32\Winevt\Logs\Key Management Service.evtx 0
69632 OAlerts C:\WINDOWS\System32\Winevt\Logs\OAlerts.evtx 39
69632 Parameters C:\WINDOWS\System32\Winevt\Logs\Parameters.evtx 0
12652544 Security C:\WINDOWS\System32\Winevt\Logs\Security.evtx 18840
69632 State C:\WINDOWS\System32\Winevt\Logs\State.evtx 0
8458240 System C:\WINDOWS\System32\Winevt\Logs\System.evtx 15108
69632 Windows Azure C:\WINDOWS\System32\Winevt\Logs\Windows Azure.evtx 0
2166784 Windows PowerShell C:\WINDOWS\System32\Winevt\Logs\Windows PowerShell.evtx 1656
So far found not a way to parse all other logs showing up under Applications and Service Logs
With Powershell I can get the log files via
Get-WinEvent -ListLog *
LogMode MaximumSizeInBytes RecordCount LogName
------- ------------------ ----------- -------
Circular 15728640 1656 Windows PowerShell
Circular 1052672 0 Windows Azure
Circular 20971520 15123 System
Circular 20971520 19404 Security
Circular 1052672 39 OAlerts
Circular 20971520 0 Key Management Service
Circular 1052672 0 Internet Explorer
Circular 20971520 0 HardwareEvents
Circular 26214400 75525 Application
Circular 1052672 0 WitnessClientAdmin
Circular 1052672 Windows Networking Vpn Plugin Platform/OperationalVerbose
Circular 1052672 Windows Networking Vpn Plugin Platform/Operational
Circular 1052672 0 SMSApi
Circular 1052672 66 Setup
Circular 1052672 0 OpenSSH/Operational
Circular 1052672 0 OpenSSH/Admin
Circular 1052672 Network Isolation Operational
Circular 1052672 0 Microsoft-WS-Licensing/Admin
Circular 1052672 0 Microsoft-WindowsPhone-Connectivity-WiFiConnSvc-Channel
Circular 1052672 0 Microsoft-Windows-WWAN-SVC-Events/Operational
But when I try to read other log files then I get nothing. When I try to read e.g. the Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant file I get nothing back:
Get-WmiObject -query "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant'"
The log file has a different name
Directory of C:\Windows\System32\winevt\Logs
12/26/2019 07:55 PM 69,632 Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx
In the event viewer the name is displayed as
What would be the correct log file name I need to enter to the WMI query to read the events?
Better late than never I guess.
Create the following key in registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Program-Compatibility-Assistant/Analytic
No values required, just the key.
You should then be able to run a query like this
select * from Win32_NTLogEvent where logfile = 'Microsoft-Windows-Program-Compatibility-Assistant/Analytic'
Related
I am trying to monitor the running process in my machine.
To achieve this i leveraged Telegraf, Influxdb, Grafana
In telegraf I used procstat plugin and i used the tag procstat_lookup
My telegraf conf file:
[[inputs.procstat]]
pid_tag = true
exe = ""
systemd_unit = "sshd"
[[inputs.procstat]]
pid_tag = true
exe = ""
systemd_unit = "influxd"
When i run the query Select * from procstat_lookup where time >= now() - 120s in Ubuntu Machine I get the output:
time exe pattern pid_count pid_finder result result_code running
systemd_unit
---- --- ------- --------- ---------- ------ ----------- ------- ------------
1569906900000000000 1 pgrep success 0 1 apache2
1569906900000000000 1 pgrep success 0 1 sshd
But when i run the same query in Centos Machine I get the output:
time pid_count systemd_unit
---- --------- ------------
1569909600000000000 1 apache2
1569909600000000000 1 sshd
I wonder why there is a different output for the same configuration in the two different OS
I'm using check_mk as monitoring solution and I disabled WMI service cause it create timeout when check_mk query for information.
Get-WmiObject / Get-Disk / Get-PSDrive use WMI service to get information and I would like to get disk information like total space, used space etc without using WMI beacause I can't.
Do you know any workaround do to that?
TL;DR -
(echo select disk=0 & echo list partition & (for /l %A in (1,1,10) do #echo select disk=next &#echo list partition)) | diskpart | findstr /i /v /r "^$ > microsoft ^reached ^select ^there ^the\ start"
Details -
The 'diskpart.exe' command can get you what you want. It requires admin rights, but since you mentioned disabling services, that didn't sound like an issue.
Rather than interacting with DISKPART's unique menu system, this example will blindly request the list of partitions on the first 11 disks (and filter away unnecessary lines..). Should be enough.
:-)
Cmd:
(echo select disk=0 & echo list partition & (for /l %A in (1,1,10) do #echo select disk=next &#echo list partition)) | diskpart | findstr /i /v /r "^$ > microsoft ^reached ^select ^there ^the\ start"
Output From My Live System:
Disk 0 is now the selected disk.
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1863 GB 1024 KB
Disk 1 is now the selected disk.
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 350 MB 1024 KB
Partition 2 Primary 270 GB 351 MB
Partition 3 Recovery 845 MB 271 GB
Partition 4 Primary 204 GB 272 GB
Disk 2 is now the selected disk.
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 931 GB 1024 KB
I use ipptool to get the status of the current print job.
C:\Users\Administrator>ipptool http://localhost/ipp/printers get-completed-jobs.test
job-id job-state job-name job-originating-user-name job-media-sheets-completed
------ --------- -------- ------------------------- --------------------------
14 canceled RedHat 1
13 completed RedHat 1
12 completed RedHat 1
11 completed RedHat 1
How do I get the specified job-id and job-state?
What method does Powershell use to intercept strings?
Question 1:
Get the following stringļ¼
14 canceled
Question 2 :
Get the following string:
13 completed
12 completed
Question 3 :
How do I get the most recent job-id and job-state?
The cmdlet ConvertFrom-SourceTable available for download from the PowerShell gallery (GitHub: iRon7/ConvertFrom-SourceTable) is capable of reading this type of data tables:
$Jobs = ConvertFrom-SourceTable '
job-id job-state job-name job-originating-user-name job-media-sheets-completed
------ --------- -------- ------------------------- --------------------------
14 canceled RedHat 1
13 completed RedHat 1
12 completed RedHat 1
11 completed RedHat 1
'
In your case, it is probably something like:
$Jobs = $(.\ipptool http://localhost/ipp/printers get-completed-jobs.test) | ConvertFrom-SourceTable
The rest of your questions are actually a matter of basic PowerShell commands.
As in this example, the Jobs object will give you access to e.g. the status of job 14:
$Jobs | ?{$_."job-id" -eq 14} | Select -Expand "job-state"
canceled
And "How do I get the most recent job-id and job-state?":
(presuming that the most recent job is always on top)
$Jobs | Select "job-id", "job-state" -First 1
job-id job-state
------ ---------
14 canceled
(For other ConvertFrom-SourceTable examples see: https://stackoverflow.com/search?q=ConvertFrom-SourceTable)
The setup: An automated test station, built around a Windows 7 PC. The UUT (Unit Under Test) are connected and disconnected often, creating many COM ports.
The Problem: The test is searching for the device at a specific COM port, requiring the user to manually remove the "ghost" com ports.
The question: Since the software is used by several test stations in parallel, at a production floor, I cannot install additional software (e.g. Devcon, part of Windows SDK). Is there a command line option to remove the COM ports?
Based on This blog entry
The only thing that actually worked for me is not the intended solution... But it fit the case at hand:
Created a batch file at C:\windows\system32
The content:
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\COM Name Arbiter" /v ComDB /t REG_BINARY /d 0206 /f
The actual value of the registry key (0206 in my example) can either be read from that key (use regedit) or calculated from binary:
com8 com7 com6 com5 com4 com3 com2 com1 com16 com15 com14 com13 com12 com11 com10 com9
0 0 0 0 0 0 1 1 0 0 0 0 0 1 1 0
since I wished to keep com1, com2, com10 and com11 - 0000 0011 0000 0110 - which stand for 0206
executing this batch file will remove the unnecessary comports while leaving the one's I intended
*The batch should be at system32 to be executed as elevated (administrator)
*for more details refer to this PDF
I've hacked together a solution that allows me to commit changes to my Go language application to Azure Websites, compile into a Go binary, and then update the Web.Config to have the httpPlatformHandler use the newly created binary. This allows me to easily deploy changes to my Go app and have them (almost) instantly available on my Azure website. It's a neat prototype, and you can check it out here: https://github.com/wadewegner/azure-website-go-builder/
If you look at the last line of the deploy.cmd you'll see that I use Powershell to kill a w3wp.exe process. This forces it to restart and use the updated Web.Config.
powershell "stop-process (Get-Process w3wp | Sort-Object ws | Select -first 1).Id"
This is a hack and not ideal. In a default scenario there are two w3wp.exe processes running - one for our website and one for the SCM website (which is a management website). It will not work if we have more than one instance of our Azure website running. It also assumes that the right process to kill is the one with the smaller memory footprint - this is a bad assumption to make.
In Azure Websites we don't have a lot of facilities at our disposal for finding and killing processes.
When I run Get-Process w3wp ... I get this kind of output today:
Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName
------- ------ ----- ----- ----- ------ -- -----------
364 40 7196 16032 85 0.55 5516 w3wp
667 77 61972 77372 350 5.72 3448 w3wp
However, with two instances of my website, it could be:
Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName
------- ------ ----- ----- ----- ------ -- -----------
364 40 7196 16032 85 0.55 5516 w3wp
364 40 7196 16032 85 0.55 5517 w3wp
667 77 61972 77372 350 5.72 3448 w3wp
(Manually updated to make my point.)
So, the question is, what's the right way to choose the two processes I want to kill? I don't want to kill 3448.
Additionally, how do I find a better heuristic to choose the right processes?
I uploaded tlist.exe to run tlist -t and get this output:
D:\home\site\wwwroot>tlist -t
AdjustTokenPrivileges failed with 1300
w3wp.exe (5516)
20150107_070323.exe (4936)
w3wp.exe (3448)
cmd.exe (1976)
tlist.exe (5868)
This makes it clear that 5516 is the PID I want to kill.
Is there a way in Powershell to run Get-Process but if it somehow inspect child processes and filter out the w3wp.exe PID with the cmd.exe process?
Thank you!