Catching Get-EventLog errors - powershell

I'm writing a simple script to parse some event logs but I need to silence some errors for times when there are no results, or if the instanceid is invalid:
PS C:\> get-eventlog Application -instanceid 1111
Get-EventLog : No matches found
At line:1 char:13
+ get-eventlog <<<< Application -instanceid 1111
+ CategoryInfo : ObjectNotFound: (:) [Get-EventLog], ArgumentException
+ FullyQualifiedErrorId : GetEventLogNoEntriesFound,Microsoft.PowerShell.Commands.GetEventLogCommand
I can do that and silence it, but that would also silence other errors:
PS C:\> try { get-eventlog Application -instanceid 1111 -erroraction stop } catch { }
I tried this but it doesn't work:
PS C:\> try { get-eventlog Application -instanceid 1111 -erroraction stop } catch [ObjectNotFound] { }
Unable to find type [ObjectNotFound]: make sure that the assembly containing this type is loaded.
At line:1 char:91
+ try { get-eventlog Application -instanceid 1111 -erroraction stop } catch [ObjectNotFound] <<<< { }
+ CategoryInfo : InvalidOperation: (ObjectNotFound:String) [], RuntimeException
+ FullyQualifiedErrorId : TypeNotFound

you can use -ErrorAction SilentlyContinue and check your $error variable after it,
$error[0]
It will always contains the last error object.

By no means the only option but you could try something like this:
$result = get-eventlog Application -instanceid 1111 -erroraction silentlycontinue
if($result){
Write-Host "Found some."
} else{
Write-Host "wah wah wah waaaah... you know like the trombone sound"
}
Once again I dont read a post fully. To make better on my answer I offer up this which might help your try block woes
try {
get-eventlog Application -instanceid 1111 -ErrorAction Stop
} Catch [Exception]{
$theError = $_
Switch($theError .Exception.GetType().FullName){
System.InvalidOperationException{Write-Host "This happened: $($theError.Exception.Message)"}
System.ArgumentException {Write-Host "This happened: $($theError.Exception.Message)"}
default{"Something else happened: $($theError.Exception.GetType().FullName)"}
}
}
Use -Stop to create a terminating error. Capture any exceptions and put the error object into variable so it can be used in other scopes later. Get the exception name and use a switch statement on it to determine appropriate action. In your case of "No matches found" that throws a [System.ArgumentException] which you can tell from looking at the value of $_.Exception.GetType().FullName. Capture the specific errors in the switch statement and if you have not already caught a particular exception before you can see the details in default.
For what its worth [System.InvalidOperationException] occurred when I replaced "Application" in the cmdlet call to "Fizgig"

you should try following syntax to get your error while not stopping script execution :
try
{
# check for eventLog
Get-EventLog -LogName "Application" -InstanceId 1111 -ErrorAction Stop
}
catch
{
# send error as ID
Write-Warning "Error -Message $($_.Exception.Message) -Line $($_.InvocationInfo.ScriptLineNumber) -Time $(Get-Date -Format 'HH.mm.ss.fff')"
}

Related

-ErrorAction with Get-ADComputer not hiding errors

I'm just beginning to dip into PowerShell with AD so I apologize if the question seems obvious.
I am trying to check if which of the devices provided in a list are in AD. So far I've used the code from:
Powershell - verify object exists in AD
It works just fine, but the "-ErrorAction SilentlyContinue" does not actually suppress the error messages. I get the below:
Get-ADComputer : Cannot find an object with identity: 'test' under:
'DC=test,DC=dom'.
At C:\Users\testaccount\Desktop\test.ps1:171
char:19
+ if (#(Get-ADComputer $target -ErrorAction SilentlyContinue).Count)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (test:ADComputer) [Get-ADComputer], ADIdentityNotFoundException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADComputer
The code I am using is as follows:
foreach ($target in $devicelist)
{
if (#(Get-ADComputer $target -ErrorAction SilentlyContinue).Count)
{
$existingdevices += $target
}
else
{
#display error notification
}
}
What I am looking for is suppressing the error message to no longer show in console - for the script to actually silently continue on error.
Any and all help will be appreciated!
So lets talk about whats happening.
There are 2 types of errors Terminating and Non-Terminating.
Terminating stops the execution of a command and throws an Exception. A non-terminating returns a write-out error message.
-ErrorAction takes care of Non-Terminating errors
Try{}Catch{} takes care of Terminating errors.
In your case
foreach ($target in $devicelist)
{
try{
if (#(Get-ADComputer $target -ErrorAction SilentlyContinue).Count)
{
$existingdevices += $target
}
else
{
#display non-terminating error notification
}
}catch{
#display Terminating error notification
}
}
Use output redirection: 2> $Null
Get-ADComputer -Server BlahBlah -Identity ComputerThatDoesntExist 2> $Null

PS Get-WinEvent throw 'The Handle is invalid'

I have a list of hostnames from which I'd like to extract all AppLocker related eventlogs, especially the ones with level warning and/or error.
I crafted this script:
$ComputersToCheck = Get-Content 'X:\ListWithTheNames.txt'
foreach($OneHost in $ComputersToCheck)
{
try
{
$EventCollection = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -ComputerName $OneHost -Credential $CredentialFromUser
foreach ($SingelEvent in $EventCollection)
{
if($SingelEvent.LevelDisplayName -ne "Information")
{
$pathtosaveto = 'SomeFileName.txt'
$ResultString += $SingelEvent | Select Message,MachineName,UserId | Export-Csv -Path $pathtosaveto -Append
}
}
}
catch
{
//handling exceptions
}
}
This works for a while, but after a certain ammount of time I got an error:
Get-WinEvent : The remote procedure call failed
At X:\FileName.ps1:22 char:28
+ $EventCollection = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EX ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-WinEvent], EventLogException
+ FullyQualifiedErrorId : The remote procedure call failed,Microsoft.PowerShell.Commands.GetWinEventCommand
And right after the script start giving errors like this:
Get-WinEvent : The handle is invalid
At X:\FileName.ps1:22 char:28
+ $EventCollection = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EX ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-WinEvent], EventLogException
+ FullyQualifiedErrorId : The handle is invalid,Microsoft.PowerShell.Commands.GetWinEventCommand
My first thought was that it is related to the host the script try to reach, but the next in the list is the same type (Os, even the same model) as the previous.
I ran the script 3 times, and every time the output size was different (probably because not the same hosts were online with the same amount of logs).
The script should run against more than 700 hosts, to which a special account is needed which I prompt by the Get-Credential, store in a variable and pass it the the Get-WinEvent as a parameter.
To be honest I stuck with this issue, not really sure what cause this and why.
If anyone has an idea please share with me :)
Give this a try to attempt catching references to failed hosts and empty objects. You could write the exception received but I didn't include that in this to make the failedhosts file simple to read. Hope I got it right as I winged it and don't have a true case to test against.
$ComputersToCheck = Get-Content 'X:\ListWithTheNames.txt'
foreach($OneHost in $ComputersToCheck) {
try {
$EventCollection = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -ComputerName $OneHost -Credential $CredentialFromUser -ErrorAction Stop
if($EventCollection) {
foreach ($SingelEvent in $EventCollection) {
if($SingelEvent.LevelDisplayName -ne "Information") {
$pathtosaveto = 'SomeFileName.txt'
$ResultString += $SingelEvent | Select Message,MachineName,UserId | Export-Csv -Path $pathtosaveto -Append
}
}
} else {
Out-File -InputObject $($OneHost + " Empty Event Collection") -FilePath "C:\FailedHosts.txt" -Append -Encoding ascii
}
}
catch {
Out-File -InputObject $($OneHost + " Failed Connection") -FilePath "C:\FailedHosts.txt" -Append -Encoding ascii
}
}

Write custom error to log on RPC server unavailable

I want to output a custom error message to a log, when a GWMI query fails. I can catch the exception, but apparently only the last one, because the output in my error file only has the name of the last computer in the list. I am using a list of computers I know do not have WMI enabled. There should be an entry for each one.
I have a list of domain computers in a text file, each on a single line, no trailing characters. I loop through the file to get network information, using GWMI. Some of the computers do not have WMI enabled, and I want to know which ones. My current script just throws a:
gwmi : The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
At line:12 char:17
+ $base = gwmi win32_networkadapterconfiguration -computername $comp | whe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Get-WmiObject], COMException
+ FullyQualifiedErrorId : GetWMICOMException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
whenever it loops through a machine that does not have wmi enabled.
This does not identify the computer that threw the exception. What I would like is for every time the RPC server is unavailable... error is thrown, for a custom error message to be written to a log with the name of the computer that threw the exception.
My script:
$computers = Get-Content -path f:\scripts\docs\computer_list_test.txt
if (F:\scripts\wmi_mac_output.txt){
rm F:\scripts\wmi_mac_output.txt
}
foreach ($comp in $computers) {
try
{
$base = gwmi win32_networkadapterconfiguration -computername $comp -ErrorAction Stop | where {$_.dnsdomain -eq "mydomain.com"}
$machine = $base.DNSHostName
$mac = $base.MACAddress
$ip = $base.IPAddress
"<COMPUTER>`n`tname: $machine`n`tMAC: $mac`n`tIP: $ip`n</COMPUTER>" | Out-File F:\scripts\wmi_mac_output.txt
}
catch [Exception]
{
if ($_.Exception.GetType().Name -eq "COMException")
{
"$comp has no winrm" > f:\scripts\docs\error.txt
}
}
}
Thank you.
I can catch the exception, but apparently only the last one, because the output in my error file only has the name of the last computer in the list.
The issue is that the error.txt is being overwritten instead of appended.
"$comp has no winrm" > f:\scripts\docs\error.txt
Change to:
"$comp has no winrm" >> f:\scripts\docs\error.txt

Problems with catch in PowerShell

I have a problem with the catch command. I have the following script I'm trying to process:
Try
{
Add-Computer -DomainName "MyDomain.Dom" -Credential $DomainCred -PassThru -ErrorAction Stop
}
Catch [System.InvalidOperationException]
{
"Your computer is unable to contact the domain"
}
Every time I run this though I am not getting anything in the catch block. Here is the error reported that I get from the script:
PSMessageDetails :
Exception : System.InvalidOperationException: This command cannot be executed on target computer('') due to following error: The specified domain either does not exist or could not
be contacted.
TargetObject :
CategoryInfo : InvalidOperation: (MYPC:String) [Add-Computer], InvalidOperationException
FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.AddComputerCommand
ErrorDetails :
InvocationInfo : System.Management.Automation.InvocationInfo
PipelineIterationInfo : {0, 1}
Any ideas?
A working solution (thanks to PK and Patrick for their combined contributions):
Try
{
Add-Computer -DomainName "MyDomain.Dom" -Credential $DomainCred -PassThru -ErrorAction Stop
}
Catch [System.Management.Automation.RuntimeException]
{
"Your computer is unable to contact the domain"
}
Try catching System.Management.Automation.RuntimeException instead of System.InvalidOperationException.
Try
{
Add-Computer -DomainName "MyDomain.Dom" -Credential $DomainCred
}
Catch [System.Management.Automation.RuntimeException]
{
'Error: {0}' -f $_.Exception.Message
}
Add "-ErrorActionPreference Stop" to your cmdlet.
For instance,
Add-Computer -DomainName "MyDomain.Dom" -Credential $DomainCred -EA Stop
There does seem to be a few inconsistencies with the ways that different cmdlets process errors, especially those "add-on" cmdlets like the Active Directory ones. However, I think the basic idea is that PowerShell catch only catches terminating errors, of which your exception above isn't by default. So by using -EA Stop you're forcing it be a terminating error, which triggers the catch block.
Here's Ed Wilson on the subject: Write PowerShell Functions That Accept Pipelined Input
I was able to get this to work:
Try
{
Add-Computer -DomainName "MyDomain.Dom" -Credential $DomainCred -PassThru -ErrorAction Stop
}
Catch
{
"Your computer is unable to contact the domain"
}
-PassThru on the Add-Computer command returns the results of the command to the shell.
-ErrorAction Stop tells PowerShell to stop when it encounters an error; this suppresses the error output you were seeing.
FullName
--------
System.Management.Automation.RuntimeException
The object of type "Microsoft.PowerShell.Commands.Internal.Format.FormatStartData" is not valid or not in the correct sequence. This is likely caused by a user-specified "f
ormat-list" command which is conflicting with the default formatting.
+ CategoryInfo : InvalidData: (:) [out-lineoutput], InvalidOperationException
+ FullyQualifiedErrorId : ConsoleLineOutputOutOfSequencePacket,Microsoft.PowerShell.Commands.OutLineOutputCommand
Putting the -Passthru on it allowed it to catch the error.

PowerShell 2.0 and how to handle exceptions?

Why I get error message printed on the console when running these two simple samples ?
I want that I get "Error testing :)" printed on the console insted of:
Get-WmiObject : The RPC server is
unavailable. (Exception from HRESULT:
0x800706BA) At line:3 char:15
+ Get-WmiObject <<<< -ComputerName possibly.nonexisting.domain.com
-Credential (Get-Credential) -Class Win32_logicaldisk
+ CategoryInfo : InvalidOperation: (:) [Get-WmiObject],
COMException
+ FullyQualifiedErrorId : GetWMICOMException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
or
Attempted to divide by zero. At line:3
char:13
+ $i = 1/ <<<< 0
+ CategoryInfo : NotSpecified: (:) [],
ParentContainsErrorRecordException
+ FullyQualifiedErrorId : RuntimeException
First example:
try
{
$i = 1/0
Write-Host $i
}
catch [Exception]
{
Write-Host "Error testing :)"
}
Second example:
try
{
Get-WmiObject -ComputerName possibly.nonexisting.domain.com -Credential (Get-Credential) -Class Win32_logicaldisk
}
catch [Exception]
{
Write-Host "Error testing :)"
}
Thank you very much!
First example
The error happens at compile/parsing time (PowerShell is clever enough), so that the code is not even executed and it cannot catch anything, indeed. Try this code instead and you will catch an exception:
try
{
$x = 0
$i = 1/$x
Write-Host $i
}
catch [Exception]
{
Write-Host "Error testing :)"
}
Second example
If you set $ErrorActionPreference = 'Stop' globally then you will get "Error testing :)" printed, as expected. But your $ErrorActionPreference is presumably 'Continue': in that case there is no terminating error/exception and you just get the non terminating error message printed to the host by the engine.
Instead of the global $ErrorActionPreference option you can also play with Get-WmiObject parameter ErrorAction. Try to set it to Stop and you will catch an exception.
try
{
Get-WmiObject -ErrorAction Stop -ComputerName possibly.nonexisting.domain.com -Credential (Get-Credential) -Class Win32_logicaldisk
}
catch [Exception]
{
Write-Host "Error testing :)"
}