Gathering Event Log Information
In PowerShell, the
Get-EventLog cmdlet can be used to gather information from a Windows
event log and list the event logs that are present on a system. To
gather event log information, the name of the event log must be
specified, as shown in the following example:
PS C:\> get-eventlog -logname application
Index Time Type Source EventID Message
----- ---- ---- ------ ------- -------
1778 Oct 05 19:44 Info MSExchangeFBPublish 8280 When initializing ses...
1777 Oct 05 19:38 Info MSExchangeIS 9826 Starting from 10/5/20...
1776 Oct 05 19:38 Info MSExchange ADAccess 2080 Process MSEXCHANGEADT...
1775 Oct 05 19:16 Info MSExchange ADAccess 2080 Process MAD.EXE (PID=...
...
To create a list of all the event logs on the local system, use the list switch parameter, as shown in the following command:
PS C:\> get-eventlog -list
Max(K) Retain OverflowAction Entries Name
------ ------ -------------- ------- ----
20,480 0 OverwriteAsNeeded 1,778 Application
15,168 0 OverwriteAsNeeded 44 DFS Replication
512 0 OverwriteAsNeeded 1,826 Directory Service
16,384 0 OverwriteAsNeeded 38 DNS Server
20,480 0 OverwriteAsNeeded 0 Hardware Events
512 7 OverwriteOlder 0 Internet Explorer
20,480 0 OverwriteAsNeeded 0 Key Management Service
512 7 OverwriteOlder 155 PowerShell
131,072 0 OverwriteAsNeeded 9,596 Security
20,480 0 OverwriteAsNeeded 3,986 System
15,360 0 OverwriteAsNeeded 278 Windows PowerShell
PS C:\>
To gather in-depth
information about a particular event or set of events, the objects
returned by the Get-EventLog cmdlet can be filtered further. For
example:
PS C:\> $Errors = get-eventLog -logname application | where {$_.eventid -eq 8196}
PS C:\> $Errors[0] | fl -Property *
EventID : 8196
MachineName : dc01.companyabc.com
Data : {}
Index : 1772
Category : (0)
CategoryNumber : 0
EntryType : Information
Message : License Activation Scheduler (SLUINotify.dll) was not able
to automatically activate. Error code:
0x8007232B
Source : Software Protection Platform Service
ReplacementStrings : {0x8007232B}
InstanceId : 1073750020
TimeGenerated : 10/5/2009 6:56:36 PM
TimeWritten : 10/5/2009 6:56:36 PM
UserName :
Site :
Container :
PS C:\>
In
the preceding example, the Get-EventLog cmdlet is used in conjunction
with the Where-Object cmdlet to create a collection of objects that all
have an EventID equal to 8196. This collection is then defined as the
variable $Errors. In the next command, the first object in the $Errors variable is passed to the Format-List cmdlet, which then writes a list of all the object’s properties to the console.
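The following function is an added example, not code from the book: it applies the same Get-EventLog and Where-Object combination, but lets the cmdlet do as much of the filtering as it can (by time window and entry type) before Where-Object narrows the result by EventID, then summarizes what remains by source and ID. The function name, its parameters and the sample log names are assumptions for illustration; it assumes PowerShell 3.0 or later (for [pscustomobject]) on a Windows host where the caller can read the chosen log.

```powershell
# Added example (not from the book): summarize matching events from a classic
# event log. Function name, parameters and sample values are illustrative.

function Get-EventSummary {
    param(
        [Parameter(Mandatory=$true)] [string] $LogName,
        [int[]]    $EventId,
        [string[]] $EntryType = @('Error', 'Warning'),
        [datetime] $After     = (Get-Date).AddHours(-24)
    )

    # -After and -EntryType are applied by the cmdlet itself, which is far
    # cheaper than reading every record and discarding most of it afterwards.
    $events = Get-EventLog -LogName $LogName -After $After -EntryType $EntryType

    # EventID is the low 16 bits of InstanceId (8196 vs. 1073750020 in the
    # text's output), so filter on EventID when you only know the short ID
    # shown in the console.
    if ($EventId) {
        $events = $events | Where-Object { $EventId -contains $_.EventID }
    }

    # One summary row per Source/EventID pair, most frequent first.
    $events |
        Group-Object -Property Source, EventID |
        ForEach-Object {
            $latest = $_.Group | Sort-Object TimeGenerated -Descending | Select-Object -First 1
            [pscustomobject]@{
                Source   = $latest.Source
                EventID  = $latest.EventID
                Count    = $_.Count
                LastSeen = $latest.TimeGenerated
                Message  = ($latest.Message -split "`r?`n")[0]   # first line only
            }
        } |
        Sort-Object Count -Descending
}

# Errors and warnings from the Application log over the last day.
Get-EventSummary -LogName Application | Format-Table -AutoSize

# The text's 8196 example, restricted to the last hour.
Get-EventSummary -LogName Application -EventId 8196 -EntryType Information -After (Get-Date).AddHours(-1)

# Failed logons (ID 4625) recorded in the Security log in the last hour; this
# assumes logon auditing is enabled and the session is elevated.
Get-EventSummary -LogName Security -EventId 4625 -EntryType FailureAudit -After (Get-Date).AddHours(-1)
```

Because -EntryType and -After are evaluated inside Get-EventLog, the Where-Object stage only ever sees records from the requested window; on a busy Security log that difference is what makes the query practical.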
Managing the Files and Directories
A set of core cmdlets can be used to access and manipulate PowerShell
data stores. Because the Windows file system is just another PowerShell
data store, it is accessed through the FileSystem provider. Each mounted
drive or defined location is represented by a PSDrive and can be
managed by using the core cmdlets. Details about how these core cmdlets
are used are discussed in the following sections.
Listing Directories of Files
In PowerShell, you can
use several cmdlets to explore the file system. The first cmdlet,
Get-Location, is used to display the current working location:
PS C:\> get-location
Path
----
C:\
PS C:\>
To get information about a specified directory or file, you can use the Get-Item cmdlet:
PS C:\temp> get-item autorun.inf
Directory: C:\temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 8/7/2007 10:06 PM 63 autorun.inf
PS C:\temp>
To get information about directories or files under a specified directory, you can use the Get-ChildItem cmdlet:
PS C:\> get-childitem c:\inetpub\wwwroot
Directory: C:\inetpub\wwwroot
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 10/4/2009 11:09 PM aspnet_client
-a--- 10/4/2009 2:10 PM 689 iisstart.htm
-a--- 10/4/2009 2:10 PM 184946 welcome.png
PS C:\>
Creating Directories or Files
Creating a directory or file in PowerShell is a simple process and just involves the use of the New-Item cmdlet:
PS C:\> new-item -path c:\ -name work -type dir
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 10/7/2009 11:44 AM work
PS C:\>
In the preceding example, note that the ItemType parameter (abbreviated
to -type in the command) must be supplied. If this parameter is not
supplied, PowerShell prompts you for the type of item to be created. An
example of this is shown here:
PS C:\work> new-item -path c:\work -name script.log
Type: file
Directory: C:\work
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 10/7/2009 8:58 PM 0 script.log
PS C:\work>
In the previous example, PowerShell prompts you for the value of the ItemType parameter. Because the goal is to create a file, the value entered is “file.”
Note
With files, in addition to
using the New-Item cmdlet, you can use several other cmdlets to create
files. Examples of these are Add-Content, Set-Content, Export-Csv, and
Out-File. However, the main purpose of these cmdlets is to add or
append content to a file; they create the file only when it does not already exist.
Deleting Directories and Files
To delete directories and
files in PowerShell, the Remove-Item cmdlet is used. Usage of this
cmdlet is shown in the next example:
PS C:\work> remove-item script.log
Notice how PowerShell doesn’t
prompt you for any type of confirmation. Because deleting an item is
permanent, you might want to use one of the PowerShell common parameters
to confirm the action before the command executes. For example:
PS C:\work> remove-item test.txt -confirm
Confirm
Are you sure you want to perform this action?
Performing operation "Remove File" on Target "C:\work\test.txt".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):
In the prior example, the Confirm common parameter is used to verify the deletion of the test.txt
file. Using this parameter helps prevent mistakes when executing commands
whose effects might not be intended.
Note
In addition to the Remove-Item cmdlet, you can use the Clear-Content cmdlet to wipe content from a file instead of deleting it.
Renaming Directories and Files
To rename directories and files in PowerShell, use the Rename-Item cmdlet:
PS C:\> rename-item c:\work scripts
When using the
Rename-Item cmdlet, the argument for the first parameter, Path, is
the path to the directory or file being renamed. The second
parameter, NewName, is the new name for the directory or file.
Moving or Copying Directories and Files
To move and copy directories or
files in PowerShell, you can use either the Move-Item or Copy-Item
cmdlets. An example of using the Move-Item cmdlet is as follows:
PS C:\> move-item -path c:\scripts -dest c:\work
PS C:\> get-childitem c:\work
Directory: C:\work
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 10/7/2009 9:20 PM scripts
PS C:\>
The syntax for using the Copy-Item cmdlet is very similar, as shown in the next example:
PS C:\work> copy-item 4444.log .\logs
PS C:\work> gci .\logs
Directory: C:\work\logs
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 10/7/2009 10:41 PM 6 4444.log
PS C:\work>
Reading Information from Files
To read information from a file, you can use the Get-Content cmdlet. An example of using this cmdlet is as follows:
PS C:\work\logs> get-content 4444.log
PowerShell was here!
When the Get-Content cmdlet is
executed, it reads content from the specified file line-by-line and
returns an object for each line that is read. For example:
PS C:\work\logs> $logs = get-content 4444.log
PS C:\work\logs> $logs[0]
PowerShell was here!
PS C:\work\logs>
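The sections above each show one core cmdlet in isolation. The script below is an added example, not code from the book, that puts them to work together on a task an administrator actually has: record a baseline of the files under a directory (path, size, last write time and SHA-256 hash) and later report which files were added, removed or modified. The function names, the sample directory C:\work\baseline-demo and its contents are constructed for this example; the hashing uses the .NET SHA256 class directly so the script runs on PowerShell 2.0 as well as later versions.

```powershell
# Added example (not from the book): baseline a directory tree and report drift.
# Function names and the C:\work\baseline-demo sample tree are illustrative.

function Get-FileSha256 {
    param([string] $FilePath)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $stream = [System.IO.File]::OpenRead($FilePath)
        try     { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
        finally { $stream.Close() }
    } finally { $sha.Clear() }
}

function Get-DirectoryBaseline {
    # One object per file, keyed by path relative to the root so the baseline
    # still compares correctly if the tree is copied elsewhere.
    param([string] $Path)
    $root = (Get-Item $Path).FullName.TrimEnd('\')
    Get-ChildItem -Path $Path -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        New-Object PSObject -Property @{
            RelativePath  = $_.FullName.Substring($root.Length + 1)
            Length        = $_.Length
            LastWriteTime = $_.LastWriteTime
            Sha256        = Get-FileSha256 $_.FullName
        }
    }
}

function Compare-DirectoryBaseline {
    # Compare a saved baseline (CSV) with the directory's current state.
    param([string] $Path, [string] $BaselineCsv)
    $old = @{}
    Import-Csv $BaselineCsv | ForEach-Object { $old[$_.RelativePath] = $_ }
    $now = @{}
    Get-DirectoryBaseline $Path | ForEach-Object { $now[$_.RelativePath] = $_ }

    foreach ($key in $now.Keys) {
        if (-not $old.ContainsKey($key)) {
            New-Object PSObject -Property @{ Change = 'Added';    RelativePath = $key }
        } elseif ($old[$key].Sha256 -ne $now[$key].Sha256) {
            New-Object PSObject -Property @{ Change = 'Modified'; RelativePath = $key }
        }
    }
    foreach ($key in $old.Keys) {
        if (-not $now.ContainsKey($key)) {
            New-Object PSObject -Property @{ Change = 'Removed';  RelativePath = $key }
        }
    }
}

# --- Demonstration on a constructed directory ---------------------------------
$demo = 'C:\work\baseline-demo'
New-Item -Path $demo -ItemType Directory -Force | Out-Null
Set-Content -Path "$demo\index.htm" -Value '<html>hello</html>'
Set-Content -Path "$demo\notes.txt" -Value 'PowerShell was here!'

# Take the baseline and save it beside the tree.
Get-DirectoryBaseline $demo | Export-Csv -Path 'C:\work\baseline.csv' -NoTypeInformation

# Simulate drift: one file edited, one removed, one added.
Add-Content -Path "$demo\index.htm" -Value '<!-- edited -->'
Remove-Item -Path "$demo\notes.txt"
New-Item    -Path $demo -Name 'extra.txt' -ItemType File | Out-Null

# Expected report: index.htm Modified, notes.txt Removed, extra.txt Added.
Compare-DirectoryBaseline -Path $demo -BaselineCsv 'C:\work\baseline.csv' | Format-Table -AutoSize
```

Pointed at a directory such as C:\inetpub\wwwroot from the earlier listing, the same two calls give a quick answer to whether anything on a web server's document root has changed since the baseline was taken; comparing hashes rather than LastWriteTime matters because timestamps are trivially reset, whereas a changed hash always reflects changed content.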
Managing the Registry
PowerShell
has a built-in provider, Registry, for accessing and manipulating the
Registry on a local machine. The Registry hives available in this
provider are HKEY_LOCAL_MACHINE (HKLM) and HKEY_CURRENT_USER (HKCU).
These hives are represented in a PowerShell session as two additional
PSDrive objects named HKLM: and HKCU:.
Note
The WshShell object has access
not only to the HKLM: and HKCU: hives, but also to HKEY_CLASSES_ROOT
(HKCR), HKEY_USERS, and HKEY_CURRENT_CONFIG. To access these additional
Registry hives in PowerShell, you use the Set-Location cmdlet to change
the location to the root of the Registry provider.
Because the Windows Registry is
treated as a hierarchical data store, like the Windows file system, it can
also be managed by the PowerShell core cmdlets. For example, to read a
Registry value, you use the Get-ItemProperty cmdlet:
PS C:\> $Path = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion"
PS C:\> $Key = get-itemproperty $Path
PS C:\> $Key.ProductName
Windows Server 2008 R2 Enterprise
PS C:\>
To create or modify a Registry value, you use the Set-ItemProperty cmdlet:
PS C:\> $Path = "HKCU:\Software"
PS C:\> set-itemproperty -path $Path -name "PSinfo" -type "String" -value "PowerShell_Was_Here"
PS C:\>
PS C:\> $Key = get-itemproperty $Path
PS C:\> $Key.PSinfo
PowerShell_Was_Here
PS C:\>
Remember that the Windows Registry has several types of Registry values. When creating or modifying a value with the Set-ItemProperty cmdlet, you specify its type with the Type
parameter. As a best practice, you should always define the type when
using the Set-ItemProperty cmdlet. Otherwise, the cmdlet creates the
Registry value with the default type, which is String. Other possible
types are as follows:
ExpandString
Binary
DWord
MultiString
Qword
Note
Depending on the type of Registry
value you’re creating or modifying, the data you assign to the named
value must be in the correct format. For example, if the Registry value is
of type REG_BINARY, you use a binary value, such as $Bin = 101, 118, 105.
To delete a Registry value, you use the Remove-ItemProperty cmdlet, as shown here:
PS C:\> $Path = "HKCU:\Software"
PS C:\> remove-itemproperty -path $Path -name "PSinfo"
PS C:\>
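The following script is an added example, not code from the book, that works through this section's points in one place: it reaches a hive that has no PSDrive through the Registry:: provider path (the path-prefix form of the Set-Location approach in the Note), always passes an explicit Type to Set-ItemProperty and reads back the kind the Registry actually stored, strips the PS* properties Get-ItemProperty adds to its output, and uses the same cmdlets to list the Run keys that start programs at logon, a routine check for unexpected entries. The function names and the HKCU:\Software\PSDemo key and values are assumptions constructed for this example.

```powershell
# Added example (not from the book): typed Registry writes, verification, and a
# review of logon Run keys. Function names and HKCU:\Software\PSDemo are illustrative.

function Get-ClassesRootKey {
    # HKCR has no drive letter, but the Registry:: provider path reaches it.
    param([string] $SubKey)
    Get-Item -Path "Registry::HKEY_CLASSES_ROOT\$SubKey"
}

function Set-TypedRegistryValue {
    # Always state the type; without it Set-ItemProperty stores a String, so a
    # value a program expects as DWORD silently becomes REG_SZ.
    param(
        [string] $Path,
        [string] $Name,
        $Value,
        [ValidateSet('String','ExpandString','Binary','DWord','MultiString','QWord')]
        [string] $Type
    )
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type
    # Read it back and return the kind the Registry actually stored.
    (Get-Item -Path $Path).GetValueKind($Name)
}

function Get-RegistryValueClean {
    # Get-ItemProperty adds PSPath, PSParentPath, PSChildName, PSDrive and
    # PSProvider to its output; drop them so only the key's own values remain.
    param([string] $Path)
    Get-ItemProperty -Path $Path | Select-Object -Property * -ExcludeProperty PS*
}

function Get-LogonRunEntry {
    # Lists the per-machine and per-user Run/RunOnce keys.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-RegistryValueClean $key
        foreach ($p in $props.PSObject.Properties) {
            New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# --- Demonstration --------------------------------------------------------------
$demoPath = 'HKCU:\Software\PSDemo'
Set-TypedRegistryValue -Path $demoPath -Name 'Enabled' -Value 1                        -Type DWord    # DWord
Set-TypedRegistryValue -Path $demoPath -Name 'Marker'  -Value 'PowerShell_Was_Here'    -Type String   # String
Set-TypedRegistryValue -Path $demoPath -Name 'Bytes'   -Value ([byte[]](101,118,105))  -Type Binary   # Binary

Get-RegistryValueClean $demoPath           # only Enabled, Marker and Bytes
Get-LogonRunEntry | Format-Table -AutoSize
(Get-ClassesRootKey '.txt').GetValue('')   # default value of HKCR\.txt, typically "txtfile"

# Clean up. -WhatIf reports what would be removed without doing it; -Confirm
# prompts, as it does for Remove-Item in the file system section.
Remove-ItemProperty -Path $demoPath -Name 'Marker' -WhatIf
Remove-Item -Path $demoPath -Recurse
```

GetValueKind is the check worth keeping: it reports the type the Registry holds rather than the type you intended, which is how a value written without -Type shows up as String even when the consuming program will later fail to read it.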