Richard Siddaway's Blog

TCP/IP Alternative Configuration: pt II Set DHCP

The next step on our journey to an alternative configuration is setting the NIC to use DHCP

I will keep cheating for now and specify the NIC – on my machine I now it is the NIC whose Win32_NetworkAdapterConfiguration has an Index of 7

$index = 7            
Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
-Filter "Index=$index" |            
Invoke-WmiMethod -Name EnableDHCP

This sets the IP address to be obtained automatically via DHCP BUT it doesn’t set the DNS server to be delivered via DHCP. The old static DNS entries are retained.

To resolve this we use the SetDNSServerSearchOrder method without any arguments

$index = 7            
            
$nic = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
-Filter "Index=$index"             
            
Invoke-WmiMethod -InputObject $nic -Name EnableDHCP            
Invoke-WmiMethod -InputObject $nic -Name SetDNSServerSearchOrder            
            

I’ve modified the script slightly so we create an object for the WMI class and then use that object as the InputObject on two calls to Invoke-WmiMethod

We could have just as easily used

$nic.EnableDHCP()

$nic.SetDNSServerSearchOrder()

Now that we have the NIC set to use DHCP we need to configure the Alternative Configuration

More information on working with network adapters can be found in PowerShell and WMI – www.manning.com/powershellandwmi

Scripting Games 2012 comments: #19 default parameters

I often saw scripts that did something like this

function test1 {            
 param (            
   [string]$computername            
 )            
            
if (!$computername){            
  $computername = $env:COMPUTERNAME            
}            
            
Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computername              
}

A function, or script, defines a parameter. The first thing the function does it test the value of the parameter and if it doesn’t exist it sets it to a default value.

No, no, no – you are making work for yourself. 

Get PowerShell to do the work for you

function test2 {            
 param (            
   [string]$computername = $env:COMPUTERNAME            
 )            
            
Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computername              
}

See the difference?

The parameter definition now contains a default value.  If you don’t specify the parameter and a value the default kicks in and the function works.

Cuts down typing and gets PowerShell to do the work.

Scripting Games 2012 comments: #18 computer names

I have mentioned computer names a few times. One oddity is accessing the local machine.

There are three options

• dot  .
• localhost
• $env:COMPUTERNAME

There are a number of occasions when . and localhost fail.

For example

PS> Get-EventLog -List -ComputerName .

  Max(K) Retain OverflowAction        Entries Log
  ------ ------ --------------        ------- ---
  20,480      0 OverwriteAsNeeded      21,647 Application
     512      7 OverwriteOlder              0 DemoMate
  20,480      0 OverwriteAsNeeded           0 HardwareEvents
     512      7 OverwriteOlder              0 Internet Explorer
  20,480      0 OverwriteAsNeeded           0 Key Management Service
   8,192      0 OverwriteAsNeeded          10 Media Center
     512      7 OverwriteOlder              0 MyNewLog
     128      0 OverwriteAsNeeded         364 OAlerts
  20,480      0 OverwriteAsNeeded           1 Scripts
                                              Security
  20,480      0 OverwriteAsNeeded      56,135 System
  15,360      0 OverwriteAsNeeded      10,918 Windows PowerShell

PS> Get-EventLog -List -ComputerName localhost
Get-EventLog : The network path was not found.
At line:1 char:13
+ Get-EventLog <<<<  -List -ComputerName localhost
    + CategoryInfo          : NotSpecified: (:) [Get-EventLog], IOException
    + FullyQualifiedErrorId : System.IO.IOException,Microsoft.PowerShell.Commands.GetEventLogCommand

PS> Get-EventLog -List -ComputerName 'localhost'
Get-EventLog : The network path was not found.
At line:1 char:13
+ Get-EventLog <<<<  -List -ComputerName 'localhost'
    + CategoryInfo          : NotSpecified: (:) [Get-EventLog], IOException
    + FullyQualifiedErrorId : System.IO.IOException,Microsoft.PowerShell.Commands.GetEventLogCommand

PS> Get-EventLog -List -ComputerName $env:COMPUTERNAME

  Max(K) Retain OverflowAction        Entries Log
  ------ ------ --------------        ------- ---
  20,480      0 OverwriteAsNeeded      21,647 Application
     512      7 OverwriteOlder              0 DemoMate
  20,480      0 OverwriteAsNeeded           0 HardwareEvents
     512      7 OverwriteOlder              0 Internet Explorer
  20,480      0 OverwriteAsNeeded           0 Key Management Service
   8,192      0 OverwriteAsNeeded          10 Media Center
     512      7 OverwriteOlder              0 MyNewLog
     128      0 OverwriteAsNeeded         364 OAlerts
  20,480      0 OverwriteAsNeeded           1 Scripts
                                              Security
  20,480      0 OverwriteAsNeeded      56,135 System
  15,360      0 OverwriteAsNeeded      10,918 Windows PowerShell

Get-EventLog fails with localhost

I always recommend using $env:COMPUTERNAME

Test-Connection on PowerShell v3

Following on from the previous post I performed the same tests on PowerShell v3

The behaviour is the same except that

Test-Connection -ComputerName . -Count 4 –AsJob

now give the 4 pings when you receive the job information

Test-Connection oddities

I’ve playing around with Test-Connection because I wanted to set up a long running WMI based job and I thought that pinging a machine lots of times would be a good way to do it. Test-Connection uses the Win32-PingStatus class.

I started with this

PS> Test-Connection -ComputerName . -Count 4

Source        Destination     IPV4Address   IPV6Address  Bytes    Time(ms)
------        -----------     -----------   -----------  -----    --------
RSLAPTOP01    localhost       127.0.0.1        ::1          32       0
RSLAPTOP01    localhost       127.0.0.1        ::1          32       0
RSLAPTOP01    localhost       127.0.0.1        ::1          32       0
RSLAPTOP01    localhost       127.0.0.1        ::1          32       0

Nothing special there.

I then tried this

PS> Test-Connection -ComputerName . -Count 4 -Quiet
False

Huh?

PS> Test-Connection -ComputerName localhost -Count 4 -Quiet
True

Odd

PS> Test-Connection -ComputerName $env:COMPUTERNAME -Count 4 -Quiet
True

Very odd – seems like “.” isn’t liked when running –Quiet.  Another good reason to avoid it

I then tried it as a job

PS> Test-Connection -ComputerName . -Count 4 -AsJob

Id       Name     State      HasMoreData   Location     Command
--       ----     -----      -----------   --------     -------
3        Job3     Running    False         .            Test-Connection

PS> Get-Job

Id       Name     State      HasMoreData   Location     Command
--       ----     -----      -----------   --------     -------
1        Job1     Completed  True          .            Test-Connection
3        Job3     Completed  True          .            Test-Connection

PS> Receive-Job -Id 3

Source   Destination  IPV4Address  IPV6Address  Bytes    Time(ms)
------   -----------  -----------  -----------  -----    --------
RSLAPTOP01 localhost    127.0.0.1        ::1       32       0

Only one ping is returned instead of the 4 I was expecting.

Not major problems but something to remember

Scripting Games 2012 comments: #17 opening a csv file

Some of the events involved creating a CSV file. While it wasn’t explicitly asked that you opened the file many entrants chose to add that code to their scripts.

There were a number of options presented – most involving opening Excel and importing the CSV file.

There is a much quicker way

Invoke-Item -Path test.csv

Invoke-Item causes any file to open in the default application associated with that file.  This will work for Office documents, text files and anything else that you can double click on a get it to open in an application.

If you use Invoke-Item on a .ps1 file – it will open in notepad just as if you’d double clicked it.

Scripting Games 2012 comments: #16 reading environmental variables

Windows maintains a set of environmental variables. Some, but not all, can be seen via the env: PowerShell drive

Get-ChildItem -Path env:

You can also use WMI to see some of the variables

Get-WmiObject -Class Win32_Environment | ft Name, VariableValue –a

Now how do you read them in your scripts?

I noticed a lot of people doing this

$name = (Get-Item env:\Computername).Value

It works but its a bit long winded.  A better method is this

$name = $env:COMPUTERNAME

$env: is the environment provider surfaced as a namespace

You can also use this technique with other providers e.g.

PS> $variable:MaximumAliasCount
4096

It doesn’t work with all providers e.g. the registry.

TCP/IP Alternative Configuration: pt I The configuration

A question on the forum got me wondering about setting the Alternative Configuration on a TCP/IP properties of a network adapter. NICs are normally configured to either DHCP or a static address. If you use DHCP another tab “Alternative Configuration” appears on the IPv4 properties dialog. This can be set to APIPA (an address in the range 169.254.x.x/16 – ie DHCP failed) or a static address. DHCP will be tried first and if it fails the Alternative Configuration kicks in.

I had never seen anything on configuring this so started to dig.

It turns out that the information is held in the registry – big surprise! The data is a little difficult to track down

## http://technet.microsoft.com/en-us/library/bb457118.aspx            
$index = 7            
$HKLM = 2147483650 #HKEY_LOCAL_MACHINE            
$data = @{}            
            
$nic = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "Index=$index"            
            
$key = "SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\$($nic.SettingID)"            
            
$rc = Invoke-WmiMethod -Class StdRegProv -Name EnumValues -ArgumentList $hklm, $key            
            
if ($rc.ReturnValue -eq 0) {            
              
  $num = $rc.Types.count -1            
              
  for ($i=0; $i -le $num; $i++){            
                 
     switch ($rc.Types[$i]) {            
       1 {$value = Invoke-WmiMethod -Class StdRegProv -Name GetStringValue -ArgumentList $hklm, $key, $($rc.sNames[$i]) |             
           select -ExpandProperty sValue}            
       2 {$value = Invoke-WmiMethod -Class StdRegProv -Name GetExpandedStringValue -ArgumentList $hklm, $key, $($rc.sNames[$i]) |             
           select -ExpandProperty sValue}            
       3 {$value = Invoke-WmiMethod -Class StdRegProv -Name GetBinaryValue -ArgumentList $hklm, $key, $($rc.sNames[$i]) |             
           select -ExpandProperty uValue}            
       4 {$value = Invoke-WmiMethod -Class StdRegProv -Name GetDWORDValue -ArgumentList $hklm, $key, $($rc.sNames[$i]) |             
          select -ExpandProperty uValue}            
       7 {$value = Invoke-WmiMethod -Class StdRegProv -Name GetMultiStringValue -ArgumentList $hklm, $key, $($rc.sNames[$i]) |             
         select -ExpandProperty sValue}            
       default {Write-Warning "Could not process $($rc.sNames[$i]) - type $($rc.Types[$i])"}            
     }            
            
     $data += @{$($rc.sNames[$i]) = $value}            
            
                   
  }  ## end for            
              
}            
else {            
 Write-Error "WMI call to registry provider failed"            
}              
            
$data.GetEnumerator() | sort key

I’ve cheated for now and defined the NIC I’m interested in – Index =7 is my LAN connection.

I need to work with the HKLM hive so define the appropriate constant.

After getting the WMI object for the NIC – filter on Index I use the SettingID to define the registry key I need. The settingID looks like this - {01F4E3B7-5F1F-40BD-8252-DCC3331891C1}

The EnumValues method gives me the registry value names and types for that key. I can loop through them and call the appropriate method to read the registry value.

The data is output sorted by value name and looks like this

Name                           Value
----                           -----
AddressType                    0
DefaultGateway                 
DefaultGatewayMetric           
DhcpConnForceBroadcastFlag     0
DhcpGatewayHardware            {192, 168, 1, 1...}
DhcpGatewayHardwareCount       1
DhcpInterfaceOptions           {6, 0, 0, 0...}
DhcpServer                     255.255.255.255
Domain                                   
EnableDeadGWDetect             1
EnableDHCP                     0
IPAddress                      10.10.54.202
IsServerNapAware               0
Lease                          0
LeaseObtainedTime              1336923004
LeaseTerminatesTime            2147483647
NameServer                     10.10.54.201
RegisterAdapterName            0   
RegistrationEnabled            1   
SubnetMask                     255.255.255.0
T1                             1336923004
T2                             1336923004
UseZeroBroadcast               0  

This shows we have a static address – the fact that IPAddress is set and that EnableDHCP=0

Next time we will look at enabling DHCP and then setting the alternative configuration

PowerShell User Group Recodings

A number of the recent UK PowerShell group sessions are available as recordings for download.  The slides and demo scripts are usually included in the download package. They can be downloaded from my skydrive under the PowerShell User group folder.
https://skydrive.live.com/#cid=43CFA46A74CF3E96&id=43CFA46A74CF3E96%212469

The following sessions are available

2011 09 PowerShell remoting and end point customisation
2011 11 Whats new in PowerCLI 5
2011 12 Intro to WMI
2011 12 WSMAN_WMI_and_CIM
2012 January PowerShell v3 CTP 2 overview
2012 February PowerShell and SQL Server
2012 March CIM cmdlets
2012 April Powershell in Windows Server 8

This list will be updated periodically

Enjoy

Scripting Games 2012 comments: #15 pipelines

There are a few comments to make about using the pipeline but one of the obvious issues I saw from the games was this type of approach

$p = Get-Process
$p | where {$_.Name -like "powershell*"}

The only time this is valid is if you need to access exactly the same data later in your script.

In all other cases use

Get-Process | where {$_.Name -like "powershell*"}

if you want to split the lines to make it more readable the pipe symbol acts as a line continuation character so

Get-Process |
where {$_.Name -like "powershell*"}

is just as valid

PowerShell is all about the pipeline – use it to your advantage

UK PowerShell Group–May 2012

When: Tuesday, May 29, 2012 7:30 PM (BST)

Where: Virtual
*~*~*~*~*~*~*~*~*~*

This is the second of two meetings dealing with the new PowerShell functionality in Windows Server 8

Notes

Richard Siddaway has invited you to attend an online meeting using Live Meeting.
Join the meeting.
Audio Information
Computer Audio
To use computer audio, you need speakers and microphone, or a headset.
First Time Users:
To save time before the meeting, check your system to make sure it is ready to use Microsoft Office Live Meeting.
Troubleshooting
Unable to join the meeting? Follow these steps:

1. Copy this address and paste it into your web browser:
   https://www.livemeeting.com/cc/usergroups/join
2. Copy and paste the required information:
   Meeting ID: C5C7CT
   Entry Code: P[h/PKJ'7
   Location: https://www.livemeeting.com/cc/usergroups

If you still cannot enter the meeting, contact support

Notice
Microsoft Office Live Meeting can be used to record meetings. By participating in this meeting, you agree that your communications may be monitored or recorded at any time during the meeting.

Scripting Games 2012 comments: #14 local computer name

There are a number of ways to pass the names of the local machine into a script or function:

• use the actual name
• use the IP address (if the processing in the script can work with IP addresses)
• use 127.0.0.1 – the loop back address (if the processing in the script can work with IP addresses)
• use a dot  “.”  to signify the local machine
• use “localhost”
• use the environmental variable holding the machine name

Normally we don’t use any of the first three because you either have to type out the name – chance of error or the functionality within the script won’t accept IP addresses. Also the PSsession cmdlets only use computer names by default

Traditionally we have used . or localhost especially when working with WMI

Get-WmiObject -Class Win32_OperatingSystem -ComputerName .
Get-WmiObject -Class Win32_OperatingSystem -ComputerName localhost

There are a number of cmdlets that will accept a computer name as a parameter

PS> Get-Help * -Parameter ComputerName | select name

Name
----
Get-WinEvent
Get-Counter
Test-WSMan
Invoke-WSManAction
Connect-WSMan
Disconnect-WSMan
Get-WSManInstance
Set-WSManInstance
Remove-WSManInstance
New-WSManInstance
Invoke-Command
New-PSSession
Get-PSSession
Remove-PSSession
Receive-Job
Enter-PSSession
Get-EventLog
Clear-EventLog
Write-EventLog
Limit-EventLog
Show-EventLog
New-EventLog
Remove-EventLog
Get-WmiObject
Invoke-WmiMethod
Get-Process
Remove-WmiObject
Register-WmiEvent
Get-Service
Set-Service
Set-WmiInstance
Get-HotFix
Test-Connection
Restart-Computer
Stop-Computer

This works:

Get-Process -ComputerName .

but this throws an error

PS> Get-Process -ComputerName localhost
Get-Process : Couldn't connect to remote machine.
At line:1 char:12
+ Get-Process <<<<  -ComputerName localhost
    + CategoryInfo          : NotSpecified: (:) [Get-Process], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetProcessCommand

I’ve seen similar errors with Get-Eventlog

PS> Get-EventLog -List -ComputerName .

  Max(K) Retain OverflowAction        Entries Log
  ------ ------ --------------        ------- ---
  20,480      0 OverwriteAsNeeded      21,814 Application
     512      7 OverwriteOlder              0 DemoMate
  20,480      0 OverwriteAsNeeded           0 HardwareEvents
     512      7 OverwriteOlder              0 Internet Explorer
  20,480      0 OverwriteAsNeeded           0 Key Management Service
   8,192      0 OverwriteAsNeeded           3 Media Center
     512      7 OverwriteOlder              0 MyNewLog
     128      0 OverwriteAsNeeded         357 OAlerts
  20,480      0 OverwriteAsNeeded           1 Scripts
                                              Security
  20,480      0 OverwriteAsNeeded      56,225 System
  15,360      0 OverwriteAsNeeded      10,646 Windows PowerShell

PS> Get-EventLog -List -ComputerName localhost
Get-EventLog : The network path was not found.
At line:1 char:13
+ Get-EventLog <<<<  -List -ComputerName localhost
    + CategoryInfo          : NotSpecified: (:) [Get-EventLog], IOException
    + FullyQualifiedErrorId : System.IO.IOException,Microsoft.PowerShell.Commands.GetEventLogCommand

My solution and recommendation is to use the environmental variable for the computer name.

PS> Get-ChildItem -Path env: | where {$_.name -like "*computer*"}

Name                           Value
----                           -----
COMPUTERNAME                   RSLAPTOP01

The environment provider doesn’t allow the use of filters so we have to use where

How do we use this:

Get-WmiObject -Class Win32_OperatingSystem -ComputerName $env:COMPUTERNAME
Get-Process -ComputerName $env:COMPUTERNAME
Get-EventLog -List -ComputerName $env:COMPUTERNAME

It can also be used as the default value on a function parameter that asks for a computername – that way you get the local machine if you don’t specify a value to the parameter.

I have never seen this fail – doesn’t mean it can’t just that I’ve never seen it – and it has the advantage of being easier to read than using a dot

Scripting Games 2012 comments: #13 Default Printer

In one of the events you had to find the default printer. This can be done using WMI.

The full list of printers can seen using:

Get-WmiObject -Class Win32_Printer

If you want to examine the printer objecy – to determine what information is available - use get-member or select the first printer in the list

Get-WmiObject -Class Win32_Printer | select -f 1 | fl *

you will see that there is a property Default

PS> Get-WmiObject -Class Win32_Printer | Get-Member Default

   TypeName: System.Management.ManagementObject#root\cimv2\Win32_Printer

Name    MemberType Definition
----    ---------- ----------
Default Property   System.Boolean Default {get;set;}

which is Boolean i.e. it has to return true or false

Your first thought might ne to do this:

Get-WmiObject -Class Win32_Printer | where {$_.Default -eq $true}

but it would be better coding practice to do this:

Get-WmiObject -Class Win32_Printer | where {$_.Default}

On the local machine this is OK but if you are working remotely than all of the Win32_Printer objects would be returned and the filtering performed locally. Could be an expensive operation.

The better option is to use the –Filter parameter on Get-WmiObject

Get-WmiObject -Class Win32_Printer -Filter "Default = $true"

this only returns a single  object

If you want to use WQL then it becomes

Get-WmiObject -Query "SELECT * FROM Win32_Printer WHERE Default = $true"

In either case the filtering is done early to reduce the amount of data you are dealing with.

Remember – Filter early & format late

For more information on working with printers see chapter 10 of PowerShell and WMI – http://www.manning.com/powershellandwmi

Scripting Games 2012 comments: #12 date conversions

A few times in the games you were asked for date time based information. Now WMI has a lot of classes that return WMI information. It is in an awkward format though

PS> Get-WmiObject -Class Win32_OperatingSystem | fl *time*

CurrentTimeZone : 60
LastBootUpTime  : 20120505101515.296000+060
LocalDateTime   : 20120505192615.170000+060

This translates as:

Year – four digits
Month – two digits
Day - two digits
Hour - two digits
Minute - two digits
Second - two digits
.
millionth of second but is usually constrained to milliseconds
+
minutes difference from GMT (UTC)

Its readable but only if you are used to it.

Ideally we want to convert this to a more reasonable looking date such as

05 May 2012 19:35:03

It is possible to take the WMI information, break it up into its components – its is returned as a string – and create a datetime object. Alternatively you can hunt through the .NET classes and find some date conversion methods.

That’s the hard way.

The easy way is to use the built in functionality on the WMI class!

If you put a WMI class through get-member you will discover a couple of Scriptmethods at the end of the data

PS> Get-WmiObject -Class Win32_OperatingSystem | Get-Member -MemberType ScriptMethod

   TypeName: System.Management.ManagementObject#root\cimv2\Win32_OperatingSystem

Name                MemberType   Definition
----                ----------   ----------
ConvertFromDateTime ScriptMethod System.Object ConvertFromDateTime();
ConvertToDateTime   ScriptMethod System.Object ConvertToDateTime();

They are simple to use

If you need the rest of the data on the object

PS> $os = Get-WmiObject -Class Win32_OperatingSystem
PS> $os.ConvertToDateTime($os.LastBootUpTime)

05 May 2012 10:15:15

or if only want the last bootup time

PS> $os = [wmiclass]"\\.\root\cimv2:Win32_OperatingSystem"
PS> $os.ConvertToDateTime($(Get-WmiObject Win32_OperatingSystem | select -ExpandProperty LastBootUpTime))

05 May 2012 10:15:15

There are variations on these themes.

The conversion routines can be used in calculated fields in select and format cmdlets

See PowerShell and WMI chapters 3 and 4 for more details - http://www.manning.com/powershellandwmi

Scripting Games 2012 comments: #11–its true

The games are over for another year. The number of entries was huge – 150% increase over last year. Congratulations to the winners and to everyone who took part.

One thing I noticed was the number of scripts that made testing booleans harder than it needed to be.

A boolean can take one of two values – True or False. These are represented in PowerShell by $true and $false respectively

Lets create a couple of variables

PS> $x = $true
PS> $x
True
PS> $y = $false
PS> $y
False

A common test was:

PS> $a = $true
PS> $b = $false

PS> if ($a -eq $true){"Do something"}
Do something

or you might see

PS> if ($b -ne $true){"Do something else"}
Do something else

These work and are perfectly understandable.

They can be made simpler

PS> if ($a){"Do something"}
Do something

we get two ways of testing false using the –not operator and its alias of !

PS> if (-not $b){"Do something else"}
Do something else
PS> if (! $b){"Do something else"}
Do something else

Just as a final test to show this really works

PS> if ($b){"Do something"}else{"Do something else"}
Do something else

The thing to remember is that on an if statement or anywhere else where a condition is being tested it has to resolve to true or false. In this case the variable (or object property) already carries a boolean value so we can use it directly.

Its not a big saving but will mount up over time – keeps the scripts simpler and therefore keeps the errors down

PowerShell news April 2012

As April comes to close so does the extension for grading scripts in the recent games. I’ve been so busy grading haven’t had time to blog about the games. I’ll start to catch up on the backlog over the next few weeks.  This years games have been huge with more than 150% growth in the number of scripts submitted. That is a lot of PowerShell.

The Deep Dive starts tonight – with keynotes tomorrow. This is shaping up to be the PowerShell event of the year.

Powershell and WMI will be available very soon.

Advanced Powershell - http://www.manning.com/jones2/ is well on the way and still on target for a release soon after Windows 8 and Powershell v3

Windows 8/windows 2012 release candidate will be with us in early June. Already had one user group session on the topic and there will be another one in May

UK PowerShell Group–April 2012 slides and recording

The slides, demo script and recording are available from

https://skydrive.live.com/?cid=43cfa46a74cf3e96#cid=43CFA46A74CF3E96&id=43CFA46A74CF3E96%212957

Thank you again to everyone who attended the Live Meeting this evening

Reminder–UK User group 24 April

Quick reminder that 24 April sees the first of 2 sessions on new PowerShell functionality in Windows 2012 – Windows Server 8

Details from

http://msmvps.com/blogs/richardsiddaway/archive/2012/04/13/uk-powershell-group-24-april-2012.aspx

Scripting Games 2012 comments: #10 Advanced event 5

http://blogs.technet.com/b/heyscriptingguy/archive/2012/04/06/2012-scripting-games-advanced-event-5-list-errors.aspx

This is the one I was asked to supply a commentary for

http://blogs.technet.com/b/heyscriptingguy/archive/2012/04/20/expert-commentary-2012-scripting-games-advanced-event-5.aspx

This one has raised an interesting interpretation issues.  The last design point asks:

• Your output should be organized such that the largest source of errors appears at the top of the output.

The figure shows the data sorted by Event source  

I read the design point as log with the largest number of errors comes first.  The script I produced for the commentary doesn’t meet that last design point so I’ve revised it

#Requires -Version 2            
function Get-EventEntryCount{             
[CmdletBinding()]             
param (             
 [parameter(Position=0,            
   ValueFromPipeline=$true,             
   ValueFromPipelineByPropertyName=$true)]            
 [Alias("CN", "Computer")]              
 [string[]]$computername="$env:COMPUTERNAME",            
            
 [parameter(Position=1)]            
 [ValidateSet("Error", "Information", "FailureAudit", "SuccessAudit", "Warning", "All", "*")]            
 [string]$eventtype="Error"             
)             
BEGIN{            
  $currentUser = [Security.Principal.WindowsIdentity]::GetCurrent()            
  $testadmin = `
  (New-Object Security.Principal.WindowsPrincipal $currentUser).IsInRole(`
  [Security.Principal.WindowsBuiltinRole]::Administrator)            
              
  if (!$testadmin){            
   Throw "Must be run with elevated privileges"            
  }            
}#begin             
PROCESS{            
  foreach ($computer in $computername ){            
    switch ($computer) {            
     "."         {$computer="$env:COMPUTERNAME"}            
     "localhost" {$computer="$env:COMPUTERNAME"}            
    }            
            
    Write-Verbose "Processing computer: $computer"            
                
    $data = @()            
    if (Test-Connection -ComputerName $computer -Count 1 -Quiet){            
            
    Write-Verbose "Starting Remote Registry service on $computer"            
    $origrrsrv = Get-WmiObject -Class Win32_Service -Filter "Name='RemoteRegistry'" `
    -ComputerName $computer            
            
    if ($origrrsrv.StartMode -eq "Disabled") {            
      Set-Service -Name RemoteRegistry -ComputerName $computer -StartupType "Manual"            
    }            
            
    if ($origrrsrv.State -ne "Running") {            
      $origrrsrv.StartService() | Out-Null            
    }            
            
    Write-Verbose "Retrieving logs for $computer"            
                  
    Get-EventLog -List -ComputerName $computer |            
    foreach {            
      $log = $_.Log            
      Write-Verbose "Processing log: $log"            
                    
      if ($_.Entries.Count -gt 0) {            
         Write-Debug "Processing event type $eventtype"            
                      
         $n = Get-EventLog -LogName $($_.Log) -EntryType $eventtype -ComputerName $computer `
         -ErrorAction SilentlyContinue            
                      
         if ($n -ne $null){            
           Write-Debug "Entries found"            
           $n | group Source -NoElement |             
           foreach{            
                       
              $data += New-Object -TypeName PSObject -Property @{            
                 ComputerName = $computer            
                 LogName = $log            
                 EntryType = $eventtype            
                 EntrySource = $($_.Name)            
                 EntryCount = $($_.Count)            
             }            
           }            
         }            
       }  # end if entries            
       else {            
         Write-Verbose "$($computer): $log is empty"            
       }            
                    
            
        if ($origrrsrv.State -eq "Stopped") {            
          $origrrsrv.StopService() | Out-Null            
        }            
            
        if ($origrrsrv.StartMode -eq "Disabled") {            
          Set-Service -Name RemoteRegistry -ComputerName $computer -StartupType "Disabled"            
        }            
            
     } # end of log processing foreach            
   }            
   else {            
     Write-Warning "Cannot contact $computer"            
   } # end if ping            
   Write-Output $data             
 } ## end computer foreach            
}#process             
END{}#end            
            
<# 
.SYNOPSIS
Counts the number of entries of a given type
in the event logs of a system

.DESCRIPTION
One or more computers - from pipeline or parameter -  are
accessed to read the envent logs and count the entries of a 
given type. Empty logs are tested and the count is set to zero

.PARAMETER  computername
Name of computer for which log information
is to be retrieved

.PARAMETER  eventtype
Log entry type to count.
Accepted values are - 
"Error", "Information", "FailureAudit", 
"SuccessAudit", "Warning", "All", "*"

.EXAMPLE
Get-EventEntryCount 

Accesses logs on local machine. Peforms default display

.EXAMPLE
Get-EventEntryCount -computername "." | 
sort LogName, EntryCount -Descending | 
Format-Table EntrySource, EntryCount -GroupBy LogName

Accesses logs on local machine. Format display and group by logname

.EXAMPLE
"dc02", "webr201", "server02" | 
Get-EventEntryCount | 
sort Computer, LogName, EntryCount -Descending | 
Format-Table Logname, EntrySource, EntryCount -GroupBy Computer

Accesses logs on remote machines. Computer names accepted from pipeline.
Format display and group by computer

.EXAMPLE
Get-EventEntryCount -computername "dc02", "webr201", "server02" |
sort Computer, LogName, EntryCount -Descending | 
Format-Table Logname, EntrySource, EntryCount -GroupBy Computer

Accesses logs on remote machines. Computer names accepted as array.
Format display and group by computer

.INPUTS
Computer name - string or string array
Envent type - string. Must be member of set

.OUTPUTS
Returns a custom object with
properties:
ComputerName - name of computer
LogName - name of log
EntryType - Type of log entry
EntryCount - count of entries
EntrySource - event source

.NOTES


.LINK

#>            
            
}

Scripting Games 2012 comments: #9 Beginners event 5

Beginners event 5

http://blogs.technet.com/b/heyscriptingguy/archive/2012/04/06/2012-scripting-games-beginner-event-5-provide-a-source-and-errors.aspx

Looking for problem applications. Need report from each server form application log listing source and number of errors.

Requirements:

• should be capable of running against remote machine
• doesn't need to run remotely for this scenario
• don't need to check for admin rights
• assume have permissions to query application log
• use standard PowerShell cmdlets
• solution should be simple and straightforward
• don't need to write to text file BUT should should be easily redirectable when needed
• don't need comment based help
• extra points for sorting so source with greatest number of errors at top of list

Reading the event log using standard PowerShell cmdlets -  what do we have available?

Get-Command *event* -CommandType cmdlet

shows a bunch of cmdlets. Lets narrow it down

Get-Command *eventlog* -CommandType cmdlet

shows that Get-EventLog is a good choice.

NOTE: Get-WinEvent is also available but the syntax can be more convoluted. As we are reading a classic event log Get-Eventlog is the simplest solution.

What parameters do we have available?

PS> Get-Help Get-EventLog

NAME
    Get-EventLog

SYNOPSIS
    Gets the events in an event log, or a list of the event logs, on the local or remote computers.

SYNTAX
 

Get-EventLog [-AsString] [-ComputerName <string[]>] [-List] [<CommonParameters>]

Get-EventLog [-LogName] <string> [[-InstanceId] <Int64[]>] [-After <DateTime>] [-AsBaseObject]
[-Before <DateTime>] [-ComputerName <string[]>] [-EntryType <string[]>] [-Index <Int32[]>]
[-Message <string>] [-Newest <int>] [-Source<string[]>] [-UserName <string[]>] [<CommonParameters>]

Look at the synopsis – local or remote computers. Computername for local/remote machines. EntryType gives the type of entry. Thats about it.

PS> Get-Help Get-EventLog -Parameter EntryType

-EntryType <string[]>
    Gets only events with the specified entry type. Valid values are Error, Information, FailureAudit, SuccessAudit, and Warning. The default is all events.

    Required?                    false
    Position?                    named
    Default value                All events
    Accept pipeline input?       false
    Accept wildcard characters?  false

What does an entry look like?

PS> Get-EventLog -LogName Application | select -f 1 | Format-List

Index              : 83084
EntryType          : Information
InstanceId         : 1073872902
Message            : BBSvc has stopped.
Category           : (0)
CategoryNumber     : 0
ReplacementStrings : {BBSvc}
Source             : BBSvc
TimeGenerated      : 17/04/2012 18:00:17
TimeWritten        : 17/04/2012 18:00:17
UserName           :

We have an entry type so we can select on that and we have a source.  How can we can the total number of entries per source?

PS> Get-EventLog -LogName Application -EntryType Error | group Source

Count Name                      Group
----- ----                      -----
  166 SideBySide                {System.Diagnostics.EventLogEntry, System.Di
   27 Application Error         {System.Diagnostics.EventLogEntry, System.Di
    1 System Restore            {System.Diagnostics.EventLogEntry}
    2 Microsoft-Windows-Rest... {System.Diagnostics.EventLogEntry, System.Di
    3 VSS                       {System.Diagnostics.EventLogEntry, System.Di
   20 Application Hang          {System.Diagnostics.EventLogEntry, System.Di
    1 MsiInstaller              {System.Diagnostics.EventLogEntry}

All we need is the Count and the name so we can use the –NoElement parameter

PS> Get-EventLog -LogName Application -EntryType Error | group Source -NoElement

Count Name
----- ----
  166 SideBySide
   27 Application Error
    1 System Restore
    2 Microsoft-Windows-Rest...
    3 VSS
   20 Application Hang
    1 MsiInstaller

But  we want them in descending order – actually requirements state largest number of errors at the top of the list which we already have but we will show willing and actually sort the list

PS> Get-EventLog -LogName Application -EntryType Error |
group Source -NoElement | sort Count -Descending

Count Name
----- ----
  166 SideBySide
   27 Application Error
   20 Application Hang
    3 VSS
    2 Microsoft-Windows-Rest...
    1 MsiInstaller
    1 System Restore

If you want to see the whole name

PS> Get-EventLog -LogName Application -EntryType Error | group Source -NoElement |
sort Count -Descending | Format-table Count, Name -AutoSize

Count Name
----- ----
  166 SideBySide
   27 Application Error
   20 Application Hang
    3 VSS
    2 Microsoft-Windows-RestartManager
    1 MsiInstaller
    1 System Restore

We haven’t shown how to access a remote machine

PS> Get-EventLog -LogName Application -EntryType Error -Computername $env:COMPUTERNAME |
group Source -NoElement | sort Count -Descending | Format-table Count, Name –AutoSize

saving to a file:

PS> Get-EventLog -LogName Application -EntryType Error -Computername $env:COMPUTERNAME |
group Source -NoElement | sort Count -Descending | Format-table Count, Name -AutoSize |
Out-File beg5.txt

is legitimate and gives you exactly what you see on screen – though object police will scream at you for using format-table so if you want to conform try

PS> Get-EventLog -LogName Application -EntryType Error -Computername $env:COMPUTERNAME |
group Source -NoElement | sort Count -Descending | Out-File beg5.txt

but long source names may be truncated

if you really want to demonstrate you know what you are doing

PS> Get-EventLog -LogName Application -EntryType Error -Computername $env:COMPUTERNAME |
group Source -NoElement | sort Count -Descending | Tee-Object -FilePath beg5.txt

tee-object writes to a file and passes along pipeline to finally display

don’t use Add-Content or Set-Content as as all you will get is a set of lines like this

Microsoft.PowerShell.Commands.GroupInfoNoElement

These cmdlets don’t resolve the objects to the data

The Get-WinEvent syntax would be

Get-WinEvent -ComputerName $env:COMPUTERNAME -FilterHashtable @{'LogName'='Application'; 'Level'=2}

which to my mind isn’t as simple as Get-EventLog.

And finally if you just can’t live without aliases – get-eventlog doesn’t have one.