January 2009 - Posts

WQL Wildcards

WQL is a SQL like language. We use parts of it in the filter parameter of Get-WmiObject.

Get-WmiObject -Class Win32_Service -Filter "Name like '%DNS%'" -ComputerName DC02

WQL has a number of operators including

=, <, >, <=, >=    which mean what you would expect

!= or <>   mean not equal

IS NULL and IS NOT NULL can be used to test nulls

LIKE is used to test character matching and uses the following wildcards

[ ]
Any one character within the specified range ([a-f]) or set ([abcdef]).

^
Any one character not within the range ([^a-f]) or set ([^abcdef]).

%
Any string of 0 (zero) or more characters.

_ (underscore)
Any one character. Any literal underscore used in the query string must be escaped by placing it inside [] (square brackets).

% is in effect the equivalent of the wildcard * we are used to in PowerShell strings.

In PowerShell v2 we can use

Get-Service *dns* -ComputerName DC02

as an alternative.
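Because the -Filter string is handed to WMI as WQL, a pattern built from user input can change the query unless the LIKE specials and quotes are escaped. This added example (not from the original post; ConvertTo-WqlLike and Get-ServiceByPattern are hypothetical helper names) converts a PowerShell-style wildcard into a safe LIKE pattern and uses it with Get-WmiObject.

```powershell
# Convert a PowerShell-style wildcard pattern (* and ?) to a WQL LIKE pattern.
# Characters special to LIKE (% _ [) are wrapped in [] so they match literally,
# and single quotes are doubled so the pattern cannot break out of the
# -Filter string. Hypothetical helper, added for illustration.
function ConvertTo-WqlLike {
    param([Parameter(Mandatory=$true)][string]$Pattern)
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Pattern.ToCharArray()) {
        switch ([string]$c) {
            '*'     { [void]$sb.Append('%') }     # any run of characters
            '?'     { [void]$sb.Append('_') }     # exactly one character
            '%'     { [void]$sb.Append('[%]') }   # literal percent sign
            '_'     { [void]$sb.Append('[_]') }   # literal underscore (as the post notes)
            '['     { [void]$sb.Append('[[]') }   # literal opening bracket
            "'"     { [void]$sb.Append("''") }    # quote inside a WQL string literal
            default { [void]$sb.Append($c) }
        }
    }
    $sb.ToString()
}

# Query Win32_Service by name pattern, optionally on a remote machine.
function Get-ServiceByPattern {
    param(
        [Parameter(Mandatory=$true)][string]$NamePattern,
        [string]$ComputerName = '.'
    )
    $like = ConvertTo-WqlLike -Pattern $NamePattern
    Get-WmiObject -Class Win32_Service -ComputerName $ComputerName `
        -Filter "Name LIKE '$like'"
}

# Same query as the post, with the wildcard translated for us.
Get-ServiceByPattern -NamePattern '*dns*' -ComputerName DC02

# Constructed hostile input: the quote and underscore become literal text,
# so this matches no service rather than widening the filter.
ConvertTo-WqlLike -Pattern "svc_A' OR Name LIKE '*"
```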


Posted by Richard Siddaway's Blog
Filed under:

Get-WinEvent pt2

In this post http://richardsiddaway.spaces.live.com/blog/cns!43CFA46A74CF3E96!1976.entry I showed how to use Get-WinEvent to read event logs.  You can also use it to read backup files - .evt files

Get-WinEvent -Path H:\test\applog.evt -MaxEvents 10 -Oldest

-MaxEvents is to restrict the output while testing. -Oldest is required as the files are read in chronological order and you get an error without it

PS> Get-WinEvent -Path H:\test\applog.evt -MaxEvents 10
Get-WinEvent : Event log file 'H:\test\applog.evt' can only be read in the forward chronological order because it is an ETL or an EVT file. All events returned from  a query containing this file will be returned in the forward chronological order. If you want to see events from 'H:\test\applog.evt', re-run your command specifying '-Oldest' switch.
At line:1 char:13
+ Get-WinEvent <<<<  -Path H:\test\applog.evt -MaxEvents 10
    + CategoryInfo          : InvalidArgument: (H:\test\applog.evt:String) [Get-WinEvent], Exception
    + FullyQualifiedErrorId : SpecifyOldestForEtlEvt,Microsoft.PowerShell.Commands.GetEventCommand

Now we have the makings of a system to analyse current and historical logs


PowerShell UG meeting

When: Wednesday, Jan 21, 2009 6:30 PM (GMT)

Where: Reading UK

*~*~*~*~*~*~*~*~*~*

The meeting for 21 January is at 6.30pm

Memphis Room

Building 3

Microsoft Campus TVP

Reading  UK

We have a Live Meeting with Jeffrey Snover talking about PowerShell v2

Pizza break

Jeremy Pack PowerShell demo

If you haven't already done so please let me know if you are coming

Richard Siddaway has invited you to attend an online meeting using Live Meeting.
  1. Copy this address and paste it into your web browser:
    https://www.livemeeting.com/cc/usergroups/join
  2. Copy and paste the required information:
    Meeting ID: BHMJ3Z
    Entry Code: xr5f$:Z/c
    Location: https://www.livemeeting.com/cc/usergroups



Forfiles

In the January 2009 issue of Windows IT Pro there is an article by Mark Minasi http://windowsitpro.com/article/articleid/100643/forfiles-processes-scriptswithout-scripts.html about using the forfiles utility from the command line. This is available in Vista or the resource kits.

PowerShell can achieve exactly the same goals, and since it is built into the next versions of Windows it is a better way forward:

To view the files in a folder

Get-ChildItem -Path f:\personal

To only view files starting with s*

Get-ChildItem -Path f:\personal\s*

Get-ChildItem -Path f:\personal -Filter S*

Alternatively try

Get-ChildItem -Path f:\personal -include *.pdf -Recurse

The -Include parameter only works when -Recurse is specified to also test subfolders

OK, straightforward stuff so far, but the next bit was interesting: how to filter by date of modification

Want to see anything altered in the last 10 days

Get-ChildItem -Path f:\personal | Where{$_.LastWriteTime -gt (get-date).AddDays(-10)}

Want to see anything altered since a specific date

Get-ChildItem -Path f:\personal | Where{$_.LastWriteTime -gt [datetime]"01/02/2009"}

or before a specific date

Get-ChildItem -Path f:\personal | Where{$_.LastWriteTime -lt [datetime]"01/02/2009"}

Other properties such as file size could also be used. The other good thing about using PowerShell is a consistent syntax.
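Note that [datetime]"01/02/2009" is parsed with the machine's culture, so it is 2 January on a UK box and 1 February on a US one. This added example (not from the original post; Get-ModifiedFile is a hypothetical helper) generalises the three date filters above into one function that parses dates with an explicit format and can also restrict by extension, which is handy when checking what scripts or executables changed recently.

```powershell
# List files in a folder tree whose LastWriteTime falls in [Since, Before).
# Dates are parsed as yyyy-MM-dd with the invariant culture so the result does
# not depend on the regional settings of the machine running the script.
function Get-ModifiedFile {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [string]$Since,                  # 'yyyy-MM-dd'; omit for no lower bound
        [string]$Before,                 # 'yyyy-MM-dd'; omit for no upper bound
        [string[]]$Extension = @(),      # e.g. '.ps1','.exe'; empty means all files
        [switch]$Recurse
    )
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $from = if ($Since)  { [datetime]::ParseExact($Since,  'yyyy-MM-dd', $culture) } else { [datetime]::MinValue }
    $to   = if ($Before) { [datetime]::ParseExact($Before, 'yyyy-MM-dd', $culture) } else { [datetime]::MaxValue }

    Get-ChildItem -Path $Path -Recurse:$Recurse |
        Where-Object { -not $_.PSIsContainer } |
        Where-Object { $_.LastWriteTime -ge $from -and $_.LastWriteTime -lt $to } |
        Where-Object { $Extension.Count -eq 0 -or $Extension -contains $_.Extension } |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, LastWriteTime, Length
}

# Same as the post's "last 10 days" query, limited to scripts and executables.
$since = (Get-Date).AddDays(-10).ToString('yyyy-MM-dd')
Get-ModifiedFile -Path 'f:\personal' -Since $since -Extension '.ps1', '.exe' -Recurse

# Before a specific date, unambiguous whatever the locale.
Get-ModifiedFile -Path 'f:\personal' -Before '2009-01-02'
```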


PowerShell Jobs on Vista Home

One issue that came up during the testing for CTP 3 was that of using Winrm on Vista Home. This has implications for PowerShell remoting and running asynchronous jobs. Initially we found that the only way to be able to use Winrm was if UAC was disabled. Not satisfactory.

The solution is to disable UAC filtering for local accounts by creating the following DWORD registry entry and setting its value to 1:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
LocalAccountTokenFilterPolicy (DWORD) = 1

This works on Vista Home and if you are in a workgroup.

The other thing to be aware of is that the configuration of Winrm is now accomplished using some specific cmdlets and functions. The details are contained in the Release Notes but briefly

If you have upgraded from the Windows PowerShell V2 CTP2 release to the Windows PowerShell V2 CTP3 release, run the following command to configure your system for WS-Management remoting:

Unregister-PSSessionConfiguration * -Force

Register-PSSessionConfiguration Microsoft.PowerShell -Force

Enable-PSRemoting -Force

If  this is a new installation of PowerShell version 2 then ensure that the Winrm service is running and

use

Enable-PSRemoting -Force

To see what other commands act on remoting and session configuration

get-command *pssession
Get-Command *psremoting
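Setting LocalAccountTokenFilterPolicy to 1 means every local administrator account gets a full, unfiltered token when it connects over the network, so a stolen local admin password on a workgroup box reaches further than it otherwise would. This added example (not from the original post; the two function names are hypothetical) reports the current state of that value and of the WinRM service, and only changes the value when asked, with -WhatIf support.

```powershell
# Registry location from the post; the value is absent (filtering on) by default.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$regName = 'LocalAccountTokenFilterPolicy'

# Report whether remote UAC token filtering is still in force and whether
# the WinRM service that remoting and jobs depend on is running.
function Get-LocalAccountTokenFilterPolicy {
    $item  = Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue
    $value = if ($item) { $item.$regName } else { $null }
    New-Object PSObject -Property @{
        Value          = $value
        RemoteFiltered = ($value -ne 1)      # $null or 0: local admins get a filtered token
        WinRMRunning   = ((Get-Service -Name WinRM).Status -eq 'Running')
    }
}

# Set the value (1 disables filtering, 0 restores the default behaviour).
# SupportsShouldProcess gives us -WhatIf and -Confirm for free.
function Set-LocalAccountTokenFilterPolicy {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([ValidateSet(0, 1)][int]$Value = 1)
    if ($PSCmdlet.ShouldProcess("$regPath\$regName", "set to $Value")) {
        Set-ItemProperty -Path $regPath -Name $regName -Value $Value -Type DWord
    }
}

Get-LocalAccountTokenFilterPolicy
Set-LocalAccountTokenFilterPolicy -Value 1 -WhatIf   # show what would change, change nothing
```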


Provider Help

One useful nugget from the PowerShell help system.  If you want to find out more about working with a particular provider try

Get-Help Registry

for instance.  You can substitute other provider names as required.

You can find the provider names using get-psprovider.

Note that not all providers will give you a help file.


CTP3 – Test-Connection

Another useful piece of functionality built into CTP 3 is Test-Connection.  Think ping in PowerShell.

The cmdlet uses the Win32_PingStatus class and can return an interesting set of properties

Address
BufferSize
NoFragmentation
PrimaryAddressResolutionStatus
ProtocolAddress
ProtocolAddressResolved
RecordRoute
ReplyInconsistency
ReplySize
ResolveAddressNames
ResponseTime
ResponseTimeToLive
RouteRecord
RouteRecordResolved
SourceRoute
SourceRouteType
StatusCode
Timeout
TimeStampRecord
TimeStampRecordAddress
TimeStampRecordAddressResolved
TimestampRoute
TimeToLive
TypeofService

By default the following are returned

PS> Test-Connection -Destination test1

Source        Destination     IPV4Address      IPV6Address                              Bytes    Time(ms)
------        -----------     -----------      -----------                              -----    --------
test1         pcrs2           192.168.196.137  fe80::141b:35ab:a790:e260                32       0
test1         pcrs2           192.168.196.137  fe80::141b:35ab:a790:e260                32       0
test1         pcrs2           192.168.196.137  fe80::141b:35ab:a790:e260                32       0
test1         pcrs2           192.168.196.137  fe80::141b:35ab:a790:e260                32       0

Notice that IPv4 and IPv6 addresses are returned


CTP3 – Get-WinEvent

Windows Vista and 2008 introduced the new Windows eventing technology.  We have looked at the classic event logs using the *EventLog cmdlets discussed in recent posts.

PowerShell CTP 2 introduced a Get-Event cmdlet that could be used to read the new breed of event logs. In CTP 3 this has been renamed to Get-WinEvent.

We start by getting a list of the logs available

Get-WinEvent -ListLog *

The classic logs will be displayed as well as the new ones.  We can also read .evt files with get-WinEvent.  This means we can read backup files for logs.

Get-WinEvent allows you to filter events by using XPath queries, structured XML queries, and simplified hash-table queries.

We can read classic logs

Get-WinEvent -LogName Application -MaxEvents 10

MaxEvents restricts the number of events that are returned.

We can also read from the bottom of the log

Get-WinEvent -LogName Application -MaxEvents 10 -Oldest

The new style logs are accessed as

Get-WinEvent -LogName Microsoft-Windows-Help/Operational

One really useful piece of information is the event log sources; these can be found with

Get-WinEvent -ListLog * | Select Logname, ProviderNames

This leads to us being able to query the event log directly by Provider (source)
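Putting the Get-WinEvent pt2 post (reading backed-up .evt files, which need -Oldest) together with the provider query described here, this added example (not from the original posts; Get-EventSummary is a hypothetical helper) counts events by provider and ID from either a live log or an archive file, using the hashtable query form.

```powershell
# Summarise events by provider and event ID. Pass -LogName for a live log or
# -Path for a backed-up .evt/.evtx file; file reads are forced to -Oldest, which
# is exactly what the SpecifyOldestForEtlEvt error asks for.
function Get-EventSummary {
    param(
        [string]$LogName,
        [string]$Path,
        [string]$ProviderName,               # optional source filter, e.g. 'Service Control Manager'
        [int]$MaxEvents = 1000,
        [string]$ComputerName = 'localhost'  # only used for live logs
    )
    # Build the simplified hashtable query mentioned in the post.
    $query = @{}
    if     ($Path)    { $query.Path = $Path }
    elseif ($LogName) { $query.LogName = $LogName }
    else              { throw 'Specify -LogName or -Path' }
    if ($ProviderName) { $query.ProviderName = $ProviderName }

    $params = @{ FilterHashtable = $query; MaxEvents = $MaxEvents; ErrorAction = 'Stop' }
    if ($Path) { $params.Oldest = $true }               # required for .evt and .etl files
    else       { $params.ComputerName = $ComputerName } # archive files are read locally

    Get-WinEvent @params |
        Group-Object ProviderName, Id |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Provider'; e = { $_.Group[0].ProviderName } },
            @{ n = 'Id';       e = { $_.Group[0].Id } },
            @{ n = 'Sample';   e = { $_.Group[0].Message -replace '\s+', ' ' } }
}

# Current log on this machine, then the archived log from the pt2 post (path assumed).
Get-EventSummary -LogName Application -MaxEvents 500
Get-EventSummary -Path 'H:\test\applog.evt' -ProviderName 'Service Control Manager'
```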


CTP3 – Remote Access

The ability to administer remote machines was one of the biggest requests for PowerShell v2.  As well as the ability to use PowerShell remoting through WSMAN a number of PowerShell cmdlets get direct access to remote machines by having a –ComputerName parameter.  Get-WMIObject had this in PowerShell version 1 and the ability has spread. 

To find out which cmdlets have this parameter try this

Get-Help * -Parameter ComputerName | Sort Name

The list I got back included

Add-Computer
Clear-EventLog
Enter-PSSession
Get-Counter
Get-EventLog
Get-HotFix
Get-Process
Get-PSSession
Get-Service
Get-WinEvent
Get-WmiObject
Invoke-Command
Invoke-WmiMethod
Limit-EventLog
New-EventLog
New-PSSession
Out-SDMRSOPLoggingReport
Receive-Job
Remove-Computer
Remove-EventLog
Remove-PSSession
Remove-WmiObject
Rename-Computer
Reset-ComputerMachinePassword
Restart-Computer
Set-Service
Set-WmiInstance
Show-EventLog
Stop-Computer
Write-EventLog

As a special New Year competition – one of these is the odd one out.  Which one and why?

A special No Prize to the first correct answer. 

And an even bigger No Prize if you know where that phrase comes from.


CTP3 – Get-Counter

All admins will be familiar with performance counters and their use in diagnosing issues with systems.  Now you can access them in PowerShell using Get-Counter.

Get-Counter -ListSet *

will provide a list of the counters available on your system.  This is rather a lot of information so we can use

Get-Counter -ListSet * | Select CounterSetName

to just show us the names of the sets of counters.  Everyone wants to know how their processor is doing so we can see what is available in the processor set

PS> Get-Counter -ListSet processor

CounterSetName     : Processor
MachineName        : .
CounterSetType     : MultiInstance
Description        : The Processor performance object consists of counters that measure aspects of processor activity The processor is the part of the computer that performs arithmetic and logical computations, initiates operations on peripherals, and runs the threads of processes.  A computer can have multiple processors.  The processor object represents each processor as an instance of the object.
Paths              : {\Processor(*)\% Processor Time, \Processor(*)\% User Time, \Processor(*)\% Privileged Time, \Processor(*)\Interrupts/sec...}
PathsWithInstances : {\Processor(0)\% Processor Time, \Processor(1)\% Processor Time, \Processor(_Total)\% Processor Time, \Processor(0)\% User Time...}
Counter            : {\Processor(*)\% Processor Time, \Processor(*)\% User Time, \Processor(*)\% Privileged Time, \Processor(*)\Interrupts/sec...}

We need the counter paths to be able to use them

PS> (Get-Counter -ListSet processor).Paths
\Processor(*)\% Processor Time
\Processor(*)\% User Time
\Processor(*)\% Privileged Time
\Processor(*)\Interrupts/sec
\Processor(*)\% DPC Time
\Processor(*)\% Interrupt Time
\Processor(*)\DPCs Queued/sec
\Processor(*)\DPC Rate
\Processor(*)\% Idle Time
\Processor(*)\% C1 Time
\Processor(*)\% C2 Time
\Processor(*)\% C3 Time
\Processor(*)\C1 Transitions/sec
\Processor(*)\C2 Transitions/sec
\Processor(*)\C3 Transitions/sec

So using

PS> Get-Counter -Counter "\Processor(*)\% Processor Time"

gives samples like this, once every second.

05/01/2009 20:15:56       \\pcrs2\processor(0)\% processor time :
                          7.24578223708658

                          \\pcrs2\processor(1)\% processor time :
                          1.4486436269045

                          \\pcrs2\processor(_total)\% processor time :
                          4.34721293199554


Notice that I get a value for each processor & the total.

We can control the number of samples and the interval with -MaxSamples and -SampleInterval respectively. The sample interval is in seconds.

Best of all, by using the -ComputerName parameter we can access counters on remote machines. This will give us a quick way of checking on our servers.
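The sample objects Get-Counter returns carry a CounterSamples collection whose entries expose Path, InstanceName, CookedValue and Timestamp. This added example (not from the original post; Watch-ProcessorLoad is a hypothetical helper) uses -ComputerName, -MaxSamples and -SampleInterval together to poll several servers and flag any sample where the _Total instance exceeds a threshold.

```powershell
# Poll % Processor Time on one or more machines and report the _Total instance
# per sample, marking samples above a threshold. Server names are placeholders.
function Watch-ProcessorLoad {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$MaxSamples = 5,
        [int]$SampleInterval = 2,        # seconds between samples
        [double]$Threshold = 80.0        # percent
    )
    $sets = Get-Counter -ComputerName $ComputerName `
                        -Counter '\Processor(*)\% Processor Time' `
                        -MaxSamples $MaxSamples -SampleInterval $SampleInterval
    foreach ($set in $sets) {
        foreach ($sample in $set.CounterSamples) {
            # Skip the per-processor instances; the post's output shows _total
            if ($sample.InstanceName -ne '_total') { continue }
            # Path looks like \\pcrs2\processor(_total)\% processor time,
            # so the machine name is the third element after splitting on '\'
            $machine = ($sample.Path -split '\\')[2]
            New-Object PSObject -Property @{
                Time    = $set.Timestamp
                Machine = $machine
                Load    = [math]::Round($sample.CookedValue, 1)
                High    = ($sample.CookedValue -gt $Threshold)
            }
        }
    }
}

# Ten samples two seconds apart from two servers, showing only the busy ones.
Watch-ProcessorLoad -ComputerName 'server1', 'server2' -MaxSamples 10 -Threshold 75 |
    Where-Object { $_.High }
```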

One more reason PowerShell should be always open and ready to use.

One thing I must do is try this with PowerGadgets...

Alternatively a simple WPF application with some counters updating would be cool. Hmm, something to think about.


CTP3 – CheckPoint-Computer

In this post http://richardsiddaway.spaces.live.com/blog/cns!43CFA46A74CF3E96!1967.entry we looked at how to list the available restore points with Get-ComputerRestorePoint. We can use PowerShell to create a new restore point

Checkpoint-Computer -Description "testing cmdlet" -RestorePointType MODIFY_SETTINGS

The only parameters are a description and the type. Available types are APPLICATION_INSTALL, APPLICATION_UNINSTALL, DEVICE_DRIVER_INSTALL, MODIFY_SETTINGS and CANCELLED_OPERATION


CTP3 - PowerShell start up speed

One thing I have really noticed is how quickly CTP3 starts and is ready to use. Much the fastest start we've had in PowerShell.


TechEd Online Bloggers

One of the innovations at TechEd this year was a blog aggregator. It is still going at http://msdn.microsoft.com/en-us/events/teched/cc531163.aspx

The bloggers that contribute are a really good cross-section of the IT Community.  The current list of contributors can be found at http://msdn.microsoft.com/en-us/events/teched/cc512825.aspx 

You should recognise a number of the names.

One of the good things is that Microsoft staff including PSS engineers are contributing as well.

An RSS feed is available from http://teched.indepthtalk.net/Feed.rss

Very strongly recommended


CTP3 – Get-ComputerRestorePoint

With CTP3 we get a number of cmdlets for working with the system restore points on a computer:

Checkpoint-Computer – creates a system restore point

Restore-Computer – restores to a specified restore point

Disable\Enable-ComputerRestore – controls the system restore feature for a specified file system drive

Get-ComputerRestorePoint – allows us to view the restore points

Note: These cmdlets only work on the local machine.  If you need to access this functionality on a remote machine you will need to use the PowerShell remoting features.

Get-ComputerRestorePoint displays the restore points available on the machine.

This is working with the SystemRestore WMI class. The formatting produced by the cmdlet is not reproduced if you select the properties you want to view. You can relate the EventType numbers to their names by running

Select-String -Path c:\windows\system32\windowspowershell\v1.0\*.ps1xml -Pattern "EventType" -SimpleMatch

The formatting information is held in C:\windows\system32\windowspowershell\v1.0\DotNetTypes.Format.ps1xml. Formatting for the restore point type can also be found there.

The -LastStatus parameter enables us to view the results of the last system restore.
