Windows

Problem

You want to stop (or kill) a process on the system.

Solution

To stop a process, use the StopProcess cmdlet, as shown in Example 212.

Example 212. Stopping a process using the StopProcess cmdlet

PS >notepad PS >GetProcess Notepad

Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName

42 3 1276 3916 32 0.09 3520 notepad

PS >StopProcess ProcessName notepad PS >GetProcess Notepad

Problem

You want to launch a new process on the system, but also want to configure its startup environment.

Solution

To launch a new process, use the [System.Diagnostics.Process]::Start() method. To control its startup environment, supply it with a System.Diagnostics. ProcessStartInfo object that you prepare, as shown in Example 211.

Example 211. Configuring the startup environment of a new process

$credential = GetCredential

Problem

You want to see which processes are running on the system.

Solution

To retrieve the list of currently running processes, use the GetProcess cmdlet: PS >GetProcess

Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName

274 6 1328 3940 33 1084 alg 85 4 3816 6656 57 5.67 3460 AutoHotkey 50 2 2292 1980 14 384.25 1560 BrmfRsmg 71 3 2520 4680 35 0.42 2592 cmd

946 7 3676 6204 32 848 csrss 84 4 732 2248 22 3144 csrss 68 4 936 3364 30 0.38 3904 ctfmon

243 7 3648 9324 48 2.02 2892 Ditto (...)

Discussion

Working with system processes is a natural aspect of system administration. It is also the source of most of the regular expression magic and kung fu that makes system administrators proud. After all, who wouldn’t boast about this Unix oneliner to stop all processes using more than 100 MB of memory:

ps el | awk '{ if ( $6 > (1024*100)) { print $3 } }' | grep v PID | xargs kill

While helpful, it also demonstrates the inherently fragile nature of pure text processing. For this command to succeed, it must:

Problem

You want to access event log entries from a remote machine.

Solution

To access event logs on a remote machine, create a new System.Diagnostics. EventLog class with the log name and computer name. Then access its Entries property:

PS >$log = NewObject Diagnostics.EventLog "System","LEEDESK" PS >$log.Entries | GroupObject Source

Count Name Group

Problem

You want to add an entry to an event log.

Solution

To write to an event log, use the –List parameter on the GetEventLog cmdlet to retrieve the proper event log. Then, set its source to a registered event log source and call its WriteEntry() method:

PS >$log = GetEventLog List | WhereObject { $_.Log eq "ScriptEvents" } PS >$log.Source = "PowerShellCookbook" PS >$log.WriteEntry("This is a message from my script.") PS > PS >GetEventLog ScriptEvents Newest 1 | Select Source,Message

Source
Message

Problem

You want to create or remove an event log.

Solution

To create an event log, use the [System.Diagnostics.EventLog]:: CreateEventSource() method from the .NET Framework:

$newLog =

NewObject Diagnostics.EventSourceCreationData

"PowerShellCookbook","ScriptEvents"

[Diagnostics.EventLog]::CreateEventSource($newLog)

To delete an event log, use the [System.Diagnostics.EventLog]::Delete() method from the .NET Framework:

[Diagnostics.EventLog]::Delete("ScriptEvents")

Discussion

Problem

You want to store the information in an event log in a file for storage or later review.

Solution

To store event log entries in a file, use the GetEventLog cmdlet to retrieve the entries in the event log, and then pipe them to the ExportCliXml cmdlet to store them in a file.

GetEventLog System | ExportCliXml c:\temp\SystemLogBackup.clixml

Discussion

Once you’ve exported the events from an event log, you can archive them, or use the ImportCliXml cmdlet to review them on any machine that has PowerShell installed:

Problem

You want to find the event log entries that occur most frequently.

Solution

To find event log entries by frequency, use the GetEventLog cmdlet to retrieve the entries in the event log, and then pipe them to the GroupObject cmdlet to group them by their message.

PS >GetEventLog System | GroupObject Message

Count Name Group

23 The Background Intelli... {LEEDESK, LEEDESK, LEEDESK, LEEDESK... 23 The Background Intelli... {LEEDESK, LEEDESK, LEEDESK, LEEDESK...

3 The Logical Disk Manag... {LEEDESK, LEEDESK, LEEDESK}

Problem

You want to retrieve a specific event log entry.

Solution

To retrieve a specific event log entry, use the GetEventLog cmdlet to retrieve the entries in the event log, and then pipe them to the WhereObject cmdlet to filter them to the one you are looking for.

PS >GetEventLog System | WhereObject { $_.Index –eq 2920 }

Index Time Type Source EventID Message

2920 May 06 09:18 Info Service Control M... 7036 The Logical Disk...

Discussion