Windows

Problem

You want to retrieve all event log entries that contain a given term.

Solution

To find specific event log entries, use the GetEventLog cmdlet to retrieve the items, and then pipe them to the WhereObject cmdlet to filter them, as shown in Example 202.

Example 202. Searching the event log for entries that mention the term “disk”

PS >GetEventLog System | WhereObject { $_.Message match "disk" }

Index Time Type Source EventID Message

Problem

You want to retrieve the most recent entries from an event log.

Solution

To retrieve the most recent entries from an event log, use the –Newest parameter of the GetEventLog cmdlet, as shown in Example 201.

Example 201. Retrieving the 10 newest entries from the System event log

PS >GetEventLog System Newest 10 | FormatTable Index,Source,Message A

Index Source Message

Problem

You want to determine which event logs exist on a system.

Solution

To list event logs on a system, use the –List parameter of the GetEventLog cmdlet: PS >GetEventLog List

Max(K) Retain OverflowAction Entries Name

512 0 OverwriteAsNeeded 2,157 ADAM (Test)

512 7 OverwriteOlder 2,090 Application

512 7 OverwriteOlder 0 Internet Explorer

8,192 45 OverwriteOlder 0 Media Center

512 7 OverwriteOlder 0 ScriptEvents

512 7 OverwriteOlder 2,368 System

15,360 0 OverwriteAsNeeded 0 Windows PowerShell

Event logs form the core of most monitoring and diagnosis on Windows. To support this activity, PowerShell offers the GetEventLog cmdlet to let you query and work with event log data on a system. In addition to PowerShell’s builtin GetEventLog cmdlet, its support for the .NET Framework means that you can access event logs on remote computers, add entries to event logs, and even create and delete event logs.

Problem

You want to determine whether any files have been modified or damaged in a set of files.

Solution

To verify the integrity of file sets, use the GetFileHash script provided “Program: Get the MD5 or SHA1 Hash of a File” to generate the signatures of those files in question. Do the same for the files on a known good system. Finally, use the CompareObject cmdlet to compare those two sets.

Discussion

To generate the information from the files in question, use a command like:

Problem

You want to determine the differences between two files.

Solution

To determine simple differences in the content of each file, store their content in variables, and then use the CompareObject cmdlet to compare those variables:

PS >"Hello World" > c:\temp\file1.txt PS >"Hello World" > c:\temp\file2.txt PS >"More Information" >> c:\temp\file2.txt PS >$content1 = GetContent c:\temp\file1.txt PS >$content2 = GetContent c:\temp\file2.txt PS >CompareObject $content1 $content2

InputObject SideIndicator

Problem

You want to compare the output of two commands.

Solution

To compare the output of two commands, store the output of each command in variables, and then use the CompareObject cmdlet to compare those variables:

PS >notepad PS >$processes = GetProcess PS >StopProcess ProcessName Notepad PS >$newProcesses = GetProcess PS >CompareObject $processes $newProcesses

InputObject SideIndicator

System.Diagnostics.Process (notepad) <=

Discussion

When working in PowerShell, it is common to work with collections of objects. Most PowerShell commands generate objects, as do many of the methods that you work with in the .NET Framework. To help work with these object collections, PowerShell introduces the CompareObject cmdlet. The CompareObject cmdlet provides functionality similar to wellknown diff commands, but with an objectoriented flavor.

Problem

You want to automate the configuration of a program, but that program does not document its registry configuration settings.

Solution

To discover a registry setting for a program, use Sysinternals’ Process Monitor to observe registry access by that program. Process Monitor is available from http:// www.microsoft.com/technet/sysinternals/FileAndDisk/processmonitor.mspx.

Discussion

Discussion

Although PowerShell does not directly let you access and manipulate the registry of a remote computer, it still supports this by working with the .NET Framework. The functionality exposed by the .NET Framework is a bit more developeroriented than we want, so we can instead use a script to make it easier to work with.

Example 188 lets you set the value of a property on a given remote registry key. In order for this script to succeed, the target computer must have the remote registry service enabled and running.