Power Shell theory questions

Hello!

I'v been using MS Log Parser for many years for parsing Windows logs and have decided to try to find the same information using PS. The results puzzled me a great deal so I would appreciate any help in interpreting them.

1) For finding event 4660 (File deletion) I'm used to run the following command:



LogParser  -o:csv -tabs:ON SELECT  TimeGenerated, EventID, Extract_Token(Strings, 1, |) AS USER, Extract_Token(Strings, 3, |) AS LogonID, Extract_Token(Strings, 5, |) AS HandleID FROM Security WHERE EventID = 4660 ORDER BY TimeGenerated DESC

This command works exactly as expected and it takes about 2 seconds to complete:

The ~same command in PS:
get-eventlog  -LogName security  where {$_.ID -eq 4660} |Select TimeCreated, Message |FT -AutoSize

It takes about 4 MINUTES to complete and it shows only one event:

Q1: Is it normal that PS command requires much more time to complete (1.7 SECONDS vs ~ 4 MINUTES) compared to Log Parser?

Q2: Why does PS show only one of thre existing events?

Q3: Why does -AutoSize do not work?

Please see the next post.

July 6th, 2015 10:13am

When I tried to use a variable in the above command it returned no results at all:

Q4: I thought the code should return the same results with- or without variables... I was wrong?

Thank you in advance,

Michael



  • Edited by MF47 16 hours 54 minutes ago
Free Windows Admin Tool Kit Click here and download it now
July 6th, 2015 10:17am

Hi,

Try Get-WinEvent instead:

http://ss64.com/ps/get-winevent.html

Get-EventLog is for older OSes and will be slower.

July 6th, 2015 10:18am

Hi Mike,

Get-WinEvent took about 2 minutes and showed all events:

It means Get-EventLog is not just "slower" but useless at all...

Get-WinEvent -FilterHashTable @{Logname='Security';ID=4660} works almost immediately!

Thank you very much!

Regards,

Michael


  • Edited by MF47 16 hours 33 minutes ago
Free Windows Admin Tool Kit Click here and download it now
July 6th, 2015 10:23am

Get-WinEvent -FilterHashTable @{Logname='Security';ID=4660}

HELP Get-WinEvent -Full

July 6th, 2015 10:27am
P.S. What about -AutoSize - it does not work in Get-WinEvent as well...
Free Windows Admin Tool Kit Click here and download it now
July 6th, 2015 10:36am
P.S. What about -AutoSize - it does not work in Get-WinEvent as well...

What do you mean by 'does not work'? The truncation? If so, that's normal.

July 6th, 2015 10:38am

"The truncation? If so, that's normal." - maybe I'm missing something but -AutoSize definition says https://technet.microsoft.com/en-us/library/hh849892.aspx?f=255&MSPPError=-2147217396

"Adjusts the column size and number of columns based on the width of the data."

I can see no difference with or without -AutoSize... Shouldn't the truncation with -AutoSize occur at the rightmost part of the console window?

Free Windows Admin Tool Kit Click here and download it now
July 6th, 2015 10:54am

Have a look to the following:

Using Format Commands to Change Output View

If you specify the AutoSize parameter when you run the Format-Table command, Windows PowerShell will calculate column widths based on the actual data you are going to display. This makes the Path column readable, but the company column remains truncated:

PS> Get-Process -Name powershell | Format-Table -Property Path,Name,Id,Company -
AutoSize

Path                                                    Name         Id Company
----                                                    ----         -- -------
C:\Program Files\Windows PowerShell\v1.0\powershell.exe powershell 2836 Micr...

"The Format-Table command assumes that the nearer a property is to the beginning of the property list, the more important it is. So it attempts to display the properties nearest the beginning completely. If the Format-Table command cannot display all the properties, it will remove some columns from the display and provide a warning."

You can force lengthy Format-Table data to wrap within its display column by using the Wrap parameter. Using the Wrap parameter alone will not necessarily do what you expect, since it uses default settings if you do not also specify AutoSize"


July 6th, 2015 11:01am
Use both
 -autosize -wrap
Free Windows Admin Tool Kit Click here and download it now
July 6th, 2015 11:05am

Here's a few articles that may help you get the output you're looking for:

http://blogs.technet.com/b/heyscriptingguy/archive/2011/11/20/change-a-powershell-preference-variable-to-reveal-hidden-data.aspx

http://poshoholic.com/2010/11/11/powershell-quick-tip-creating-wide-tables-with-powershell/

July 6th, 2015 11:12am

"The Format-Table command assumes that the nearer a property is to the beginning of the property list, the more important it is. So it attempts to display the properties nearest the beginning completely. If the Format-Table command cannot display all the properties, it will remove some columns from the display and provide a warning."

Use both
 -autosize -wrap

Here's a few articles that may help you get the output you're looking for: ...

Yes, I get it now.. In this case the definition "Adjusts the column size and number of columns based on the width of the data." is not complete.

Thank you all very much! You've helped me a lot!

Regards,

Michael


  • Marked as answer by MF47 15 hours 53 minutes ago
  • Unmarked as answer by MF47 15 hours 53 minutes ago
  • Edited by MF47 15 hours 53 minutes ago
Free Windows Admin Tool Kit Click here and download it now
July 6th, 2015 11:19am

When I tried to use a variable in the above command it returned no results at all:

Q4: I thought the code should return the same results with- or without variables... I was wrong?

Thank you in advance,

Michael



  • Edited by MF47 Monday, July 06, 2015 2:15 PM
July 6th, 2015 2:13pm

Hi Mike,

Get-WinEvent took about 2 minutes and showed all events:

It means Get-EventLog is not just "slower" but useless at all...

Get-WinEvent -FilterHashTable @{Logname='Security';ID=4660} works almost immediately!

Thank you very much!

Regards,

Michael


  • Edited by MF47 Monday, July 06, 2015 2:36 PM
Free Windows Admin Tool Kit Click here and download it now
July 6th, 2015 2:19pm

"The Format-Table command assumes that the nearer a property is to the beginning of the property list, the more important it is. So it attempts to display the properties nearest the beginning completely. If the Format-Table command cannot display all the properties, it will remove some columns from the display and provide a warning."

Use both
 -autosize -wrap

Here's a few articles that may help you get the output you're looking for: ...

Yes, I get it now.. In this case the definition "Adjusts the column size and number of columns based on the width of the data." is not complete.

Thank you all very much! You've helped me a lot!

Regards,

Michael


  • Marked as answer by MF47 Monday, July 06, 2015 3:15 PM
  • Unmarked as answer by MF47 Monday, July 06, 2015 3:15 PM
  • Edited by MF47 Monday, July 06, 2015 3:16 PM
July 6th, 2015 3:15pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics