Contents

Windows troubleshooting

²⁵/Aug 2018 By Olivier De Ram

VRAGEN:

run: eventvwr

custom views
windows
- application (non windows standard, puppet, vmware, mssql, …)
- security, aan en afmelden
- set-up: updates en installatie verwijderen programma’s
- system: OS meldingen
application and services: diep graven

–> Filter Log:

rechtsonderaan > event copy > copy as text

$first = 
$last = 
get-eventlog -Logname system -

 `get-winevent -LogName 'Microsoft-Windows-TaskScheduler/Operational' | Where-Object { $_.Message -like ‘*insta* }`

(task manager > performance > open resouce monitor)

Overview > CPU (ovenste tab) app aanvinken –> filtert alles

netstat -abo > C:\temp\log.txt

C:\ProgramData\chocolatey\bin\Procmon.exe –> selecteer lijn+kolom > exclude ‘name’ (=grep -v) / include ‘name’ (=grep)

Event ID 6005: “The event log service was started.” This is synonymous to system startup.
Event ID 6006: “The event log service was stopped.” This is synonymous to system shutdown.
Event ID 6008: “The previous system shutdown was unexpected.” Records that the system started after it was not shut down properly.
Event ID 6009: Indicates the Windows product name, version, build number, service pack number, and operating system type detected at boot time.
Event ID 6013: Displays the uptime of the computer. There is no TechNet page for this id. Add to that a couple more from the Server Fault answers listed in my OP:
Event ID 1074: “The process X has initiated the restart / shutdown of computer on behalf of user Y for the following reason: Z.” Indicates that an application or a user initiated a restart or shutdown.
Event ID 1076: “The reason supplied by user X for the last unexpected shutdown of this computer is: Y.” Records when the first user with shutdown privileges logs on to the computer after an unexpected restart or shutdown and supplies a reason for the occurrence.

$filter = "*abbix*"
get-winevent -logname 'Application'  | Where-Object { $_.Message -like $filter }

Hagfi.sh