Recently, I was helping a co-worker with an issue noted where Win 2019 MCS clones going into a janky state intermittently. I’m a big fan of the windows event viewer for immediate troubleshooting, however, the system was so degraded, we were unable to use compmgmt.msc to remote to the system to open eventvwr.msc
However, we were able to remote in via PowerShell
enter-PSsession -jankyVDA
I’m familiar with PS cmdlets get-winevent, but in this case, we didn’t want to filter through tons of errors, instead, we just wanted the ‘admin events view’, which is a filtered view of only warnings/errors:
How do I get only the admin events via PS? Thanks to this REDDIT post, I now know
https://www.reddit.com/r/PowerShell/comments/bitgnc/script_to_pull_all_administrative_events_in_event/
The code (below PS code was converted to HTML via this tool )
$xmlFilter = "$($env:TEMP)\adminFilter.xml" $header = "<QueryList>`r`n <Query Id=`"0`" Path=`"Application`">" $footer = " </Query>`r`n</QueryList>" $loglist = @() $EventLogs = Get-WinEvent -Force -ListLog * -ErrorAction SilentlyContinue foreach ($Log in $EventLogs) { if ($Log.LogType -eq "Administrative") { $loglist += $log.logName } } set-content $xmlFilter $header foreach ($logName in $loglist) { Add-Content $xmlFilter " <Select Path=`"$($logName)`">*[System[(Level=1 or Level=2 or Level=3)]]</Select>" } add-content $xmlFilter $footer #start notepad $xmlFilter $aa = Get-WinEvent -FilterXml ([xml](Get-Content $xmlFilter))
With the value of $aa created, we can easily export it via the below one-liner
export-csv -NoTypeInformation -Path c:\admin\RecentEvents.csv
Then you can grab the .csv , open it in excel on a working machine and review the events as required!
GetVpro 