Design a site like this with
Get started

Getting ‘administrative events’ from a janky system

Recently, I was helping a co-worker with an issue noted where Win 2019 MCS clones going into a janky state intermittently. I’m a big fan of the windows event viewer for immediate troubleshooting, however, the system was so degraded, we were unable to use compmgmt.msc to remote to the system to open eventvwr.msc

However, we were able to remote in via PowerShell

enter-PSsession -jankyVDA

I’m familiar with PS cmdlets get-winevent, but in this case, we didn’t want to filter through tons of errors, instead, we just wanted the ‘admin events view’, which is a filtered view of only warnings/errors:

How do I get only the admin events via PS? Thanks to this REDDIT post, I now know

The code (below PS code was converted to HTML via this tool )

to HTML )
$xmlFilter = "$($env:TEMP)\adminFilter.xml"
$header = "<QueryList>`r`n  <Query Id=`"0`" Path=`"Application`">"
$footer = "  </Query>`r`n</QueryList>"
$loglist = @()
$EventLogs = Get-WinEvent -Force -ListLog * -ErrorAction SilentlyContinue
foreach ($Log in $EventLogs) {
  if ($Log.LogType -eq "Administrative") {
    $loglist += $log.logName
set-content $xmlFilter $header
foreach ($logName in $loglist) { Add-Content $xmlFilter "    <Select Path=`"$($logName)`">*[System[(Level=1 or Level=2 or Level=3)]]</Select>" } 
add-content $xmlFilter $footer
#start notepad $xmlFilter 

$aa = Get-WinEvent -FilterXml ([xml](Get-Content $xmlFilter))

With the value of $aa created, we can easily export it via the below one-liner

export-csv -NoTypeInformation -Path c:\admin\RecentEvents.csv

Then you can grab the .csv , open it in excel on a working machine and review the events as required!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: