Export part of the message from an EventID to file

  • Question

  • Hey everyone,

    following situation: 

    We are running a WDS Server and want to see how many Windows 7 or Windows 10 Images get installed. It's not possible to get that information from the WDS Console. So I checked the Eventlog and found EventID 4313. It is information about which image was selected in the WDS setup. Of course I have no guarantee that it finished successfully, but that's OK.

    So far I wrote this:

    # ==============================================================================================
    # 
    # Microsoft PowerShell Source File -- Created with Notepad++
    # 
    # NAME: WDS-Statistik.ps1
    # 
    # AUTHOR: Andreas Vogelsang, 
    # DATE  : 30.06.2017
    # Version 1.1
    #
    # Changelog: 	1.0: Only the main command and the variables $date & $lastmonth (29.06.2017)
    #				1.1: Add comments and enable remote function (30.06.2017)
    #				
    # 
    # COMMENT: Gets the selected Images from the WDS Server with using the Event-ID 4131 and save it in a file.
    # 
    # ==============================================================================================
    #set the remote machine
    $Machine = "wds"
    #Save current date in a variable 
    $date = Get-Date -Format dd.MM.yyyy
    #Take the current date and subtract a month (he calculates with 31 days) and save it in $lastmonth
    $lastmonth = Get-Date -Format dd.MM.yyyy $(Get-Date).AddMonths(-1)
    #The main command, first get the EventID 4131 from wds from the logname Microsoft-Windows-Deployment-Services-Diagnostics/Operational then change the output format with fl and at last save it in csv file with current date
    get-Winevent -ComputerName $Machine -FilterHashTable @{ logname = "Microsoft-Windows-Deployment-Services-Diagnostics/Operational"; StartTime = $lastmonth; ID = 4131 } | fl | Out-file "C:\TempWDS\WDS Usage $(get-date -f dd-MM-yyyy).csv"


    The result looks like this:

    TimeCreated  : 01.06.2017 09:28:23
    ProviderName : Microsoft-Windows-Deployment-Services-Diagnostics
    Id           : 4131
    Message      : The following WDS Client has selected Image: 
                   
                   SessionGuid: {1C513F09-46E4-4048-A97E-A318A773CBF2}
                   MAC: XX-XX-XX-XX-XX-XX
                   IP: XX.XX.XX.XX
                   ClientDeviceID: {XXXX}
                   ClientArchitecture: x64
                   ImageGroup: Windows 10
                   ImageName: Windows 10 TEST Image x64 Mai 2017
                   ImageLanguage: de-DE
                   ImageArchitecture: x64
                   FullUserName: <user>
    

    Is it possible to save only the ImageGroup, ImageName, ImageLanguage and ImageArchitecture?

    Thanks in advance! You help me, a person who can't code, a lot :-)

    Monday, July 3, 2017 8:32 AM

Answers

  • The "Properties" property of the returned object has all of these as an array.  You can choose them as needed.

    $filter = @{
        logname   = 'Microsoft-Windows-Deployment-Services-Diagnostics/Operational'
        StartTime = $lastmonth
        ID        = 4131
    }
    Get-WinEvent -ComputerName $Machine -FilterHashTable $filter | select -expand Properties


    \_(ツ)_/




    • Marked as answer by A.Vogelsang Monday, July 10, 2017 8:39 AM
    • Edited by jrv Monday, July 10, 2017 8:55 AM
    Monday, July 3, 2017 11:30 AM

All replies

  • Hey JRV,

    thanks for the help. There was a mistype in your code. I got help from a PowerShell expert in our company and he wrote this script:

    <#
     
    .SYNOPSIS
    Gets the selected Images from the WDS Server with using the Event-ID 4131 and save it in a file.
     
    .DESCRIPTION
    Gets the selected Images from the WDS Server with using the Event-ID 4131 and save it in a file.
     
    .EXAMPLE
    
     
    .NOTES
    AUTHOR: Andreas Vogelsang, IVV Naturwissenschaften , Westfaelische Wilhelms-Universitaet Muenster
    DATE  : 10.07.2017
    Version 2.0
    
    Changelog: 	1.0: Only the main command and the variables $date & $lastmonth (29.06.2017)
    			1.1: Add comments and enable remote function (30.06.2017)
                2.0: General optimization (07.07.2017)
     
    .LINK
    
    #>
    
    param
         (
          #set the remote machine
          [string]$Machine = "wds",
          
          #Path of the output file
          [string]$PathOutfile = "\Management\Reports\WDS\"
         )
    
    
    
    ##Save current date in a variable 
    $date = Get-Date -Format dd.MM.yyyy
    
    ##Take the current date and subtract a month (he calculates with 31 days) and save it in $lastmonth
    $lastmonth = Get-Date -Format dd.MM.yyyy $(Get-Date).AddMonths(-1)
    
    ##Save EventID 4131 from Microsoft-Windows-Deployment-Services-Diagnostics/Operational log to variable $eventfilter. 
    ##Use starttime to get only the last month
    $filter = @{ logname = "Microsoft-Windows-Deployment-Services-Diagnostics/Operational"; StartTime = $lastmonth; ID = 4131 } 
    
    ##get and save the events from $machine and filter it with $filter
    $events = Get-WinEvent -ComputerName $Machine -FilterHashTable $filter 
    
    ##Assemble the path and name of the output file
    $Outfile = Join-Path -Path $PathOutfile -ChildPath "WDS Usage $(get-date -Format dd-MM-yyyy).csv"
    
    if(Test-Path -Path $PathOutfile)
    {
    
    ##Write the first line with the column headings
    $Zeile1 = "ImageArchitecture; ImageGroup; ImageName; ImageLanguage"
    $Zeile1 | Tee-Object $Outfile
    
    ##Process all events in a loop
    $events | ForEach-Object {
        
        ##Process each individual event
        [string]$Zeile =""
        ($_ |Select-Object -ExpandProperty Properties)[4..7].Value | ForEach-Object {        ##select properties 4 to 7
            [string]$eintrag = $_
            if ($eintrag.Length -eq "1")
            {
                $eintrag = $eintrag.Replace("0","x86").Replace("9","x64")                    ##translate the ImageArchitecture
                $Zeile += "$eintrag; "
            }
            else
            {
                $Zeile += "$_; " 
            }
        }
        $Zeile = $Zeile.TrimEnd("; ")                                                        ##trim the trailing semicolon
        $Zeile | Tee-Object $Outfile -Append
        Remove-Variable Zeile
    }
    }
    else
    {
        Write-Host "Could not find a part of the path $PathOutfile" -ForegroundColor Red
    }


    Monday, July 10, 2017 8:39 AM
  • Sorry about the typo.  It was part of your original code and not sure how it got included.  I fixed the original and here is a copy.

    $filter = @{
        logname   = 'Microsoft-Windows-Deployment-Services-Diagnostics/Operational'
        StartTime = $lastmonth
        ID        = 4131
    }
    Get-WinEvent -ComputerName $Machine -FilterHashTable $filter | select -expand Properties


    \_(ツ)_/




    • Edited by jrv Monday, July 10, 2017 8:55 AM
    Monday, July 10, 2017 8:52 AM
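
An added example, not part of the thread or of any poster's script: it answers the original question by reading the four Image* fields out of the event's Message text by name rather than by position in `Properties`, using constructed sample messages so it runs offline. The function name `ConvertFrom-WdsImageMessage` and all sample values are assumptions, and it assumes the `Key: Value` message layout shown in the question.

```powershell
# Constructed sample data: Message text of two 4131 events, modelled on the
# output shown in the question (documentation-range MAC and IP values).
$sampleMessages = @(
@'
The following WDS Client has selected Image:

MAC: 00-00-5E-00-53-01
IP: 192.0.2.10
ClientArchitecture: x64
ImageGroup: Windows 10
ImageName: Windows 10 TEST Image x64 Mai 2017
ImageLanguage: de-DE
ImageArchitecture: x64
FullUserName: EXAMPLE\user1
'@,
@'
The following WDS Client has selected Image:

MAC: 00-00-5E-00-53-02
IP: 192.0.2.11
ClientArchitecture: x86
ImageGroup: Windows 7
ImageName: Windows 7 Sample Image x86
ImageLanguage: de-DE
ImageArchitecture: x86
FullUserName: EXAMPLE\user2
'@
)

# Hypothetical helper (not from the thread): picks the four fields by name.
function ConvertFrom-WdsImageMessage {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    begin { $wanted = 'ImageGroup', 'ImageName', 'ImageLanguage', 'ImageArchitecture' }
    process {
        $fields = [ordered]@{}
        foreach ($name in $wanted) { $fields[$name] = $null }   # missing field -> empty column
        foreach ($line in $Message -split '\r?\n') {
            # "Key: Value" lines only; the value may itself contain colons.
            if ($line -match '^\s*(?<key>\w+)\s*:\s*(?<value>.*?)\s*$' -and $wanted -contains $Matches['key']) {
                $fields[$Matches['key']] = $Matches['value']
            }
        }
        [pscustomobject]$fields
    }
}
$rows = $sampleMessages | ConvertFrom-WdsImageMessage
$rows | ConvertTo-Csv -Delimiter ';' -NoTypeInformation      # one CSV row per event
$rows | Group-Object ImageGroup | Select-Object Name, Count  # selections per image group
```

Against the live log, replace the sample array with the `Message` property of the events returned by the thread's `Get-WinEvent` call, and use `Export-Csv` with the same delimiter to write the report file.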