{"id":1247,"date":"2014-06-05T00:01:00","date_gmt":"2014-06-05T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2014\/06\/05\/using-powershell-to-parse-system-log-for-windows-updates\/"},"modified":"2014-06-05T00:01:00","modified_gmt":"2014-06-05T00:01:00","slug":"using-powershell-to-parse-system-log-for-windows-updates","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/using-powershell-to-parse-system-log-for-windows-updates\/","title":{"rendered":"Using PowerShell to Parse System Log for Windows Updates"},"content":{"rendered":"

Summary<\/b>: Learn how to use XML and Windows PowerShell to parse the Windows system event log for Windows updates.<\/p>\n

Microsoft Scripting Guy, Ed Wilson, is here. Sometimes I come up with a solution, and then I go looking for a problem to fix. Not often, but sometimes. This is usually the result of playing around with Windows PowerShell on the weekend, and trying different things until I come up with something I think is cool.<\/p>\n

This is not one of those occasions. In fact, today’s blog post is pretty important for several reasons. The first reason is that I show how to use an XML filter to retrieve Windows event log entries that are written by the Windows Update. Not too big of a deal because I did that yesterday—at least, I used XML to filter the event log. In and of itself, this is a very valuable skill to develop because it generates huge performance increases.<\/p>\n

The second reason this post is important is because I also show you how to use XML to retrieve a specific node from the event data portion of the event log entry. This is huge, because more event log entries are storing more information in the message portion. It is well-formed XML. Most of the stuff you see floating around on the Internet takes a long way around, and it ends up doing all sorts of contorted stuff. My approach is relatively straightforward.<\/p>\n

First the query<\/h2>\n

Obviously the first thing to do is to develop the query. I am using a FilterXML<\/b> query to retrieve Windows Update events from the system event log.<\/p>\n

Note <\/b> For more information about this technique, refer to Data Mine the Windows Event Log by Using PowerShell and XML<\/a>.<\/p>\n

I did not have to do too much to this query. In fact, it was as simple as clicking the boxes in the Event Viewer, and then switching to XML. The results of this operation are shown here:<\/p>\n

\"Image<\/a><\/p>\n

I store the query in a here string. Here is my query:<\/p>\n

$query = @"<\/p>\n

<QueryList><\/p>\n

  <Query Id="0" Path="System"><\/p>\n

    <Select Path="System">*[System[Provider<\/p>\n

        [@Name='Microsoft-Windows-WindowsUpdateClient']<\/p>\n

        and (Level=4 or Level=0) and Task = 1<\/p>\n

        and (band(Keywords,8200))]]<\/Select><\/p>\n

  <\/Query><\/p>\n

<\/QueryList><\/p>\n

"@<\/p>\n

Now, I need to use the –FilterXML<\/b> parameter of the Get-WinEvent<\/b> cmdlet to perform the actual query. I will also store the resulting events in a variable I call $systemEvents<\/b>. This is shown here:<\/p>\n

$systemEvents = Get-WinEvent -FilterXml $query <\/p>\n

Search the matching events<\/h2>\n

I now need to search all of the matching Windows Update events that I stored in the $systemEvents<\/b> variable and look for the name of the updates. To do this, I use a Foreach<\/b> loop to walk through the events. I store the time the event was created, and I convert the event log entry to XML by calling the toxml<\/b> method. This is shown here:<\/p>\n

$systemEvents = Get-WinEvent -FilterXml $query<\/p>\n

Foreach($event in $systemEvents)<\/p>\n

{<\/p>\n

 $tc = $event.TimeCreated<\/p>\n

 $xml = [xml]$event.toxml()<\/p>\n

When I have an XML document, I call the SelectSingleNode<\/b> method, and I retrieve the @Name=’updateTitle’<\/b> node. When trying to find out what I need to use, I refer to the XML view of the event log entry in the Event Viewer as shown here:<\/p>\n

\"Image<\/a><\/p>\n

I then pipe the node to the Select-Object<\/b> cmdlet, and I expand the #text<\/b> property. I found this whilst playing around with Get-Member<\/b> and exploring the returned objects from the various commands. I store the update title (from the #text<\/b> property) in a variable I call $ud<\/b>.<\/p>\n

Note<\/b>  Because the #text <\/b>property begins with a pound sign, I have to put quotation marks around it; otherwise, Windows PowerShell views it as the comment character. I should also say that using the grave accent character ( `<\/b> ) does not work for this.<\/p>\n

Now, I want to return an object, so I use the New-Object<\/b> cmdlet to create an object that contains the time stamp and the name of the update. This section is shown here:<\/p>\n

$ud = $xml.SelectSingleNode("\/\/*[@Name='updateTitle']") |<\/p>\n

   Select -ExpandProperty '#text'<\/p>\n

   New-Object -TypeName psobject -Property @{"Date"=$tc;"Update"=$ud}<\/p>\n

}<\/p>\n

When I run the script, the following output appears:<\/p>\n

\"Image<\/a><\/p>\n

The complete script is shown here:<\/p>\n

$query = @"<\/p>\n

<QueryList><\/p>\n

  <Query Id="0" Path="System"><\/p>\n

    <Select Path="System">*[System[Provider<\/p>\n

        [@Name='Microsoft-Windows-WindowsUpdateClient']<\/p>\n

        and (Level=4 or Level=0) and Task = 1<\/p>\n

        and (band(Keywords,8200))]]<\/Select><\/p>\n

  <\/Query><\/p>\n

<\/QueryList><\/p>\n

"@<\/p>\n

 <\/p>\n

$systemEvents = Get-WinEvent -FilterXml $query<\/p>\n

Foreach($event in $systemEvents)<\/p>\n

{<\/p>\n

 $tc = $event.TimeCreated<\/p>\n

 $xml = [xml]$event.toxml()<\/p>\n

 $ud = $xml.SelectSingleNode("\/\/*[@Name='updateTitle']") |<\/p>\n

   Select -ExpandProperty '#text'<\/p>\n

   New-Object -TypeName psobject -Property @{"Date"=$tc;"Update"=$ud}<\/p>\n

}<\/p>\n

That is all there is to using XML to return event log data from a single node. Event Log Week will continue tomorrow when I will talk about some really cool stuff.<\/p>\n

I invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n

Ed Wilson, Microsoft Scripting Guy<\/b> <\/p>\n","protected":false},"excerpt":{"rendered":"

Summary: Learn how to use XML and Windows PowerShell to parse the Windows system event log for Windows updates. Microsoft Scripting Guy, Ed Wilson, is here. Sometimes I come up with a solution, and then I go looking for a problem to fix. Not often, but sometimes. This is usually the result of playing around […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[97,42,3,4,45,165],"class_list":["post-1247","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-event-logs","tag-events-and-monitoring","tag-scripting-guy","tag-scripting-techniques","tag-windows-powershell","tag-xml"],"acf":[],"blog_post_summary":"

Summary: Learn how to use XML and Windows PowerShell to parse the Windows system event log for Windows updates. Microsoft Scripting Guy, Ed Wilson, is here. Sometimes I come up with a solution, and then I go looking for a problem to fix. Not often, but sometimes. This is usually the result of playing around […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/1247","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=1247"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/1247\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=1247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=1247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=1247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}