#PSTip A Faster way to open specific Event Logs

Note: This tip requires PowerShell 2.0 or above.

One of the annoyances I’m facing when working with event logs is navigating to a log that is buried a few levels down the console tree. Since Windows Vista and Windows 7 a system carries hundreds of logs, not just the handful of classic ones. One example is the PowerShell Operational log. Its path in the Event Viewer console tree is:

Event Viewer (Local)
   + Applications and Services Logs
      + Microsoft
         + Windows
            + PowerShell
              - Admin
              - Analytic
              - Debug
              - Operational

You get the picture: too many clicks just to get there, and the list of logs is so long that your eyes start to lose their way. I was looking for a shorter way to launch Event Viewer with a predefined log path, hoping it could open right on the log, but I couldn’t find any command line switch to do that.

Fortunately, PowerShell offers a solution. With the Get-WinEvent cmdlet we can list every event log on the machine: the classic logs (such as System and Application) as well as the logs produced by the Windows Event Log infrastructure introduced in Windows Vista. We can pass the name of the log we are interested in, and the -ListLog parameter accepts wildcards.

PS>  Get-WinEvent -ListLog *PowerShell*
LogMode   MaximumSizeInBytes RecordCount LogName
-------   ------------------ ----------- -------
Circular            15728640        6422 Windows PowerShell
Circular             1052672           0 Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/...
Retain            1048985600           0 Microsoft-Windows-PowerShell/Admin
Circular            15728640         157 Microsoft-Windows-PowerShell/Operational

We get back several log files but I’m only interested in the Microsoft-Windows-PowerShell/Operational log file so let’s narrow down the list.

PS>  Get-WinEvent -ListLog *PowerShell/op*
LogMode   MaximumSizeInBytes RecordCount LogName
-------   ------------------ ----------- -------
Circular            15728640         157 Microsoft-Windows-PowerShell/Operational

Now that I have the log I want to view I can grab its path on the local file system and try to invoke it:

PS> $pslog = Get-WinEvent -ListLog *PowerShell/op*
PS> $pslog | Format-List log*

LogName      : Microsoft-Windows-PowerShell/Operational
LogType      : Operational
LogIsolation : Application
LogFilePath  : %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx
LogMode      : Circular

There’s one problem though: the path uses %VARIABLE% environment-variable notation (%SystemRoot%), which the Invoke-Item cmdlet does not expand. We can expand it ourselves with the static ExpandEnvironmentVariables() method of the System.Environment class:

PS> [System.Environment]::ExpandEnvironmentVariables($pslog.LogFilePath)

Great, now let’s invoke the path and see what happens.

$pslog = Get-WinEvent -ListLog *PowerShell/op*        # exactly one log should match
$path = [System.Environment]::ExpandEnvironmentVariables($pslog.LogFilePath)   # %SystemRoot% -> C:\Windows
Invoke-Item -Path $path                               # opens the .evtx with its associated handler, Event Viewer

Excellent, right on the money! Event Viewer opens with the log already loaded, no need to embark on a clicking adventure. If Invoke-Item reports access denied, run it from an elevated session: the Winevt\Logs folder is not readable by standard user accounts.
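The steps above wrapped in a reusable function, as an added example that is not part of the original post. It assumes a Windows machine where Get-WinEvent is available (PowerShell 2.0 or later) and where the .evtx file association still points at Event Viewer, as it does by default. The function name Open-WinEventLog is my own. It adds the checks the one-liner lacks: a wildcard that matches more than one log is rejected instead of being silently mishandled, and an unreadable path is reported with a hint to elevate.

```powershell
# Added example (not from the original post).
# Assumes: Get-WinEvent is available (PowerShell 2.0+), and .evtx files are
# associated with Event Viewer, which is the default on Windows.
function Open-WinEventLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$LogName        # log name or wildcard, e.g. '*PowerShell/Op*'
    )

    # -ListLog accepts wildcards. Suppress per-log access errors so that one
    # unreadable log does not abort the whole listing.
    $logs = @(Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue)

    if ($logs.Count -eq 0) {
        throw "No event log matches '$LogName'."
    }

    # A wildcard may match several logs. The one-liner in the post assumes
    # exactly one match, so stop here and show the candidates instead.
    if ($logs.Count -gt 1) {
        $names = ($logs | ForEach-Object { $_.LogName }) -join "`n  "
        throw "'$LogName' matches $($logs.Count) logs; narrow the pattern:`n  $names"
    }

    $log = $logs[0]

    # LogFilePath uses %SystemRoot% notation, which Invoke-Item does not expand.
    $path = [System.Environment]::ExpandEnvironmentVariables($log.LogFilePath)

    # The Winevt\Logs folder is not readable by standard users, so from a
    # non-elevated session the file looks missing or returns access denied.
    if (-not (Test-Path -LiteralPath $path)) {
        throw "Log file '$path' is not accessible; run from an elevated session."
    }

    Write-Verbose "Opening $($log.LogName) from $path"
    Invoke-Item -LiteralPath $path
}

# Usage: opens Event Viewer on the PowerShell Operational log.
Open-WinEventLog -LogName '*PowerShell/Op*' -Verbose
```

Try it with the broader pattern '*PowerShell*' to see the multiple-match guard fire; the error lists the full log names so you can pick the right one.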

The log file is loaded under the Saved Logs folder in the Event Viewer console tree. From now on, each time you open Event Viewer, the PowerShell log will be listed under that folder. When Event Viewer starts it builds the Saved Logs list from XML files it finds in a fixed location on the file system: the C:\ProgramData system folder (hidden by default), under Microsoft\Event Viewer\ExternalLogs.

To clear the list, delete the files found under that path. I’ve found that if you remove a log via the Action menu or pane, it is removed from the console tree and the only way to reopen it is the Open Saved Log option.

Get-ChildItem "$env:ProgramData\Microsoft\Event Viewer\ExternalLogs" -Filter *.xml |
Remove-Item -Force

Close Event Viewer before you remove the files; otherwise they are written again when Event Viewer closes. Note that you must run this from an elevated session or you will get an access denied error.
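The clean-up with both caveats enforced, as an added example that is not part of the original post. It assumes, as the post states, that the Saved Logs entries live under $env:ProgramData\Microsoft\Event Viewer\ExternalLogs and that Event Viewer runs inside mmc.exe (the default on Windows). The function name Clear-SavedEventLogList is my own; it refuses to run without elevation or while a console is open, and supports -WhatIf so you can see what would be deleted first.

```powershell
# Added example (not from the original post).
# Assumes: Saved Logs entries are XML files under
# $env:ProgramData\Microsoft\Event Viewer\ExternalLogs, and Event Viewer is
# hosted by mmc.exe, as on a default Windows install.
function Clear-SavedEventLogList {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $folder = Join-Path $env:ProgramData 'Microsoft\Event Viewer\ExternalLogs'

    # Writing under ProgramData needs an elevated token; check before touching anything.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated session; removing files under ProgramData requires it.'
    }

    # Event Viewer rewrites the XML files when it closes, so refuse to run while
    # any mmc.exe console is open rather than have the list silently come back.
    if (Get-Process -Name mmc -ErrorAction SilentlyContinue) {
        throw 'Close Event Viewer (mmc.exe) first, or the saved-log entries will be recreated on exit.'
    }

    if (-not (Test-Path -LiteralPath $folder)) {
        Write-Verbose "Nothing to do: '$folder' does not exist."
        return
    }

    $files = @(Get-ChildItem -LiteralPath $folder -Filter *.xml)
    foreach ($f in $files) {
        # -WhatIf and -Confirm flow through ShouldProcess.
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Remove saved-log entry')) {
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
    Write-Verbose "Processed $($files.Count) saved-log entries."
}

# Dry run first, then for real.
Clear-SavedEventLogList -WhatIf
Clear-SavedEventLogList -Verbose
```

The mmc.exe check is deliberately coarse: any open MMC console blocks the clean-up, which is safer than guessing which console is Event Viewer.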
