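# Dump-SearchAndStopIDNAOnEvent
#
# Phase 1: wait for MSExchangeIS event 1012 in the Application log, then take a
#          full memory dump of Microsoft.Exchange.Search.Service.exe with ProcDump.
# Phase 2: wait for a SearchQueryStxProbe result event, then stop iDNA tracing.
###################################
#
# Change these paths as needed.
#
# NOTE(review): both binaries are launched from fixed paths by whoever runs this
# script (presumably an administrator on the Exchange server). Confirm that
# non-administrators cannot write to these directories, in particular C:\iDNA,
# which sits directly under the drive root, so the executables cannot be swapped.
#
# NOTE(review): "procdump -ma" writes a full memory dump. It can contain mailbox
# content and other secrets held in the process's memory, so restrict access to
# $dumpFolder and remove dumps once the analysis is finished.
#
$dumpFolder = 'C:\data'
$procdumpBinary = 'C:\ProgramData\chocolatey\lib\sysinternals\tools\procdump.exe'
$tttracerBinary = 'C:\iDNA\tttracer.exe'
#
###################################

# Fail fast: without these checks a bad path is only discovered after the event
# has fired, when the moment to capture the dump has already passed.
foreach ($requiredBinary in @($procdumpBinary, $tttracerBinary))
{
    if (-not (Test-Path -LiteralPath $requiredBinary -PathType Leaf))
    {
        throw "Required binary not found: $requiredBinary"
    }
}
if (-not (Test-Path -LiteralPath $dumpFolder -PathType Container))
{
    throw "Dump folder not found: $dumpFolder"
}

$serverName = [Environment]::MachineName
$startTime = (Get-Date).ToString("o")
$lastQueryWarning = $null

"Watching for 1012 event. Ctrl-C to exit."
while ($true)
{
    # Get-WinEvent reports "no matching events" as an error, so errors are kept
    # quiet here and inspected below instead of being discarded wholesale.
    $newEvents = Get-WinEvent -ComputerName $serverName -FilterHashTable @{LogName="Application";StartTime=$startTime;Id=1012;ProviderName="MSExchangeIS"} -ErrorAction SilentlyContinue -ErrorVariable queryErrors

    # Surface anything other than "no events yet" (access denied, unknown log,
    # ...) once per distinct message, so the loop cannot spin silently forever.
    foreach ($queryError in $queryErrors)
    {
        $isNoMatch = $queryError.FullyQualifiedErrorId -like 'NoMatchingEventsFound*'
        $queryMessage = $queryError.Exception.Message
        if (-not $isNoMatch -and $queryMessage -ne $lastQueryWarning)
        {
            Write-Warning "Get-WinEvent failed: $queryMessage"
            $lastQueryWarning = $queryMessage
        }
    }

    # $null goes on the left: with a collection on the left, -eq filters the
    # collection instead of testing it for null.
    if ($null -eq $newEvents)
    {
        Start-Sleep -Seconds 1
        continue
    }

    $newEvents | Format-List
    "Dumping Microsoft.Exchange.Search.Service.exe..."
    & $procdumpBinary -ma Microsoft.Exchange.Search.Service.exe $dumpFolder -accepteula
    break
}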
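# Phase 2: poll the ActiveMonitoring ProbeResult log (event Id 2) until a result
# whose ResultName starts with "SearchQueryStxProbe" appears, then stop all
# iDNA (tttracer) tracing.
$startTime = (Get-Date).ToString("o")
"Watching for probe completion."
$eventFound = $false
$lastQueryWarning = $null
while (-not $eventFound)
{
    # Take the next window's start BEFORE querying. Resetting it after the query
    # would skip any event logged between the query and the reset. Re-reading an
    # event that straddles two windows is harmless because we only look for a match.
    $nextStartTime = (Get-Date).ToString("o")

    # Get-WinEvent reports "no matching events" as an error, so errors are kept
    # quiet here and inspected below instead of being discarded wholesale.
    $newEvents = Get-WinEvent -ComputerName $serverName -FilterHashTable @{LogName="Microsoft-Exchange-ActiveMonitoring/ProbeResult";StartTime=$startTime;Id=2;ProviderName="ActiveMonitoring"} -ErrorAction SilentlyContinue -ErrorVariable queryErrors

    # Surface anything other than "no events yet" once per distinct message.
    foreach ($queryError in $queryErrors)
    {
        $isNoMatch = $queryError.FullyQualifiedErrorId -like 'NoMatchingEventsFound*'
        $queryMessage = $queryError.Exception.Message
        if (-not $isNoMatch -and $queryMessage -ne $lastQueryWarning)
        {
            Write-Warning "Get-WinEvent failed: $queryMessage"
            $lastQueryWarning = $queryMessage
        }
    }

    # $null on the left so a collection result is tested, not filtered.
    if ($null -eq $newEvents)
    {
        Start-Sleep -Seconds 1
        continue
    }
    $startTime = $nextStartTime

    # $probeEvent rather than $event: $event is a PowerShell automatic variable.
    foreach ($probeEvent in $newEvents)
    {
        $doc = [xml]$probeEvent.ToXml()
        $resultName = $doc.Event.UserData.EventXML.ResultName

        # -clike keeps the case-sensitive prefix match and evaluates to $false
        # when ResultName is missing, where a method call on $null would throw.
        if ($resultName -clike 'SearchQueryStxProbe*')
        {
            "SearchQueryStxProbe result event:"
            $probeEvent | Format-List
            "Stopping iDNA..."
            # NOTE(review): the trace files written by tttracer hold process
            # memory as well; handle them with the same care as the dump.
            & $tttracerBinary -stop all
            $eventFound = $true
            break
        }
    }
}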