Last active
December 29, 2017 08:11
-
-
Save megamorf/e66aa783c87341702e4f76d0d86d4cc9 to your computer and use it in GitHub Desktop.
PowerShell - Extract crashes from application log events
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function ConvertTo-CrashObject | |
| { | |
| <# | |
| .SYNOPSIS | |
| Returns crash objects from an application log event collection | |
| .DESCRIPTION | |
| Returns crash objects from an application log event collection. | |
| Only records where source equals 'Application Error' are processed. | |
| .PARAMETER EventLogRecord | |
| Collection of event records from the application eventlog. | |
| .EXAMPLE | |
| Get-WinEvent -LogName Application -MaxEvents 300 -ov events | ConvertTo-CrashObject -OutVariable crashes | Format-Table -Autosize | |
| .EXAMPLE | |
| $Errors = Get-WinEvent -FilterHashtable @{Logname="Application"; ProviderName="Application Error";Starttime=(Get-Date).Date} | |
| $Errors | ConvertTo-CrashObject -OutVariable crashes | Format-Table -Autosize * | |
| #> | |
| [CmdletBinding()] | |
| param( | |
| [Parameter(Mandatory,ValueFromPipeline)] | |
| [System.Diagnostics.Eventing.Reader.EventRecord[]]$EventLogRecord | |
| ) | |
| BEGIN | |
| { | |
| Function ToHex { "0x" + $args } | |
| } | |
| PROCESS | |
| { | |
| foreach($Record in $EventLogRecord) | |
| { | |
| # that usually means $Record.Id -eq 1000 | |
| if($Record.ProviderName -ne 'Application Error') | |
| { | |
| continue | |
| } | |
| try | |
| { | |
| [pscustomobject]@{ | |
| PSTypeName = 'Eventlog.Application.Crash' | |
| TimeCreated = $Record.TimeCreated | |
| Computername = $Record.MachineName | |
| AppName = $Record.Properties[0].Value | |
| AppVersion = $Record.Properties[1].Value -as [version] | |
| AppTimeStamp = [datetime]::FromFileTime((ToHex $Record.Properties[2].Value)) | |
| AppPath = $Record.Properties[10].Value | |
| ModuleName = $Record.Properties[3].Value | |
| ModuleVersion = $Record.Properties[4].Value -as [version] | |
| ModuleTimeStamp = [datetime]::FromFileTime((ToHex $Record.Properties[5].Value)) | |
| ModulePath = $Record.Properties[11].Value | |
| ExceptionCode = ToHex $Record.Properties[6].Value | |
| AppStartTime = [datetime]::FromFileTime((ToHex $Record.Properties[9].Value)) | |
| ReportId = $Record.Properties[12].Value -as [guid] | |
| Message = $Record.Message.Split([environment]::NewLine ,[System.StringSplitOptions]::RemoveEmptyEntries) | |
| } | Add-Member -MemberType ScriptProperty -Name Runtime -Value {New-TimeSpan -Start $this.AppStartTime -End $this.TimeCreated} -PassThru | |
| } | |
| catch | |
| { | |
| Write-Warning "Failed to parse the following Event Record: $($Record.RecordID)" | |
| } | |
| } # end foreach | |
| } # end process | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment