I'm trying to test a PowerShell script that finds a specific Event Viewer task that excludes a certain case. For some reason, it's printing the event created time as empty. I think this is why it's falling into the wrong case. Why is this created time empty? This is an example for this website, so the Init variable name doesn't quite make sense below, with chromoting.
#Look for crash within 150 hours of boot, and with Init within 7 minutes before that
$today=[system.datetime](Get-Date)
$startTime=$today.AddHours(-150)
$events = Get-WinEvent -FilterHashtable @{LogName='Application';ProviderName='SlotBroker';StartTime=$($startTime);EndTime=$($today);} -ErrorAction SilentlyContinue
if($events -ne $null)
{
    foreach ($event in $events)
    {
        $crashOccurredTime=$event.TimeCreated
        $lookForInitStart = $event.TimeCreated.AddMinutes(-7)
        $eventInits = {Get-WinEvent -FilterHashtable @{LogName='Application';ProviderName='chromoting';StartTime=$lookForInitStart;EndTime=$crashOccurredTime;} -ErrorAction SilentlyContinue
        }
        if($eventInits -ne $null)
        {
            foreach ($eventInit in $eventInits)
            {
                #check that didn't have Terminate in that timeframe because we don't want this case
                #look for exclude case of Terminate between Init and crash
                $initTime = $eventInit.TimeCreated #chromoting
                Write-Host "initTime $($initTime)" ##this is blank time
                $eventInitTerminate = {Get-WinEvent -FilterHashtable @{LogName='Application';ProviderName='AppMgr';StartTime=$initTime;EndTime=$crashOccurredTime;} -ErrorAction SilentlyContinue | Where-Object {(-PipelineVariable Message -Match 'Terminate function called') -or (-PipelineVariable Message -Match 'Terminate function returned')}
                }
                if($eventInitTerminate -ne $null)
                { #it always falls in here no matter if it should or not.
                    Write-Host "Found application.exe after Init with Terminate TimeCreatedCrash $($event.TimeCreated) ProviderName $($event.ProviderName) Message $($event.Message) TerminateTime $($eventInitTerminate.TimeCreated)"
                }
                else #this will print
                {
                    Write-Host "Found application.exe after Init without Terminate TimeCreated $($event.TimeCreated) ProviderName $($event.ProviderName) Message $($event.Message) InitTime $($eventInit.TimeCreated)"
                }
            } #foreach
        }
    }
} #closes if($events -ne $null); this closing brace was missing from the pasted script
Looking at the event log, I see this:
Error 8/11/2022 9:43 SlotBroker
Information 8/11/2022 9:37 chromoting
Information 8/11/2022 9:36 AlarmSoundHelper
This is a test case and should be falling into the #this will print branch, but it prints the above case. I think it's because of the time printing blank, so it finds the Terminate elsewhere in the event log. Why is that time not printing out right? I need the time to see if I need to notify me of the event log or not.
The purpose of this script is to avoid events with Terminate between SlotBroker and chromoting. As you can see, it's not in this case, but it falls into that if statement as though it found events. We don't have PowerShell ISE on this computer with the event log, so I can't step through.
When I was working on the script in PowerShell ISE on my laptop, it seemed like $eventInit might not know what TimeCreated is, but it's not causing an error. I'm not sure how to get that TimeCreated.
Update: I added this below the $lookForInitStart line and it prints OK:
Write-Host "lookForInitStart $($lookForInitStart)"
prints lookForInitStart 8/11/2022 09:36
I'm unsure why the initTime is printing blank.
I got the $initTime to not be empty with this line and used that for all TimeCreated to make sure they were correct.
$initTime = $eventInit | Select-Object -Expand TimeCreated #chromoting
But it's still falling into the $eventInitTerminate block, even though it doesn't have the Terminate events in there.
It would be helpful if someone else knows why it's falling into the "Found application.exe after Init with Terminate..." printout, and I would accept that answer.
I got the $initTime to not be empty with this line and used that for all TimeCreated to make sure they were correct.
$initTime = $eventInit | Select-Object -Expand TimeCreated #chromoting
For the Terminate block, I changed this to fix it (simplified the match for terminate):
$today=[system.datetime](Get-Date)
$startTime=$today.AddHours(-135)
write-host "startTime $($startTime)"
$events = Get-WinEvent -FilterHashtable @{LogName='Application';ProviderName='SlotBroker';StartTime=$($startTime);EndTime=$($today);} -ErrorAction SilentlyContinue
if($null -ne $events) # $null on the left is the PowerShell idiom: it also works when $events is an array
{
    foreach ($event in $events)
    {
        $crashOccurredTime=$event | Select-Object -Expand TimeCreated
        write-host "crashOccurredTime $($crashOccurredTime)"
        $lookForInitStart = $event.TimeCreated.AddMinutes(-7)
        Write-Host "lookForInitStart $($lookForInitStart)"
        # No braces around Get-WinEvent: braces would make a ScriptBlock instead of running the query
        $eventInits = Get-WinEvent -FilterHashtable @{LogName='Application';ProviderName='chromoting';StartTime=$lookForInitStart;EndTime=$crashOccurredTime;} -ErrorAction SilentlyContinue
        if($null -ne $eventInits)
        {
            foreach ($eventInit in $eventInits)
            {
                #check that didn't have Terminate in that timeframe because we don't want this case
                #look for exclude case of Terminate between Init and crash
                $initTime = $eventInit | Select-Object -Expand TimeCreated #chromoting
                Write-Host "initTime $($initTime)"
                # Simplified Where-Object syntax is "<PropertyName> -Match <pattern>"; -PipelineVariable is a
                # common parameter that names a variable, so the original form never compared the Message property
                $eventInitTerminate = Get-WinEvent -FilterHashtable @{LogName='Application';ProviderName='AppMgr';StartTime=$initTime;EndTime=$crashOccurredTime;} -ErrorAction SilentlyContinue | Where-Object Message -Match 'Terminate'
                if($null -ne $eventInitTerminate)
                {
                    Write-Host "*****Found application.exe after Init with Terminate TimeCreatedCrash $($event.TimeCreated) ProviderName $($event.ProviderName) Message $($event.Message) TerminateTime $($eventInitTerminate.TimeCreated)*****"
                }
                else #this will print
                {
                    Write-Host "***Found application.exe after Init without Terminate TimeCreated $($event.TimeCreated) ProviderName $($event.ProviderName) Message $($event.Message) InitTime $($eventInit.TimeCreated)***"
                }
            } #foreach
        }
        else
        {
            Write-Host "No application Crash found after Init in 4 hours preceding shell command"
        }
    }
}#if
else
{
    Write-Host "no events found that meet criteria of crash after init"
}
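As an added example (not code from the question or the answer), this first shows why the braces produced a blank time, then runs the same crash/Init/Terminate window check over constructed sample events so it can be tried without a live event log. The function name Test-CrashAfterInit and the sample events are my own; the objects carry the same ProviderName, TimeCreated and Message properties that Get-WinEvent returns, so live Get-WinEvent output can be passed in unchanged.

```powershell
# Added example, not part of the question or answer.
# Part 1: why initTime was blank. Wrapping a command in { } builds a ScriptBlock;
# the command never runs, so a property lookup on the variable returns $null.
$wrapped   = { Get-Date }   # a ScriptBlock; $wrapped.TimeCreated is $null because nothing ran
$unwrapped = Get-Date       # the command runs and yields a DateTime

# Part 2: the exclusion window logic over constructed sample events shaped like
# Get-WinEvent output. Times mirror the question's log: Init at 09:37, crash at
# 09:43, and the only Terminate comes after the crash, so it must not count.
$base   = Get-Date '2022-08-11 09:00'
$sample = @(
    [pscustomobject]@{ ProviderName = 'chromoting'; TimeCreated = $base.AddMinutes(37); Message = 'Init' }
    [pscustomobject]@{ ProviderName = 'SlotBroker'; TimeCreated = $base.AddMinutes(43); Message = 'crash' }
    [pscustomobject]@{ ProviderName = 'AppMgr';     TimeCreated = $base.AddMinutes(55); Message = 'Terminate function called' }
)

function Test-CrashAfterInit {
    # Hypothetical helper: for each SlotBroker crash, find chromoting Inits in the
    # preceding window and report whether an AppMgr Terminate fell between them.
    param([object[]]$Events, [int]$InitWindowMinutes = 7)
    foreach ($crash in ($Events | Where-Object ProviderName -eq 'SlotBroker')) {
        $windowStart = $crash.TimeCreated.AddMinutes(-$InitWindowMinutes)
        $inits = $Events | Where-Object { $_.ProviderName -eq 'chromoting' -and
            $_.TimeCreated -ge $windowStart -and $_.TimeCreated -le $crash.TimeCreated }
        foreach ($init in $inits) {
            # Simplified Where-Object syntax is <Property> -Match <pattern>; the
            # original '-PipelineVariable Message -Match ...' never tests Message.
            $terminates = $Events | Where-Object { $_.ProviderName -eq 'AppMgr' -and
                $_.TimeCreated -ge $init.TimeCreated -and $_.TimeCreated -le $crash.TimeCreated } |
                Where-Object Message -Match 'Terminate function (called|returned)'
            [pscustomobject]@{
                CrashTime     = $crash.TimeCreated
                InitTime      = $init.TimeCreated
                TerminateSeen = [bool]$terminates   # $true only when a Terminate lies inside the Init..crash window
            }
        }
    }
}

Test-CrashAfterInit -Events $sample | Format-Table
```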