Event Log Analysis
1. Query System Events
Get the 20 most recent events from the System log.
Get-WinEvent -LogName System -MaxEvents 20
2. Find Error Events
Filter for Error-level events in the System log.
Get-WinEvent -LogName System | Where-Object { $_.LevelDisplayName -eq 'Error' }
3. Query Classic Event Logs
Use the legacy Get-EventLog cmdlet to read Application log entries.
Get-EventLog -LogName Application -Newest 15
4. Search Security Events
Find failed logon attempts in the Security log (Event ID 4625).
Get-WinEvent -FilterHashtable @{LogName='Security';Id=4625} -MaxEvents 10
Performance Counters
5. Get CPU Usage
Check current processor utilization percentage.
Get-Counter '\Processor(_Total)\% Processor Time'
6. Check Available Memory
View the available memory in megabytes.
Get-Counter '\Memory\Available MBytes'
7. Monitor Disk Activity
Check the current disk read/write queue length.
Get-Counter '\PhysicalDisk(_Total)\Current Disk Queue Length'
Process & Service Monitoring
8. List Top Processes by CPU
Get the top 10 processes consuming the most CPU time.
Get-Process | Sort-Object CPU -Descending | Select-Object -First 10
9. Check Stopped Services
List all services that are currently stopped.
Get-Service | Where-Object Status -eq 'Stopped'
10. Test Network Connectivity
Ping a remote server to verify network reachability.
Test-Connection -ComputerName DC02 -Count 4
System Information & WMI
11. Get OS Information via WMI
Query the operating system details using WMI/CIM.
Get-WmiObject Win32_OperatingSystem | Select-Object Caption, Version, FreePhysicalMemory
12. Check Disk Space
Get disk capacity and free space for all logical drives.
Get-WmiObject Win32_LogicalDisk | Select-Object DeviceID, Size, FreeSpace
Logging & Measurement
13. Start a Transcript
Begin recording all PowerShell session output to a log file.
Start-Transcript -Path "C:\Logs\session.txt"
14. Measure Command Execution Time
Use Measure-Command to benchmark how long a script block takes to run.
Measure-Command { Get-Process }
Key Event Logs:
System - OS and driver events
Application - App-level events
Security - Logon/logoff, access auditing
Setup - Windows update/install events
Tip: Use Get-WinEvent -ListLog * to see all available event logs.
Use -FilterHashtable instead of Where-Object for faster server-side filtering.
Get-WmiObject vs Get-CimInstance:
Get-CimInstance is the modern replacement; it uses WS-Man (WinRM) for remote queries.
Get-WmiObject uses legacy DCOM and is not available in PowerShell 7. Both query the same WMI data.
Microsoft recommends CIM cmdlets for new scripts.
Performance Baselines:
Establish baselines during normal operations so you can spot anomalies.
Use Get-Counter -Continuous to collect samples over time, or pipe to Export-Counter to save to a .blg file.
Critical Security Event IDs:
4624 - Successful logon
4625 - Failed logon attempt
4648 - Explicit credential logon
4720 - User account created
4732 - Member added to security group
4740 - Account lockout
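Worked example that combines the -FilterHashtable tip with Event ID 4625: summarise failed logons from the last 24 hours by account and source address, and flag any pair over a threshold (added here, not part of the original cheat sheet; the 24-hour window and the threshold of 5 are assumed tuning values).

```powershell
# Added example, not from the original page. Window and threshold are assumed values.
$Threshold = 5
$Since     = (Get-Date).AddHours(-24)

# Server-side filter: LogName, Id and StartTime are evaluated by the event log service,
# so only matching records are returned (much faster than Where-Object on the full log).
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $Since
} -ErrorAction SilentlyContinue   # Get-WinEvent raises an error when nothing matches

$Rows = foreach ($Event in $Events) {
    # Read named EventData fields from the event XML instead of positional Properties[] indexes.
    $Xml  = [xml]$Event.ToXml()
    $Data = @{}
    foreach ($Item in $Xml.Event.EventData.Data) { $Data[$Item.Name] = $Item.'#text' }

    [pscustomobject]@{
        Time      = $Event.TimeCreated
        Account   = $Data['TargetUserName']
        Domain    = $Data['TargetDomainName']
        SourceIP  = $Data['IpAddress']
        LogonType = $Data['LogonType']        # 3 = network, 10 = RemoteInteractive (RDP)
        Status    = $Data['Status']           # e.g. 0xC000006D = bad user name or password
    }
}

# Group by account + source and report pairs at or above the threshold, most frequent first.
$Rows |
    Group-Object Account, SourceIP |
    Where-Object Count -ge $Threshold |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group | Sort-Object Time)[0].Time } },
        @{ n = 'Last';  e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize
```

Run from an elevated session, since reading the Security log requires administrator (or Event Log Readers) rights; a burst of failures for one account from one source is the pattern that precedes a 4740 lockout.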
Performance Thresholds:
CPU - Sustained > 80% indicates contention
Available Memory - Below 200 MB is critical
Disk Queue Length - Sustained > 2 indicates bottleneck
Network Interface - > 70% utilization needs attention