Digging through the event viewer is sometimes still the best way to get to the bottom of a nasty issue. Done manually, it can be a daunting task. PowerShell to the rescue!
We are all used to opening up our friend the EventLog Viewer GUI. But what do you do when you don’t have the GUI (Server Core or Hyper-V Server for example)? How do you get to those trusted events? Well, PowerShell of course! And there are even two different cmdlets to get there.
Get-EventLog and Get-WinEvent
Get-EventLog focuses on the top level event logs: Application, System, PowerShell, Security.
Get-WinEvent can get you anything, any event log. The hardest part is identifying the Event Logs for Get-WinEvent.
Recently I have been focused on disk conversion, so let's focus on that. VHD conversion events are in the Hyper-V Image Management event log under the Operational log.
The Hyper-V Image Management service manages VHDs (disk images) and this is also an event provider. If you type get-winevent -ProviderName "Microsoft-Windows-Hyper-V-Image-Management-Service" you will get all events, Admin and Operational. In my case I just want Operational events, so I can go direct to the log: get-winevent -LogName Microsoft-Windows-Hyper-V-Image-Management-Service-Operational. I cheated when I went looking for the logs; you can’t browse them like the tree view in the GUI. I used the GUI on one server to locate the log I needed and I inferred its name from the Properties screen.
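On a server with no GUI, Get-WinEvent itself can list the log names and then pull the Operational events. The following is an added example, not code from the original post; the 24-hour window and the variable names are assumptions, and the provider name is the one quoted above.

```powershell
# Added example. Run in an elevated PowerShell session on the Hyper-V host.
# Provider name as quoted in the post.
$provider = 'Microsoft-Windows-Hyper-V-Image-Management-Service'

# 1. List every log whose name mentions Hyper-V. This is the console
#    substitute for browsing the tree in the Event Viewer GUI.
Get-WinEvent -ListLog '*Hyper-V*' -ErrorAction SilentlyContinue |
    Sort-Object LogName |
    Format-Table LogName, RecordCount, IsEnabled -AutoSize

# 2. Ask the provider which logs it writes to (Admin, Operational, ...).
$logs = (Get-WinEvent -ListProvider $provider).LogLinks |
    ForEach-Object { $_.LogName }
$logs

# 3. Pick the Operational log by suffix instead of hard-coding the full name.
$opLog = $logs | Where-Object { $_ -like '*Operational' } | Select-Object -First 1
if (-not $opLog) {
    throw "No Operational log found for provider $provider"
}

# 4. Filter on the server side with a hashtable. Assumption: last 24 hours.
$filter = @{
    LogName   = $opLog
    StartTime = (Get-Date).AddHours(-24)
}

# Get-WinEvent raises a non-terminating error when nothing matches,
# so suppress it and test for an empty result instead.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Warning "No events in $opLog for the selected window."
    return
}

# 5. Summarise by event id to see which ids actually occur in this log.
$events |
    Group-Object Id |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 6. Show the events in chronological order with their messages.
$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```

Once the ids of interest are known, adding an `Id` key to the filter hashtable narrows the query to just those events.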
The series of EventIds that I even care about are: