Monitoring Event Logs in Windows with PowerShell: A Script for Recent Events

When managing a Windows environment, analyzing event logs is an essential part of troubleshooting. Windows logs a wide range of system, security, and application events, but sometimes specific problems can arise without easily accessible evidence. For example, when tracking down recent events, it can be cumbersome to manually check each log for relevant entries.

In this post, I’ll share a simple PowerShell script that extracts recent log entries across all event logs—not just the default System, Application, and Security logs. This script is particularly useful when you need to quickly review what’s been happening on your machine over the last 5 minutes.

The Challenge

By default, most users only check System, Application, and Security logs. However, Windows maintains many other event logs that can provide critical information about drivers, devices, or even specific services. Accessing these logs manually via Event Viewer can be tedious and time-consuming. The goal here is to automate this process with PowerShell and make it easier to analyze logs from a specific timeframe—such as the last 5 minutes.

The Solution: PowerShell Script

Below is the PowerShell script that retrieves recent events from all event logs and displays them in an easy-to-read format.

# Determine the time from 5 minutes ago
$TimeSpan = (Get-Date).AddMinutes(-5)

# Fetch all event log names
$logNames = Get-WinEvent -ListLog *

# Loop through each log and look for recent events
foreach ($logName in $logNames.LogName) {
# Fetch the last 100 events, suppress errors if no events exist
$events = Get-WinEvent -LogName $logName -MaxEvents 100 -ErrorAction SilentlyContinue

# If there are events, filter by time
if ($events) {
$recentEvents = $events | Where-Object { $_.TimeCreated -gt $TimeSpan }

# If recent events exist, display them
if ($recentEvents) {
Write-Host "Log: $logName" -ForegroundColor Cyan
$recentEvents | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -AutoSize
}
}
}

How It Works

  1. Fetching Log Names: The script starts by retrieving the names of all available event logs on your system using the following command:powershellCopy code$logNames = Get-WinEvent -ListLog * This command lists every log, including ones that are not typically visible in the default Event Viewer console.
  2. Setting a Time Filter: The script calculates the timestamp from 5 minutes ago by using Get-Date combined with the AddMinutes() method:powershellCopy code$TimeSpan = (Get-Date).AddMinutes(-5) This value will be used to filter out any events that occurred before this time.
  3. Looping Through Logs: The script then loops through each log fetched earlier:powershellCopy codeforeach ($logName in $logNames.LogName) { For each log, it pulls the last 100 events using Get-WinEvent. The -ErrorAction SilentlyContinue parameter is important here—it suppresses any errors if no events are found in a particular log, ensuring the script doesn’t stop unexpectedly.
  4. Filtering by Time: Once the events are retrieved, they are filtered by the timestamp:powershellCopy code$recentEvents = $events | Where-Object { $_.TimeCreated -gt $TimeSpan } This ensures that only events created in the last 5 minutes are shown.
  5. Displaying the Results: If any events match the filter, they are displayed in a neat table using Format-Table:powershellCopy code$recentEvents | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -AutoSize The table includes the time the event was created, its event ID, the level (such as Error, Warning, or Information), and the message content.

Why This Matters

By gathering events from all logs, this script ensures that no critical logs are overlooked. Whether you’re troubleshooting a hardware issue, investigating network activity, or monitoring driver problems, reviewing all logs within a specific timeframe can give you a broader perspective on system behavior.

Example Output

Here’s an example of what the output looks like when recent events are found:

Log: Application
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
9/10/2024 11:45 AM 1001 Error Application error occurred...
9/10/2024 11:47 AM 2002 Warning Warning: High CPU usage...

This provides a quick snapshot of recent system activity across various logs.

Happy scripting!

Optimizing RDP Performance on Linux: My Best Settings with xfreerdp

XfreeRDP3

If you’re like me and rely heavily on Remote Desktop Protocol (RDP) to connect to Windows servers from a Linux environment, you know how crucial performance can be. After experimenting with numerous settings, I’ve found a configuration that delivers the best performance using xfreerdp. Here’s a breakdown of the settings that worked wonders for me.

Why xfreerdp?

xfreerdp is an open-source RDP client that offers a plethora of customization options, making it a powerful tool for Linux users needing to connect to Windows servers. Its flexibility allows for fine-tuning, which is essential for optimizing performance.

My Go-To Command

Here is the xfreerdp command that gave me the best results:

xfreerdp3 /u:[email protected] /p:"P@ASSWRRRDDD" /v:10.10.10.10 /dynamic-resolution /compression /network:auto /gfx:AVC420:on +clipboard -themes

Let’s break down what each part of this command does:

  • /u:[email protected]: Specifies the username to use for the connection.
  • /p:”P@ASSWRRRDDD”: Specifies the password. Ensure this is securely stored and managed.
  • /v:10.10.10.10: The IP address of the Windows server.
  • /dynamic-resolution: Adjusts the screen resolution dynamically to match the size of the xfreerdp window.
  • /compression: Enables compression to reduce the amount of data transferred, improving performance over slower connections.
  • /network:auto: Automatically adjusts settings based on network conditions for optimal performance.
  • /gfx:AVC420:on: Uses the AVC420 codec for efficient video compression, providing a good balance between quality and performance.
  • +clipboard: Enables clipboard sharing between the local and remote systems.
  • -themes: Disables desktop themes on the remote server to reduce the amount of graphical processing required.

Additional Tips for Improved Performance

To enhance your Remote Desktop (RDP) experience from Linux, adjusting the performance settings on the Windows server can make a big difference. Here’s a quick guide:

  1. Open System Properties:
  • Right-click on “This PC” or “Computer” and select “Properties”.
  • Click on “Advanced system settings”.
  1. Adjust Performance Options:
  • In the System Properties window, under the “Advanced” tab, click “Settings” in the Performance section.
  • In the Performance Options window, select “Custom” and adjust the settings as shown in the screenshot below.
  1. Recommended Settings:
  • Uncheck unnecessary visual effects like animations, shadows, and Peek.
  • Check only essential items for a smoother experience.

Refer to the screenshot for detailed settings adjustments.

By tweaking these settings, you can significantly improve the responsiveness of your RDP sessions.

Performance Options

Conclusion

Finding the right settings for xfreerdp can be a game-changer for your remote desktop experience on Linux. The command and tips I’ve shared should help you achieve a smoother and more responsive connection to your Windows servers. Don’t hesitate to tweak these settings further based on your specific network conditions and requirements.

Happy remoting!


Install winget without the Microsoft App Store

If you are unable to access the Windows Store app and wish to install winget, you can easily do so by following these steps:

  • First download the latest version of winget: https://aka.ms/getwinget
  • Then use this Powershell command to install winget
Add-AppxPackage -Path Microsoft.DesktopAppInstaller_8wekyb3d8bbwe.msixbundle

Probably you will get this error:

Windows cannot install package Microsoft.DesktopAppInstaller_1.19.10173.0_x64__8wekyb3d8bbwe because this package depends on a framework that could not be found. Provide the framework “Microsoft.UI.Xaml.2.7” published by “CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US”, with neutral or x64 processor architecture and minimum version 7.2109.13004.0, along with this package to install. The frameworks with name “Microsoft.UI.Xaml.2.7” currently installed are: {}

The reason is that you miss the dependency Microsoft.UI.Xaml.2.7

Now you have to go to the nuget website and download the nuget package: https://www.nuget.org/packages/Microsoft.UI.Xaml/2.7.3

Then you have to rename the file extension of the downloaded file to .zip

Open the zip file and go to tools > AppX > X64 > Release and extract the Microsoft.UI.Xaml.2.7.appx file

Install the extracted appx file

Add-AppxPackage -Path .\Microsoft.UI.Xaml.2.7.appx

You may also get this error when you try to install winget

Windows cannot install package Microsoft.DesktopAppInstaller_1.19.10173.0_x64__8wekyb3d8bbwe because this package depen
ds on a framework that could not be found. Provide the framework “Microsoft.VCLibs.140.00.UWPDesktop” published by “CN=
Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US”, with neutral or x64 processor architect
ure and minimum version 14.0.30704.0, along with this package to install. The frameworks with name “Microsoft.VCLibs.14
0.00.UWPDesktop” currently installed

You can download Microsoft.VCLibs.140.00.UWPDesktop here: https://aka.ms/Microsoft.VCLibs.x64.14.00.Desktop.appx

Install Microsoft.VCLibs.x64.14.00.Desktop with this command:

Add-AppxPackage -Path .\Microsoft.VCLibs.x64.14.00.Desktop.appx

And now you should install the winget application without errors:

Add-AppxPackage -Path .\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe.msixbundle

Happy installing 🙂

Install and Configure OpenSSH Windows Server 2019 and 2022 and configure key-based authentication

OpenSSH is a free and open-source software that allows secure communication between computers over an unsecured network. It is widely used on Linux and Unix systems, but it is also available for Windows systems. In this article, we will show you how to install and configure OpenSSH on a Windows 2022 server.

Step 1: Install OpenSSH

The first step is to install OpenSSH on your Windows server. To do this, follow these steps:

# Install the OpenSSH Server
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
# Start the sshd service
Start-Service sshd

# OPTIONAL but recommended:
Set-Service -Name sshd -StartupType 'Automatic'

# Confirm the Firewall rule is configured. It should be created automatically by setup. Run the following to verify
if (!(Get-NetFirewallRule -Name "OpenSSH-Server-In-TCP" -ErrorAction SilentlyContinue | Select-Object Name, Enabled)) {
    Write-Output "Firewall Rule 'OpenSSH-Server-In-TCP' does not exist, creating it..."
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
} else {
    Write-Output "Firewall rule 'OpenSSH-Server-In-TCP' has been created and exists."
}

Step 2: Configure OpenSSH

Once OpenSSH is installed on your server, you need to configure it to allow secure communication. Follow these steps to configure OpenSSH:

  • Open notepad
  • Open the configuration file C:\ProgramData\ssh\sshd_config
  • Remove the “#” at the beginning of the line #PubkeyAuthentication yes to uncomment it:PubkeyAuthentication yes
  • Locate the line that starts with #PasswordAuthentication yes and remove the “#” at the beginning of the line to uncomment it and change it to NO: PasswordAuthentication no
  • Add the “#” at the beginning of the line AuthorizedKeysFile PROGRAMDATA/ssh/administrators_authorized_keys to comment it out:#AuthorizedKeysFile PROGRAMDATA/ssh/administrators_authorized_keys
  • Save the changes and close the configuration file.
  • Restart the service
# Restart the sshd service
Restart-Service sshd

Step 3: Configure the Administrator for key-based authentication

After the configuration is complete, you need to configure the public key.

Optional: If you don’t have a public/private keypair use this command to create the files on your client:

ssh-keygen -t rsa -b 4096
  • Open the Explorer and go to C:\Users\<Username>\
  • Create a folder .ssh
  • Create a text file (without extension!) authorized_keys
  • Open the file in notepad
  • Paste your ssh-rsa public key in this authorized_keys file (this is the content of id_rsa.pub)
  • Save the file
  • Remove the inheritance so that only the user and system has full permission

Step 4: Test OpenSSH

To test if OpenSSH is installed and configured correctly, follow these steps:

  • Open a Command Prompt window.
  • Type “ssh username@<server>” and press Enter.
  • If the connection is successful, you should see a welcome message.

Congratulations! You have successfully installed and configured OpenSSH on your Windows 2022 server and configure it securely with key-based authentication.

Optional: change CMD to Powershell

If you want to connect directly in PowerShell instead of the default command use this PowerShell command

New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force

Happy connecting 🙂

NTP Error: the computer did not resync because no time data was available

When it comes to configuring your Primary Domain Controller (PDC) or local Network Time Protocol (NTP), you’ll find a a lot of information online.

But in a nutshell this is what you have to do:

w32tm /config /manualpeerlist:"<IPTIMESERVER>,0x1" /syncfromflags:manual /reliable:yes /update
net stop w32time
net start w32time
w32tm /resync /rediscover

But if the timeserver isn’t reliable you get the error:

The fix is really easy. Remove the /reliable:yes option

w32tm /config /manualpeerlist:"<IPTIMESERVER>,0x1" /syncfromflags:manual /update

And then after the w32tm /resync /rediscover:

Off course you only want to remove the /reliable:yes in a lab environment. Otherwise change the NTP server to a reliable one.

TCPDump alternative Windows

Are you in a situation where you need to capture and analyze network traffic, but don’t have Wireshark or TCPDump at your disposal? Don’t worry, there’s still a solution. Enter pktmon.

While it may not be the most sophisticated tool out there, pktmon is a viable option for monitoring traffic in real-time. With its lightweight and efficient design, you can quickly capture and analyze packets without the need for any additional software installations.

So, how exactly does pktmon work? It uses the Windows Filtering Platform (WFP) to capture network traffic at the packet level. This allows you to examine specific details about each packet, such as its source and destination address, protocol, and payload.

But what makes pktmon really stand out is its ability to filter traffic based on specific criteria. For example, you can use it to only capture traffic from a specific IP address, port, or protocol. This makes it a powerful tool for troubleshooting network issues or identifying potential security threats.

While pktmon may not be the most robust traffic monitoring tool out there, it’s certainly a valuable option to have in your arsenal and its already installed 🙂 So the next time you find yourself in need of capturing and analyzing network traffic, give pktmon a try – you might just be surprised by what it can do.

#start the traffic capture
pktmon start -c
#stop the traffic capture
pktmon stop
#convert the file so you can view it in notepad
pktmon etl2txt <etl file>

More info: https://learn.microsoft.com/en-us/windows-server/networking/technologies/pktmon/pktmon-syntax

Happy sniffing 🙂

Update Windows Server with powershell

This is for 2016 server. But it will work for other versions of Windows

[Net.ServicePointManager]::SecurityProtocol += [Net.SecurityProtocolType]::Tls12
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Set-PSRepository -Name "PSGallery" -InstallationPolicy Trusted
Install-Module PSWindowsUpdate -Confirm:$false
Set-PSRepository -Name "PSGallery" -InstallationPolicy Untrusted
Get-WindowsUpdate -AcceptAll -Install -AutoReboot

Happy Patching 🙂

Configure WSUS client with Powershell and Regedit

My use case for a customer was to configure WSUS for a couple of DMZ servers. The DMZ servers are not domain-joined. So I create a PowerShell script to configure the registry so I can easily deploy the settings to the servers.

You can use this script also for non domain-joined servers

# Script for WSUS configuration on non-domain joined servers

# First stop the Windows service
Get-Service -name wuauserv | stop-service

# Variables
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$name1 = "TargetGroup"
$value1 = "Production"
$name2 = "WUServer"
$value2 = "http://wsus.domain.local:8530"
$name3 = "WUStatusServer"
$value3 = "http://wsus.domain.local:8530"
$name4 = "DoNotConnectToWindowsUpdateInternetLocations"
$value4 = "1"
$name5 = "TargetGroupEnabled"
$value5 = "1"
$registryPathAU = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
$nameAU1 = "AUOptions"
$valueAU1 = "3"
$nameAU2 = "UseWUServer"
$valueAU2 = "1"


# Inject registry
IF(!(Test-Path $registryPath))
{
    New-Item -Path $registryPath -Force | Out-Null
    New-ItemProperty -Path $registryPath -Name $name1 -Value $value1 -Force | Out-Null
    New-ItemProperty -Path $registryPath -Name $name2 -Value $value2 -Force | Out-Null
    New-ItemProperty -Path $registryPath -Name $name3 -Value $value3 -Force | Out-Null
    New-ItemProperty -Path $registryPath -Name $name4 -Value $value4 -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path $registryPath -Name $name5 -Value $value5 -PropertyType DWORD -Force | Out-Null
}
ELSE
{
    New-ItemProperty -Path $registryPath -Name $name1 -Value $value1 -Force | Out-Null
    New-ItemProperty -Path $registryPath -Name $name2 -Value $value2 -Force | Out-Null
    New-ItemProperty -Path $registryPath -Name $name3 -Value $value3 -Force | Out-Null
    New-ItemProperty -Path $registryPath -Name $name4 -Value $value4 -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path $registryPath -Name $name5 -Value $value5 -PropertyType DWORD -Force | Out-Null
}
IF(!(Test-Path $registryPathAU))
{
    New-Item -Path $registryPathAU -Force | Out-Null
    New-ItemProperty -Path $registryPathAU -Name $nameAU1 -Value $valueAU1 -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path $registryPathAU -Name $nameAU2 -Value $valueAU2 -PropertyType DWORD -Force | Out-Null
    }
ELSE
{
    New-ItemProperty -Path $registryPathAU -Name $nameAU1 -Value $valueAU1 -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path $registryPathAU -Name $nameAU2 -Value $valueAU2 -PropertyType DWORD -Force | Out-Null
}

# Start the Windows service
Get-Service -name wuauserv | start-service

# Find updates and report to the WSUS server
$updateSession = new-object -com "Microsoft.Update.Session"; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates
Start-sleep -seconds 10
wuauclt /detectnow
wuauclt /reportnow
c:\windows\system32\UsoClient.exe startscan

I save this file on the WSUS server itself at http://wsus.domain.local:8530/script.txt so I can download and run it from the DMZ environment.

invoke-webrequest -uri http://wsus.domain.local:8530/script.txt -outfile script.ps1
.\script.ps1

Happy updating 🙂

Powershell better tab autocomplete

With Powershell ISE you can use CTRL + SPACE for auto completion.

Powershell ISE Completion

But when you work in a native Powershell window you don’t have this option. And many often you cycle with tab completion trough the powershell and because you press the TAB button too soon you have to remove characters and cycle again trough all the commands.

Unit now 😉

There is an easy fix you can implement so the Powershell have the same auto completion like bash.

  • Type notepad $profile for Windows or gedit $profile for Linux
  • Add the line Set-PSReadlineKeyHandler -Key Tab -Function MenuComplete
Add line in $profile
  • Save the file and restart Powershell
  • And now you have a much better working tab completion
Linux Example
Windows Example

Happy coding 🙂

Repair Debian boot after Windows update

Today I update my dual boot system and unfortunately my Debian OS wasn’t booting anymore. The root cause was that Windows decide to reclaim the EFI boot.

The fix is quite easy.

Type mountvol P: /S

Check the EFI boot partition data

And fix your boot the this command:

bcdedit.exe /set {bootmgr} path \EFI\Debian\grubx64.efi

As you can see in the screenshot, this also work for EndeavourOS and Ubuntu and probably for a lot other Linux EFI boot systems.

Happy booting!