How to Properly Export to CSV Using Powershell - windows

May I know how to properly export this script to CSV?
Try {
Invoke-Command -scriptblock {Get-EventLog System -After "7/8/2017" -Before "07/28/2017" |
Where-Object {$_.EventID -eq "50" -or $_.EventID -eq "51" -or $_.EventID -eq "55" -or $_.EventID -eq "57" -or $_.EventID -eq "6008"} |
FT -Property Machinename, TimeWritten, EntryType, Source, EventID, Message -AutoSize -wrap } -computername $computer -ErrorAction Stop
}
Catch {
Write-Host $Computer "Error/RDC Problem" -ForegroundColor Red
}
Result:
Export-CSV command is not working properly when added at the end. It outputs a different set of data.

Formatting cmdlets like Format-Table don't just change the way the object is displayed, it changes the object itself into something that will display how you want it to. This is part of why it's commonly recommended not to use the formatting cmdlets in scripts or functions.
Instead, you should use the Select-Object cmdlet to limit the number of properties passed to Export-Csv.
Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
Get-EventLog System -After "7/8/2017" -Before "07/28/2017" |
Where-Object { 50, 51, 55, 57, 6008 -contains $_.EventID } |
Select-Object -Property MachineName, TimeWritten, EntryType, Source, EventID, Message
}

try this
Try {
Invoke-Command -scriptblock {Get-EventLog System -After "7/8/2017" -Before "07/28/2017" |
Where EventID -in ("50", "51", "55", "57", "6008") |
select Machinename, TimeWritten, EntryType, Source, EventID, Message } -computername $computer -ErrorAction Stop |export-csv "c:\temp\result.csv"
}
Catch {
Write-Host $Computer "Error/RDC Problem" -ForegroundColor Red
}
or may be simply like this :
Try
{
Get-EventLog System -After "7/8/2017" -Before "07/28/2017" -ComputerName $computer |
Where EventID -in ("50", "51", "55", "57", "6008") |
select Machinename, TimeWritten, EntryType, Source, EventID, Message |export-csv "c:\temp\result.csv" -NoType
}
Catch
{
Write-Host $Computer "Error/RDC Problem" -ForegroundColor Red
}

Related

PowerShell get detailed event information from WmiEvent (System.Management.ManagementEventWatcher)

I want to get event delails like the event type and drive letter from a Windows Powershell event.
Register-WmiEvent -Class win32_VolumeChangeEvent -SourceIdentifier volumeChange -Action {
param($event)
$eventType = $event.SourceEventArgs.NewEvent.EventType # don't work
write-host $eventType
}
while (1-eq1) {} # don't exit program
This is what i want to achieve. It works on a Windows computer, but because of performance problems it don't work on a Windows tablet:
Register-WmiEvent -Class win32_VolumeChangeEvent -SourceIdentifier volumeChange
do {
$newEvent = Wait-Event -SourceIdentifier volumeChange
$eventType = $newEvent.SourceEventArgs.NewEvent.EventType
$driveLetter = $newEvent.SourceEventArgs.NewEvent.DriveName
write-host $eventType
Remove-Event -SourceIdentifier volumeChange
} while (1-eq1) # Loop until next event
Unregister-Event -SourceIdentifier volumeChange
I found out that multiple params are submitted:
Register-WmiEvent -Class win32_VolumeChangeEvent -SourceIdentifier volumeChange -Action {
param($event, $sourceEventArgs)
$eventType= $sourceEventArgs.NewEvent.EventType
write-host $eventType
}
while (1-eq1) {} # don't exit program

Downloading certain files using powershell produce corrupt files

So I have a powershell script that I wrote which crawls through a particular website and downloads all of the software hosted on the site to my local machine. The website in question is nirsoft.net, and I will include the full script below. Anyway, so I have this script that downloads all of the application files hosted on the website, when I notice something odd: while most of the file downloads completed successfully, there are several files that were not downloaded successfully, resulting in a corrupt file of 4KB:
For those of you who are familiar with Nirsoft's software, the tools are very powerful, but also constantly misidentified as dangerous because of the password cracking tools, so my guess as to why this is happening is that, since powershell's If I were to guess as to why this was happening, I would guess that, due to the fact that powershell's "Invoke-webrequest cmdlet" uses Internet Explorer's engine for its core functionality, Internet Explorer is flagging the files as dangerous and refusing to download them, thus causing powershell to fail to download the file. I confirmed this by trying to manually download each of the corrupt files using internet explorer, which marked them all as malicious. However, this is where things get strange. In order to bypass this limitation, I attempted a variety of other methods to download the file within my script, like using a pure dotnet object ( (New-object System.Net.WebClient).DownloadFile("url","file") ) and even some third party command line tools (wget for windows, wget in cygwin, etc), but no matter what I tried, not a single alternative method I used was able to download a non-corrupt file. So what I want to know is if there is a way around this, and I want to know why even third party tools are affected by this. Is there some kind of rule that any scripting tool has to use Internet Explorer's engine in order to connect to the internet or something? Thanks in advance. Oh, and one last thing before I post the script. Below is the url to one of the files that I am having difficulty in downloading via powershell, which you can use to run individual tests rather than the whole script:
enter link description here
And without further ado, here is the script. Thank again:
$VerbosePreference = "Continue"
$DebugPreference = "Continue"
$present = $true
$subdomain = $null
$prods = (Invoke-WebRequest "https://www.nirsoft.net/utils/index.html").links
Foreach ($thing in $prods)
{
If ($thing.Innertext -match "([A-Za-z]|\s)+v\d{1,3}\.\d{1,3}(.)*")
{
If ($thing.href.Contains("/"))
{
}
$page = Invoke-WebRequest "https://www.nirsoft.net/utils/$($thing.href)"
If ($thing.href -like "*dot_net_tools*")
{
$prodname = $thing.innerText.Trim().Split(" ")
}
Else
{
$prodname = $thing.href.Trim().Split(".")
}
$newlinks = $page.links | Where-Object {$_.Innertext -like "*Download*" -and ($_.href.endswith("zip") -or $_.href.endswith("exe"))}
# $page.ParsedHtml.title
#$newlinks.href
Foreach ($item in $newlinks)
{
$split = $item.href.Split("/")
If ($item.href -like "*toolsdownload*")
{
Try
{
Write-host "https://www.nirsoft.net$($item.href)"
Invoke-WebRequest "https://www.nirsoft.net$($item.href)" -OutFile "$env:DOWNLOAD\test\$($split[-1])" -ErrorAction Stop
}
Catch
{
Write-Host $thing.href -ForegroundColor Red
}
}
elseif ($item.href.StartsWith("http") -and $item.href.Contains(":"))
{
Try
{
Write-host "$($item.href)"
Invoke-WebRequest $item.href -OutFile "$env:DOWNLOAD\test\$($split[-1])" -ErrorAction Stop
}
Catch
{
Write-Host "$($item.href)" -ForegroundColor Red
}
}
Elseif ($thing.href -like "*/dot_net_tools*")
{
Try
{
Invoke-WebRequest "https://www.nirsoft.net/dot_net_tools/$($item.href)" -OutFile "$env:DOWNLOAD\test\$($split[-1])" -ErrorAction Stop
}
Catch
{
Write-Host $thing.href -ForegroundColor Red
}
}
Else
{
Try
{
Write-Host "https://www.nirsoft.net/utils/$($item.href)"
Invoke-WebRequest "https://www.nirsoft.net/utils/$($item.href)" -OutFile "$env:DOWNLOAD\test\$($item.href)" -ErrorAction Stop
}
Catch
{
Write-Host $thing.href -ForegroundColor Red
}
}
If ($item.href.Contains("/"))
{
If (!(Test-Path "$env:DOWNLOAD\test\$($split[-1])"))
{
$present = $false
}
}
Else
{
If (!(Test-Path "$env:DOWNLOAD\test\$($item.href)"))
{
$present = $false
}
}
}
}
}
If ($present)
{
Write-Host "All of the files were downloaded!!!" -ForegroundColor Green
}
Else
{
Write-Host "Not all of the files downloaded. Something went wrong." -ForegroundColor Red
}
You have two separate issues.
For anything Defender flags, it doesn't matter if you save it to disk with this or that. You could simply add an exclusion for the directory in Defender.
The other issue is pointed out by Guenther, you need to provide a referrer at least on some of the downloads. With the following changes I was able to download them all.
$VerbosePreference = "Continue"
$DebugPreference = "Continue"
$present = $true
$subdomain = $null
$path = c:\temp\downloadtest\
New-Item $path -ItemType Directory -ErrorAction SilentlyContinue | Out-Null
Add-MpPreference -ExclusionPath $path
$prods = (Invoke-WebRequest "https://www.nirsoft.net/utils/index.html").links
Foreach ($thing in $prods)
{
If ($thing.Innertext -match "([A-Za-z]|\s)+v\d{1,3}\.\d{1,3}(.)*")
{
If ($thing.href.Contains("/"))
{
}
$page = Invoke-WebRequest "https://www.nirsoft.net/utils/$($thing.href)"
If ($thing.href -like "*dot_net_tools*")
{
$prodname = $thing.innerText.Trim().Split(" ")
}
Else
{
$prodname = $thing.href.Trim().Split(".")
}
$newlinks = $page.links | Where-Object {$_.Innertext -like "*Download*" -and ($_.href.endswith("zip") -or $_.href.endswith("exe"))}
# $page.ParsedHtml.title
#$newlinks.href
Foreach ($item in $newlinks)
{
$split = $item.href.Split("/")
If ($item.href -like "*toolsdownload*")
{
Try
{
Write-host "https://www.nirsoft.net$($item.href)"
Invoke-WebRequest "https://www.nirsoft.net$($item.href)" -OutFile "$path\$($split[-1])" -ErrorAction Stop -Headers #{Referer="https://www.nirsoft.net$($item.href)"}
}
Catch
{
Write-Host $thing.href -ForegroundColor Red
}
}
elseif ($item.href.StartsWith("http") -and $item.href.Contains(":"))
{
Try
{
Write-host "$($item.href)"
Invoke-WebRequest $item.href -OutFile "$path\$($split[-1])" -ErrorAction Stop -Headers #{Referer="$($item.href)"}
}
Catch
{
Write-Host "$($item.href)" -ForegroundColor Red
}
}
Elseif ($thing.href -like "*/dot_net_tools*")
{
Try
{
Invoke-WebRequest "https://www.nirsoft.net/dot_net_tools/$($item.href)" -OutFile "$path\$($split[-1])" -ErrorAction Stop -Headers #{Referer="https://www.nirsoft.net/dot_net_tools/$($item.href)"}
}
Catch
{
Write-Host $thing.href -ForegroundColor Red
}
}
Else
{
Try
{
Write-Host "https://www.nirsoft.net/utils/$($item.href)"
Invoke-WebRequest "https://www.nirsoft.net/utils/$($item.href)" -OutFile "$path\$($item.href)" -ErrorAction Stop -Headers #{Referer="https://www.nirsoft.net/utils/$($item.href)"}
}
Catch
{
Write-Host $thing.href -ForegroundColor Red
}
}
If ($item.href.Contains("/"))
{
If (!(Test-Path "$path\$($split[-1])"))
{
$present = $false
}
}
Else
{
If (!(Test-Path "$path\$($item.href)"))
{
$present = $false
}
}
}
}
}
If ($present)
{
Write-Host "All of the files were downloaded!!!" -ForegroundColor Green
}
Else
{
Write-Host "Not all of the files downloaded. Something went wrong." -ForegroundColor Red
}
I'd also recommend you turn the download routine into a function that you can pass the relative URL portion so you don't have to repeat code several times.

Powershell - check if file exist and contains string pattern

wrote this small part of code to check if file exist and contains string pattern
try {
$SEL = Select-String -Path \\$serversPing\c$\Scripts\compare_result.txt -Pattern "no differences encountered" -ErrorAction SilentlyCOntinue
}catch{
$ErrorMessage = $_.Exception.Message
$FailedItem = $_.Exception.ItemName
}
Finally {
if ($SEL | Test-Path -ErrorAction SilentlyContinue){
#write-host $serversPing $SEL.Pattern
#write-host $serversPing $SEL
if ($SEL.Pattern -eq "no differences encountered")
{
$SoftCheckResult = "ok"
}
else
{
$SoftCheckResult ="Verify"
}
}
else{
$SoftCheckResult = "NotInScope"
}
}
But, it does not do what it should. First of all it partially recognize that path exist and secondly it does partially recognize pattern in txt file. Can you please help me?
I suspect that PATTER is partially recognizable on multiply server.(whitepaces etc) even so how to skip that?
Strange think is that it does not see that pattern is missing in file, it return
NotinScope instead Verify
Below file without this pattern
And below you can see normal pattern
Since you use plural in $serversPing, I suspect this variable comes from an earlier part of your code and contains a COLLECTION of servers.
I would change the order of checks and start with a test to see if the file exists on that server or not:
# As you mentioned a possible whitespace problem the pattern below uses regex `\s+` so multiple whitespace characters are allowed betwen the words.
$pattern = "no\s+differences\s+encountered"
foreach ($server in $serversPing) {
if (Test-Connection $server -Count 1 -Quiet) {
$filePath = Join-Path -Path "\\$server" -ChildPath 'c$\Scripts\compare_result.txt'
if (Test-Path $filePath -PathType Leaf) {
# -Quiet: Indicates that the cmdlet returns a Boolean value (True or False), instead of a MatchInfo object.
# The value is True if the pattern is found; otherwise, the value is False.
if (Select-String -Path $filePath -Pattern $pattern -Quiet) {
Write-Host "Pattern '$pattern' found in '$filePath'"
$SoftCheckResult = "ok"
}
else {
Write-Host "Pattern '$pattern' not found in '$filePath'"
$SoftCheckResult = "Verify"
}
}
else {
Write-Host "File '$filePath' not found"
$SoftCheckResult ="NotInScope"
}
}
else {
Write-Host "Server '$server' is off-line."
$SoftCheckResult ="OffLine"
}
}
I added a Test-Connection in the foreach loop to first see if the server is online or not. If you have checked that before and the $serversPing variable contains only servers that are online and reachable, you may skip that.
Concerning the -Path of the Select-String cmdlet, you should put the value between "" :
$SEL = Select-String -Path "\\$serversPing\c$\Scripts\compare_result.txt" -Pattern "no differences encountered" -ErrorAction SilentlyCOntinue
EDIT
This should do the trick :
try {
$SEL = Select-String -Path \\$serversPing\c$\Scripts\compare_result.txt -Pattern "no differences encountered" -ErrorAction SilentlyCOntinue
}catch{
$ErrorMessage = $_.Exception.Message
$FailedItem = $_.Exception.ItemName
}
Finally {
if ($SEL){
$SoftCheckResult = "ok"
}
else
{
$SoftCheckResult ="Verify"
}
}
try
{
$SEL = $null
$SEL = Select-String -Path \\$serversPing\c$\Scripts\compare_result.txt -Pattern "no differences encountered" -ErrorAction Stop
if ($SEL)
{
$SoftCheckResult = "ok"
}
else
{
$SoftCheckResult = "Verify"
}
}
catch
{
$ErrorMessage = $_.Exception.Message
$FailedItem = $_.Exception.ItemName
$SoftCheckResult = "NotInScope"
}
return $softCheckResult
Please try like below :
$SEL = "Fiile path location"
if ($SEL | Test-Path -ErrorAction SilentlyContinue){
if ($SEL Get-Content | Select-String -pattern "no differences encountered")
{
}
....
}

powershell watch over folder and log changes to windows application log

As the description, I need to write a powershell script that watches over a folder. And when changes have been made(creation of file, delete, modification) I need to get these changes to get to the windows application log.
This is my code:
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = "C:\Users\Administrator\Desktop\delete-file-event"
$watcher.Filter = "*.*"
$watcher.IncludeSubdirectories = $true
$watcher.EnableRaisingEvents = $true
$action = {
New-EventLog -LogName Application -source "logs"
Write-EventLog -LogName Application -Source "logs" -EntryType Information -EventId 1 -Message "nothing in here"
$path = $Event.SourceEventArgs.FullPath
$changeType = $Event.SourceEventArgs.ChangeType
$logline = "$(Get-Date), $changeType, $path"
Add-content "C:\Users\Administrator\Desktop\delete-file-event\log.txt" -value $logline
}
Register-ObjectEvent $watcher "Created" -Action $action
Register-ObjectEvent $watcher "Deleted" -Action $action
Register-ObjectEvent $watcher "Renamed" -Action $action
while ($true) {sleep 5}
At this moment it will get to the application logs but that's because of
Code:
New-EventLog -LogName Application -source "logs"
Write-EventLog -LogName Application -Source "logs" -EntryType Information -EventId 1 -Message "nothing in here"
I would really appreciate some help here. Thanks in advance.

Powershell Delete Profile script - error checking not working

I have this delete profile script that prompts for a username and deletes it from each of the computers listed. The delete profile and "user is logged in" parts are both working but the part that says “No profiles found on $Computer with Name $UserName” is not. I ran my script on two computers and it successfully deleted my profile on both. I recreated my profile (logged in) and stayed logged on to one and not the other. I run it again and it gives me the message "user is logged in". For the other computer it just deleted the profile on does not display the "no profile found" message. It just skips over it and displays nothing. I have changed the "if" to an "else" but, when I do that it displays multiple lines of "no profiles found" including the computer it previously deleted the profile on.
Here is the link where most of the script is derived from.
http://techibee.com/powershell/powershell-script-to-delete-windows-user-profiles-on-windows-7windows-2008-r2/1556. Looking through the comments, no one else seemed to have any issues with that part of it.
I do not have much knowledge in PowerShell and this has just been pieced together from other scripts I have found based on our needs. Our environment is Windows 7 and Server 2008 R2. Any assistance is greatly appreciated.
$UserName=Read-host "Please Enter Username: "
$ComputerName= #("computer1","computer2")
foreach($Computer in $ComputerName) {
Write-Verbose "Working on $Computer"
if(Test-Connection -ComputerName $Computer -Count 1 -ea 0) {
$Profiles = Get-WmiObject -Class Win32_UserProfile -Computer $Computer -ea 0
foreach ($profile in $profiles) {
$objSID = New-Object System.Security.Principal.SecurityIdentifier($profile.sid)
$objuser = $objsid.Translate([System.Security.Principal.NTAccount])
$profilename = $objuser.value.split("\")[1]
if($profilename -eq $UserName) {
$profilefound = $true
try {
$profile.delete()
Write-Host -ForegroundColor Green "$UserName profile deleted successfully on $Computer"
} catch {
Write-Host -ForegroundColor Yellow "Failed to delete the profile, $UserName logged on to $Computer"
}
}
}
if(!$profilefound) {
Write-Host -ForegroundColor Cyan "No profiles found on $Computer with Name $UserName"
}
} else {
write-verbose "$Computer Not reachable"
}
}
PowerShell has a number of automatic variables that you should avoid re-using.
$Profile is one of these, it contains the paths to the Profile scripts applicable to the current session.
Use any other variable name (ie. $userprofile) and you'll be fine:
foreach ($userprofile in $profiles) {
$objSID = New-Object System.Security.Principal.SecurityIdentifier($userprofile.sid)
$objuser = $objsid.Translate([System.Security.Principal.NTAccount])
$profilename = $objuser.value.split("\")[1]
if($profilename -eq $UserName) {
$profilefound = $true
try {
$userprofile.delete()
Write-Host -ForegroundColor Green "$UserName profile deleted successfully on $Computer"
} catch {
Write-Host -ForegroundColor Yellow "Failed to delete the profile, $UserName logged on to $Computer"
}
}
}
I was able to get it working by changing the "$profilefound=$false" and making it a global variable. Also the reason why it was displaying multiple lines of "profile not found when i changed it to an else statement is because of where it was placed. It was checking against every profile on the server. When it touched every profile on the computer it displayed "profile not found".
Here is the working script.
$UserName=Read-host "Please Enter Username: "
$ComputerName= #("computer1","computer2")
$profilefound = "false"
foreach($Computer in $ComputerName) {
Write-Verbose "Working on $Computer"
if(Test-Connection -ComputerName $Computer -Count 1 -ea 0) {
$Profiles = Get-WmiObject -Class Win32_UserProfile -Computer $Computer -ea 0
foreach($userprofile in $profiles){
$objSID = New-Object System.Security.Principal.SecurityIdentifier($userprofile.sid)
$objuser = $objsid.Translate([System.Security.Principal.NTAccount])
$profilename = $objuser.value.split("\")[1]
if($profilename -eq $UserName) {
$profilefound = "true"
try {
$userprofile.delete()
Write-Host -ForegroundColor Green "$UserName profile deleted successfully on $Computer"
} catch {
Write-Host -ForegroundColor Yellow "Failed to delete the profile, $UserName logged on to $Computer"
}
}
}
}
else {
write-verbose "$Computer Not reachable"
}
if ($profilefound -eq "false") {
Write-Host -ForegroundColor Cyan "No profiles found on $Computer with Name $UserName"
}
}

Resources