Rabu, 22 Agustus 2012

Thrashing memory with queries...(Part I)


These are some event log search queries. They all trash my memory in any Powershell session.
I have written them down for some reason. Probably so I can evolve more elegant solutions to such queries in the future.

foreach ($i in @("a","b","c","d","e")) {if ($i) {rv -ea 0 $i}}
$start=(get-winevent  -log security -max 1).TimeCreated
$a=(get-winevent -ea 0 -max 50000 -filterhashtable @{logname='Security';ID=@(5156..5158)})
$c=(get-winevent -ea 0 -log System -max 10000) | Select TimeCreated,ProcessID,ThreadID,Message
$d=(get-winevent -ea 0 -log Application -max 10000) | Select TimeCreated,ProviderName,Message
$b=$a |  Select TimeCreated,ProcessID,ThreadID, `
@{Name="Port";Expression={($_.Message | findstr /C:"Source Port:").replace("Source Port:"," ")}}, ` 
@{Name="Application";Expression={($_.Message | findstr /C:"Application Name:").replace("Application Name:"," ")}}
$e=@()
$e=($b + $c + $d) | sort -desc -property TimeCreated
$a.count;$b.count;$c.count;$d.count;$e.count
$e | ft -auto -wrap TimeCreated,Application,ProcessID,ThreadID,Port,Message


# $start=(get-winevent  -log security -max 1).RecordID
# $a=(get-winevent -ea 0 -max 50000 -filterhashtable @{logname='Security';ID=@(5156..5158)})
# $b | where Application -match 'dropbox.exe' | ft -auto
# ($a | ? {$_.RecordID -gt $Start} | % {$_.Message | findstr /C:"Source Port"} ).count
# $b=$a |  % {write "$($_.TimeCreated) : PID=$($_.ProcessID) : $($_.Message | findstr /C:"Source Port") : $($_.Message | findstr /C:"Application Name:")"}
# $b=$a |  Select TimeCreated,ProcessID, @{Name="Port";Expression={($_.Message | findstr /C:"Source Port")}}, @{Name="Application";Expression={$_.Message | findstr /C:"Application Name:"}}


$s = New-PSWorkflowSession 
Invoke-Command $s {
 workflow Invoke-ParallelForEach
 {
     foreach -parallel ($i in 0)
     {
         InlineScript
         {
             "foo: $using:i"
         }
$var=(get-winevent -ea 0 -max 50000 -filterhashtable @{logname='Security';ID=@(5156..5158)}); $var | export-csv -path C:\ps1\security.csv
$var=(get-winevent -ea 0 -max 10000 -filterhashtable @{logname='System'}); $var | export-csv -path C:\ps1\system.csv
$var=(get-winevent -ea 0 -max 10000 -filterhashtable @{logname='Application'}); $var  | export-csv -path C:\ps1\application.csv
   }
 }
 }
 Invoke-Command $s { Invoke-ParallelForEach -PSComputerName localhost }


 workflow getwinevent
 {
$var=(get-winevent -ea 0 -max 50000 -filterhashtable @{logname='Security';ID=@(5156..5158)}); $var | export-csv -path C:\ps1\security.csv
$var=(get-winevent -ea 0 -max 10000 -filterhashtable @{logname='System'}); $var | export-csv -path C:\ps1\system.csv
$var=(get-winevent -ea 0 -max 10000 -filterhashtable @{logname='Application'}); $var  | export-csv -path C:\ps1\application.csv
 }
getwinevent

[gc]::gettotalmemory(0)/1MB
[gc]::collect(2)
$var=(get-winevent -ea 0 -max 50000 -filterhashtable @{logname='Security';ID=@(5156..5158)}); $var |  export-csv -path C:\ps1\security.csv
[gc]::gettotalmemory(0)/1MB
[gc]::collect(2)
$var=(get-winevent -ea 0 -max 10000 -filterhashtable @{logname='System'}); $var | export-csv -path C:\ps1\system.csv
gc]::gettotalmemory(0)/1MB
[gc]::collect(2)
$var=(get-winevent -ea 0 -max 10000 -filterhashtable @{logname='Application'}); $var  | export-csv -path C:\ps1\application.csv
[gc]::gettotalmemory(0)/1MB
[gc]::collect(2)


$var=(get-winevent -ea 0 -max 50000 -filterhashtable @{logname='Security';ID=@(5156..5158)}); $var | export-csv -path C:\ps1\security.csv
$var=(get-winevent -ea 0 -max 10000 -filterhashtable @{logname='System'}); $var | export-csv -path C:\ps1\system.csv
$var=(get-winevent -ea 0 -max 10000 -filterhashtable @{logname='Application'}); $var  | export-csv -path C:\ps1\application.csv

0 komentar:

Posting Komentar