Using Get-WinEvent with Hashtable instead of Get-Eventlog increases performance

[Marc4056]

CSS-Exchange/Security/Test-Hafnium.ps1

Line 45 in 2fce810

$eventLogs = Get-EventLog -LogName Application -Source "MSExchange Unified Messaging" -EntryType Error -ErrorAction SilentlyContinue | Where-Object { $_.Message -like "*System.InvalidCastException*" }

I replaced line 45 where the eventlog is searched using CMDlet "Get-Eventlog" with CMDlet "Get-WinEvent" using FilterableHashtable as follows:

$eventLogs = Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='MSExchange Unified Messaging'; Level='2'} | Where-Object { $_.Message -like "*System.InvalidCastException*"}

This speeds up the query approx by factor 10 on my systems. Eventlog search now only takes about 3 minutes per system instead of 30 minutes

[bill-long]

Looks like it throws an error when the event log is clean, so we will need to handle that gracefully.

PS C:\>  Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='MSExchange Unified Messaging'; Level='2'} | Where-Object { $_.Message -like "*System.InvalidCastException*"}
Get-WinEvent : No events were found that match the specified selection criteria.
At line:1 char:2
+  Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName= ...
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:) [Get-WinEvent], Exception
    + FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand

[Marc4056]

That is true, but I experience the same when the eventlog is clean using the Get-Eventlog CMDlet

[bill-long]

Ah you're right, we just need to tack on the SilentlyContinue like the other command had.

[bill-long]

Thank you!

[Marc4056]

Right, forgot to take parameter "-ErrorAction SilentlyContinue" into my command