Correlationid on Anything About IThttps://www.verboon.info/tags/correlationid/Recent content in Correlationid on Anything About ITHugoen-usThu, 17 Jul 2014 15:00:44 +0000PowerShell Script - Get Group Policy events by CorrelationIDhttps://www.verboon.info/2014/07/powershell-script-get-group-policy-events-by-correlationid/Thu, 17 Jul 2014 15:00:44 +0000https://www.verboon.info/2014/07/powershell-script-get-group-policy-events-by-correlationid/<p><strong>Update: 22. August 2014</strong>: I have posted an updated version of the script <a href="http://gallery.technet.microsoft.com/Get-GPEventByCorrelationID-97944972">here</a>.</p> <p>During his <a href="http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/WIN-B328#fbid=">Group Policy: Notes from the Field - Tips, Tricks, and Troubleshooting</a> session at TechEd Group Policy MVP Jeremy Moskowitz demonstrates how to filter the event log using the correlation ID. Now because I love using PowerShell I thought I create a function for that using Jeremy’s XMLquery.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">function</span> <span style="color:#8be9fd;font-style:italic">Get-GPEventByCorrelationID</span> </span></span><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span><span style="color:#6272a4">&lt;# </span></span></span><span style="display:flex;"><span><span style="color:#6272a4">.</span><span style="color:#f1fa8c">Synopsis</span><span style="color:#6272a4"> </span></span></span><span style="display:flex;"><span><span style="color:#6272a4"> Get Group Policy Eventlog entries by Correlation ID </span></span></span><span style="display:flex;"><span><span style="color:#6272a4">.</span><span style="color:#f1fa8c">DESCRIPTION</span><span style="color:#6272a4"> </span></span></span><span style="display:flex;"><span><span style="color:#6272a4"> This function retrieves Group Policy event log entries filtered by Correlation ID </span></span></span><span style="display:flex;"><span><span style="color:#6272a4">.</span><span style="color:#f1fa8c">EXAMPLE</span><span style="color:#6272a4"> </span></span></span><span style="display:flex;"><span><span style="color:#6272a4"> Get-GPEventByCorrelationID -CorrelationID A2A621EC-44B4-4C56-9BA3-169B88032EFD </span></span></span><span style="display:flex;"><span><span style="color:#6272a4"> </span></span></span><span style="display:flex;"><span><span style="color:#6272a4"> TimeCreated Id LevelDisplayName Message </span></span></span><span style="display:flex;"><span><span style="color:#6272a4"> ----------- -- ---------------- ------- </span></span></span><span style="display:flex;"><span><span style="color:#6272a4"> 7/17/2014 3:00:27 PM 5117 Information Group policy session completed successfully. </span></span></span><span style="display:flex;"><span><span style="color:#6272a4"> </span></span></span><span style="display:flex;"><span><span style="color:#6272a4">#&gt;</span> </span></span><span style="display:flex;"><span> [<span style="color:#8be9fd;font-style:italic">CmdletBinding</span>()] </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">Param</span> </span></span><span style="display:flex;"><span> ( </span></span><span style="display:flex;"><span> <span style="color:#6272a4"># CorrelationID</span> </span></span><span style="display:flex;"><span> [<span style="color:#8be9fd;font-style:italic">Parameter</span>(<span style="color:#50fa7b">Mandatory</span>=<span style="color:#8be9fd;font-style:italic">$true</span>, </span></span><span style="display:flex;"><span> <span style="color:#50fa7b">ValueFromPipelineByPropertyName</span>=<span style="color:#8be9fd;font-style:italic">$true</span>, </span></span><span style="display:flex;"><span> <span style="color:#50fa7b">Position</span>=<span style="color:#bd93f9">0</span>)] </span></span><span style="display:flex;"><span> [string]<span style="color:#8be9fd;font-style:italic">$CorrelationID</span> </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">Begin</span> </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#8be9fd;font-style:italic">$Query</span> = <span style="color:#f1fa8c">&#39;*[System/Correlation/@ActivityID=&#34;{CorrelationID}&#34;]&#39;</span> </span></span><span style="display:flex;"><span> <span style="color:#8be9fd;font-style:italic">$FilterXML</span> = <span style="color:#8be9fd;font-style:italic">$Query</span>.Replace(<span style="color:#f1fa8c">&#34;CorrelationID&#34;</span>,<span style="color:#8be9fd;font-style:italic">$CorrelationID</span>) </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">Process</span> </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#8be9fd;font-style:italic">Get-WinEvent</span> -FilterXml <span style="color:#8be9fd;font-style:italic">$FilterXML</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">End</span> </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p> </p>