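# PCS Toolkit - Event Log Analyzer
# Extracts and summarizes critical system events from the last 7 days
# (System/Application critical+error, Security audit failures, unexpected
# shutdowns, bugcheck reports) into a text report plus a CSV on the Desktop.
#
# Notes for reviewers of the output:
#  - Each section is capped by -MaxEvents, so "Found 100 events" means
#    "at least 100"; raise the cap or narrow StartTime for a full picture.
#  - The Security log normally needs an elevated session. A read failure
#    is written into the report instead of being mistaken for "no events".
#  - The report and CSV contain account names, source IPs and raw event
#    messages; treat the files as sensitive once written.

$timestamp = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"

# Resolve the real Desktop folder: $env:USERPROFILE\Desktop does not exist
# when the Desktop is redirected (e.g. OneDrive), which would make every
# Add-Content below fail. Fall back to the profile path if lookup is empty.
$desktop = [Environment]::GetFolderPath('Desktop')
if (-not $desktop) { $desktop = Join-Path $env:USERPROFILE 'Desktop' }
$outputFile = Join-Path $desktop "EventLogAnalysis_$timestamp.txt"
$csvFile    = Join-Path $desktop "EventLogAnalysis_$timestamp.csv"

# Writes one line to the console and appends it to the text report.
function Log($msg) {
    Write-Host $msg
    Add-Content -Path $outputFile -Value $msg
}

# Returns the first line of an event message. Messages are $null when the
# provider's metadata is not installed, which the original .Split() call
# would throw on. If $max > 0 the line is truncated and "..." appended
# only when something was actually cut off.
function Get-FirstLine($message, $max = 0) {
    if ([string]::IsNullOrEmpty($message)) { return '<no message>' }
    # Messages use CRLF; splitting on \r?\n avoids a trailing CR.
    $line = ($message -split '\r?\n')[0]
    if ($max -gt 0 -and $line.Length -gt $max) {
        $line = $line.Substring(0, $max) + '...'
    }
    return $line
}

# Wraps Get-WinEvent so that "no matching events" yields an empty result,
# while any other failure (typically access denied on the Security log
# when not elevated) is written to the report instead of being hidden by
# -ErrorAction SilentlyContinue. Callers wrap the result in @() so a
# single event is still treated as a one-element array.
function Get-Events($filter, $max) {
    $found = @()
    try {
        $found = @(Get-WinEvent -FilterHashtable $filter -MaxEvents $max -ErrorAction Stop)
    } catch {
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Log "  WARNING: could not read $($filter.LogName) log: $($_.Exception.Message)"
        }
    }
    return $found
}

# Whether this session is elevated; recorded in the header so a reader
# knows if the Security section could have been read at all.
$isElevated = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

Log "========================================"
Log " PCS Toolkit - Event Log Analyzer"
Log "========================================"
Log "Generated: $(Get-Date)"
Log "Computer: $env:COMPUTERNAME"
Log "Elevated: $isElevated"
Log "Period: Last 7 days"
Log ""

$startDate = (Get-Date).AddDays(-7)
$allEvents = @()

# System Log - Critical and Error
Log "=== SYSTEM LOG - Critical & Errors ==="
Log "Collecting events..."
$sysEvents = @(Get-Events @{
    LogName   = 'System'
    Level     = 1, 2      # Critical, Error
    StartTime = $startDate
} 100)

if ($sysEvents.Count -gt 0) {
    Log "Found $($sysEvents.Count) events"
    Log ""
    # Group by source, busiest provider first
    $grouped = $sysEvents | Group-Object ProviderName | Sort-Object Count -Descending
    foreach ($g in $grouped) {
        Log "[$($g.Count)] $($g.Name)"
        $g.Group | Select-Object -First 3 | ForEach-Object {
            Log "  $(Get-Date $_.TimeCreated -Format 'MM/dd HH:mm') - $(Get-FirstLine $_.Message 80)"
        }
    }
    $allEvents += $sysEvents
} else {
    Log "No critical/error events found"
}

Log ""
Log "=== APPLICATION LOG - Critical & Errors ==="
Log "Collecting events..."
$appEvents = @(Get-Events @{
    LogName   = 'Application'
    Level     = 1, 2
    StartTime = $startDate
} 100)

if ($appEvents.Count -gt 0) {
    Log "Found $($appEvents.Count) events"
    Log ""
    $grouped = $appEvents | Group-Object ProviderName | Sort-Object Count -Descending | Select-Object -First 10
    foreach ($g in $grouped) {
        Log "[$($g.Count)] $($g.Name)"
    }
    $allEvents += $appEvents
} else {
    Log "No critical/error events found"
}

Log ""
Log "=== SECURITY LOG - Audit Failures ==="
Log "Collecting events..."
$secEvents = @(Get-Events @{
    LogName   = 'Security'
    Keywords  = 0x10000000000000   # Audit Failure
    StartTime = $startDate
} 50)

if ($secEvents.Count -gt 0) {
    Log "Found $($secEvents.Count) audit failure events"

    # Look for logon failures (4625); target account and source IP are
    # carried in EventData, so parse the XML rather than the message text.
    $logonFailures = @($secEvents | Where-Object { $_.Id -eq 4625 })
    if ($logonFailures.Count -gt 0) {
        Log ""
        Log "Logon Failures (Event 4625): $($logonFailures.Count)"
        $logonFailures | Select-Object -First 5 | ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = $xml.Event.EventData.Data
            $user = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
            $ip   = ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
            if (-not $user) { $user = '<unknown>' }
            if (-not $ip)   { $ip   = '<unknown>' }
            Log "  $(Get-Date $_.TimeCreated -Format 'MM/dd HH:mm') - User: $user, IP: $ip"
        }
    }
    $allEvents += $secEvents
} else {
    Log "No audit failures found"
}

Log ""
Log "=== UNEXPECTED SHUTDOWNS ==="
$shutdownEvents = @(Get-Events @{
    LogName   = 'System'
    Id        = 6008   # Unexpected shutdown
    StartTime = $startDate
} 10)

if ($shutdownEvents.Count -gt 0) {
    Log "Found $($shutdownEvents.Count) unexpected shutdowns:"
    $shutdownEvents | ForEach-Object {
        Log "  $(Get-Date $_.TimeCreated -Format 'yyyy-MM-dd HH:mm:ss')"
    }
} else {
    Log "No unexpected shutdowns in the last 7 days"
}

Log ""
Log "=== BSOD / BUGCHECK EVENTS ==="
$bsodEvents = @(Get-Events @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
    StartTime    = $startDate
} 10)

if ($bsodEvents.Count -gt 0) {
    Log "Found $($bsodEvents.Count) BSOD reports"
    $bsodEvents | ForEach-Object {
        Log "  $(Get-Date $_.TimeCreated -Format 'yyyy-MM-dd HH:mm') - $(Get-FirstLine $_.Message)"
    }
} else {
    Log "No BSOD events found"
}

# Export all collected events to CSV. UTF8 so non-ASCII message text is
# not lost to the default encoding.
if ($allEvents.Count -gt 0) {
    $allEvents |
        Select-Object TimeCreated, ProviderName, Id, LevelDisplayName, Message |
        Export-Csv -Path $csvFile -NoTypeInformation -Encoding UTF8
    Log ""
    Log "Exported $($allEvents.Count) events to CSV"
}

Log ""
Log "========================================"
Log "ANALYSIS COMPLETE"
Log "========================================"
Log "Output: $outputFile"
Log "CSV: $csvFile"

explorer.exe "/select,$outputFile"
Read-Host "Press Enter to exit"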