megamorf · December 29, 2017 08:11
diff --git a/ConvertTo-CrashObject.ps1 b/ConvertTo-CrashObject.ps1
 function ConvertTo-CrashObject
 {
    <#
    .SYNOPSIS
    Returns crash objects from an application log event collection
    
    .DESCRIPTION
    Returns crash objects from an application log event collection.
    Only records where source equals 'Application Error' are processed.
    
    .PARAMETER EventLogRecord
    Collection of event records from the application eventlog.
    
    .EXAMPLE
    Get-WinEvent -LogName Application -MaxEvents 300 -ov events | ConvertTo-CrashObject -OutVariable crashes | Format-Table -Autosize

    .EXAMPLE
    $Errors = Get-WinEvent -FilterHashtable @{Logname="Application"; ProviderName="Application Error";Starttime=(Get-Date).Date}
    $Errors | ConvertTo-CrashObject -OutVariable crashes | Format-Table -Autosize *
    #>
    
    [CmdletBinding()]
    param(
        [Parameter(Mandatory,ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventRecord[]]$EventLogRecord
    )

    BEGIN
    {
        Function ToHex { "0x" + $args }
    }

    PROCESS 
    {
        foreach($Record in $EventLogRecord)
        {
            # that usually means $Record.Id -eq 1000
            if($Record.ProviderName -ne 'Application Error')
            {
                continue
            }

            try
            {
                [pscustomobject]@{
                    PSTypeName = 'Eventlog.Application.Crash'
                    TimeCreated = $Record.TimeCreated
                    Computername = $Record.MachineName
                    AppName = $Record.Properties[0].Value
                    AppVersion = $Record.Properties[1].Value -as [version]
                    AppTimeStamp = [datetime]::FromFileTime((ToHex $Record.Properties[2].Value))
                    AppPath = $Record.Properties[10].Value
                    ModuleName = $Record.Properties[3].Value
                    ModuleVersion = $Record.Properties[4].Value -as [version]
                    ModuleTimeStamp = [datetime]::FromFileTime((ToHex $Record.Properties[5].Value))
                    ModulePath = $Record.Properties[11].Value
                    ExceptionCode = ToHex $Record.Properties[6].Value
                    AppStartTime = [datetime]::FromFileTime((ToHex $Record.Properties[9].Value))
                    ReportId = $Record.Properties[12].Value -as [guid]
                    Message = $Record.Message.Split([environment]::NewLine ,[System.StringSplitOptions]::RemoveEmptyEntries)
                } | Add-Member -MemberType ScriptProperty -Name Runtime -Value {New-TimeSpan -Start $this.AppStartTime -End $this.TimeCreated} -PassThru
            }

            catch
            {
                Write-Warning "Failed to parse the following Event Record: $($Record.RecordID)"
            }
        } # end foreach
    } # end process
 }
	function ConvertTo-CrashObject
	{
	<#
	.SYNOPSIS
	Returns crash objects from an application log event collection

	.DESCRIPTION
	Returns crash objects from an application log event collection.
	Only records where source equals 'Application Error' are processed.

	.PARAMETER EventLogRecord
	Collection of event records from the application eventlog.

	.EXAMPLE
	Get-WinEvent -LogName Application -MaxEvents 300 -ov events \| ConvertTo-CrashObject -OutVariable crashes \| Format-Table -Autosize

	.EXAMPLE
	$Errors = Get-WinEvent -FilterHashtable @{Logname="Application"; ProviderName="Application Error";Starttime=(Get-Date).Date}
	$Errors \| ConvertTo-CrashObject -OutVariable crashes \| Format-Table -Autosize *
	#>

	[CmdletBinding()]
	param(
	[Parameter(Mandatory,ValueFromPipeline)]
	[System.Diagnostics.Eventing.Reader.EventRecord[]]$EventLogRecord
	)

	BEGIN
	{
	Function ToHex { "0x" + $args }
	}

	PROCESS
	{
	foreach($Record in $EventLogRecord)
	{
	# that usually means $Record.Id -eq 1000
	if($Record.ProviderName -ne 'Application Error')
	{
	continue
	}

	try
	{
	[pscustomobject]@{
	PSTypeName = 'Eventlog.Application.Crash'
	TimeCreated = $Record.TimeCreated
	Computername = $Record.MachineName
	AppName = $Record.Properties[0].Value
	AppVersion = $Record.Properties[1].Value -as [version]
	AppTimeStamp = [datetime]::FromFileTime((ToHex $Record.Properties[2].Value))
	AppPath = $Record.Properties[10].Value
	ModuleName = $Record.Properties[3].Value
	ModuleVersion = $Record.Properties[4].Value -as [version]
	ModuleTimeStamp = [datetime]::FromFileTime((ToHex $Record.Properties[5].Value))
	ModulePath = $Record.Properties[11].Value
	ExceptionCode = ToHex $Record.Properties[6].Value
	AppStartTime = [datetime]::FromFileTime((ToHex $Record.Properties[9].Value))
	ReportId = $Record.Properties[12].Value -as [guid]
	Message = $Record.Message.Split([environment]::NewLine ,[System.StringSplitOptions]::RemoveEmptyEntries)
	} \| Add-Member -MemberType ScriptProperty -Name Runtime -Value {New-TimeSpan -Start $this.AppStartTime -End $this.TimeCreated} -PassThru
	}

	catch
	{
	Write-Warning "Failed to parse the following Event Record: $($Record.RecordID)"
	}
	} # end foreach
	} # end process
	}