Forensic Event Log Analysis (Part 1)

by Jul 12, 2021

Event logs record almost every aspect of Windows, so if something goes wrong or stops working as expected, it is a good idea to include event log forensics in your troubleshooting.

For example, some users reported that their Windows “Instant Search” stopped finding newer Email items. Why would the indexing service no longer update with Outlook?

That’s when reading event logs becomes very important (and helpful). The following command quickly tells you whether you have a systematic indexing problem. It searches the “Application” log for any errors from a source related to “search”:

PS> Get-EventLog -LogName Application -Source *search* -EntryType error -Newest 10 |
       Select-Object TimeGenerated, Message

TimeGenerated       Message
-------------       -------
21.05.2021 09:55:48 The protocol handler Mapi16 cannot be loaded. Error description: (HRES...
21.05.2021 09:48:03 The protocol handler Mapi16 cannot be loaded. Error description: (HRES...
21.05.2021 08:55:14 The protocol handler Mapi16 cannot be loaded. Error description: (HRES...
21.05.2021 08:47:53 The protocol handler Mapi16 cannot be loaded. Error description: (HRES...
21.05.2021 08:32:15 The protocol handler Mapi16 cannot be loaded. Error description: (HRES...
21.05.2021 08:28:41 The protocol handler Mapi16 cannot be loaded. Error description: (HRES...
21.05.2021 08:26:18 The protocol handler Mapi16 cannot be loaded. Error description: (HRES...
20.05.2021 18:14:48 The protocol handler Mapi16 cannot be loaded. Error description: (HRES...
20.05.2021 12:55:06 The protocol handler Mapi16 cannot be loaded. Error description: (HRES...
20.05.2021 11:41:06 The protocol handler Mapi16 cannot be loaded. Error description: (HRES...

In this example there is evidently a repeated, systematic problem with the Mapi16 protocol handler that prevents the indexing service from reading Outlook Email.

To find out when the issue struck and whether it is still of concern, you can group event log entries and show their frequency:

PS> Get-EventLog -LogName Application -Source *search* -EntryType error |
  Group-Object { Get-Date $_.TimeGenerated -Format yyyy-MM-dd } -NoElement

Group-Object in this example uses a script block to calculate the grouping criterion: any error event that occurred on the *same day* is placed into the same group, which yields a chronological record of how often the error fired. Here is sample output:

Count Name
----- ----
    7 2021-05-21
    6 2021-05-20
   29 2021-05-19
   29 2021-05-18
   16 2021-05-17
    5 2021-05-16
    2 2021-05-15
    8 2021-05-14
    2 2021-05-13
    3 2021-05-12
    9 2021-05-11
   13 2021-05-10
    1 2021-05-09
    3 2021-05-08
    7 2021-05-07
   10 2021-05-06
   15 2021-05-05
    8 2021-05-04
   24 2021-05-03
   22 2021-05-02
   10 2021-05-01
    2 2021-04-30

The output clearly indicates that the issue started on April 30 and lasted until May 21, when it apparently was fixed.
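The two commands above (find the newest errors, then count them per day) can be wrapped into one reusable function. The script below is an added example written for this page, not code from the original tip. It uses Get-WinEvent instead of Get-EventLog, because Get-EventLog exists only in Windows PowerShell 5.1 while Get-WinEvent also runs in PowerShell 7; the function name, its parameters and the default pattern `*search*` are assumptions chosen for this example.

```powershell
# Added example: daily error frequency for one event provider, plus a check
# of whether the problem is still active. Not part of the original tip.
function Get-DailyErrorFrequency {
    param(
        [string]$LogName = 'Application',
        [string]$ProviderPattern = '*search*',   # wildcard matched against ProviderName
        [int]$Days = 30,                         # how far back to look
        [int]$RecentDays = 2                     # errors newer than this count as "still active"
    )

    # Level 2 = Error. LogName, Level and StartTime are filtered by the
    # event log service itself, which is much faster than Where-Object.
    $filter = @{
        LogName   = $LogName
        Level     = 2
        StartTime = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent raises a non-terminating error when nothing matches;
    # suppress it so an empty log simply yields zero events.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like $ProviderPattern })

    if ($events.Count -eq 0) {
        return [pscustomobject]@{
            Total = 0; FirstDay = $null; LastDay = $null; StillActive = $false; PerDay = @()
        }
    }

    # Group by calendar day (same idea as the tip's Group-Object script block),
    # then sort oldest first so the table reads as a timeline.
    $perDay = @($events |
        Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') } -NoElement |
        Sort-Object Name |
        ForEach-Object { [pscustomobject]@{ Day = $_.Name; Count = $_.Count } })

    $newest = ($events | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated

    [pscustomobject]@{
        Total       = $events.Count
        FirstDay    = $perDay[0].Day
        LastDay     = $perDay[-1].Day
        StillActive = ($newest -gt (Get-Date).AddDays(-$RecentDays))
        PerDay      = $perDay
    }
}

# Usage: summarise search-related errors from the last 30 days.
$result = Get-DailyErrorFrequency -LogName Application -ProviderPattern '*search*' -Days 30
$result | Select-Object Total, FirstDay, LastDay, StillActive | Format-List
$result.PerDay | Format-Table -AutoSize
```

Because the log name and provider pattern are parameters, the same function answers the "when did it start, and is it still happening?" question for any provider in any log, for example `-LogName System -ProviderPattern 'Service Control Manager'`. Reading the Security log this way requires an elevated session.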

Obviously, these examples won’t produce the same results on your machine (unless you experienced the same problem). They do show, though, how valuable event log information is and how easily PowerShell can help you examine that data forensically.
