A PowerShell script to report on all BlueScreen events and stop codes from the Windows Event Log on a specific server can be a useful tool for system administrators to troubleshoot and prevent future system crashes. This script will query the System Event log for events related to bug checks (BlueScreens) on a local server or a remote server.
Note: I wrote this to check for one server at a time. If requested, or if I have a future need, I may adapt it to query a list of servers and have the output written to a log file.
Prerequisites:
- PowerShell 5.1 or higher on both the local and remote machines.
- Ensure both the local and remote machines are configured to allow PowerShell remoting. Run
Enable-PSRemoting
on both machines in an elevated (Administrator) PowerShell prompt. - The user executing the script needs to have administrative privileges on both the local and remote machines.
- The Windows Firewall and any other network firewalls between the local and remote machines must be configured to allow traffic for PowerShell remoting (default ports are TCP 5985 for HTTP and TCP 5986 for HTTPS).
- Copy the script below to your favourite text editor and save it as a .ps1 file
- Open PowerShell as Administrator on your local computer.
- Navigate to the directory where you’ve saved the script
- Execute the Script:
- For Local Computer: Simply run the script without any parameters. This will query the local computer’s event logs for BlueScreen events.
- For a Remote Computer: Run the script with the
-ServerName
parameter followed by the name of the remote server. You will be prompted to enter credentials for the remote server.powershell.\YourScriptName.ps1 -ServerName
server1
ReplaceYourScriptName.ps1
with the actual name of your script file and replace server1 with the name of the server you want to query
- Enter Credentials (for remote execution only): If querying a remote server, you will be prompted to enter credentials. Provide a username and password for an account with administrative privileges on the remote server.
- Review the Output: The script will output details of any BlueScreen events found, including the event ID, time created, and the event message. If no BlueScreen events are found, it will indicate this.
param(
[string]$ServerName = $env:COMPUTERNAME
)
function Get-BlueScreenEvents {
param(
[string]$TargetServer
)
$scriptBlock = {
$filterHashtable = @{
LogName = 'System'
ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
}
$blueScreenEvents = Get-WinEvent -FilterHashtable $filterHashtable | Where-Object {
$_.Message -match "The computer has rebooted from a bugcheck."
}
if ($blueScreenEvents.Count -gt 0) {
foreach ($event in $blueScreenEvents) {
Write-Output "Event ID: $($event.Id)"
Write-Output "Time Created: $($event.TimeCreated)"
Write-Output "Message: $($event.Message)"
Write-Output "--------------------------------------------------"
}
} else {
Write-Output "No BlueScreen events found."
}
}
# Execute the script block directly on the specified server
try {
if ($TargetServer -eq $env:COMPUTERNAME) {
& $scriptBlock
} else {
$credential = Get-Credential -Message "Enter credentials for $TargetServer"
Invoke-Command -ComputerName $TargetServer -ScriptBlock $scriptBlock -Credential $credential
}
} catch {
Write-Error "An error occurred querying ${TargetServer}: $_"
}
}
# Call the function with the specified or default server
Get-BlueScreenEvents -TargetServer $ServerName
Troubleshooting:
- If you encounter “The RPC server is unavailable” after confirming successful PowerShell remoting, this could be due to restrictions accessing the event log remotely. Verify that the account used has necessary permissions and that there are no additional firewall or network policies blocking access to the event log service.
- Ensure that both the local and remote systems have the Event Log service running.
- If PowerShell remoting was confirmed successful but event log querying fails, double-check the event log permissions and consider testing with another account with known administrative rights over the event log.