As an administration tool, MSH offers a range of cmdlets that give script authors and administrators access to most of the major stores of data within the operating system. In this chapter, we’ll take a look at the data sources that are readily available in MSH, from event logs to WMI, and the cmdlets that are available for making changes to operating system components.
The operating system provides the event log service as a mechanism for allowing the system and applications running on it to record their activity in a nonintrusive fashion. If each operating system component and application decided to pop up a message whenever anything happened, an interactive user would never have a chance to get anything done. While the Event Viewer tool (eventvwr.exe) continues to allow an administrator to review, sort, and filter events from a graphical interface, MSH also provides a cmdlet for querying the event logs from within the shell.
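The kind of query described above, as an added example rather than code from the book: it assumes the Get-EventLog cmdlet with the parameter names it has in Windows PowerShell (-List, -LogName, -Newest, -EntryType, -After); MSH-era names may differ. The last pipeline summarizes failed authentication events from the security log so that a spike in a particular event ID stands out, which is the sort of check an administrator would run before opening Event Viewer.

```powershell
# Added example, not from the original text. Assumes the Get-EventLog cmdlet
# and parameter names of Windows PowerShell; MSH builds may differ.

# List the event logs present on this machine and how many entries each holds.
Get-EventLog -List

# The ten most recent entries in the application log.
Get-EventLog -LogName Application -Newest 10

# Failed authentication events recorded in the security log over the last day.
# Reading the security log requires administrative privileges.
$since = (Get-Date).AddDays(-1)
Get-EventLog -LogName Security -EntryType FailureAudit -After $since |
    Group-Object -Property EventID |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name
```

The grouped output lists each event ID with its count; an unusually large count for a single ID over a short window is worth reviewing in the full entries, which Get-EventLog returns as objects that can be filtered further with Where-Object on properties such as TimeGenerated and Message.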
Windows operating systems primarily store event records in three logs, separating events based on their relevance to different aspects of the system.
The application log is the place in which applications running on the system can record events of note. It’s up to the application developer to determine which events are recorded in this log.
The security log records activity related to user and system authorization and authentication: failed login attempts, ...