My VM got paused-critical

As you can see, my VM got paused-critical.

I also examined the administrative events custom view that confirmed that my C: drive was full.

Get-VM -Name MyVM
Get-Volume -DriveLetter C | ft -AutoSize

Note that fixing the issue will restore the VM from the paused-critical state to a paused state. I had to manually resume it:

Get-VM -Name MyVM | Resume-VM

After fixing the issue, I thought it could be nice to generate this custom XML filter on the fly to mimic what the ‘Administrative Events’ view does in the Event Viewer.

Storing a fixed XML here-string of log names isn’t a good idea, as the list may vary based on the roles and features you have.

To create the shortest list of eventlogs to query, I defined a filter to find only enabled logs, that have records…

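# Keep only enabled, circular logs that hold records and whose name matches the pattern below
$events = Get-WinEvent -ListLog * -Force | Where { 
    $_.LogMode -eq 'Circular' -and 
    $_.isEnabled -and 
    $_.RecordCount -and
    $_.LogName  -match "(^\w+$)|(^\w+\s\w+$)|(^(Microsoft-)?(Windows|\w+)(-|\s)((\w+(-|\s)){0,5}\w+)?(/Admin|-Admin))"
} | 
ForEach-Object -Begin {
    # Query skeleton; one <Select> element per matching log is appended in -Process
    $xml = ([xml]@"
<QueryList>
      <Query Id="0" Path="Application">
      </Query>
</QueryList>
"@)
} -Process { 
    $e = $xml.CreateElement("Select")
    # Without its own Path attribute, every <Select> would fall back to the Query's Path (Application)
    $e.SetAttribute("Path", $_.LogName)
    # Level 1 = Critical, 2 = Error, 3 = Warning
    $e.set_InnerText("*[System[(Level=1  or Level=2 or Level=3)]]")
    $xml.QueryList.Query.AppendChild($e) | Out-Null
} -End {
    # Run the assembled query once, after all logs have been added
    Get-WinEvent -FilterXml $xml
} | Sort -Property timecreated 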

# Show the results
$events | Select -Last 20  | ft -AutoSize
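
The same idea as an added example (not code from the original post): a function that only builds the query XML, so it can be inspected before it is run, and that goes one step further by limiting results to a recent time window, as Event Viewer custom views can. The function name New-AdminEventQuery, its parameters and the two sample log names are assumptions made for illustration.

```powershell
# Added example: New-AdminEventQuery is a hypothetical helper, not part of the original post.
function New-AdminEventQuery {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$LogName,
        # 1 = Critical, 2 = Error, 3 = Warning, 4 = Informational, 5 = Verbose
        [ValidateRange(1, 5)][int[]]$Level = @(1, 2, 3),
        # Only return events newer than this (default: last 24 hours)
        [timespan]$Within = [timespan]::FromHours(24)
    )

    $doc   = New-Object System.Xml.XmlDocument
    $list  = $doc.AppendChild($doc.CreateElement('QueryList'))
    $query = $list.AppendChild($doc.CreateElement('Query'))
    $query.SetAttribute('Id', '0')
    $query.SetAttribute('Path', $LogName[0])

    # Build one XPath shared by every <Select>: level filter plus time window in milliseconds
    $levels = ($Level | ForEach-Object { "Level=$_" }) -join ' or '
    $ms     = [long]$Within.TotalMilliseconds
    $xpath  = "*[System[($levels) and TimeCreated[timediff(@SystemTime) <= $ms]]]"

    foreach ($name in $LogName) {
        $select = $query.AppendChild($doc.CreateElement('Select'))
        $select.SetAttribute('Path', $name)   # each <Select> targets its own log
        $select.InnerText = $xpath            # '<' is escaped as &lt; when serialized
    }
    $doc.OuterXml
}

# Constructed sample input: two classic logs that exist on every Windows system
$queryXml = New-AdminEventQuery -LogName 'Application', 'System' -Within ([timespan]::FromHours(6))
$queryXml    # inspect the generated <QueryList> before running it

# Get-WinEvent raises an error when nothing matches, so silence that case
Get-WinEvent -FilterXml ([xml]$queryXml) -ErrorAction SilentlyContinue |
    Sort-Object -Property TimeCreated |
    Select-Object -Last 20 |
    Format-Table -AutoSize
```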

Enjoy 😀
