17 February 2017

Event 51 Drive Failure Reporting Tool

Last year, we had a high level executive that started having slowness and extended drive usage. When the help desk evaluated his system, they found it had been writing an event 51 to the event viewer logs. They were able to backup all of his data and build a new system for him before the drive completely failed. You can read more about event 51 here. While writing this script, I used SAPIEN's PowerShell Studio 2017 and it made writing the script a breeze, while also helping to streamline the code and documentation. I cannot say enough good things about this product!

I decided to write a reporting tool for this event so that IT professionals will be aware of this error before a complete failure occurs and there is data loss along with losses in production time.

While writing this script, I decided to make it applicable to admins who may not have SCCM. There are three parameters to call from command line: -SCCM if you want it to report to SCCM, -NetworkShare if you don't have SCCM and want it to report to a network share, and -NetworkSharePath which defines to network share to write to.

If you select -SCCM, the script creates a WMI class named DriveReporting and writes a count of error 51 logs to this WMI class instance. Each time the script is executed, it will delete the WMI class and create a new one so no old information may be left over. In order to get this to report to SCCM, you will need to import the WMI class into the hardware inventory. I have included a parameter called -SCCMImport that will create the WMI class and create an instance of five errors. This can then be imported into the hardware inventory of SCCM. The next time the script is executed, this WMI class will be deleted if no errors are detected. I suggest setting up the script as a package in SCCM to run daily during business hours, as it will likely get the most machines that are online if the environment has a lot of laptops.

For those admins with no SCCM server, you can select -NetworkShare while also defining -NetworkSharePath to write to a log file named <Computer Name>.log with the count of errors inside the log file. If no errors are detected and a log file exists, the script deletes it.

I made this video as a tutorial on using this script:



This is a screenshot I took with all parameters selected, except for the -SCCMImport, which is documented in the video.



You can download the script from here.


 <#  
      .SYNOPSIS  
           SMART Reporting  
        
      .DESCRIPTION  
           This script will query the event viewer logs for event ID 51. Event 51 is generated when a drive is in the beginning stages of failing. This script will is to be deployed to machines to generate a WMI entry if event 51 is read. If no event 51 exists, no WMI entry is generated to be read by SCCM.  
        
      .PARAMETER SCCM  
           Select this switch to write the results to WMI for reporting to SCCM.  
        
      .PARAMETER NetworkShare  
           Select this switch to write the results to a text file located on the specified network share inside a file named after the machine this script was executed on.  
        
      .PARAMETER NetworkSharePath  
           UNC path to write output reporting to  
        
      .PARAMETER SCCMImport  
           This is used to create a fake WMI entry so that it can be imported into SCCM.  
        
      .EXAMPLE  
           Setting up the initial import of the WMI Class to SCCM  
                powershell.exe -file SMARTReporting.ps1 -SCCMImport  
   
           Reporting to SCCM  
                powershell.exe -file SMARTReporting.ps1 -SCCM  
   
           Reporting to a Network Share  
                powershell.exe -file SMARTReporting.ps1 -NetworkShare -NetworkSharePath "\\server\path\Reporting"  
   
      .NOTES  
           ===========================================================================  
           Created with:   SAPIEN Technologies, Inc., PowerShell Studio 2016 v5.2.127  
           Created on:     8/12/2016 11:02 AM  
           Created by:     Mick Pletcher  
           Organization:  
           Filename:       SMARTReporting.ps1  
           ===========================================================================  
 #>  
 param  
 (  
      [switch]$SCCM,  
      [switch]$NetworkShare,  
      [string]$NetworkSharePath,  
      [switch]$SCCMImport  
 )  
 function Initialize-HardwareInventory {  
 <#  
      .SYNOPSIS  
           Perform Hardware Inventory  
        
      .DESCRIPTION  
           Perform a hardware inventory via the SCCM client to report the WMI entry.  
        
 #>  
        
      [CmdletBinding()]  
      param ()  
        
      $Output = "Initiate SCCM Hardware Inventory....."  
      $SMSCli = [wmiclass] "\\localhost\root\ccm:SMS_Client"  
      $ErrCode = ($SMSCli.TriggerSchedule("{00000000-0000-0000-0000-000000000001}")).ReturnValue  
      If ($ErrCode -eq $null) {  
           $Output += "Success"  
      } else {  
           $Output += "Failed"  
      }  
      Write-Output $Output  
 }  
   
 function New-WMIClass {  
 <#  
      .SYNOPSIS  
           Create New WMI Class  
        
      .DESCRIPTION  
           This will delete the specified WMI class if it already exists and create/recreate the class.  
        
      .PARAMETER Class  
           A description of the Class parameter.  
        
 #>  
        
      [CmdletBinding()]  
      param  
      (  
           [ValidateNotNullOrEmpty()][string]$Class  
      )  
        
      $WMITest = Get-WmiObject $Class -ErrorAction SilentlyContinue  
      If (($WMITest -ne "") -and ($WMITest -ne $null)) {  
           $Output = "Deleting " + $Class + " WMI class....."  
           Remove-WmiObject $Class  
           $WMITest = Get-WmiObject $Class -ErrorAction SilentlyContinue  
           If ($WMITest -eq $null) {  
                $Output += "Success"  
           } else {  
                $Output += "Failed"  
                Exit 1  
           }  
           Write-Output $Output  
      }  
      $Output = "Creating " + $Class + " WMI class....."  
      $newClass = New-Object System.Management.ManagementClass("root\cimv2", [string]::Empty, $null);  
      $newClass["__CLASS"] = $Class;  
      $newClass.Qualifiers.Add("Static", $true)  
      $newClass.Properties.Add("Error51", [System.Management.CimType]::string, $false)  
      $newClass.Properties["Error51"].Qualifiers.Add("key", $true)  
      $newClass.Properties["Error51"].Qualifiers.Add("read", $true)  
      $newClass.Put() | Out-Null  
      $WMITest = Get-WmiObject $Class -ErrorAction SilentlyContinue  
      If ($WMITest -eq $null) {  
           $Output += "Success"  
      } else {  
           $Output += "Failed"  
           Exit 1  
      }  
      Write-Output $Output  
 }  
   
 function New-WMIInstance {  
 <#  
      .SYNOPSIS  
           Write new instance  
        
      .DESCRIPTION  
           Write a new instance reporting the last time the system was rebooted  
        
      .PARAMETER LastRebootTime  
           Date/time the system was last rebooted  
        
      .PARAMETER Class  
           WMI Class  
        
      .NOTES  
           Additional information about the function.  
 #>  
        
      [CmdletBinding()]  
      param  
      (  
           [ValidateNotNullOrEmpty()][string]$Error51,  
           [ValidateNotNullOrEmpty()][string]$Class  
      )  
        
      $Output = "Writing Error 51 information instance to" + [char]32 + $Class + [char]32 + "class....."  
      $Return = Set-WmiInstance -Class $Class -Arguments @{ Error51 = $Error51 }  
      If ($Return -like "*" + $Error51 + "*") {  
           $Output += "Success"  
      } else {  
           $Output += "Failed"  
      }  
      Write-Output $Output  
 }  
   
 function Remove-WMIClass {  
 <#  
      .SYNOPSIS  
           Delete WMIClass  
        
      .DESCRIPTION  
           Delete the WMI class from system  
        
      .PARAMETER Class  
           Name of WMI class to delete  
        
      .EXAMPLE  
                     PS C:\> Remove-WMIClass  
        
      .NOTES  
           Additional information about the function.  
 #>  
        
      [CmdletBinding()]  
      param  
      (  
           [ValidateNotNullOrEmpty()][string]$Class  
      )  
        
      $WMITest = Get-WmiObject $Class -ErrorAction SilentlyContinue  
      If (($WMITest -ne "") -and ($WMITest -ne $null)) {  
           $Output = "Deleting " + $Class + " WMI class....."  
           Remove-WmiObject $Class  
           $WMITest = Get-WmiObject $Class -ErrorAction SilentlyContinue  
           If ($WMITest -eq $null) {  
                $Output += "Success"  
           } else {  
                $Output += "Failed"  
                Exit 1  
           }  
           Write-Output $Output  
      }  
 }  
   
 Clear-Host  
 #Retrieve number of times error 51 has been logged in the event viewer logs  
 [int]$Count = (Get-WinEvent -FilterHashtable @{ logname = 'system'; ID = 51 } -ErrorAction SilentlyContinue).Count  
 If ($SCCMImport.IsPresent) {  
      #Create WMI Class  
      New-WMIClass -Class DriveReporting  
      #Write a new WMI instance to the WMI class with a report of how many error 51 events were detected  
      New-WMIInstance -Class DriveReporting -Error51 5  
 } else {  
      If ($Count -gt 0) {  
           $Output = "Event 51 disk error has occurred $Count times."  
           Write-Output $Output  
           #Write error reporting to SCCM  
           If ($SCCM.IsPresent) {  
                #Delete the specified WMI class and recreate it for clean reporting  
                New-WMIClass -Class DriveReporting  
                #Write a new WMI instance to the WMI class with a report of how many error 51 events were detected  
                New-WMIInstance -Class DriveReporting -Error51 $Count  
                #Trigger an SCCM hardware inventory to report the errors to SCCM  
                Initialize-HardwareInventory  
           }  
           #Write error reporting to a network share  
           If ($NetworkShare.IsPresent) {  
                #Add a backslash to the end of the defined network share path if it does not exist  
                If ($NetworkSharePath[$NetworkSharePath.Length - 1] -ne "\") {  
                     $NetworkSharePath += "\"  
                }  
                #Define the log file to write the output to  
                $File = $NetworkSharePath + $env:COMPUTERNAME + ".log"  
                #Delete the log file if it already exists so a clean one will be written to  
                If ((Test-Path $File) -eq $true) {  
                     $Output = "Deleting " + $env:COMPUTERNAME + ".log....."  
                     Remove-Item -Path $File -Force | Out-Null  
                     If ((Test-Path $File) -eq $false) {  
                          $Output += "Success"  
                     } else {  
                          $Output += "Failed"  
                     }  
                     Write-Output $Output  
                }  
                #Create a new log file and write number of event 51 logs to it  
                $Output = "Creating " + $env:COMPUTERNAME + ".log....."  
                New-Item -Path $File -ItemType File -Force | Out-Null  
                Add-Content -Path $File -Value "Event 51 Count: $Count" -Force  
                If ((Test-Path $File) -eq $true) {  
                     $Output += "Success"  
                } else {  
                     $Output += "Failed"  
                }  
                Write-Output $Output  
           }  
      } else {  
           $Output = "No event 51 disk errors detected."  
           Write-Output $Output  
           #Delete the WMI class if it exists on the system since no errors were detected  
           If ($SCCM.IsPresent) {  
                Remove-WMIClass -Class DriveReporting  
           }  
           #Delete log file if it exists since no errors were detected  
           If ($NetworkShare.IsPresent) {  
                If ($NetworkSharePath[$NetworkSharePath.Length - 1] -ne "\") {  
                     $NetworkSharePath += "\"  
                }  
                $File = $NetworkSharePath + $env:COMPUTERNAME + ".log"  
                If ((Test-Path $File) -eq $true) {  
                     $Output = "Deleting " + $env:COMPUTERNAME + ".log....."  
                     Remove-Item -Path $File -Force | Out-Null  
                     If ((Test-Path $File) -eq $false) {  
                          $Output += "Success"  
                     } else {  
                          $Output += "Failed"  
                     }  
                     Write-Output $Output  
                }  
           }  
      }  
 }  
   

0 comments:

Post a Comment