1
\$\begingroup\$

I use PowerShell to retrieve the last two application logs with event ID 654 and calculate the time difference between them. If the time difference between the two logs is more than 30 minutes, I will generate a log.

I wrote something like the following. I tested it, and it works. But, what advice would you experts give me? How can I write it better?

PS C:\Windows\system32> $timediff


Days              : 0
Hours             : 0
Minutes           : 30
Seconds           : 28
Milliseconds      : 0
Ticks             : 18280000000
TotalDays         : 0.0211574074074074
TotalHours        : 0.507777777777778
TotalMinutes      : 30.4666666666667
TotalSeconds      : 1828
TotalMilliseconds : 1828000


PS C:\Windows\system32> $time1

Friday, August 8, 2025 8:41:53 AM



PS C:\Windows\system32> $time2

Friday, August 8, 2025 8:11:25 AM

Script:

$search = "CMP.DOMAIN"
#$Events = Get-EventLog -LogName "Application" -Source "Directory Synchronization" -InstanceId 654  -Newest 2

$Events = Get-EventLog -LogName "Application" -Source "Directory Synchronization" -InstanceId 654 -Newest 2 |
Where-Object { $_.Message.ToUpperInvariant().Contains($search.ToUpperInvariant()) }

$time1 = $Events[0].TimeGenerated
$time2  =$Events[1].TimeGenerated

$timediff = $time1 - $time2

if ($timediff.TotalMinutes -gt 30) {
Write-host "There is a delay in password synchronization." -BackgroundColor Cyan

}
else {
Write-host "There is no delay in password synchronization."
}
\$\endgroup\$

3 Answers 3

Reset to default
1
\$\begingroup\$

Here are some general coding style suggestions.

Comments

Remove commented-out code to reduce clutter:

#$Events = Get-EventLog -LogName "Application" -Source "Directory Synchronization" -InstanceId 654  -Newest 2

Add comments to the top of the code to summarize its purpose. I'll post an example below.

Layout

Use consistent whitespace around operators. For example:

$time2  =$Events[1].TimeGenerated

is easier to understand as:

$time2 = $Events[1].TimeGenerated

Also make consistent use of blank lines. There is no need for the blank line after the statement in the if clause.

Indentation

Indent the if/else statement and the long statement split across 2 lines. See below.

Simpler

These 3 lines can be combined into one:

$time1 = $Events[0].TimeGenerated
$time2  =$Events[1].TimeGenerated

$timediff = $time1 - $time2

This eliminates 2 intermediate variables ($time1 and $time2).

Here is the code with the suggested improvements:

# Retrieve last 2 application logs with event ID 654 and calculate time difference between them.

$search = "CMP.DOMAIN"

$Events = Get-EventLog -LogName "Application" -Source "Directory Synchronization" -InstanceId 654 -Newest 2 |
          Where-Object { $_.Message.ToUpperInvariant().Contains($search.ToUpperInvariant()) }

$timediff = $Events[0].TimeGenerated - $Events[1].TimeGenerated

if ($timediff.TotalMinutes -gt 30) {
    Write-host "There is a delay in password synchronization." -BackgroundColor Cyan
}
else {
    Write-host "There is no delay in password synchronization."
}
\$\endgroup\$
1
\$\begingroup\$

We can simplify this:

$Events = Get-EventLog -LogName "Application" -Source "Directory Synchronization" -InstanceId 654 -Newest 2 |
Where-Object { $_.Message.ToUpperInvariant().Contains($search.ToUpperInvariant()) }

To:

$events = Get-EventLog -LogName "Application" -Source "Directory Synchronization" -InstanceId 654 -Newest 2 |
    Where-Object Message -match $search

(Note however that $search is a regular expression. I would change it to "\bCMP\.DOMAIN\b").

There is a logic error here, by the way. You are getting the newest two events, and then filtering those two. You could end up with zero, one or two events.

You could change it to something like this, maybe:

$events = Get-EventLog -LogName "Application" -Source "Directory Synchronization" -InstanceId 654 -Newest 100 |
    Where-Object Message -match $search |
    Select-Object -First 2

In any case, you should check the length of your $events list before you use it:

if ($events.Length -eq 2) {
    # Do stuff with $events.
}

Get-EventLog is obsolete. Microsoft says to use Get-WinEvent.

Consider using PowerShell 7 instead of Windows PowerShell, unless if you have a specific reason for using Windows PowerShell.

As a rule, it's better to use Write-Output rather than Write-Host. If you ever wanted to capture the output of your script, you could do that with Write-Output but not Write-Host. You can't get colors with Write-Output, however. But you could use Write-Warning for that.

\$\endgroup\$
1
\$\begingroup\$

Nice idea and it works, but two changes will make it more robust and faster.

  1. Use Get-WinEvent with server‑side filtering Get-EventLog is legacy and built on a deprecated Win32 API. Microsoft recommends Get-WinEvent, which lets you filter by log, provider and id before data hits the pipeline. That cuts noise and improves performance. Sources: Microsoft docs on Get-EventLog deprecation and Get‑WinEvent with -FilterHashtable.
$search  = 'CMP.DOMAIN'

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'
    Id           = 654
} -MaxEvents 200 |
    Where-Object { $_.Message -match [regex]::Escape($search) } |  # case-insensitive by default
    Sort-Object TimeCreated -Descending |
    Select-Object -First 2

if (!$events -or $events.Count -lt 2) {
    Write-Output 'Not enough matching events to compare.'
    return
}
  1. Compare TimeSpan to TimeSpan, not numbers Instead of checking TotalMinutes -gt 30, compare two TimeSpan values. Reads better and avoids unit bugs.
$delta = $events[0].TimeCreated - $events[1].TimeCreated

if ($delta -gt [TimeSpan]::FromMinutes(30)) {
    Write-Output 'There is a delay in password synchronization.'
}
else {
    Write-Output 'There is no delay in password synchronization.'
}
\$\endgroup\$

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.