Monitoring with PowerShell: Monitoring BSODs without event viewer

I wrote about monitoring BSODs some years ago. Back then I simply used an event log lookup as an example of how to monitor BSODs. I never really liked that method because it did not give me all the verbosity I would have liked. Moments after I published that blog I actually made a better monitoring set that I did not share, so I figured others might benefit from it now.

I don’t like event log based monitoring as it can get rather resource intensive, and you don’t really have a way of getting all the required information out of the events; a good example is which driver actually caused the BSOD. This always meant that after a device experienced a BSOD you’d have to go to the device to check the exact reason. Boo for manual labour! 😉

So to solve this I’ve implemented NirSoft’s Bluescreenview.exe as a solution. Nir Sofer’s tools are freeware and fantastic for administration at MSPs. Bluescreenview.exe allows us to export all BSODs that occurred in the past and shows the specific reason for each blue screen without having to go to the device.

The Script

We’re downloading Bluescreenview from Nir directly in this case; for security reasons I would highly recommend hosting the zip file somewhere yourself, of course.

try {
    # Fetch and unpack BlueScreenView, then have it write every crash dump it finds
    # to a comma-separated file (/scomma). -Wait makes sure the export is complete
    # before we read it.
    Invoke-WebRequest -Uri "https://www.nirsoft.net/utils/bluescreenview.zip" -OutFile "$($ENV:Temp)\bluescreenview.zip"
    Expand-Archive "$($ENV:Temp)\bluescreenview.zip" -DestinationPath "$($ENV:Temp)" -Force
    Start-Process -FilePath "$($ENV:Temp)\Bluescreenview.exe" -ArgumentList "/scomma `"$($ENV:Temp)\Export.csv`"" -Wait
}
catch {
    Write-Host "BSODView Command has Failed: $($_.Exception.Message)"
    exit 1
}

# The export has no header row, so we supply the column names ourselves. Only the
# first nine columns are mapped; the remaining ones are discarded by ConvertFrom-Csv.
# -ErrorAction Stop keeps a missing export file from silently reading as "no BSODs".
$BSODs = Get-Content "$($ENV:Temp)\Export.csv" -ErrorAction Stop | ConvertFrom-Csv -Delimiter ',' -Header Dumpfile, Timestamp, Reason, Errorcode, Parameter1, Parameter2, Parameter3, Parameter4, CausedByDriver | ForEach-Object {
    # Crash times are written in the machine's regional format, so parse with the current culture.
    $_.Timestamp = [datetime]::Parse($_.Timestamp, [System.Globalization.CultureInfo]::CurrentCulture)
    $_
}
Remove-Item "$($ENV:Temp)\Export.csv" -Force

# Only crashes from the last 24 hours count as an alert.
$BSODFilter = $BSODs | Where-Object { $_.Timestamp -gt ((Get-Date).AddHours(-24)) }

if (!$BSODFilter) {
    Write-Host "Healthy - No BSODs found in the last 24 hours"
}
else {
    Write-Host "Unhealthy - BSOD found. Check Diagnostics"
    $BSODFilter
    exit 1
}
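The parse-and-filter part of the script is the piece worth being able to test without a real crash on the box, and the "host the zip yourself" advice is easier to follow if you also pin the file to a hash you recorded. The following is an added example, not the original script from the post and not NirSoft code: it wraps the same CSV mapping and 24-hour filter in functions, tolerates an unparseable timestamp instead of throwing, checks a downloaded zip against a known SHA-256, and runs against constructed sample rows. The function names, the `$ExpectedSha256` placeholder and the sample rows are all assumptions made for this example.

```powershell
# Added example (not the post's script). Function names, the hash placeholder and
# the sample CSV rows are assumptions/constructed for illustration.

function ConvertFrom-BlueScreenViewCsv {
    param([Parameter(Mandatory)][string[]]$CsvLines)
    # /scomma output has no header row; the first nine columns are the ones the post
    # maps. ConvertFrom-Csv discards any columns beyond the supplied header names.
    $headers = 'Dumpfile', 'Timestamp', 'Reason', 'Errorcode',
               'Parameter1', 'Parameter2', 'Parameter3', 'Parameter4', 'CausedByDriver'
    $CsvLines | Where-Object { $_.Trim() } |
        ConvertFrom-Csv -Delimiter ',' -Header $headers |
        ForEach-Object {
            # Crash times use the machine's regional format, so parse with the current
            # culture. A value that will not parse becomes DateTime.MinValue, so it can
            # never be mistaken for a recent crash (and never aborts the whole check).
            $parsed = [datetime]::MinValue
            [void][datetime]::TryParse($_.Timestamp,
                [System.Globalization.CultureInfo]::CurrentCulture,
                [System.Globalization.DateTimeStyles]::None, [ref]$parsed)
            $_.Timestamp = $parsed
            $_
        }
}

function Get-RecentBsod {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Bsods,
        [int]$Hours = 24
    )
    $cutoff = (Get-Date).AddHours(-$Hours)
    $Bsods | Where-Object { $_.Timestamp -gt $cutoff }
}

function Test-DownloadedZip {
    # Compare a downloaded (or self-hosted) zip against a SHA-256 you recorded in advance.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    return $actual -eq $ExpectedSha256.ToUpperInvariant()
}

# Constructed sample rows (not real crash data). ISO-style timestamps parse under any
# culture, which keeps this demo deterministic; row 3 has a deliberately bad timestamp.
$now = Get-Date
$sampleCsv = @(
    '"C:\Windows\Minidump\sample-01.dmp","' + $now.AddHours(-2).ToString('yyyy-MM-dd HH:mm:ss') +
        '","DRIVER_IRQL_NOT_LESS_OR_EQUAL","0x000000d1","0x0000000000000008","0x0000000000000002",' +
        '"0x0000000000000000","0xfffff80000000000","exampledrv.sys","0xfffff80000000000","Example driver"'
    '"C:\Windows\Minidump\sample-02.dmp","' + $now.AddDays(-10).ToString('yyyy-MM-dd HH:mm:ss') +
        '","KERNEL_MODE_EXCEPTION_NOT_HANDLED","0x0000001e","0xffffffffc0000005","0x0000000000000000",' +
        '"0x0000000000000000","0x0000000000000000","ntoskrnl.exe"'
    '"C:\Windows\Minidump\sample-03.dmp","not a date","PAGE_FAULT_IN_NONPAGED_AREA","0x00000050",' +
        '"0x0000000000000000","0x0000000000000000","0x0000000000000000","0x0000000000000000","unknown.sys"'
)

$all    = @(ConvertFrom-BlueScreenViewCsv -CsvLines $sampleCsv)
$recent = @(Get-RecentBsod -Bsods $all -Hours 24)

# Optional integrity check before running a downloaded tool; replace the placeholder
# with the hash you recorded when you vetted the zip.
# Test-DownloadedZip -Path "$env:TEMP\bluescreenview.zip" -ExpectedSha256 'REPLACE_WITH_RECORDED_SHA256'

if ($recent.Count -eq 0) {
    Write-Host "Healthy - No BSODs found in the last 24 hours"
}
else {
    Write-Host "Unhealthy - $($recent.Count) BSOD(s) found. Check Diagnostics"
    $recent | Format-Table Timestamp, Reason, Errorcode, CausedByDriver -AutoSize
    # exit 1   # uncomment when running this as an RMM monitor
}
```

With the constructed rows above, only sample-01 lands in the "recent" set: sample-02 is ten days old and sample-03's timestamp collapses to MinValue. To use the functions against a real export, pass `Get-Content "$env:TEMP\Export.csv"` as `-CsvLines` instead of `$sampleCsv`.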

And that’s it! This should give you somewhat clearer BSOD monitoring, where you can see at a glance which driver or application caused the crash. As always, Happy PowerShelling.

1 Comment

  1. Prejay April 10, 2021 at 9:54 am

    Many AV and EDR products may FP flag bluescreenview.exe or the zip, so make sure you have whitelisted it first or make sure your SOC is aware of it before implementation.
