Chapter 12: Managing Log Files – Microsoft Exam MD-100 Windows 10 Certification Guide

Chapter 12: Managing Log Files

Once Windows 10 computers are installed, they need to be monitored and managed. Windows 10 provides various tools for controlling your computer, including Event Viewer and a range of performance management features, such as Resource Monitor and Performance Monitor.

As well as knowing how to control your computers, you must also be familiar with how to handle vital Operating System (OS) elements, such as printing, indexing, and the various Windows services.

The following topics will be covered in this chapter:

  • Configuring and analyzing event logs
  • Managing performance
  • Managing the Windows 10 environment

This chapter provides you with the skills you need to analyze event log errors on the current version of Windows 10. This will help you maintain the performance and environment of Windows 10. This chapter will also help you to prepare for the MD-100 (Windows 10) exam, which is part of the Microsoft 365 Certified: Modern Desktop Administrator Associate certification.

Technical requirements

In this chapter, you will see us use PowerShell code. This code is available at

In this chapter, you will need to follow the steps to configure some settings. The steps that you will follow have also been recorded. You can find these videos at

Configuring and analyzing event logs

Event logs are a key built-in security resource in all Windows Operating Systems and can be accessed from Windows Event Viewer. They provide information about occurring system events. Event logs are created by the Event Log service as a background operation and can contain information, alerts, and error messages about Windows components, installed applications, and system behavior.

We will learn how to configure and analyze event logs in this section. In addition to log groups for individually installed applications and different Windows component categories, Event Viewer offers classified lists of important Windows log events, including application, security, setup, and system events. Individual events provide comprehensive details about the type of event that occurred, its cause, and specific technical information to assist with troubleshooting it.

Event Viewer also lets you merge logs from several machines onto a single computer by using subscriptions. Event Viewer can additionally be configured to perform an action when particular events occur. This may involve sending you an email message, launching an app, or running a script, either to alert you to the event or to attempt to fix the underlying problem.

Windows 10's Event Viewer has the following features:

  • The option of viewing several logs: You can search through several logs for different events, making it easier to investigate issues and troubleshoot problems that span multiple logs.
  • The inclusion of customized views: You can use filtering to limit searches to only the events you are interested in, and you can then save these views.
  • The ability to set up tasks that are scheduled to run in response to events: Responses to events can be automated. Event Viewer integrates with Task Scheduler to execute these responses.
  • The capacity to build and maintain subscriptions to events: You can capture and store events from remote computers.

    Important Note

    You need to create an inbound rule on Windows Firewall to allow Windows Event Log Management to capture events from remote computers.

By now, you will know what Event Viewer is. In the next section, we will move on to understanding event logs.

Understanding event logs

In the previous section, you learned what Event Viewer is and what it is used for. To get a better insight into Event Viewer and the event logs, we will go a little deeper into Event Viewer. First, to open Event Viewer, take the following steps:

  1. Click Start icon.
  2. Type in event viewer.
  3. Click on Event Viewer.
  4. The Event Viewer app will open, as shown:

Figure 12.1 - Event Viewer app

As you can see in the preceding screenshot, upon opening the window, the console retrieves and displays the events that have occurred on your computer. You can also use Event Viewer to work with the event logs of remote computers; to do so, you need to allow remote management in your firewall.

There are two different types of log files:

  • Windows Logs: These logs include Application, Security, Setup, System, and Forwarded Events. The following screenshot shows you these logs:

Figure 12.2 - An expanded tree of the Windows Logs node

  • Applications and Services Logs: These logs include other logs from applications and services to record application-specific or service-specific events. You can also see these logs in the previous screenshot.

Since logs are created as part of the OS, they can provide forensic information to help you understand issues that are difficult to diagnose using real-time system analysis.

More details about the Windows Logs files are as follows:

  • Application: This log contains events logged by installed applications.
  • Security: This log contains auditable events, such as logon, logoff, privilege use, and shutdown.
  • Setup: This log records events logged by Windows during setup and installation.
  • System: This log contains the events logged by Windows 10. This is the primary system log.
  • Forwarded Events: These are used when event forwarding is operational. This log records forwarded events from other computers.

Select each of the Windows logs in Event Viewer and look at the types of events created. On the right side, the Actions pane contains tools and wizards to help you deal with logs, including saving logs, clearing/deleting log entries, opening a previously saved log, and adding a task to an event.

The maximum file size of a Windows 10 event log is 20 Megabytes (MB) by default. When a log reaches its maximum size, the oldest events are overwritten by new events.

Open Event Viewer and take some time to get familiar with it by reviewing some of the logs, as in the following screenshot:

Figure 12.3 - Some examples of event log types

In the previous screenshot, you can see that there are multiple event levels, which have the following meanings:

  • Information: These events record a change to a component or a system operation that typically completed successfully.
  • Warning: These events are not necessarily problems, but they may be more significant than they appear and should be investigated.
  • Error: These events warn you that a problem has occurred.
  • Critical: These events are the most severe and may result in failure or loss of function. They are highly important and indicate that there is, or has been, a problem.
  • Audit Success/Failure: If auditing is enabled, these entries appear in the Security log.

Instead of using the default layout of Event Viewer, you can create custom views for the specific logs you want to investigate. In the next section, you will learn how you can create these custom views.

Creating Custom Views

Event logs contain large quantities of data, which can make it hard to isolate the events that concern you. To accommodate this, the view in Windows 10 can be configured so that you query and sort only the events you wish to examine. You can also save, export, import, and share Custom Views.

Event Viewer allows you to search through several logs for specific events and display all the events that may be relevant to the problem you are investigating. You'll need to build a custom view to define a filter that spans several logs.

In Event Viewer, go to Create Custom View under the Actions window. These Custom Views can be filtered according to various parameters, as shown:

Figure 12.4 - The Create Custom View dialog box

In the previous screenshot, you can see the various fields used. They are described as follows:

  • Logged: This states the time that the event was logged.
  • Event level: This is used to display the type of level, such as Error or Warning.
  • By log: This is used to select the logs to include events for.
  • By source: This is used to select specific event IDs to include or exclude.
  • User: This shows the user context of the event.
  • Computer(s): This shows the computer that the event occurred on.

Use the following steps to build a custom view in Event Viewer that only shows the Critical events in the System log:

  1. Go to Event Viewer | Actions | Create Custom View option.
  2. From the Filter tab, select the Critical checkbox under Event level.
  3. Use the By log drop-down option to expand Windows Logs.
  4. Select the System checkbox from the dropdown and then click OK:

    Figure 12.5 - The filter created by following the previous steps

  5. After that, in the Save Filter to Custom View window, choose a name, such as System-Critical, for the log and click OK:

Figure 12.6 - Giving the custom view a name and a description

The Custom View immediately refreshes and displays the log entries that match the set criteria. Your Custom View filter is located in the left pane under the Custom Views node. The output of the previous steps is shown in the following screenshot:

Figure 12.7 - The Custom View result that we created

In the previous screenshot, you can see all the events listed. Double-click an event log entry to display its Event Properties dialog box. The Actions pane also provides a Copy button, which transfers the event data to the clipboard so that you can work with the data or request assistance. Descriptions of events are now easier to understand than in previous Windows versions, and reading event log entries regularly helps develop your understanding of what a problem is.
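The System-Critical custom view built in the previous steps, expressed in PowerShell. This is an added example, not code from the book; it assumes an elevated PowerShell session on Windows 10, and the 30-day window and the CSV path on the desktop are choices made for this illustration.

```powershell
# Added example: the System-Critical custom view as a Get-WinEvent query.
# Event levels as stored in the log: 1 = Critical, 2 = Error, 3 = Warning, 4 = Information.
$filter = @{
    LogName   = 'System'
    Level     = 1
    StartTime = (Get-Date).AddDays(-30)   # assumption: the last 30 days is enough for a first look
}

# Get-WinEvent reports "No events were found" as an error when nothing matches,
# so suppress that and test the result instead of letting the script stop.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No Critical events in the System log since $($filter.StartTime)."
}
else {
    # Show the first line of each message, which is what the Event Viewer list pane shows.
    $events |
        Select-Object TimeCreated, Id, ProviderName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize

    # Save the matching events to review elsewhere or to share when requesting assistance,
    # the bulk equivalent of the Copy button in the Event Properties dialog box.
    $events | Select-Object TimeCreated, Id, ProviderName, Message |
        Export-Csv -Path "$env:USERPROFILE\Desktop\System-Critical.csv" -NoTypeInformation
}

# The same filter as the XML shown on the XML tab of the Create Custom View dialog box.
# It can be pasted into that tab, or run directly with -FilterXml.
[xml]$query = @'
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(Level=1)]]</Select>
  </Query>
</QueryList>
'@
Get-WinEvent -FilterXml $query -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName
```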

You know how you can create a custom view for a Windows 10 computer. With Event Subscriptions, you can collect event logs from other computers, instead of manually connecting to them. You will learn more about this in the next section.

Configuring Event Subscriptions

Event Viewer helps you view events on a single screen. However, troubleshooting a problem may require you to look at a series of events that are stored on multiple computers in multiple logs. Event Viewer allows you to gather copies of events from various remote computers for this purpose and then store them locally. Create an event subscription to determine which events to receive. After a subscription is active and the events are recorded, these forwarded events can be interpreted and manipulated as you would with any other locally stored events.

You need to configure both the forwarding and the collecting computers before you can use the event-collecting function. The functionality for event collection is based on the Windows Remote Management (WinRM) and Windows Event Collector (Wecsvc) services. These services run on every computer that takes part in the forwarding and collecting process.

We can perform the following steps to allow subscriptions:

  1. Type the following command in an elevated Command Prompt to enable Windows Remote Management on a source computer and then press Enter:

    winrm quickconfig

    The winrm quickconfig command starts the WinRM service and configures a port listener to send and receive messages. The output of this command is shown in the following screenshot:

    Figure 12.8 - The output of the winrm quickconfig command

  2. On the collector machine, which is the machine that receives the messages, type the following command in an elevated Command Prompt to activate the Windows Event Collector service, then press Enter:

    wecutil qc

    The wecutil qc command helps you build and manage subscriptions to events sent from remote computers. The output of this command is shown in the following screenshot:

    Figure 12.9 - Output of the wecutil qc command

  3. Add the collector's computer account to the local group of event log readers on each of the source computers.

You have now learned to configure Event Subscriptions to gather remote event logs from other computers. In the next section, you will learn how to create a subscription to see the logs from other computers.

Creating a Subscription

After you have configured Event Subscriptions on a source computer and the remote computers, you can create a subscription to receive event logs from remote computers. There are two kinds of subscriptions—collector-initiated and source computer-initiated.

In a collector-initiated subscription, the subscription must list all the computers that are sources of the events. A source computer-initiated subscription lets you define a subscription on the event collector without specifying the event source computers in it.

To create a collector-initiated subscription, follow these steps:

  1. Go to Event Viewer | Subscription menu.
  2. If the option to start Windows Event Collection service appears, click Yes.
  3. Then, in the Action pane, click Create Subscription...:

    Figure 12.10 - The Create Subscription option

  4. After that, type in a name and description for the subscription, as shown:

    Figure 12.11 - The Subscription name field

  5. Then, under Subscription type and source computers, click Collector initiated, then the Select Computers... option:

    Figure 12.12 - Subscription type and source computers section

  6. After that, in the Computers dialog box, click Add Domain Computers..., then select the computer to be polled for subscriptions and click OK:

    Figure 12.13 - Computers dialog box

  7. Under Events to collect, click Select Events…, then define the event criteria to be used to match and collect events and click OK:

    Figure 12.14 - Events to collect option

  8. Click OK to save the changes made to the options and make the Subscription active.

The previous steps will create a subscription that is listed in the Main pane of the Subscriptions node, as shown:

Figure 12.15 - The Subscriptions window that is created
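The following checks verify the pieces that the two procedures above set up: WinRM on the source, the collector's computer account in Event Log Readers (step 3 of the setup), the Wecsvc service, and the subscription itself. This is an added example, not code from the book; it assumes it is run in an elevated PowerShell session on the collector by an administrator of the source, that the source computer is named SRC01 in a domain called CONTOSO, and that the subscription created above was named Lab-System-Critical (all placeholder names).

```powershell
# Added example: verifying a collector-initiated subscription end to end.
$source        = 'SRC01'                              # placeholder source computer
$collectorAcct = "CONTOSO\$env:COMPUTERNAME`$"        # the collector's computer account (placeholder domain)
$subscription  = 'Lab-System-Critical'                # placeholder subscription name

# 1. Is WinRM answering on the source? This is what winrm quickconfig enabled there.
Test-WSMan -ComputerName $source -ErrorAction Stop | Out-Null
Write-Output "WinRM answers on $source."

# 2. Step 3 of the setup: the collector's computer account must be a member of
#    Event Log Readers on the source, or it is not allowed to read the logs it collects.
Invoke-Command -ComputerName $source -ArgumentList $collectorAcct -ScriptBlock {
    param($acct)
    $members = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
    if ($members | Where-Object Name -eq $acct) {
        "$acct is already in Event Log Readers on $env:COMPUTERNAME"
    }
    else {
        Add-LocalGroupMember -Group 'Event Log Readers' -Member $acct
        "Added $acct to Event Log Readers on $env:COMPUTERNAME"
    }
}

# 3. Is the Windows Event Collector service running? This is what wecutil qc enabled.
Get-Service -Name Wecsvc | Select-Object Name, Status, StartType

# 4. Subscription status as the collector sees it. wecutil gr reports, per source
#    computer, whether the last delivery succeeded and when it last ran.
wecutil es                   # enumerate all subscriptions on this collector
wecutil gr $subscription     # runtime status of the one created above

# 5. Has anything arrived? Forwarded events are written to the Forwarded Events log.
Get-WinEvent -LogName 'ForwardedEvents' -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, Id, LevelDisplayName
```

If step 5 returns nothing while step 4 shows the source as active, give the subscription a few minutes: delivery is batched, so events do not appear instantly.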

In this section, you learned how to create an event subscription to gather remote logs for troubleshooting. In the next section, you will learn how to manage the performance of Windows 10 with different tools, such as Resource Monitor and Performance Monitor.

Managing performance

Within Windows 10, there are a variety of tools you can use to monitor and manage performance. Some of these tools give you a graphical view of current data, while others provide a way to gather and evaluate performance data over time.

To monitor performance in Windows 10, you can use the following tools:

  • Task Manager
  • Resource Monitor
  • Performance Monitor
  • Reliability Monitor

We will look at each of these tools in the following sections. Let's start with the Task Manager tool.

Monitoring performance with Task Manager

The Task Manager tool is one of the tools most frequently used by end users and administrators to monitor system performance and the use of resources on a computer. Task Manager is mainly a tool for tracking performance, not reliability.

Task Manager can be opened in a variety of ways, which are listed as follows:

  • Right-click on the taskbar and select Task Manager.
  • Press the Ctrl+Alt+Del keys, then select Task Manager.
  • Use the Ctrl+Shift+Esc key combination.
  • Type taskmgr.exe in Command Prompt to open Task Manager.
  • Click Start icon, type in taskmgr, then press Enter.

The following screenshot shows you what the Task Manager app typically looks like:

Figure 12.16 - The Task Manager app

From the previous screenshot, you can see that the Task Manager app that is built into Windows 10 shows you which processes (tasks) are running on your system and, most importantly, the use of performance-related system resources. If a particular task or process is not reacting or continues to run after an application has been terminated, you can use Task Manager to monitor this activity and force the unwanted task to stop.

When you first run Task Manager, it only displays the programs and processes that are running. If you click the More details button, the Task Manager window will expand and you will be able to view more information about the program's operation. The Task Manager window contains the following tabs:

  • Processes: This tab shows a list of the running programs, subdivided into applications and Windows internal processes, along with the processor and memory use of each running process.
  • Performance: This tab shows graphs of CPU, memory, and network usage.
  • App history: This tab shows the history of resource usage per app. It is useful when trying to find a specific app that consumes more resources than expected.
  • Startup: This tab shows applications that are run at startup time. You can disable any of these programs to stop them from starting up.
  • Users: This tab shows per-user resource usage. You can also expand a user's entry to see more specific details about the particular processes that the user is running.
  • Details: This tab lists all the processes running on the computer and offers information on their CPU, memory, and other resource usage. You can use this tab to control the running processes; for example, you can end a process, end a process together with all of its related processes, or change a process's priority. A process's priority determines how much CPU time the process can be given; if you increase the priority, you allow the process to request more CPU resources.
  • Services: This tab lists the Windows services, including whether each service is running and the Process Identifier (PID) of a running service. You can use the list in the Services tab to start and stop services.

When you first notice a problem with reliability, you can use Task Manager to see whether you can solve the problem. For example, you might review the start-up items to decide whether a specific program causes problems after it begins and search the processes for non-responsive applications.

Important Note

Task Manager displays the current resource usage on the local computer. Task Manager cannot be used to track the activity on a remote device or to store performance and resource usage data in a log file.

Now, you know what you can do with Task Manager. Let's take a look at what you can do with Resource Monitor.

Examining performance with Resource Monitor

Resource Monitor provides an overview of a computer's performance, together with four tabs that show specific information for the main components of the computer. These four tabs are as follows:

  • CPU (processor)
  • Memory
  • Disk
  • Network

When a Windows 10 device runs slowly, you can use Resource Monitor to monitor current activity in each of the four component areas and determine what is causing a bottleneck. Resource Monitor, however, can only display resource usage for the local machine, not for remote or virtual computers.

The following screenshot shows the Resource Monitor app:

Figure 12.17 - The Resource Monitor app

Review each tab of the Resource Monitor app in the preceding screenshot. Each tab can be expanded to show additional detail for that component.

You can access Resource Monitor from Task Manager. You can also execute the following command on a Command Prompt window to access Resource Monitor:

perfmon /res

Compared to Task Manager, Resource Monitor's primary objective is to monitor system performance and the usage of the CPU, Disk, Network, and Memory resources. However, you can also use it to help recognize reliability issues, such as the inappropriate use of device resources or unresponsive applications.

So, you have now learned how to use Resource Monitor to troubleshoot problems in Windows 10. The next tool we will look at is Performance Monitor.

Monitoring performance with Performance Monitor

Performance Monitor is a snap-in of Microsoft Management Console (MMC) that you can use to see details about system performance. You can use this tool to evaluate the performance impact of the apps and services on your computer, to get an overview of system performance, or to collect comprehensive troubleshooting details. Performance Monitor has the following functionalities:

  • Monitoring Tools: This section contains the performance monitor, which offers a visual view of the built-in Windows performance counters, either in real time or as historical data.
  • Data Collector Sets: A data collector set is a custom set of performance counters, event traces, and data about the system configuration. Once you create a combination of data collectors that yields valuable information about the system, you can save it as a data collector set, then run it and display the results.
  • Reports: You can use the Reports feature to view and generate reports from the counters that you used to build data collector sets. Performance Monitor automatically generates a new report each time a data collector set runs.

The following screenshot shows you a view of the Performance Monitor app:

Figure 12.18 - The Performance Monitor app

Performance Monitor uses counters to measure the state of the computer. The OS provides a set of performance counters, and individual applications can add performance counters of their own. By default, Performance Monitor samples the current value of the performance counters every second; the sampling interval can be changed.

You can add Performance Monitor counters by dragging and dropping the counters or by building a custom data collector set. Performance Monitor features several graph views that allow you to visually check the performance log data. In Performance Monitor, you can build Custom Views, which you can then export as data collector sets for use with the performance and logging features.

A data collector set organizes multiple data collection points into a single, portable component. You can use your data collector set on its own, combine it with other data collector sets, integrate it into logs, or display it in Performance Monitor. You can also configure a data collector set to generate alerts when counters exceed thresholds.

You can also configure a data collector set to run at a specified time, for a specified duration, or until a predefined log size is reached. For example, to build a performance benchmark, you can run the data collector set for 10 minutes every hour during working hours. You can also configure the data collector set to start a new log file whenever the current one exceeds a fixed size limit, so that each cycle produces a new file. Scheduled data collector sets collect data regardless of whether Performance Monitor itself is open.
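A small PowerShell stand-in for the data collector set with alert thresholds described in the two paragraphs above: it samples the same kind of counters on a schedule, flags samples that cross a threshold, and writes the run to a log that Performance Monitor can open. This is an added example, not code from the book; it assumes Windows PowerShell 5.1 on Windows 10 (Export-Counter is not available in PowerShell 7), and the counters, sample count, thresholds, and output path are choices made for this illustration.

```powershell
# Added example: a one-minute counter collection with alert thresholds.
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length'
)

# Alert conditions, chosen for this illustration: CPU above 85 %, fewer than
# 512 MB of free memory, or an average disk queue longer than 2.
$thresholds = @{
    '\Processor(_Total)\% Processor Time'          = { param($v) $v -gt 85 }
    '\Memory\Available MBytes'                     = { param($v) $v -lt 512 }
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length' = { param($v) $v -gt 2 }
}

# Sample every 2 seconds, 30 times (one minute), as a scheduled collector set would.
$samples = Get-Counter -Counter $counters -SampleInterval 2 -MaxSamples 30

foreach ($set in $samples) {
    foreach ($s in $set.CounterSamples) {
        # Sample paths carry the machine name, e.g. \\PC01\memory\available mbytes;
        # strip it so the path matches the threshold table (hashtable keys are
        # case-insensitive, so the lowercase form Get-Counter returns still matches).
        $path  = $s.Path -replace '^\\\\[^\\]+', ''
        $check = $thresholds[$path]
        if ($check -and (& $check $s.CookedValue)) {
            Write-Warning ('{0:u} {1} = {2:N1}' -f $set.Timestamp, $path, $s.CookedValue)
        }
    }
}

# Write the samples to a binary performance log. Performance Monitor can open it
# (Action | Properties | Source | Log files), so the run can be reviewed later.
$samples | Export-Counter -Path "$env:TEMP\baseline.blg" -FileFormat BLG -Force
```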

You have now learned that you can use Performance Monitor to view performance data either in real-time or from a log file. You have also learned how to create custom collector sets to configure and schedule performance counters and event tracking so that you can analyze the results and view reports. Next, we will move on to Reliability Monitor.

Surveilling performance with Reliability Monitor

The Reliability Monitor app measures the functionality of a computer and its history of problems. It can be used to generate reports and charts in many forms that can help you determine the source of reliability issues.

You can open Reliability Monitor by following these steps:

  1. Click on the Start icon.
  2. Type in reliability.
  3. Click on View reliability history. The following screenshot shows you what the app looks like:

Figure 12.19 - The Reliability Monitor app

In the previous screenshot, you can see a timeline with historical data of when, for example, an update was installed. You can also see that two errors have occurred in a program.

In the following sections, you will learn and understand the techniques and tools that are used in Reliability Monitor—namely, a system stability chart, events in the timeline, and the Problem Reports and Solutions tool.

Understanding the system stability chart

The system stability chart in Reliability Monitor shows the stability of the system over the past year in regular increments. This chart shows details such as error messages and alerts. Additionally, it simplifies the process of identifying issues and shows the date on which they occurred.

The system stability report includes details on each case in the chart, including software installations, software uninstallations, application failures, hardware failures, Windows failures, and other miscellaneous failures.

Recording key events in a timeline

Reliability Monitor tracks the main system configuration events, such as installing new applications, OS updates, and drivers. It also helps you recognize the causes of reliability problems by tracking events such as memory problems, hard disk problems, driver problems, application problems, and OS failures.

Reliability Monitor includes a timeline of system changes and also reports on the reliability of the system. This timeline is used to determine whether a specific system change coincides with the onset of system instability. The reliability database stores up to a year's history of these events.

Understanding the Problem Reports and Solutions tool

Reliability Monitor's Problem Reports and Solutions tool lets you review problem reports and any solution details that have been received. This tool only stores this information; Windows Error Reporting handles all internet communication related to errors and the solutions to those problems. The Problem Reports and Solutions tool lists the attempts made to fix issues with a computer.

To open the Problem Reports and Solutions tool, click on the View all problem reports option located at the bottom of the Reliability Monitor window. The following screenshot shows you the Problem Reports window:

Figure 12.20 - The Problem Reports and Solutions tool

If an error occurs when an app is running, Windows Error Reporting prompts the user to choose whether they want to submit to Microsoft the error information over the internet. If there is information available that can help a user fix a problem, Windows will show a message to the user with a link to information about how to solve the problem.

The Problem Reports and Solutions tool can be used to review solution information and to recheck for new suggestions. You can start the Problem Reports and Solutions tool from the Reliability Monitor window. This tool includes options such as saving the reliability history, viewing all the problem reports, checking for solutions to all problems, and clearing the solutions and problem history.

So, you have now learned that you can review specific hardware and software problems with Reliability Monitor that have impacted your system with the help of different reports. This tool can advise you on how to solve a problem that has occurred.

The next section of this chapter will cover how you can manage a Windows 10 environment, including managing printers, configuring indexing, and managing services.

Managing Windows 10 environment

In your daily job, you may have to resolve problems with regard to the slow performance of Windows 10 as well as managing print servers. Many end-users complain that their Windows 10 is slow in performance and you will have to solve this. For this reason, in this section we will focus on how you manage printers, monitor and customize indexing, assess device reliability, and customize and manage services.

Monitoring and managing printers

Windows 10 provides you with some extra tools to handle your printing, as opposed to previous Windows versions. The new Print Management desktop app and the new Printers & Scanners option in the Settings app that have been introduced provide you with important print management options, such as adding, removing, and setting printers as default.

You can still access the previous printer tools in the Control Panel's Device and Printers section or from the link in the Settings app at the bottom of the Printers & Scanners options. The Devices and Printers item in Control Panel has the same GUI as in the earlier Windows 7 versions.

Important Note

This section focuses on the latest printing features in Windows 10, but you should also study the older printing tools for the exam.

You can manage printers with the Print Management console or with PowerShell. You will learn about how to do this in the following sections.

Managing printers with Print Management

Windows 10 can operate as a print server or you can connect and control printers remotely on Windows-based print servers via the Print Management console.

The Print Management console can be found in the Administrative Tools section of the Control Panel, so you can open it from there or type printmanagement.msc into the Start menu. The Print Management console will then open, as shown:

Figure 12.21 - Print Management console

The Print Management console offers a unified interface that helps you control several printers and print servers and perform several management tasks, which are as follows:

  • Adding and removing print servers
  • Adding and deleting printers
  • Adding and managing drivers
  • Managing print queues
  • Viewing and modifying printers' statuses
  • Creating a custom filter to view printers that match specific criteria

Let's look at these management tasks in more detail in the following sections.

Adding and removing print servers

When you first open the Print Management console, it is only linked to a local print server based on Windows 10. If you have sufficient permission and want to access other Windows-based print servers, you first need to add them to the Print Management console by right-clicking on the Print Server node and then selecting Add / Remove Print Servers.

Adding and deleting printers

On any print server that is connected to the Print Management console, you can connect or remove printers locally or remotely. You can connect printers using the Network Printer Installation Wizard page, which is similar to the Add Printer Wizard page in Devices and Printers. The Network Printer Installation Wizard page lets you perform the following tasks:

  • Search the network for printers.
  • Add a Transmission Control Protocol/Internet Protocol (TCP/IP) or web service printer by IP address or hostname.
  • Add a new printer by using an existing port.
  • Create a new port and add a new printer.

Next, we will move on to adding to and managing the driver section.

Adding and managing drivers

Windows can also download a driver for the appropriate printing device while you are connecting a printer. For example, if you connect a PostScript printing device to the 32-bit edition of Windows 10, a 32-bit Windows 10 PostScript driver will be installed. However, when you share the printer, other users can connect to it and use it, and they need drivers for the OS that they are running. For example, if someone is running a 64-bit version of Windows 7, you may want to add a 64-bit driver to your Windows 10 print server.

By running Add Printer Driver Wizard, the Print Management console lets you add printer drivers, as shown:

Figure 12.22 - The Add Printer Driver Wizard

You should be aware that with Type 4 printer drivers, clients no longer need a separate driver for each printer: Type 4 (v4) drivers are print class drivers that cover many printer models, and they are not tied to the client's architecture in the way Type 3 (v3) drivers are.

Important Note

A Type 4 driver is typically bundled with the OS or downloaded from Windows Update, while Type 3 drivers are mostly downloaded from the website of the printer's manufacturer.

Clients that connect to a shared printer backed by a Type 4 driver do not download the driver from the print server; the client uses its own copy from the local driver store, Windows Update, or Windows Update for Business. Type 3 drivers, by contrast, are delivered to clients from the print server through Point and Print, which means the client installs driver code supplied by the server. Keep this in mind when you decide which driver type to publish on a shared print server, and use the Point and Print Restrictions Group Policy setting to control which servers clients may accept drivers from.

Let's move on to the next section on managing print queues.

Managing print queues

By clicking on the Printers node under the print server, you can view the printers that are installed on a specific print server. By selecting the All Printers node, you can also view all the installed printers on all the print servers that are connected to the Print Management console.

To view a printer's queue, right-click the printer and select Open Printer Queue. The resultant window is shown in the following screenshot:

Figure 12.23 - Managing print jobs in the print queue

In the previous screenshot, you can see the Pause, Restart, Resume, and Cancel options, and you can reorder print jobs.

Let's move on to look at viewing and modifying printers' statuses in the next section.

Viewing and modifying printers' statuses

The Printers node shows information about each printer linked to any print server you attached to the Print Management console, as shown:

Figure 12.24 - All the listed printers under the Printers node

In the previous screenshot, you can see each printer's print queue status, the number of jobs in the queue, the driver name and version, and the type of driver.

Next, we will see how we can create a custom filter to view printers that match certain criteria.

Creating a custom filter to view printers that match specific criteria

By default, four custom filters are included in the Print Management console. They are as follows:

  • All Printers
  • All Drivers
  • Printers Not Ready
  • Printers With Jobs

You can add new custom printer or driver filters by specifying one or more conditions that a printer or driver must meet to appear in the filter's view. For example, you could build a custom filter that displays printers at a specific location, irrespective of the print server they are connected to, or one that displays printers with more than five jobs in their queue.

Important Note

The Devices and Printers tool can only manage printers on the local Windows 10-based computer. The Print Management console can manage printers on the local Windows 10-based computer as well as printers connected to other Windows-based print servers.

In this section, you learned what you can do in the Print Management console. However, most of these actions can also be carried out with PowerShell.

Managing printers with PowerShell

Windows has more than 20 PowerShell cmdlets that can be used for printer management. The following are some of the most popular cmdlets:

  • Add-Printer: Adds a printer
  • Add-PrinterDriver: Installs a printer driver
  • Get-PrintConfiguration: Used to get the printer configuration
  • Get-Printer: Retrieves the installed printers
  • Get-PrinterDriver: Retrieves the installed drivers
  • Get-PrinterProperty: Retrieves the printer properties
  • Remove-Printer: Removes a printer
  • Remove-PrintJob: Removes a print job
  • Rename-Printer: Renames a printer
  • Restart-PrintJob: Restarts a print job
  • Resume-PrintJob: Resumes a print job
  • Set-PrintConfiguration: Sets the printer's configuration information
  • Set-Printer: Updates the printer's configuration

To get a list of all the available cmdlets, type the following command into a PowerShell console:

Get-Command -Module PrintManagement

The output of the previous command is shown in the following screenshot:

Figure 12.25 - The output of Get-Command for the PrintManagement module

A few examples that will help you understand the previously listed cmdlets are as follows:

Add-PrinterDriver -Name "HP0AF4E0 (HP OfficeJet Pro 6970)"

The previous command installs the named driver on the local print server. The -Name value must match a driver that is already in the driver store (stage it first with pnputil, or point Add-PrinterDriver at the INF with -InfPath). The next example is as follows:

Add-PrinterPort -Name "IP_10.168.14.29" -PrinterHostAddress ""

The previous command adds a local TCP/IP printer port named IP_10.168.14.29; -PrinterHostAddress takes the printer's IP address or hostname. We will see the next example:

Rename-Printer -Name "HP0AF4E0 (HP OfficeJet Pro 6970)" -NewName "HPOJ6970_ITSupport"

The previous command renames the printer from HP0AF4E0 (HP OfficeJet Pro 6970) to HPOJ6970_ITSupport. We move on to the following example:

Get-Printer -Name "HP0AF4E0 (HP OfficeJet Pro 6970)"

The previous command returns the details of the HP0AF4E0 (HP OfficeJet Pro 6970) printer. Now, have a look at the next example:

Remove-Printer -Name "HP0AF4E0 (HP OfficeJet Pro 6970)"

The previous command removes the HP0AF4E0 (HP OfficeJet Pro 6970) printer. We will look at the last example:

Remove-PrinterDriver -Name "HP0AF4E0 (HP OfficeJet Pro 6970)"

The previous command removes the named printer driver from the print server. A driver can only be removed once no printer on the server still uses it, which is why the printer was removed first.
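The following script is an added example and is not code from the MD-100 guide. It combines the cmdlets listed above into two reusable functions: one that inventories every printer on one or more print servers together with its driver type, job count and share state (flagging shared queues that still rely on a Type 3 driver), and one that installs and shares a TCP/IP printer end to end with -WhatIf support. It assumes Windows PowerShell 5.1 with the PrintManagement module, administrative rights on each server, and a driver that is already in the driver store; the server names, driver name and address in the usage lines are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the MD-100 guide): inventory printers and their drivers
# on one or more Windows print servers, then install and share a TCP/IP printer.
# Assumptions: Windows PowerShell 5.1 with the PrintManagement module, admin
# rights on every server in -ComputerName, and a driver that is already in the
# driver store. Server names, driver names and addresses below are placeholders.

function Get-PrinterDriverReport {
    [CmdletBinding()]
    param(
        # Print servers to query; defaults to the local computer
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($server in $ComputerName) {
        # Look up each driver once per server so the printer loop stays cheap
        $drivers = @{}
        foreach ($d in Get-PrinterDriver -ComputerName $server) { $drivers[$d.Name] = $d }

        foreach ($p in Get-Printer -ComputerName $server) {
            $drv  = $drivers[$p.DriverName]
            $jobs = @(Get-PrintJob -ComputerName $server -PrinterName $p.Name).Count
            # A shared queue that uses a Type 3 (v3) driver delivers driver code to
            # every connecting client through Point and Print, so flag it for review
            $flag = if ($p.Shared -and $drv -and $drv.MajorVersion -lt 4) { 'Shared Type 3 driver' } else { '' }
            [pscustomobject]@{
                Server     = $server
                Printer    = $p.Name
                Port       = $p.PortName
                Shared     = $p.Shared
                ShareName  = $p.ShareName
                Status     = $p.PrinterStatus
                Jobs       = $jobs
                Driver     = $p.DriverName
                DriverType = if ($drv) { "Type $($drv.MajorVersion)" } else { 'Unknown' }
                Flag       = $flag
            }
        }
    }
}

function Install-TcpPrinter {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$HostAddress,   # IP address or DNS name of the device
        [Parameter(Mandatory)][string]$DriverName,    # driver name as it appears in the driver store
        [string]$ShareName                            # leave empty to keep the printer unshared
    )
    # Follow the console's own naming convention for standard TCP/IP ports
    $portName = "IP_$HostAddress"

    if (-not (Get-PrinterPort -Name $portName -ErrorAction SilentlyContinue)) {
        if ($PSCmdlet.ShouldProcess($portName, 'Add TCP/IP printer port')) {
            Add-PrinterPort -Name $portName -PrinterHostAddress $HostAddress
        }
    }
    if (-not (Get-PrinterDriver -Name $DriverName -ErrorAction SilentlyContinue)) {
        if ($PSCmdlet.ShouldProcess($DriverName, 'Install printer driver from the driver store')) {
            Add-PrinterDriver -Name $DriverName
        }
    }
    if ($PSCmdlet.ShouldProcess($Name, 'Add printer')) {
        Add-Printer -Name $Name -DriverName $DriverName -PortName $portName
        if ($ShareName) {
            Set-Printer -Name $Name -Shared $true -ShareName $ShareName
        }
        Get-Printer -Name $Name
    }
}

# Usage (placeholder names): preview the changes with -WhatIf, then run them for real
# Install-TcpPrinter -Name 'HPOJ6970_ITSupport' -HostAddress '192.0.2.10' `
#     -DriverName 'HP OfficeJet Pro 6970 PCL-3' -ShareName 'ITSupport' -WhatIf
# Get-PrinterDriverReport -ComputerName 'PRINT01', 'PRINT02' |
#     Where-Object Flag | Format-Table -AutoSize
```

Running the report across all print servers and filtering on the Flag column gives you the same view as a custom filter in the console, but in a form you can schedule or feed into a ticket. Install-TcpPrinter checks for the port and driver before creating them, so it is safe to re-run.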

In this section, you have learned how to manage a print server with the Print Management console and with PowerShell. The next section shows you how to configure the indexing options in Windows 10.

Configuring the indexing options

Windows indexes data on your computer in the background to speed up Windows 10 search. This data includes files, folders, and documents created by the user. Most users never change the default indexing settings, but you can add new indexed locations and remove others. The default locations include parts of your user profile and the Start menu; you can add other locations that you access regularly.

If you store a lot of data in a storage space or on a removable drive, you can add that location in Indexing Options so that future searches of it are significantly faster.

To view your existing indexing locations, follow these steps:

  1. Click on the Start icon.
  2. Type in indexing and click on Indexing Options.
  3. Then, the Indexing Options dialog box will open up, as shown:

Figure 12.26 - Indexing Options dialog box

From the previous screenshot, you can see that you can add or remove locations using the Modify button. There is also an Advanced button.

When you click on the Modify button, the Indexed Locations window shows the list of indexed locations. Clicking on the Show all locations button reveals the locations that are hidden by default, as shown:

Figure 12.27 - Indexed Locations dialog box

The indexing process does not run immediately after you change the indexed locations; rather, it runs as a background task while your system is idle. While the indexing cycle is incomplete, the dialog box shows that indexing is in progress, as shown:

Figure 12.28 - Indexing is in progress

The Advanced button in the Indexing Options dialog box allows you to customize Index Settings and indicate excluded file types. On the Index Settings tab, you can choose whether encrypted files are indexed, treat similar words with diacritics as different words, delete and rebuild the index, and move the index from its default location under C:\ProgramData\Microsoft. Be aware that indexing encrypted files stores their content in the index database, which is why Windows warns you to protect the volume holding the index (for example, with BitLocker) when you enable that option. In the following screenshot, you can see what the Index Settings tab looks like:

Figure 12.29 - Index Settings tab in the Advanced Options dialog box

You can remove file types from the index under the File Types tab and customize whether the index searches a file's contents or just the file properties. You can also manually add new types of files that are not automatically included in the index. In the following screenshot, you can see what the File Types tab looks like:

Figure 12.30 - File Types tab in the Advanced Options dialog box
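The following script is an added example and is not code from the MD-100 guide. It shows the other side of the settings above: where the index database actually lives, and how an application queries the index through the Windows Search OLE DB provider, which is what makes searches of indexed locations fast. It assumes the Windows Search service (WSearch) is running and Windows PowerShell 5.1; the folder, file pattern and search term in the usage lines are placeholders.

```powershell
# Added example (not from the MD-100 guide): read where the Windows Search index
# lives and query it through the Windows Search OLE DB provider. Assumes the
# Windows Search service (WSearch) is running; the folder and patterns in the
# usage lines are placeholders.

function Get-SearchIndexLocation {
    # DataDirectory holds the folder that contains the index database (Windows.edb);
    # it changes when you move the index from the Index Settings tab
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Search'
    (Get-ItemProperty -Path $key -Name DataDirectory).DataDirectory
}

function Search-WindowsIndex {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Scope,   # folder to search, e.g. C:\Users\Public
        [string]$FileName = '%',                # SQL LIKE pattern, e.g. %.docx
        [string]$Contains,                      # optional word to look for in file contents
        [int]$Top = 100
    )
    # Escape single quotes so user input cannot break out of the string literals
    $esc = { param($s) $s -replace "'", "''" }
    # SCOPE expects a file: URL with forward slashes
    $scopeUrl = 'file:' + (& $esc ($Scope -replace '\\', '/'))

    # The index is exposed as the SYSTEMINDEX catalog with Windows Search SQL
    $sql = "SELECT TOP $Top System.ItemPathDisplay, System.Size, System.DateModified " +
           "FROM SYSTEMINDEX WHERE SCOPE='$scopeUrl' " +
           "AND System.FileName LIKE '$(& $esc $FileName)'"
    if ($Contains) { $sql += " AND CONTAINS('$(& $esc $Contains)')" }

    $connStr = "Provider=Search.CollatorDSO;Extended Properties='Application=Windows'"
    $conn = New-Object -TypeName System.Data.OleDb.OleDbConnection -ArgumentList $connStr
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = $sql
    try {
        $conn.Open()
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            [pscustomobject]@{
                Path     = $reader.GetValue(0)
                Size     = $reader.GetValue(1)
                Modified = $reader.GetValue(2)
            }
        }
    } finally {
        $conn.Close()
    }
}

# Usage (placeholders): only files inside an indexed location are returned, so an
# empty result for a folder you expect to contain matches is itself a sign that
# the folder is not in Indexed Locations
# Get-SearchIndexLocation
# Search-WindowsIndex -Scope 'C:\Users\Public\Documents' -FileName '%.docx' -Contains 'budget'
```

The query never touches the disk for the files themselves; it reads the index database, which is why the content of any encrypted file you choose to index ends up in that database and why its location deserves the same protection as the data it describes.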

In this section, you have learned how to configure Indexing Options to speed up searches in Windows 10. In the final section of this chapter, we will look at configuring Windows services.

Configuring and managing services

A service can best be defined as a component of the software that communicates with system drivers on one level and with app-level components on another. In a sense, services are located between apps and hardware devices and are considered a core part of the OS.

Windows 10 services run in the background and do not require user interaction. You can control them from the Services management console, from the Command Prompt, and with PowerShell.

The best way to handle services is by using the Services management console snap-in, as in the following screenshot:

Figure 12.31 - Services management console snap-in

From the previous screenshot, you can see that you can use this console to view and manage services in the system. You can also manage the settings of a service by double-clicking on the desired service. In the Properties dialog box for the named service, you can then configure its properties, as shown:

Figure 12.32 - The Properties dialog box of a service

Instead of using a Graphical User Interface (GUI) to configure services, you can also use command-line tools to investigate and troubleshoot services. To use the commands, you have to open an elevated Command Prompt. The commands are as follows:

  • NET start: Starts a service
  • NET stop: Stops a service
  • sc query: Displays the status of a service
  • sc qc: Displays the configuration of a service, including its start type, binary path, and the account it runs as
  • sc stop: Stops a service
  • sc start: Starts a service

Note that inside PowerShell, sc is an alias for Set-Content, so call the tool as sc.exe there.

For example, if you want to stop the Dynamic Host Configuration Protocol (DHCP) Client service shown in the previous screenshot, the command will be as follows:

NET stop dhcp

Services can also be controlled with PowerShell using cmdlets such as Get-Service, Start-Service, Stop-Service, Restart-Service, and Set-Service. This is particularly useful because you can use PowerShell to control other computers and their services remotely. You can also script PowerShell cmdlets so that you can reuse administrative tasks in the future. To change a service's state or configuration, you must open an elevated PowerShell window.
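The following script is an added example and is not code from the MD-100 guide. It shows the remote and scripted use of service cmdlets that the paragraph above describes: one function reports each service's state, start mode, run-as account and binary path across several computers (flagging the unquoted-path misconfiguration a troubleshooter should catch), and another restarts a service while showing which dependent services will go down with it. It assumes Windows PowerShell 5.1 (where Get-Service still accepts -ComputerName), WinRM or DCOM access to the remote computers, and administrative rights; the computer and service names in the usage lines are placeholders.

```powershell
# Added example (not from the MD-100 guide): report on services locally or on
# remote computers, then restart one with its dependents visible. Assumes Windows
# PowerShell 5.1 (Get-Service -ComputerName), WinRM or DCOM access to the remote
# computers, and admin rights; the computer and service names in the usage lines
# are placeholders.

function Get-ServiceReport {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [string]$Name = '*'      # service name filter; * matches everything
    )
    foreach ($computer in $ComputerName) {
        # Win32_Service exposes the start account and binary path, which Get-Service does not
        $filter = "Name LIKE '$($Name -replace '\*', '%')'"
        foreach ($svc in Get-CimInstance -ClassName Win32_Service -ComputerName $computer -Filter $filter) {
            $path = $svc.PathName
            # Executable portion of the command line: everything before the first " -" or " /"
            $exe  = if ($path) { ($path -split ' [-/]')[0] } else { '' }
            # An unquoted path containing spaces is a misconfiguration worth fixing:
            # the service control manager may resolve it to an unintended executable
            $unquoted = ($exe -match ' ') -and ($path -notmatch '^"')
            [pscustomobject]@{
                Computer     = $computer
                Name         = $svc.Name
                DisplayName  = $svc.DisplayName
                State        = $svc.State
                StartMode    = $svc.StartMode
                Account      = $svc.StartName
                Path         = $path
                UnquotedPath = $unquoted
            }
        }
    }
}

function Restart-ServiceSafely {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$TimeoutSeconds = 30
    )
    $svc = Get-Service -Name $Name -ComputerName $ComputerName
    # Stopping a service also stops everything that depends on it; say so up front
    $running = @($svc.DependentServices | Where-Object Status -eq 'Running')
    if ($running.Count -gt 0) {
        Write-Warning ("Restarting {0} also restarts: {1}" -f $Name, ($running.Name -join ', '))
    }
    if ($PSCmdlet.ShouldProcess("$Name on $ComputerName", 'Restart service')) {
        $timeout = [TimeSpan]::FromSeconds($TimeoutSeconds)
        $svc.Stop()                               # ServiceController.Stop() also stops dependents
        $svc.WaitForStatus('Stopped', $timeout)
        $svc.Start()
        $svc.WaitForStatus('Running', $timeout)
        $svc.Refresh()
    }
    $svc
}

# Usage (placeholders): list services that run as a non-built-in account or have an
# unquoted path, then restart the DHCP Client service on a remote computer
# Get-ServiceReport -ComputerName 'PC01', 'PC02' |
#     Where-Object { $_.UnquotedPath -or $_.Account -notmatch 'LocalSystem|LocalService|NetworkService' } |
#     Format-Table -AutoSize
# Restart-ServiceSafely -Name 'Dhcp' -ComputerName 'PC01' -WhatIf
```

Get-CimInstance is used for the report because the Services console columns shown in the screenshot (Log On As, Startup Type) come from the same Win32_Service data, and Get-Service alone does not expose them. Run Restart-ServiceSafely with -WhatIf first to see the dependent services before anything is stopped.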

In this section, you learned how to configure and manage services with the snap-in, PowerShell, and the Command Prompt.

Summary

In this chapter, you learned how to understand event logs and their two different log types. You also familiarized yourself with working in the Event Viewer, how to read event logs, and how to use four different built-in tools to monitor the performance of Windows 10. You then familiarized yourself with how to track down potentially corrupted app installations or updates that could make a computer unstable, as well as how to manage and monitor printers. Finally, you learned how to carry out some speed enhancements in Windows, as well as what a service is and how to configure it.

With the skills that you have learned in this chapter, you are able to configure and analyze event logs, and you can manage the performance of Windows 10 efficiently by configuring indexing and Windows services.

You are now ready to take the Microsoft MD-100 exam. Next, we will test the knowledge and lessons that you have learned from this book.

Questions

  1. In Event Viewer, you will see a node called Forwarded Events. Is this node used to send logs to other computers?
  2. To enable Windows Event Collector, can you use the winrm quickconfig command?
  3. Can you use the perfmon command to open Resource Monitor?
  4. Does Reliability Monitor measure the history of problems?
  5. Can you use Network Printer Installation Wizard to install printers?
  6. Are Type 3 printer drivers downloaded from Windows Update during installation?
  7. Can you change the index location of the indexing services?

Further reading