Powershell – Mining through Files with Obscure Dates!


Had a call today from a user that had to pull up a file.  The file wasn’t LOST but it was IMPORTANT and of course they had no clue what the file was called.  Just that it was a Word document.

Well normally, as an Administrator or an ITPro you’d put your hands in the air and go “BLAH!” because pulling out an obscure file WITHIN a file system, only knowing what day of the week it may have been opened and with an obscure Window of information to search with, was a TRUE impossibility.

Two options, tell the user to go fly a kite or find some custom software.

 

I lied.  There’s a third VERY viable option.  Powershell.

Here’s a PERFECT example of how you can use Powershell to mine through the file system without heavy effort.

Ok first off let’s pretend we have the following information to work with.

  • The File is a Word document.
  • It was created about a Month Ago
  • It was created on a Thursday or a Friday (User is not sure)
  • And they’re PRETTY certain it was created between 10:00am and 2:00pm

And you wonder why ITPros bang their head on a desk.  Normally THIS is a “Nope.  Not doin’ it, go find a dev, go explain to your boss, not my problem, fergettaboutit!”

But in Powershell this is all a NON issue.

First off let’s also pretend I at least know what folder structure it’s in.  There’s only a million files inside \CONTOSOBIGfileShare so this shouldn’t take long.

 

Filtering by file type?  That part is easy.  That’s an option in GET-CHILDITEM

GET-CHILDITEM -recurse -include *.DOC \CONTOSOBIGfileShare

 

Now to make things easier, we don’t want to keep querying against the file system over and over and over.  So let’s store those objects away

$FILELIST=GET-CHILDITEM -recurse -include *.DOC \CONTOSOBIGfileShare

Now we can examine the data more quickly.  So let’s isolate that list of files Modified between 30 and 45 days ago.  We can do that easily by comparing the date fields

$TODAY=GET-DATE

$FILELIST | where { ($_.LastWriteTime -gt $Today.AddDays(-45)) -and ($_.LastWriteTime -lt $Today.AddDays(-30)) }

 

And now to show only files modified between 10:00am and 2:00pm over that time Frame.  We can access the HOUR or MINUTES in any [DATETIME] field by accessing that specific property and comparing with it numerically.

$FILELIST | where { ($_.LastWriteTime -gt $Today.AddDays(-45)) -and ($_.LastWriteTime -lt $Today.AddDays(-30)) -and ($_.LastWriteTime.Hour -ge 10) -and ($_.LastWriteTime.Hour -lt 14) }

 

But there is still “I did this on a Thursday or Friday”, the most maddening piece.

Everywhere else?  Headache.  Powershell?  PIECE OF CAKE

 

We can actually pull out the DAY of the WEEK in ANY date in Powershell.  And yes even in a File creation date or time.  It actually shows up as the REAL name of the day!

$FILELIST | where { ($_.LastWriteTime -gt $Today.AddDays(-45)) -and ($_.LastWriteTime -lt $Today.AddDays(-30)) -and ($_.LastWriteTime.Hour -ge 10) -and ($_.LastWriteTime.Hour -lt 14) -and ( ($_.LastWriteTime.DayofWeek -eq 'Thursday') -or ($_.LastWriteTime.DayofWeek -eq 'Friday')) }

 

All in all when you look at that line you may just say “WHAAAATTT??!!” and walk away.  But let’s break it down

$FILELIST | where {

# Written less than 45 days ago
($_.LastWriteTime -gt $Today.AddDays(-45)) -and
# Written more than 30 days ago
($_.LastWriteTime -lt $Today.AddDays(-30)) -and
# 10:00am or later
($_.LastWriteTime.Hour -ge 10) -and
# Before 2:00pm
($_.LastWriteTime.Hour -lt 14) -and
# On a Thursday or a Friday
( ($_.LastWriteTime.DayofWeek -eq 'Thursday') -or ($_.LastWriteTime.DayofWeek -eq 'Friday'))

}

 

When you take a look all we are doing is examining ONE field, the “LastWriteTime”.   There are multiple properties in that field we can examine and we can get VERY granular.    Even down to Minutes and the very MONTH something occurred on.
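The same filter wrapped as a reusable function, as an added example that is not code from the original post. The function name Find-FileByWriteWindow, its parameters and the temp-folder sample files are assumptions made for the demonstration; it goes slightly beyond the post by also handling an hour window that wraps past midnight.

```powershell
# Added example: hypothetical helper, not from the original post.
function Find-FileByWriteWindow {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string] $Filter = '*.doc',
        [Parameter(Mandatory)] [datetime] $After,
        [Parameter(Mandatory)] [datetime] $Before,
        [ValidateRange(0,23)] [int] $StartHour = 0,
        [ValidateRange(1,24)] [int] $EndHour   = 24,   # exclusive upper bound
        [DayOfWeek[]] $DayOfWeek = [Enum]::GetValues([DayOfWeek])
    )
    Get-ChildItem -Path $Path -Recurse -File -Filter $Filter -ErrorAction SilentlyContinue |
        Where-Object {
            $t = $_.LastWriteTime
            $inHours = if ($StartHour -lt $EndHour) {
                ($t.Hour -ge $StartHour) -and ($t.Hour -lt $EndHour)
            } else {
                # Window wraps past midnight, e.g. StartHour 22, EndHour 2
                ($t.Hour -ge $StartHour) -or ($t.Hour -lt $EndHour)
            }
            ($t -gt $After) -and ($t -lt $Before) -and $inHours -and ($DayOfWeek -contains $t.DayOfWeek)
        }
}

# Constructed sample data: three empty files with hand-set timestamps.
$root = Join-Path ([IO.Path]::GetTempPath()) ("minedemo_" + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $root | Out-Null
$today = Get-Date
$thu = $today.Date.AddDays(-31)            # walk back to a Thursday 31-37 days ago
while ($thu.DayOfWeek -ne [DayOfWeek]::Thursday) { $thu = $thu.AddDays(-1) }
$samples = @{
    'hit.doc'        = $thu.AddHours(10).AddMinutes(30)   # Thursday 10:30, inside the window
    'wrong-hour.doc' = $thu.AddHours(16)                  # Thursday 16:00, outside the hours
    'wrong-day.doc'  = $thu.AddDays(-1).AddHours(11)      # Wednesday 11:00, wrong weekday
}
foreach ($name in $samples.Keys) {
    $f = New-Item -ItemType File -Path (Join-Path $root $name)
    $f.LastWriteTime = $samples[$name]
}
$window = @{ After = $today.AddDays(-45); Before = $today.AddDays(-30); StartHour = 10; EndHour = 14 }
Find-FileByWriteWindow -Path $root @window -DayOfWeek Thursday, Friday |
    Select-Object Name, LastWriteTime
Remove-Item -Recurse -Force $root
```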

 

Who would have EVER thought you’d have that much Power to mine the file system!  And in checking?  You can just as EASILY mine Distributed File Systems with this command as well.

Powershell.  It’s not just for Breakfast anymore

Sean
The Energized Tech
