When reading event log data with Get-WinEvent, in the previous tip we explained how you can use the “Properties” property to extract the event details and use them in your own custom reporting.
The same can be achieved with a fairly unknown trick. To illustrate, let’s again look at recently installed software. This gets you the data set for the latest installed MSI software on your Windows machine:
$item = Get-WinEvent -FilterHashtable @{ ProviderName="MSIInstaller"; ID=1033 } -MaxEvents 1 $item
The event data we are after – like software name and version – is still embedded as a string in “Message”. In our previous tip we would now look into the “Properties” property to find the event information there.
However, if you are more comfortable using XML, you can always turn the event objects into pure XML (as XML is the native event format anyway):
$item.ToXml()
Or, you can use the raw XML and construct your own object model by casting it to the type [xml]:
$xml = [xml]$item.ToXml()
Now it is easy to tap into the associated event data and find the event information you need. In our example, we now see installed software name, version, and more:
PS> $xml.Event.EventData.Data Elgato Stream Deck 4.9.3.13222 1033 0 Elgato Systems GmbH (NULL)
Let’s rewrite the previous tip to use the XML approach instead:
$name = @{ Name = 'Name' Expression = { ($_.ToXml() -as [xml]).Event.EventData.Data[0] } } $version = @{ Name = 'Version' Expression = { ($_.ToXml() -as [xml]).Event.EventData.Data[1] -as [Version] } } $vendor = @{ Name = 'Vendor' Expression = { ($_.ToXml() -as [xml]).Event.EventData.Data[4] } } $result = @{ Name = 'Result' Expression = { ($_.ToXml() -as [xml]).Event.EventData.Data[3] -as [int] } } Get-WinEvent -FilterHashtable @{ ProviderName="MSIInstaller"; ID=1033 } | Select-Object -Property TimeCreated, $name, $version, $vendor
Again, the result is a detailed report about the MSI software recently installed on your machine.
