Reading Event Logs Smart (Part 2)

by Jun 14, 2018

In the previous tip we illustrated how you can access detailed event log information that you retrieved via Get-EventLog by using ReplacementStrings. That worked beautifully, however Get-EventLog can only read the “classic” Windows logs. There are hundreds of additional logs in modern Windows versions.

These logs can be read via Get-WinEvent, and there is a wealth of information to discover. For example, to get a list of installed updates, try this:

$filter = @{ ProviderName="Microsoft-Windows-WindowsUpdateClient"; Id=19 } Get-WinEvent -FilterHashtable $filter | Select-Object -ExpandProperty Message -First 4

Note that this is just an example. With the code above, you can query any log for any event ID you are after. The line above, for example, gets you the latest 4 updates that were installed:

 PS> . 'C:\Users\tobwe\Documents\PowerShell\Untitled5.ps1' <# script is not saved yet #> Installation Successful: Windows successfully installed the following update: Definitionsupdate für Windows Defender Antivirus – KB2267602 (Definition 1.269.69.0) Installation Successful: Windows successfully installed the following update: 9WZDNCRFJ1XX-FITBIT.F ITBIT Installation Successful: Windows successfully installed the following update: Definitionsupdate für Windows Defender Antivirus – KB2267602 (Definition 1.269.28.0) Installation Successful: Windows successfully installed the following update: 9WZDNCRFHVQM-MICROSOF T.WINDOWSCOMMUNICATIONSAPPS

However, this is just text, and it’s not easy to turn this into a nice report of installed updates. With Get-EventLog, like shown in our previous tip, you could use ReplacementStrings to easily access the pure information. Get-WinEvent has no ReplacementStrings, though.

However, there is a property called “Properties”. Here is how you can turn this property into an array that behaves just like ReplacementStrings:

$filter = @{ ProviderName="Microsoft-Windows-WindowsUpdateClient"; Id=19 } Get-WinEvent -FilterHashtable $filter | ForEach-Object { # create a ReplacementStrings array  # this array holds the information that is inserted  # into the event message template text  $ReplacementStrings = $_.Properties | ForEach-Object { $_.Value } # return a new object with the required information  [PSCustomObject]@{ Time = $_.TimeCreated # index 0 contains the name of the update  Name = $ReplacementStrings[0] User = $_.UserId.Value } }

This code returns a nice list of installed updates:

 Time Name ---- ---- 25.05.2018 09:00:20 Definitionsupdate für Windows Defender Antivirus – KB2267602 (Definition 1.... 25.05.2018 07:59:44 9WZDNCRFJ1XX-FITBIT.FITBIT 24.05.2018 11:04:15 Definitionsupdate für Windows Defender Antivirus – KB2267602 (Definition 1.... 24.05.2018 08:36:26 9WZDNCRFHVQM-MICROSOFT.WINDOWSCOMMUNICATIONSAPPS 24.05.2018 08:34:30 9N4WGH0Z6VHQ-Microsoft.HEVCVideoExtension 24.05.2018 08:34:24 9WZDNCRFJ2QK-ZDFGemeinntzigeAnstaltdes.ZDFmediathek 23.05.2018 11:57:42 Definitionsupdate für Windows Defender Antivirus – KB2267602 (Definition 1.... 23.05.2018 07:37:11 9WZDNCRFHVQM-MICROSOFT.WINDOWSCOMMUNICATIONSAPPS 23.05.2018 07:36:57 9WZDNCRFJ3PT-MICROSOFT.ZUNEMUSIC 23.05.2018 04:01:11 Definitionsupdate für Windows Defender Antivirus – KB2267602 (Definition 1.... 22.05.2018 12:26:55 Definitionsupdate für Windows Defender Antivirus – KB2267602 (Definition 1.... 22.05.2018 08:34:28 9NBLGGH5FV99-Microsoft.MSPaint 22.05.2018 08:33:25 9WZDNCRFJ364-MICROSOFT.SKYPEAPP

Twitter This Tip! ReTweet this Tip!