Get-WindowsEventLogMessage.ps1

<#PSScriptInfo
 
.VERSION 1.1.1
 
.GUID fb06bec9-3e1b-472d-948b-3517f71d876c
 
.AUTHOR saw-friendship
 
.COMPANYNAME
 
.COPYRIGHT
 
.TAGS
 saw-friendship Windows EventLog Message XML
 
.LICENSEURI
 
.PROJECTURI
 https://sawfriendship.wordpress.com
 
.ICONURI
 
.EXTERNALMODULEDEPENDENCIES
 
.REQUIREDSCRIPTS
 
.EXTERNALSCRIPTDEPENDENCIES
 
.RELEASENOTES
 
#>


<#
 
.DESCRIPTION
 Queries Windows event log records with Get-WinEvent and expands each record's EventData into
 a PSCustomObject: the fixed record fields (Id, ProviderName, TimeCreated, ...) plus one
 property per <Data Name="..."> element, optionally prefixed with -PropertyPrefix.
 
.EXAMPLE
 Get-WindowsEventLogMessage -Id 4624 -LogName Security -MaxEvents 10
 
#>
 

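param(
    # Selection criteria passed to Get-WinEvent through -FilterHashtable.
    [string]$ProviderName,
    [int[]]$Id,
    [string]$LogName = 'Security',
    # Path of an exported .evtx file; when given it replaces LogName as the event source.
    [string]$Path,
    [int]$MaxEvents,
    # Remote host and the credential used for the remote event-log session.
    [string]$ComputerName,
    [switch]$Force,
    [PSCredential]$Credential,
    [switch]$Oldest,
    # Emit the full set of EventLogRecord fields, not only the short summary set.
    [switch]$All,
    # Prepended to every EventData property name (keeps them apart from the record fields).
    [string]$PropertyPrefix = '',
    # Time window; defaults to "from the start of yesterday until now".
    [datetime]$After = $(Get-Date).AddDays(-1).Date,
    [datetime]$Before = $(Get-Date),
    # Optional .ToString() format applied to TimeCreated; empty keeps the [datetime] value.
    [string]$TimeCreatedFormat,
    # Property list handed to the final Select-Object.
    [string[]]$Property = @('*')
)

# ---- build the Get-WinEvent query -------------------------------------------------------
# Every selection criterion goes into the filter hashtable so the filtering is done by the
# event log service / file reader rather than on objects that were already returned.
$FilterHashtable = @{}

if ($ProviderName) { $FilterHashtable.ProviderName = $ProviderName }
if ($Id)           { $FilterHashtable.Id = $Id }

# -Path and -FilterHashtable belong to different Get-WinEvent parameter sets and cannot be
# combined on the command line (the original passed -Path next to -FilterHashtable, which
# fails with an ambiguous-parameter-set error). An exported file is therefore selected via
# the hashtable's Path key; LogName (default 'Security') is only applied when no file is given.
if ($Path) {
    $FilterHashtable.Path = $Path
} elseif ($LogName) {
    $FilterHashtable.LogName = $LogName
}

# The time window is part of the query as well. Get-WinEvent applies -MaxEvents before the
# script sees the records, so filtering the window client-side only (as before) could return
# N records that all fall outside [After, Before] - e.g. with -Oldest - and yield nothing.
$FilterHashtable.StartTime = $After
$FilterHashtable.EndTime   = $Before

$Param = @{ FilterHashtable = $FilterHashtable }
if ($MaxEvents)    { $Param.MaxEvents    = $MaxEvents }
if ($ComputerName) { $Param.ComputerName = $ComputerName }
if ($Credential)   { $Param.Credential   = $Credential }
if ($Force)        { $Param.Force        = $Force }
if ($Oldest)       { $Param.Oldest       = $Oldest }

$SelectParam = @{ Property = $Property }

# ---- expand each record ------------------------------------------------------------------
Get-WinEvent @Param |
    # StartTime/EndTime are inclusive; keep the original strict boundaries for the output.
    Where-Object { ($_.TimeCreated -gt $After) -and ($_.TimeCreated -lt $Before) } |
    ForEach-Object {
        $Record = $_

        $TimeCreated = $Record.TimeCreated
        if (-not [string]::IsNullOrEmpty($TimeCreatedFormat)) {
            $TimeCreated = $TimeCreated.ToString($TimeCreatedFormat)
        }

        $Hash = [ordered]@{
            'Id'               = $Record.Id
            'ProviderName'     = $Record.ProviderName
            'TimeCreated'      = $TimeCreated
            'LevelDisplayName' = $Record.LevelDisplayName
            'TaskDisplayName'  = $Record.TaskDisplayName
            'MachineName'      = $Record.MachineName
        }

        if ($All) {
            $Hash.UserId               = $Record.UserId
            $Hash.KeywordsDisplayNames = $Record.KeywordsDisplayNames
            $Hash.Version              = $Record.Version
            $Hash.Qualifiers           = $Record.Qualifiers
            $Hash.Level                = $Record.Level
            $Hash.Task                 = $Record.Task
            $Hash.Opcode               = $Record.Opcode
            $Hash.Keywords             = $Record.Keywords
            $Hash.RecordId             = $Record.RecordId
            $Hash.ProviderId           = $Record.ProviderId
            $Hash.ProcessId            = $Record.ProcessId
            $Hash.ThreadId             = $Record.ThreadId
            $Hash.ActivityId           = $Record.ActivityId
            $Hash.RelatedActivityId    = $Record.RelatedActivityId
            $Hash.ContainerLog         = $Record.ContainerLog
            $Hash.MatchedQueryIds      = $Record.MatchedQueryIds
            $Hash.Bookmark             = $Record.Bookmark
            $Hash.OpcodeDisplayName    = $Record.OpcodeDisplayName
            $Hash.Properties           = $Record.Properties
            $Hash.Message              = $Record.Message
        }

        # EventData is absent for providers that log <UserData> instead; .Data is then $null
        # and the record is emitted with the fixed fields only.
        $DataNodes = @(([xml]$Record.ToXml()).Event.EventData.Data)
        $DataIndex = 0
        foreach ($Node in $DataNodes) {
            if ($null -eq $Node) { continue }

            # A <Data Name="..."> element is adapted with .Name (the attribute) and .'#text'.
            # An unnamed <Data>text</Data> is adapted to a plain string, which has neither;
            # the original read $null for both and then failed on the second such element
            # (duplicate '' key), so unnamed values are keyed by their position instead.
            if ($Node -is [System.Xml.XmlElement] -and $Node.HasAttribute('Name')) {
                $Name  = $Node.GetAttribute('Name')
                $Value = $Node.'#text'
            } elseif ($Node -is [System.Xml.XmlElement]) {
                $Name  = "Data$DataIndex"
                $Value = $Node.'#text'
            } else {
                $Name  = "Data$DataIndex"
                $Value = [string]$Node
            }
            $DataIndex++

            # OrderedDictionary.Add throws on a duplicate key and aborted the whole event.
            # That happens whenever a Data name equals one of the fixed fields above with an
            # empty -PropertyPrefix (the -All set includes ProcessId and Message, names that
            # also occur as Data names in common Security events). Suffix instead of failing.
            $Key = $PropertyPrefix + $Name
            $Suffix = 1
            while ($Hash.Contains($Key)) {
                $Key = '{0}{1}_{2}' -f $PropertyPrefix, $Name, $Suffix
                $Suffix++
            }
            $Hash[$Key] = $Value
        }

        [pscustomobject]$Hash | Select-Object @SelectParam
    }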