Get-WindowsEventLogMessage.ps1
<#PSScriptInfo
.VERSION 1.1.1
.GUID fb06bec9-3e1b-472d-948b-3517f71d876c
.AUTHOR saw-friendship
.COMPANYNAME
.COPYRIGHT
.TAGS saw-friendship Windows EventLog Message XML
.LICENSEURI
.PROJECTURI https://sawfriendship.wordpress.com
.ICONURI
.EXTERNALMODULEDEPENDENCIES
.REQUIREDSCRIPTS
.EXTERNALSCRIPTDEPENDENCIES
.RELEASENOTES
#>

<#
.SYNOPSIS
    Expands the <EventData><Data> fields of Windows events into properties of PSCustomObjects.
.DESCRIPTION
    Expand WinEventLog Message and generating objects.

    Thin wrapper around Get-WinEvent. Each selected record is serialised with ToXml(); every
    <Data Name="..."> element under <Event><EventData> becomes one property of the output object
    (its name optionally prefixed with -PropertyPrefix, its value the element's #text, copied
    verbatim). A fixed set of record metadata (Id, ProviderName, TimeCreated, LevelDisplayName,
    TaskDisplayName, MachineName) is always emitted first; -All adds the remaining
    EventLogRecord fields, including the raw Message and Properties.

    Security note: the expanded values are whatever the event writer recorded (for Security
    logon events that includes caller-supplied strings such as account and workstation names).
    Treat them as untrusted input when feeding them into further commands, queries or reports.
.PARAMETER ProviderName
    Restricts the query to one event provider (FilterHashtable.ProviderName).
.PARAMETER Id
    One or more event IDs to select (FilterHashtable.Id).
.PARAMETER LogName
    Channel to read. Defaults to 'Security' (which normally requires local administrator /
    "Manage auditing and security log" rights).
.PARAMETER Path
    Forwarded as Get-WinEvent -Path. See the review note at the call site: -Path and
    -FilterHashtable belong to different Get-WinEvent parameter sets.
.PARAMETER MaxEvents
    Forwarded as Get-WinEvent -MaxEvents. Applied by Get-WinEvent BEFORE the -After/-Before
    filter below, so the script can return fewer (possibly zero) events than requested.
.PARAMETER ComputerName
    Remote host to query; forwarded to Get-WinEvent.
.PARAMETER Credential
    PSCredential used for the remote query; forwarded to Get-WinEvent unchanged.
.PARAMETER Force
    Forwarded as Get-WinEvent -Force.
.PARAMETER Oldest
    Forwarded as Get-WinEvent -Oldest (oldest-first order).
.PARAMETER All
    Also emit UserId, Keywords, RecordId, ProcessId, ThreadId, Bookmark, Properties, Message
    and the other EventLogRecord fields listed in the -Begin block.
.PARAMETER PropertyPrefix
    String prepended to every expanded <Data> name; use it to avoid clashes with the fixed
    metadata property names. Default: empty.
.PARAMETER After
    Only records with TimeCreated strictly later than this are emitted. Default: midnight
    (local time) at the start of yesterday.
.PARAMETER Before
    Only records with TimeCreated strictly earlier than this are emitted. Default: now.
.PARAMETER TimeCreatedFormat
    When non-empty, TimeCreated is emitted as TimeCreated.ToString($TimeCreatedFormat)
    (a string); otherwise the DateTime is passed through.
.PARAMETER Property
    Forwarded to Select-Object -Property on each output object. Default: '*'.
.EXAMPLE
    Get-WindowsEventLogMessage -Id 4624 -LogName Security -MaxEvents 10
#>
param(
    [string]$ProviderName,
    [int[]]$Id,
    [string]$LogName = 'Security',
    [string]$Path,
    [int]$MaxEvents,
    [string]$ComputerName,
    [switch]$Force,
    [PSCredential]$Credential,   # remote query credential; keep it a PSCredential, never a plain-text password
    [switch]$Oldest,
    [switch]$All,
    [string]$PropertyPrefix = '',
    [datetime]$After = $(Get-Date).AddDays(-1).Date,   # start of yesterday, local time
    [datetime]$Before = $(Get-Date),
    [string]$TimeCreatedFormat,
    [string[]]$Property = @('*')
)

# Build the Get-WinEvent argument set: $FilterHashtable is the -FilterHashtable value,
# $Param is splatted onto Get-WinEvent, $SelectParam onto the final Select-Object.
$FilterHashtable = [Hashtable]@{}
$Param = [Hashtable]@{}
$SelectParam = [Hashtable]@{'Property' = $Property}
if($ProviderName){$FilterHashtable.ProviderName = $ProviderName}
if($Id){$FilterHashtable.Id = $Id}
if($LogName){$FilterHashtable.LogName = $LogName}
if($MaxEvents){$Param.MaxEvents = $MaxEvents}
# NOTE(review): -Path and -FilterHashtable are in different Get-WinEvent parameter sets, so
# with the 'Security' default for -LogName this combination is expected to be rejected by
# parameter-set resolution. To read an .evtx file, the path would have to go into the
# hashtable's Path key instead (and LogName dropped) — verify on the target PowerShell version.
if($Path){$Param.Path = $Path}
if($ComputerName){$Param.ComputerName = $ComputerName}
if($Credential){$Param.Credential = $Credential}
if($Force){$Param.Force = $Force}
if($Oldest){$Param.Oldest = $Oldest}
# NOTE(review): a hashtable, even an empty one, is truthy in PowerShell, so this guard always
# attaches the filter; it is never empty anyway unless -LogName '' is passed — confirm if you
# intend this to be a real "no filter" switch.
if($FilterHashtable){$Param.FilterHashtable = $FilterHashtable}

# The -After/-Before window is enforced client-side, after Get-WinEvent has already applied
# -MaxEvents (and the -Oldest ordering). With -Oldest, or a window narrower than the newest
# $MaxEvents records, the result set may therefore be smaller than $MaxEvents or empty.
# Moving the bounds into the hashtable (StartTime/EndTime) would filter server-side instead.
Get-WinEvent @Param | ? {(($_.TimeCreated -gt $After) -and ($_.TimeCreated -lt $Before))} | % {
    # Serialise the record and walk its <EventData><Data> children. Events that carry
    # <UserData> (or no data section) are not expanded here; with -All their content is
    # only reachable through Properties / Message.
    ([xml]($_.ToXml())).Event.EventData.Data | % -Begin {
        # Inside -Begin the inner pipeline has not bound $_ yet, so $_ is still the
        # EventLogRecord from the enclosing ForEach-Object; the code relies on that.
        $Hash = [ordered]@{
            'Id' = $_.Id
            'ProviderName' = $_.ProviderName
            # Both hashtable values are evaluated eagerly; the IsNullOrEmpty result then
            # picks the formatted string ($false) or the raw DateTime ($true).
            'TimeCreated' = $(@{$true = $_.TimeCreated; $false = $_.TimeCreated.ToString($TimeCreatedFormat)}[[string]::IsNullOrEmpty($TimeCreatedFormat)])
            'LevelDisplayName' = $_.LevelDisplayName
            'TaskDisplayName' = $_.TaskDisplayName
            'MachineName' = $_.MachineName
        }
        if($All){
            $Hash.UserId = $_.UserId
            $Hash.KeywordsDisplayNames = $_.KeywordsDisplayNames
            $Hash.Version = $_.Version
            $Hash.Qualifiers = $_.Qualifiers
            $Hash.Level = $_.Level
            $Hash.Task = $_.Task
            $Hash.Opcode = $_.Opcode
            $Hash.Keywords = $_.Keywords
            $Hash.RecordId = $_.RecordId
            $Hash.ProviderId = $_.ProviderId
            $Hash.ProcessId = $_.ProcessId
            $Hash.ThreadId = $_.ThreadId
            $Hash.ActivityId = $_.ActivityId
            $Hash.RelatedActivityId = $_.RelatedActivityId
            $Hash.ContainerLog = $_.ContainerLog
            $Hash.MatchedQueryIds = $_.MatchedQueryIds
            $Hash.Bookmark = $_.Bookmark
            $Hash.OpcodeDisplayName = $_.OpcodeDisplayName
            $Hash.Properties = $_.Properties
            $Hash.Message = $_.Message
        }
    } -Process {
        # One property per <Data> element: key = prefix + Name attribute, value = raw #text.
        # NOTE(review): OrderedDictionary.Add throws on a duplicate key, so an event with
        # repeated or unnamed <Data> elements, or a Data name that collides with one of the
        # fixed keys above when -PropertyPrefix is empty, aborts the whole pipeline rather
        # than being skipped — confirm against the event IDs you query.
        $Hash.Add($($PropertyPrefix + $_.Name),$_.'#text')
    } -End {
        [pscustomobject]$Hash | Select-Object @SelectParam
    }
# NOTE(review): the outer pipeline continues past the end of this excerpt (trailing '|').
} |