EventLog/Get-EventPsEngineState.ps1

function Get-EventPsEngineState {
    <#
    .Synopsis
    Get serialized Windows PowerShell engine state events.
    .DESCRIPTION
    Get serialized Windows PowerShell engine state events. Query engine start, stop or all engine state events.
    .EXAMPLE
    Get-EventPsEngineState -Status Start | where {$_.hostVersion -like "*2.*"}
 
    Find all engine start events where the engine is for PowerShell 2.0.
    .NOTES
    This function needs to be executed with administrator priviages on the host.
    #>

    [CmdletBinding()]
    [Alias()]
    [OutputType([PSObject])]
    Param (
        # Engine state.
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [ValidateSet('Start','Stop', 'Any')]
        [string]
        $Status,

        # Log name of where to look for the PowerShell events.
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [string]
        $LogName = 'Windows PowerShell',

        # Specifies the maximum number of events that Get-WinEvent returns. Enter an integer. The default is to return all the events in the logs or files.
        [Parameter(Mandatory=$false,
                  ValueFromPipelineByPropertyName=$true,
                  Position=2)]
        [int]
        $MaxEvents,

        # Start Date to get all event going forward.
        [Parameter(Mandatory=$false)]
        [datetime]
        $StartTime,

        # End data for searching events.
        [Parameter(Mandatory=$false)]
        [datetime]
        $EndTime,

        <#
        Specifies the name of the computer that this cmdlet gets events from the event logs. Type the NetBIOS name, an Internet Protocol (IP)
        address, or the fully qualified domain name of the computer. The default value is the local computer.
 
        This parameter accepts only one computer name at a time. To find event logs or events on multiple computers, use a ForEach-Object
        statement. For more information about this parameter, see the examples.
 
        To get events and event logs from remote computers, the firewall port for the event log service must be configured to allow remote access.
 
        This cmdlet does not rely on Windows PowerShell remoting. You can use the ComputerName parameter even if your computer is not configured
        to run remote commands.
        #>

        [Parameter(Mandatory=$false)]
        [string]
        $ComputerName,

        <#
        Specifies a user account that has permission to perform this action. The default value is the current user.
 
        Type a user name, such as User01 or Domain01\User01. Or, enter a PSCredential object, such as one generated by the Get-Credential cmdlet.
        If you type a user name, you will be prompted for a password. If you type only the parameter name, you will be prompted for both a user
        name and a password.
        #>

        [Parameter(Mandatory=$false)]
        [pscredential]
        [Management.Automation.CredentialAttribute()]
        $Credential = [Management.Automation.PSCredential]::Empty
    )

    Begin {}
    Process {
      switch ($Status)
      {
        'Start' {
          $EventIds = 400
        }
        'Stop' {
          $EventIds = 403
        }

        'Any' {
          $EventIds = @(400,403)
        }
        default {$EventIds = 400}

      }
       # Hash for filtering
        $HashFilter = @{LogName=$LogName; Id=$EventIds; ProviderName='PowerShell'}

        # Hash for command paramteters
        $ParamHash = @{}

        if ($MaxEvents -gt 0)
        {
            $ParamHash.Add('MaxEvents', $MaxEvents)
        }

        if ($StartTime) {
            $HashFilter.Add('StartTime', $StartTime)
        }

        if ($EndTime) {
            $HashFilter.Add('EndTime', $EndTime)
        }

        if ($ComputerName){
            $HashFilter.Add('ComputerName', $ComputerName)
        }

        if ($Credential.UserName -ne $null){
            $HashFilter.Add('Credential', $Credential)
        }

        $ParamHash.Add('FilterHashTable',$HashFilter)
        Get-WinEvent @ParamHash | ForEach-Object -Process {
            [xml]$evtXml = $_.toxml()
            $evtInfo = [ordered]@{}
            $evtInfo['EventId'] = $evtXml.Event.System.EventID.'#text'
            $evtInfo['EventRecordID'] = $evtXml.Event.System.EventRecordID
            $evtInfo['TimeCreated'] = [datetime]$evtXml.Event.System.TimeCreated.SystemTime
            $evtInfo['Computer'] = $evtXml.Event.System.Computer
            $evtInfo['Provider'] = $evtXml.Event.System.Provider.Name
            $evtData = $evtxml.Event.EventData.Data[2] -split "`n"
            foreach($line in $evtData) {
                if ($line.trim() -ne '') {
                    $evtDataFields = $line.trim() -split '=',2
                    $evtInfo[$evtDataFields[0]] = $evtDataFields[1]
                }
            }
          New-Object psobject -Property $evtInfo
        }
    }
    End {}
}