
April 27, 2017 at 8:18 am

Hi all,
I want to ask about filtering the event log in Windows 7 using PowerShell.

I have already searched for this, but usually people filter just using general information such as log name, keywords, event ID, etc.

The thing is, I want to filter using the access list, and combine it with the event ID.
For example, an access list like the picture below:
[image: example access list]

I really appreciate all suggestions and help.
Thanks in advance.

April 28, 2017 at 7:26 am

You'll need to use Get-WinEvent. I can't see the log or full provider name, so I'll use another example.

You can use a variety of filters in the hash, including Id=, LogName=, etc. to get the events you're after. I'm using a date.

# StartTime takes a [datetime]; the last 24 hours is used here as a placeholder value
Get-WinEvent -FilterHashtable @{ProviderName='Service Control Manager'; StartTime=(Get-Date).AddDays(-1)} |
   % {([xml]$_.ToXml()).Event.EventData.Data}
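Building on the reply above, here is an added example (not code from the thread) of doing the combination the original question asks for: the hashtable narrows by log and event ID, then the EventData fields are turned into properties so a second filter can run on the access list. It assumes the "access list" meant is the AccessList/AccessMask data of Security event 4663 (object access), that the raw XML carries the access rights as %%NNNN resource tokens (e.g. %%4416 ReadData, %%4417 WriteData), that the shell is elevated enough to read the Security log, and that object-access auditing plus a SACL on the target are in place, otherwise 4663 is never written. The function names are my own. A constructed sample record is included so the parsing part can be tried without any of that.

```powershell
# Added example, not from the original post. Assumes Security event 4663 with
# AccessList/AccessMask EventData fields and %%NNNN access tokens in the raw XML.

function ConvertFrom-EventXml {
    # Turn the XML of one event into a flat object: System fields plus one
    # property per <Data Name="..."> element, so Where-Object can filter on them.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $e = ([xml]$Xml).Event
        # EventID is a plain string for manifest providers, but an element with a
        # Qualifiers attribute for classic providers; handle both.
        $idNode = $e.System.EventID
        $id = if ($idNode -is [System.Xml.XmlNode]) { $idNode.InnerText } else { $idNode }
        $props = [ordered]@{
            TimeCreated = $e.System.TimeCreated.SystemTime
            Id          = [int]$id
            Provider    = $e.System.Provider.GetAttribute('Name')
        }
        foreach ($d in $e.EventData.Data) {
            # Only named Data elements become properties (classic providers emit unnamed ones)
            if ($d -is [System.Xml.XmlElement]) {
                $name = $d.GetAttribute('Name')
                if ($name) { $props[$name] = $d.InnerText.Trim() }
            }
        }
        [pscustomobject]$props
    }
}

function Get-ObjectAccessEvent {
    # Hashtable filter (log, ID, time) first, access-list filter second.
    param(
        [int[]]$Id = 4663,
        # %%4416 = ReadData/ListDirectory, %%4417 = WriteData/AddFile, %%4418 = AppendData
        [string[]]$AccessToken,
        [string]$ObjectNamePattern = '*',
        [datetime]$StartTime = (Get-Date).AddDays(-1)
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $StartTime } -ErrorAction Stop |
        ForEach-Object { $_.ToXml() } |
        ConvertFrom-EventXml |
        Where-Object {
            $rec = $_
            ($rec.ObjectName -like $ObjectNamePattern) -and
            (-not $AccessToken -or
             @($AccessToken | Where-Object { $rec.AccessList -match [regex]::Escape($_) }).Count -gt 0)
        }
}

# Constructed sample record (not a real capture) to exercise the parser offline.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4663</EventID>
    <TimeCreated SystemTime="2017-04-27T08:18:00.000000000Z" />
  </System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="ObjectName">C:\Payroll\salaries.xlsx</Data>
    <Data Name="AccessList">%%4417
				</Data>
    <Data Name="AccessMask">0x2</Data>
    <Data Name="ProcessName">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
'@

$sampleXml | ConvertFrom-EventXml | Format-List

# Live query: writes to files under C:\Payroll in the last day.
# Get-ObjectAccessEvent -AccessToken '%%4417','%%4418' -ObjectNamePattern 'C:\Payroll\*' |
#     Select-Object TimeCreated, SubjectUserName, ObjectName, AccessMask, ProcessName
```

Keep the cheap filters (LogName, Id, StartTime) in the hashtable so the event log service does the work, and leave only what the hashtable cannot express (EventData fields) to Where-Object; filtering 4663 purely client-side on a busy file server is very slow. If you need to be exact about a single right rather than the whole list, compare the AccessMask bits instead of the token text.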

April 28, 2017 at 1:38 pm

Ashley McGlone (GoateePFE) has posted some really excellent content on Event Log filtering:

TechNet Blogs

Microsoft Virtual Academy
Skip to the Forensic Investigations and Lockouts section, then Event Logs