
April 6, 2018 at 3:01 pm

Hello,

I want to retrieve all hardware events within Server 2k12 r2 or 2k8r2. I see the saved HardwareEvents evtx in my system32 path but I would like to retrieve all hardware events using POSH. Can anyone share some information on this – much appreciated!

I can see all of the listed event providers, but I am curious which provider represents the HardwareEvents.evtx file.

Jason

April 6, 2018 at 11:55 pm

I am slightly confused (but I'm old and it happens to us old folks, well, to me, 8^}) by your statement...

I can see all of the listed event providers, but I am curious which provider represents the HardwareEvents.evtx file

These are the default PSProviders...

 Get-PSProvider | Format-Table -AutoSize

Name        Capabilities                       Drives      
----        ------------                       ------      
Registry    ShouldProcess, Transactions        {HKLM, HKCU}
Alias       ShouldProcess                      {Alias}     
Environment ShouldProcess                      {Env}       
FileSystem  Filter, ShouldProcess, Credentials {C, D, E, F}
Function    ShouldProcess                      {Function}  
Variable    ShouldProcess                      {Variable}  
Certificate ShouldProcess                      {Cert}      
WSMan       Credentials                        {WSMan}

... and none of those are specific to event logs.

If you meant the Event log cmdlets, then sure.

 Get-Command -CommandType Cmdlet -Name '*eventlog*' | Format-Table -AutoSize

CommandType Name                   Version Source                         
----------- ----                   ------- ------                         
Cmdlet      Clear-EventLog         3.1.0.0 Microsoft.PowerShell.Management
Cmdlet      Get-EventLog           3.1.0.0 Microsoft.PowerShell.Management
Cmdlet      Limit-EventLog         3.1.0.0 Microsoft.PowerShell.Management
Cmdlet      New-EventLog           3.1.0.0 Microsoft.PowerShell.Management
Cmdlet      New-PefEventLogTrigger 1.1.0.0 PEF                            
Cmdlet      Remove-EventLog        3.1.0.0 Microsoft.PowerShell.Management
Cmdlet      Show-EventLog          3.1.0.0 Microsoft.PowerShell.Management
Cmdlet      Write-EventLog         3.1.0.0 Microsoft.PowerShell.Management

Just call directly into the Hardware Event log using the eventlog cmdlets. Specifically, Get-EventLog for the IDs you are interested in.
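To put both posts together in working code (added example, not from either poster): the first function answers the "which provider writes HardwareEvents.evtx" question by reading the log's configuration, and the other two pull events from the live log and from an exported .evtx. It assumes the log is named HardwareEvents (the name Windows uses for that file) and uses a constructed path for the exported copy.

```powershell
# Added example, not code from the thread. Assumes the log name is 'HardwareEvents'
# and that an exported copy may sit at the constructed path in $ExportedCopy.

function Get-HardwareEventLogInfo {
    # -ListLog returns the log's configuration, including the names of every
    # provider registered to write into it: the answer to "which provider
    # represents HardwareEvents.evtx".
    $cfg = Get-WinEvent -ListLog 'HardwareEvents' -ErrorAction Stop
    [pscustomobject]@{
        LogName       = $cfg.LogName
        LogFilePath   = $cfg.LogFilePath
        RecordCount   = $cfg.RecordCount
        IsEnabled     = $cfg.IsEnabled
        ProviderNames = $cfg.ProviderNames
    }
}

function Get-HardwareEvents {
    param(
        [int[]]$Id,                                # optional: only these event IDs
        [datetime]$StartTime,                      # optional: only events at/after this time
        [string]$ComputerName = $env:COMPUTERNAME  # local by default; remote via WinRM/RPC
    )
    # Build the filter so the log service does the filtering, not the pipeline.
    $filter = @{ LogName = 'HardwareEvents' }
    if ($Id)        { $filter['Id']        = $Id }
    if ($StartTime) { $filter['StartTime'] = $StartTime }

    # Get-WinEvent raises a non-terminating "No events were found" error on an
    # empty log (common for HardwareEvents); treat that as an empty result.
    Get-WinEvent -FilterHashtable $filter -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, MachineName, Message
}

function Get-HardwareEventsFromFile {
    param([Parameter(Mandatory)][string]$Path)
    # An exported .evtx (for example one copied off a server for review) is read
    # with the Path key instead of LogName; the other filter keys work the same way.
    Get-WinEvent -FilterHashtable @{ Path = $Path } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message
}

# Usage
Get-HardwareEventLogInfo
Get-HardwareEvents -StartTime (Get-Date).AddDays(-7) | Format-Table -AutoSize
$ExportedCopy = 'C:\Cases\example\HardwareEvents.evtx'   # constructed path, not from the thread
if (Test-Path $ExportedCopy) { Get-HardwareEventsFromFile -Path $ExportedCopy | Format-Table -AutoSize }
```

As the reply says, Get-EventLog -LogName HardwareEvents also reaches this log on 2008 R2 and 2012 R2; Get-WinEvent is used here because it can additionally read a saved .evtx directly and push the ID and time filters to the log service rather than fetching every record and filtering afterwards.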