Event Log Providers

This topic contains 1 reply, has 2 voices, and was last updated by  postanote 1 week, 5 days ago.

  • #98115

    Jason Colotario
    Participant

    Hello,

    I want to retrieve all hardware events within Server 2k12 r2 or 2k8r2. I see the saved HardwareEvents evtx in my system32 path but I would like to retrieve all hardware events using POSH. Can anyone share some information on this – much appreciated!

    I can see all of the listed event providers, but I am curious which provider represents the HardwareEvents.evtx file.

    Jason

  • #98178

    postanote
    Participant

    I am slightly confused (but I'm old and it happens to us old folks, well, to me, 8^}) by your statement:

    I can see all of the listed event providers, but I am curious which provider represents the HardwareEvents.evtx file

    These are the default PSProviders:

     Get-PSProvider | Format-Table -AutoSize
    
    Name        Capabilities                       Drives      
    ----        ------------                       ------      
    Registry    ShouldProcess, Transactions        {HKLM, HKCU}
    Alias       ShouldProcess                      {Alias}     
    Environment ShouldProcess                      {Env}       
    FileSystem  Filter, ShouldProcess, Credentials {C, D, E, F}
    Function    ShouldProcess                      {Function}  
    Variable    ShouldProcess                      {Variable}  
    Certificate ShouldProcess                      {Cert}      
    WSMan       Credentials                        {WSMan}
    

    ... and none of those are specific to event logs.

    If you meant the Event log cmdlets, then sure.

     Get-Command -CommandType Cmdlet -Name '*eventlog*' | Format-Table -AutoSize
    
    CommandType Name                   Version Source                         
    ----------- ----                   ------- ------                         
    Cmdlet      Clear-EventLog         3.1.0.0 Microsoft.PowerShell.Management
    Cmdlet      Get-EventLog           3.1.0.0 Microsoft.PowerShell.Management
    Cmdlet      Limit-EventLog         3.1.0.0 Microsoft.PowerShell.Management
    Cmdlet      New-EventLog           3.1.0.0 Microsoft.PowerShell.Management
    Cmdlet      New-PefEventLogTrigger 1.1.0.0 PEF                            
    Cmdlet      Remove-EventLog        3.1.0.0 Microsoft.PowerShell.Management
    Cmdlet      Show-EventLog          3.1.0.0 Microsoft.PowerShell.Management
    Cmdlet      Write-EventLog         3.1.0.0 Microsoft.PowerShell.Management
    

    Just call directly into the Hardware Event log using the eventlog cmdlets. Specifically Get-EventLog, for the IDs you are interested in.
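The script below is an added example and is not part of either post above. It answers the original question (which providers are registered against the HardwareEvents log) with Get-WinEvent, then pulls the events three ways: the live log with a server-side filter, the saved .evtx file, and the classic Get-EventLog call from the reply. The .evtx path, the 30-day window and the event count are assumptions chosen for illustration; `$ComputerName` defaults to the local host.

```powershell
# Added example, not code from the thread. Assumes a Windows host (2008 R2 /
# 2012 R2 or later) where the classic HardwareEvents log is registered.
# The saved-log path is the default Windows location and is an assumption.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$MaxEvents = 50,
    [int]$DaysBack = 30,
    [string]$SavedLog = "$env:SystemRoot\System32\winevt\Logs\HardwareEvents.evtx"
)

# 1. Which providers write into HardwareEvents? EventLogConfiguration.ProviderNames
#    lists every provider registered against the log; this is the answer to
#    "which provider represents HardwareEvents.evtx".
$logConfig = Get-WinEvent -ListLog HardwareEvents -ComputerName $ComputerName -ErrorAction Stop
$logConfig | Select-Object LogName, LogType, IsEnabled, RecordCount, ProviderNames | Format-List

# 2. The reverse lookup: walk all provider metadata and keep those whose
#    LogLinks point at HardwareEvents. ForEach-Object (not member enumeration)
#    keeps this working on the PowerShell 2.0 that ships with 2008 R2.
Get-WinEvent -ListProvider * -ErrorAction SilentlyContinue |
    Where-Object { ($_.LogLinks | ForEach-Object { $_.LogName }) -contains 'HardwareEvents' } |
    Select-Object Name, @{ n = 'Logs'; e = { ($_.LogLinks | ForEach-Object { $_.LogName }) -join ', ' } }

# 3. Live log, filtered on the server side. FilterHashtable is far cheaper than
#    piping every record through Where-Object, and an empty log would otherwise
#    raise "No events were found", hence SilentlyContinue.
$filter = @{ LogName = 'HardwareEvents'; StartTime = (Get-Date).AddDays(-$DaysBack) }
$live = Get-WinEvent -FilterHashtable $filter -ComputerName $ComputerName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
$live | Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message | Format-Table -Wrap

# 4. The saved .evtx copy (for a log exported from another box), summarised by
#    provider and event ID so repeating hardware faults stand out.
if (Test-Path $SavedLog) {
    Get-WinEvent -Path $SavedLog -ErrorAction SilentlyContinue |
        Group-Object ProviderName, Id |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# 5. Classic-cmdlet equivalent from the reply. Get-EventLog only reads classic
#    logs (HardwareEvents is one) and was dropped from PowerShell 7, so guard it.
if (Get-Command Get-EventLog -ErrorAction SilentlyContinue) {
    Get-EventLog -LogName HardwareEvents -Newest $MaxEvents -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        Select-Object TimeGenerated, EventID, EntryType, Source, Message
}
```

Reading the log needs local admin or membership in the Event Log Readers group; a remote `-ComputerName` additionally requires the "Remote Event Log Management" firewall rule group on the target, since Get-WinEvent and Get-EventLog both use RPC rather than WinRM for this.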
