events logs: TimeCreated can be greater than LastWriteTime

  • #118066
    js


    This is based on a Scripting Guy blog about finding the latest event logs (https://blogs.technet.microsoft.com/heyscriptingguy/2011/03/07/use-powershell-to-query-all-event-logs-for-recent-events/). But how can the time of the log entry creation be 5 days more recent than the modification time of the log??

    $starttime = (get-date).Addhours(-4)
    
    Get-WinEvent -ListLog * -EA silentlycontinue -pv log |
    foreach { get-winevent -filterhashtable @{logname=$_.logname;starttime=$starttime} -ea 0 } |
    Format-Table TimeCreated, ID, ProviderName, @{n='LastWriteTime';e={$log.lastwritetime}} -AutoSize -Wrap
    
    TimeCreated               Id ProviderName                                                       LastWriteTime
    -----------               -- ------------                                                       -------------
    10/23/2018 9:52:31 AM    916 ESENT                                                              10/18/2018 1:28:15 PM
    10/23/2018 9:47:20 AM    916 ESENT                                                              10/18/2018 1:28:15 PM
    10/23/2018 9:45:45 AM    916 ESENT                                                              10/18/2018 1:28:15 PM
    

    Another weird thing is you can put a wildcard like 'a*' in the logname property of the filterhashtable, but not plain '*'.

  • #118095


    The calculated property LastWriteTime takes its value from the pipeline variable $log.LastWriteTime, which comes from the output of the Get-WinEvent cmdlet.
    Hence it can be like this, and it will be the same for each LogName.

  • #118107


    Indeed... I would presume that the error comes from having the 'nested' pipeline there, and you probably need to have the calculated property reference $_.LastWriteTime instead in order to get the correct value.

  • #118125
    js


    The lognames from both commands seem to match... It's true that the 2nd get-winevent spins out multiple log entries per logname. There's no lastwritetime property in the 2nd version of the command. The two time properties just don't seem related.

    $starttime = (get-date).Addhours(-4)
    
    Get-WinEvent -ListLog * -EA silentlycontinue -pv log |
    foreach { get-winevent -filterhashtable @{logname=$_.logname;starttime=$starttime} -ea 0 } |
    Format-Table TimeCreated, ID, ProviderName, @{n='LastWriteTime';e={$log.lastwritetime}},Logname, 
      @{n='Logname2';e={$log.logname}} -AutoSize -Wrap
    
    
    TimeCreated               Id ProviderName                   LastWriteTime          LogName     Logname2
    -----------               -- ------------                   -------------          -------     --------
    10/23/2018 12:07:54 PM 16384 Microsoft-Windows-Security-SPP 10/18/2018 1:28:15 PM  Application Application
    10/23/2018 12:07:23 PM  1003 Microsoft-Windows-Security-SPP 10/18/2018 1:28:15 PM  Application Application
    10/23/2018 12:07:22 PM  1003 Microsoft-Windows-Security-SPP 10/18/2018 1:28:15 PM  Application Application
    10/23/2018 11:57:32 AM  8224 VSS                            10/18/2018 1:28:15 PM  Application Application
    10/23/2018 11:54:31 AM   916 ESENT                          10/18/2018 1:28:15 PM  Application Application
    10/23/2018 11:54:06 AM  1001 Windows Error Reporting        10/18/2018 1:28:15 PM  Application Application
    10/23/2018 11:45:00 AM   916 ESENT                          10/18/2018 1:28:15 PM  Application Application
    10/23/2018 11:20:21 AM   916 ESENT                          10/18/2018 1:28:15 PM  Application Application
    
    

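Added example, not part of the original thread: one way to put each log's LastWriteTime next to the TimeCreated of its newest record, holding the log object in an explicit loop variable instead of -PipelineVariable, so the gap discussed in the posts can be measured per log. The column names NewestEvent and Lag are chosen here for illustration.

```powershell
# Added example: compare each log's metadata LastWriteTime with its newest record.
# The output columns NewestEvent and Lag are illustrative names, not from the thread.
$rows = foreach ($log in Get-WinEvent -ListLog * -ErrorAction SilentlyContinue) {

    # Skip empty logs, and analytic/debug logs, which can only be read with -Oldest.
    if (-not $log.RecordCount) { continue }
    if ($log.LogType -notin 'Administrative', 'Operational') { continue }

    try {
        # Get-WinEvent returns newest events first, so -MaxEvents 1 is the latest record.
        $newest = Get-WinEvent -LogName $log.LogName -MaxEvents 1 -ErrorAction Stop
    }
    catch {
        continue   # unreadable log (permissions, disabled channel, ...)
    }

    [pscustomobject]@{
        LogName       = $log.LogName
        LastWriteTime = $log.LastWriteTime
        NewestEvent   = $newest.TimeCreated
        # Positive Lag: the newest record is later than the log's reported write time.
        Lag           = if ($log.LastWriteTime) { $newest.TimeCreated - $log.LastWriteTime } else { $null }
    }
}

# Show only the logs where a record is newer than the log's own LastWriteTime.
$rows |
    Where-Object { $_.Lag -gt [timespan]::Zero } |
    Sort-Object Lag -Descending |
    Format-Table LogName, LastWriteTime, NewestEvent, Lag -AutoSize
```

Because every row is built while `$log` still refers to the log the event was read from, the LastWriteTime column is always paired with the correct LogName.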