FilterhashTable

This topic contains 1 reply, has 2 voices, and was last updated by Profile photo of Rob Simmers Rob Simmers 9 months, 3 weeks ago.

  • Author
    Posts
  • #55022
    Profile photo of Andrew
    Andrew
    Participant

    The bottom powershell steps work to get the computer boot processing steps. Can anyone advise if there is a method to achieve the same result using the Get-winevent -FilterhashTable? The activityID and correlation are buried inside the XML of the respective events, I am having a little difficulty figuring out if this is even accessible using the -filterhashtable

    Thanks
    ———————————————————————————————————————————
    $Query = ' *[System[(EventID="4000")]] '

    $ugevent=Get-WinEvent -FilterXml $Query -ComputerName $cmp| select -First 1

    $Query = ' *[System/Correlation/@ActivityID="{CorrelationID}"] '

    $FilterXML = $Query.Replace("CorrelationID",$ugevent.ActivityID)

    Get-WinEvent -FilterXML $FilterXML -ComputerName $cmp | Out-GridView

  • #55071
    Profile photo of Rob Simmers
    Rob Simmers
    Participant

You must be logged in to reply to this topic.