October 7, 2016 at 4:46 am

The PowerShell steps at the bottom work to get the computer boot processing steps. Can anyone advise if there is a method to achieve the same result using Get-WinEvent -FilterHashtable? The ActivityID and correlation are buried inside the XML of the respective events, and I am having a little difficulty figuring out if this is even accessible using -FilterHashtable.

$Query = ' *[System[(EventID="4000")]] '

$ugevent = Get-WinEvent -FilterXml $Query -ComputerName $cmp | Select-Object -First 1

$Query = ' *[System/Correlation/@ActivityID="{CorrelationID}"] '

$FilterXML = $Query.Replace("CorrelationID",$ugevent.ActivityID)

Get-WinEvent -FilterXML $FilterXML -ComputerName $cmp | Out-GridView
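
An added example, not part of the original post: the keys that -FilterHashtable accepts (LogName, ProviderName, Id, Level, StartTime, EndTime, UserID, Data and a few others) do not include the Correlation element's ActivityID, so one approach is to pick the starting event with a hashtable filter and then match the ActivityId property of the returned records on the client. The function name, the log name (the post does not say which log is queried) and the time-based narrowing are assumptions.

```powershell
# Added example. Assumptions: the events are in the Group Policy operational
# log (not named in the post), and every correlated event is written at or
# after the starting event, so StartTime can be used to narrow the query.
function Get-CorrelatedEvent {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$LogName = 'Microsoft-Windows-GroupPolicy/Operational',  # assumed log
        [int]$StartEventId = 4000
    )

    # Step 1: the hashtable filter can select the starting event by log and ID.
    $start = Get-WinEvent -ComputerName $ComputerName -MaxEvents 1 -ErrorAction Stop -FilterHashtable @{
        LogName = $LogName
        Id      = $StartEventId
    }

    # Not every event carries a Correlation ActivityID; stop early if this one does not.
    if ($null -eq $start.ActivityId) {
        throw "Event $StartEventId (record $($start.RecordId)) has no ActivityID to correlate on."
    }

    # Step 2: there is no hashtable key for System/Correlation/@ActivityID, so
    # narrow by time on the server and compare the ActivityId property locally.
    Get-WinEvent -ComputerName $ComputerName -ErrorAction Stop -FilterHashtable @{
        LogName   = $LogName
        StartTime = $start.TimeCreated.AddSeconds(-1)
    } |
        Where-Object { $_.ActivityId -eq $start.ActivityId } |
        Sort-Object TimeCreated
}

# Local computer by default; pass -ComputerName $cmp for a remote machine.
Get-CorrelatedEvent | Out-GridView
```

The second query transfers every event written after the starting one and filters locally, so on a busy log the XPath form in the post returns less data over the wire.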