Get-WindowsEventLogMessage.ps1

<#PSScriptInfo
 
.VERSION 1.2.0
 
.GUID fb06bec9-3e1b-472d-948b-3517f71d876c
 
.AUTHOR saw-friendship
 
.COMPANYNAME
 
.COPYRIGHT
 
.TAGS
 saw-friendship Windows EventLog Message XML
 
.LICENSEURI
 
.PROJECTURI
 https://sawfriendship.wordpress.com
 
.ICONURI
 
.EXTERNALMODULEDEPENDENCIES
 
.REQUIREDSCRIPTS
 
.EXTERNALSCRIPTDEPENDENCIES
 
.RELEASENOTES
 
#>


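<#
 
.SYNOPSIS
 Expands the EventData section of Windows event log records into flat objects.

.DESCRIPTION
 Queries events with Get-WinEvent and, for every record, emits one [pscustomobject]
 carrying the common record fields (Id, ProviderName, TimeCreated, LevelDisplayName,
 TaskDisplayName, MachineName) plus one property per <Data> element of the record's
 EventData section, so message fields such as TargetUserName can be filtered and
 selected directly. Records without an EventData section (e.g. UserData-only events)
 are emitted with the common fields alone.

.PARAMETER LogName
 Log to query (FilterHashtable key LogName). Can be given positionally.

.PARAMETER ProviderName
 Event provider to query (FilterHashtable key ProviderName).

.PARAMETER Id
 Event IDs to query (FilterHashtable key Id).

.PARAMETER Path
 Path of a saved log file. When other filters are given it is passed as the
 FilterHashtable key Path, otherwise as Get-WinEvent -Path.

.PARAMETER MaxEvents
 Maximum number of records returned by Get-WinEvent.

.PARAMETER ComputerName
 Computer to query (Get-WinEvent -ComputerName).

.PARAMETER Force
 Passed through to Get-WinEvent -Force.

.PARAMETER Credential
 Credential passed through to Get-WinEvent.

.PARAMETER Oldest
 Return records oldest first (Get-WinEvent -Oldest).

.PARAMETER All
 Also copy the less common record fields (UserId, Keywords, RecordId, Message, ...).

.PARAMETER PropertyPrefix
 String prepended to every EventData field name; use it to keep message fields apart
 from the fixed record fields (e.g. a <Data Name="Version"> entry).

.PARAMETER StartTime
 Lower bound for TimeCreated (alias After; FilterHashtable key StartTime).

.PARAMETER EndTime
 Upper bound for TimeCreated (alias Before; FilterHashtable key EndTime).

.PARAMETER TimeCreatedFormat
 Optional .NET date/time format string. When given, TimeCreated is emitted as a
 string in that format instead of a [datetime].

.PARAMETER Property
 Properties to select on the output objects (Select-Object -Property). Default: all.

.EXAMPLE
 Get-WindowsEventLogMessage -Id 4624 -LogName Security -MaxEvents 10
  
.EXAMPLE
 Get-WindowsEventLogMessage Security -StartTime (Get-Date).AddHours(-1) -Property Id,TimeCreated,TargetUserName
 
#>
 
[CmdletBinding()]
param(
[string]$LogName,
[string]$ProviderName,
[int[]]$Id,
[string]$Path,
[int]$MaxEvents,
[string]$ComputerName,
[switch]$Force,
[PSCredential]$Credential,
[switch]$Oldest,
[switch]$All,
[string]$PropertyPrefix = '',
[alias('After')][datetime]$StartTime,
[alias('Before')][datetime]$EndTime,
[string]$TimeCreatedFormat,
[string[]]$Property = @('*')
)

# Query filters are collected into a single -FilterHashtable. Id, StartTime and
# EndTime are copied when they were actually bound (a truthiness test would drop
# event ID 0 and depends on how an unbound [datetime] is initialised).
$FilterHashtable = [Hashtable]@{}
$Param = [Hashtable]@{}
$SelectParam = [Hashtable]@{'Property' = $Property}

if ($ProviderName) { $FilterHashtable.ProviderName = $ProviderName }
if ($PSBoundParameters.ContainsKey('Id') -and $null -ne $Id) { $FilterHashtable.Id = $Id }
if ($LogName) { $FilterHashtable.LogName = $LogName }
if ($PSBoundParameters.ContainsKey('StartTime')) { $FilterHashtable.StartTime = $StartTime }
if ($PSBoundParameters.ContainsKey('EndTime')) { $FilterHashtable.EndTime = $EndTime }

if ($MaxEvents) { $Param.MaxEvents = $MaxEvents }
if ($ComputerName) { $Param.ComputerName = $ComputerName }
if ($Credential) { $Param.Credential = $Credential }
if ($Force) { $Param.Force = $Force }
if ($Oldest) { $Param.Oldest = $Oldest }

# -Path and -FilterHashtable belong to different Get-WinEvent parameter sets and
# cannot be combined on the command line; when other filters are present the file
# is therefore expressed as the FilterHashtable 'Path' key, so that e.g.
# "-Path saved.evtx -Id 4624" works instead of failing parameter-set resolution.
if ($Path) {
    if ($FilterHashtable.Count -gt 0) { $FilterHashtable.Path = $Path } else { $Param.Path = $Path }
}
if ($FilterHashtable.Count -gt 0) { $Param.FilterHashtable = $FilterHashtable }

# Record fields that are only copied with -All, in output order.
$AllFields = 'UserId', 'KeywordsDisplayNames', 'Version', 'Qualifiers', 'Level', 'Task',
             'Opcode', 'Keywords', 'RecordId', 'ProviderId', 'ProcessId', 'ThreadId',
             'ActivityId', 'RelatedActivityId', 'ContainerLog', 'MatchedQueryIds',
             'Bookmark', 'OpcodeDisplayName', 'Properties', 'Message'

Get-WinEvent @Param | ForEach-Object {
    # Hold the record in a named variable instead of relying on $_ leaking from the
    # outer pipeline into a nested ForEach-Object -Begin block.
    $Record = $_

    $Hash = [ordered]@{
        'Id'               = $Record.Id
        'ProviderName'     = $Record.ProviderName
        # TimeCreated is nullable; only format it when a format was requested and a
        # value is present, otherwise emit the raw [datetime] (or $null) unchanged.
        'TimeCreated'      = $(
            if ([string]::IsNullOrEmpty($TimeCreatedFormat) -or $null -eq $Record.TimeCreated) { $Record.TimeCreated }
            else { $Record.TimeCreated.ToString($TimeCreatedFormat) }
        )
        'LevelDisplayName' = $Record.LevelDisplayName
        'TaskDisplayName'  = $Record.TaskDisplayName
        'MachineName'      = $Record.MachineName
    }

    if ($All) {
        foreach ($Field in $AllFields) { $Hash[$Field] = $Record.$Field }
    }

    # Expand <EventData><Data Name="...">value</Data></EventData>.
    # PowerShell's XML adapter returns a plain string for a <Data> element that has
    # no attributes, so such unnamed entries get a positional name (Data0, Data1, ...)
    # instead of all collapsing onto the bare prefix. A name that already exists in
    # the hashtable (a fixed record field, or a repeated Data name) gets a numeric
    # suffix rather than throwing from a duplicate Add().
    $EventXml = [xml]$Record.ToXml()
    $Position = 0
    foreach ($Data in @($EventXml.Event.EventData.Data)) {
        if ($null -eq $Data) { continue }   # no EventData section at all

        if ($Data -is [System.Xml.XmlElement]) {
            $Name  = $Data.GetAttribute('Name')
            $Value = $Data.'#text'
        } else {
            $Name  = ''
            $Value = [string]$Data
        }
        if ([string]::IsNullOrEmpty($Name)) { $Name = 'Data{0}' -f $Position }
        $Position++

        $Key    = $PropertyPrefix + $Name
        $Unique = $Key
        $Suffix = 2
        while ($Hash.Contains($Unique)) { $Unique = '{0}_{1}' -f $Key, $Suffix++ }
        $Hash[$Unique] = $Value
    }

    [pscustomobject]$Hash | Select-Object @SelectParam
}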