Get-WindowsEventLogMessage

1.2.0

Get-WindowsEventLogMessage.ps1

                                <#PSScriptInfo 

.VERSION 1.2.0

.GUID fb06bec9-3e1b-472d-948b-3517f71d876c

.AUTHOR saw-friendship 

.COMPANYNAME 

.COPYRIGHT 

.TAGS 

 saw-friendship Windows EventLog Message XML

.LICENSEURI 

.PROJECTURI

 https://sawfriendship.wordpress.com

.ICONURI 

.EXTERNALMODULEDEPENDENCIES 

.REQUIREDSCRIPTS 

.EXTERNALSCRIPTDEPENDENCIES 

.RELEASENOTES 

#>

<# 

.DESCRIPTION 

 Expand WinEventLog Message and generating objects

.EXAMPLE 

 Get-WindowsEventLogMessage -Id 4624 -LogName Security -MaxEvents 10

.EXAMPLE 

 Get-WindowsEventLogMessage Security -StartTime (Get-Date).AddHours(-1) -Property Id,TimeCreated,TargetUserName

#> 

[CmdletBinding()]

param(

[string]$LogName,

[string]$ProviderName,

[int[]]$Id,

[string]$Path,

[int]$MaxEvents,

[string]$ComputerName,

[switch]$Force,

[PSCredential]$Credential,

[switch]$Oldest,

[switch]$All,

[string]$PropertyPrefix = '',

[alias('After')][datetime]$StartTime,

[alias('Before')][datetime]$EndTime,

[string]$TimeCreatedFormat,

[string[]]$Property = @('*')

)

    $FilterHashtable = [Hashtable]@{}

    $Param = [Hashtable]@{}

    $SelectParam = [Hashtable]@{'Property' = $Property}

    if($ProviderName){$FilterHashtable.ProviderName = $ProviderName}

    if($Id){$FilterHashtable.Id = $Id}

    if($LogName){$FilterHashtable.LogName = $LogName}

    if($StartTime){$FilterHashtable.StartTime = $StartTime}

    if($EndTime){$FilterHashtable.EndTime = $EndTime}

    if($MaxEvents){$Param.MaxEvents = $MaxEvents}

    if($Path){$Param.Path = $Path}

    if($ComputerName){$Param.ComputerName = $ComputerName}

    if($Credential){$Param.Credential = $Credential}

    if($Force){$Param.Force = $Force}

    if($Oldest){$Param.Oldest = $Oldest}

    if($FilterHashtable){$Param.FilterHashtable = $FilterHashtable}

    Get-WinEvent @Param | % {

        ([xml]($_.ToXml())).Event.EventData.Data | % -Begin {

                $Hash = [ordered]@{

                    'Id' = $_.Id

                    'ProviderName' = $_.ProviderName

                    'TimeCreated' = $(@{$true = $_.TimeCreated; $false = $_.TimeCreated.ToString($TimeCreatedFormat)}[[string]::IsNullOrEmpty($TimeCreatedFormat)])

                    'LevelDisplayName' = $_.LevelDisplayName

                    'TaskDisplayName' = $_.TaskDisplayName

                    'MachineName' = $_.MachineName

                }

                if($All){

                        $Hash.UserId = $_.UserId

                        $Hash.KeywordsDisplayNames = $_.KeywordsDisplayNames

                        $Hash.Version = $_.Version

                        $Hash.Qualifiers = $_.Qualifiers

                        $Hash.Level = $_.Level

                        $Hash.Task = $_.Task

                        $Hash.Opcode = $_.Opcode

                        $Hash.Keywords = $_.Keywords

                        $Hash.RecordId = $_.RecordId

                        $Hash.ProviderId = $_.ProviderId

                        $Hash.ProcessId = $_.ProcessId

                        $Hash.ThreadId = $_.ThreadId

                        $Hash.ActivityId = $_.ActivityId

                        $Hash.RelatedActivityId = $_.RelatedActivityId

                        $Hash.ContainerLog = $_.ContainerLog

                        $Hash.MatchedQueryIds = $_.MatchedQueryIds

                        $Hash.Bookmark = $_.Bookmark

                        $Hash.OpcodeDisplayName = $_.OpcodeDisplayName

                        $Hash.Properties = $_.Properties

                        $Hash.Message = $_.Message

                }

        } -Process {

            $Hash.Add($($PropertyPrefix + $_.Name),$_.'#text')

        } -End {

            [pscustomobject]$Hash | Select-Object @SelectParam

        }

    }