Public/Get-OSDWinEvent.ps1

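function Get-OSDWinEvent {
    <#
    .SYNOPSIS
    Collects Windows event log records for a troubleshooting area and returns them oldest first.

    .DESCRIPTION
    Builds one or more Get-WinEvent -FilterHashtable queries, runs them, and returns the
    combined records sorted by TimeCreated and reduced to TimeCreated, LevelDisplayName,
    LogName, Id, Message and ProviderName.

    Every query is best-effort: a failed query does not stop the function and is not written
    to the error stream. The failure is written to the verbose stream instead, so an empty
    result is not proof that no matching events exist. Run with -Verbose to see which queries
    failed and why before drawing conclusions from missing events.

    .PARAMETER Area
    Optional preset (alias: Quick). 'Autopilot' queries a fixed list of enrollment and
    provisioning logs, 'BlueScreen' queries event 1001 from
    Microsoft-Windows-WER-SystemErrorReporting, and 'Time' queries
    Microsoft-Windows-Time-Service/Operational. When omitted, -LogName is queried.

    .PARAMETER DayCount
    How many days back from now to start collecting. Default 1. Not applied to the
    'BlueScreen' preset, which has no StartTime filter and returns all matching records.

    .PARAMETER LogName
    Logs to query when -Area is not given. Default: System and Application.

    .OUTPUTS
    Objects with TimeCreated, LevelDisplayName, LogName, Id, Message and ProviderName.
    #>
    [CmdletBinding()]
    param (
        [ValidateSet('Autopilot','BlueScreen','Time')]
        [Alias('Quick')]
        [string]$Area,

        [int32]$DayCount = 1,
        [string[]]$LogName = @('System','Application')
    )

    $StartTime = (Get-Date).AddDays(-$DayCount)

    # Logs read by the Autopilot preset. Each log is queried on its own so that one missing
    # or unreadable log does not affect the others.
    $AutopilotLogs = @(
        'Microsoft-Windows-AAD/Operational'
        #'Microsoft-Windows-AppXDeployment-Server/Operational'
        'Microsoft-Windows-AssignedAccess/Admin'
        'Microsoft-Windows-AssignedAccess/Operational'
        'Microsoft-Windows-AssignedAccessBroker/Admin'
        'Microsoft-Windows-AssignedAccessBroker/Operational'
        'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational'
        'Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot'
        'Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService'
        'Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin'
        'Microsoft-Windows-Shell-Core/Operational'
        'Microsoft-Windows-User Device Registration/Admin'
    )

    if ($Area -eq 'Autopilot') {
        $Filters = foreach ($Name in $AutopilotLogs) {
            @{ LogName = $Name; StartTime = $StartTime }
        }
    }
    elseif ($Area -eq 'BlueScreen') {
        # No StartTime here: this preset deliberately ignores -DayCount.
        $Filters = @{
            Id = 1001
            ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
        }
    }
    elseif ($Area -eq 'Time') {
        $Filters = @{
            LogName = 'Microsoft-Windows-Time-Service/Operational'
            StartTime = $StartTime
        }
    }
    else {
        # All requested logs go into a single query, as a LogName array.
        $Filters = @{
            LogName = $LogName
            StartTime = $StartTime
        }
    }

    # @() keeps a single hashtable as one query and yields an empty collection when
    # nothing was returned, so the pipeline below emits no rows in that case.
    $Events = @(
        foreach ($Filter in @($Filters)) {
            $QueryErrors = $null
            Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue -ErrorVariable QueryErrors

            # Get-WinEvent also reports "no events matched" as an error. All presets handle it
            # the same way: keep going, but leave a trace that -Verbose can show.
            foreach ($QueryError in $QueryErrors) {
                $Target = if ($Filter.ContainsKey('LogName')) { $Filter.LogName -join ', ' } else { $Filter.ProviderName }
                Write-Verbose "Get-WinEvent returned an error for '$Target': $QueryError"
            }
        }
    )

    $Events | Sort-Object TimeCreated | Select-Object TimeCreated,LevelDisplayName,LogName,Id,Message,ProviderName
}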