ShellSpells
Logs

Commands

eventvwr

Opens the Event Viewer (GUI).

wevtutil qe <LogName>

Retrieves events from a specific event log.

Get-EventLog -LogName <LogName>

View specified event logs. Classic logs only (Application, Security, System, ...), and only in Windows PowerShell 5.1 and earlier; the cmdlet was removed from PowerShell 7, where Get-WinEvent is the replacement.

Get-WinEvent -LogName <LogName>

View specified event logs, including the Applications and Services logs that Get-EventLog cannot read (for example Microsoft-Windows-PowerShell/Operational).

Get-WmiObject -Class Win32_NTLogEvent

View specified event logs using WMI (Windows PowerShell only; Get-CimInstance, below, is the PowerShell 7 equivalent).

logman query

Lists the configured performance counter and event trace logs.

tracerpt <LogFileName>

Converts event trace logs or performance counter logs into a readable format.

type <LogFileName>

Displays the contents of a text-based log file.

View specified event logs using WMI and a custom query:

Get-WmiObject -Query "SELECT * FROM Win32_NTLogEvent WHERE Logfile = '<LogName>'"

View specified event logs using CIM:

Get-CimInstance -ClassName Win32_NTLogEvent

View specified event logs using CIM and a custom query:

Get-CimInstance -Query "SELECT * FROM Win32_NTLogEvent WHERE Logfile = '<LogName>'"

List of available event logs and the number of records in each log (wmic is deprecated and missing from recent Windows 11 builds; the Get-CimInstance forms above are the replacement):

wmic nteventlog get LogFileName,NumberOfRecords

View specified event logs:

wmic nteventlog where (LogFileName='<LogName>') get /format:list

Viewing Application logs, tab-delimited, with findstr numbering the lines. A search term is required: findstr with no pattern exits with an error.

psloglist -s -t "\t" Application | findstr /n /i "<keyword>"

Search for SID and username:

psloglist -s -t "\t" -n 20 Security | findstr /n /i "SID"

Filter the Security log by Event ID (4625 = failed logon), either with findstr on the tab-delimited output or with psloglist's own -i switch. -r lists oldest entries first.

psloglist -s -t "\t" -r Security | findstr /n /i "4625"
psloglist -s -t "\t" -r Security -i 4625

Query by Event ID with wevtutil. /f:text renders the timestamp in local time, whereas the default XML output keeps SystemTime in UTC; keep that in mind when correlating with other hosts. /rd:true returns the newest entries first.

wevtutil qe Application "/q:*[System[(EventID=11707)]]" /rd:true /f:text
wevtutil qe Application "/q:*[System[(EventID=11707)]]" /f:text

PsTools, most recent RDP logons (logon type 10). Event ID 528 is the pre-Vista successful-logon ID and returns nothing on current Windows, where the equivalent is 4624. The message separates "Logon Type:" from the number with tabs, so match with a regex rather than a single space:

psloglist "Security" -i 528 -s | find /i "Logon Type: 10"
psloglist "Security" -i 4624 -s | findstr /r /c:"Logon Type:[^0-9]*10"

10 newest System log entries (wevtutil returns the oldest entries unless /rd:true is given):

wevtutil qe System /c:10 /rd:true /f:text

The same with PsTools:

psloglist -n 10 System

Collect successful logons, Security log clearing and unexpected shutdowns into a text file on the desktop. 1102 is the "audit log was cleared" event on Vista and later (517 was the pre-Vista ID), and 6008 lives in the System log, so both logs have to be named in the filter:

$UserDirectory = (gi env:\userprofile).Value
Get-WinEvent -FilterHashtable @{LogName='Security','System'; ID=4624,1102,6008} | select TimeCreated,ID,Message | ft -auto -wrap | out-file $UserDirectory\desktop\LogAnalysis.txt
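The query above greps the rendered Message text. The following is an added example, not part of the ShellSpells page, that reads the same 4624 events and pulls the EventData fields by name out of each event's XML, so logon type, account and source address can be filtered and grouped without string-matching the message. The field names (TargetUserName, LogonType, IpAddress and so on) are those of the 4624 event schema; the logon-type labels are the standard Windows ones. Reading the Security log needs an elevated session.

```powershell
# Added example: parse Security 4624 (successful logon) events by EventData field name
# instead of grepping the rendered Message. Field names come from the 4624 event schema.

$LogonTypes = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials'
    10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function Get-LogonEvent {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [int[]]$LogonType,            # e.g. 10 for RDP, 3 for network logons
        [switch]$IncludeMachineAccounts
    )
    # FilterHashtable pushes the ID/time filter into the log service (fast);
    # a Where-Object after the fact would read and render every record first.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData is a list of <Data Name="...">value</Data>; build a lookup by name
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $type = [int]$data['LogonType']
        if ($LogonType -and $type -notin $LogonType) { return }
        # Machine accounts end in '$' and dominate type-3 noise on domain members
        if (-not $IncludeMachineAccounts -and $data['TargetUserName'] -like '*$') { return }

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = $type
            TypeName    = $LogonTypes[$type]
            Source      = $data['IpAddress']
            Workstation = $data['WorkstationName']
            LogonProc   = $data['LogonProcessName']
            AuthPackage = $data['AuthenticationPackageName']
        }
    }
}

# RDP (type 10) logons in the last 7 days, newest first
Get-LogonEvent -LogonType 10 | Sort-Object TimeCreated -Descending | Format-Table -AutoSize

# Network (type 3) logons grouped by account and source address, busiest first
Get-LogonEvent -LogonType 3 | Group-Object Account, Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Parsing the XML rather than the Message avoids two problems with `find`/`findstr`: the message layout (tabs, wording) changes between Windows builds and display languages, and a username that happens to appear in another field still matches a text search.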

Retrieve a list of USB devices that have been attached with the associated friendly device description:

Get-ItemProperty -ea 0 hklm:\system\currentcontrolset\enum\usbstor\*\* | select FriendlyName,PSChildName

Check for PS Logging (PS3+)

Verify logging (this inspects the modules already loaded in the current session; the registry policy below is what applies to every session):

Get-Module Microsoft.* | Select Name, LogPipelineExecutionDetails

Enable logging for the loaded modules (current session only; set the policy for a persistent change):

Get-Module Microsoft.* | ForEach {$_.LogPipelineExecutionDetails = $True}

Disable logging:

Get-Module Microsoft.* | ForEach {$_.LogPipelineExecutionDetails = $False}

Registry location. The policy key is under HKLM\SOFTWARE\Policies; the Wow6432Node path is the 32-bit view on 64-bit Windows. reg query takes a key, so the value name goes in /v:

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging" /v EnableModuleLogging
reg query "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" /v EnableModuleLogging

Log location (module logging writes event 4103 here; script block logging writes 4104):

C:\Windows\system32\winevt\logs\Microsoft-Windows-PowerShell%4Operational.evtx
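The checks above look at one policy value and at modules loaded in the current session. The following is an added example, not from the ShellSpells page, that reads the three PowerShell logging policies (module logging, script block logging, transcription) from their standard Group Policy registry locations and then counts the 4103/4104 events that actually reached the operational log in the last 24 hours, so a set policy with an empty log stands out. The key and value names are the documented policy ones; the 24-hour window is an arbitrary choice.

```powershell
# Added example: audit PowerShell logging policy and confirm events are actually landing.
# Paths are the standard Group Policy locations under HKLM\SOFTWARE\Policies.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value does not exist (policy not configured)
    $item = Get-ItemProperty -Path (Join-Path $PolicyRoot $Key) -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-PSLoggingStatus {
    $status = [ordered]@{
        ModuleLogging      = Get-PolicyValue 'ModuleLogging'      'EnableModuleLogging'
        ScriptBlockLogging = Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging'
        Transcription      = Get-PolicyValue 'Transcription'      'EnableTranscripting'
        TranscriptDir      = Get-PolicyValue 'Transcription'      'OutputDirectory'
    }

    # Module logging is per module: the value names under ModuleNames are the covered
    # modules ('*' = all). Skip the provider properties Get-ItemProperty adds.
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $mods = Get-ItemProperty -Path (Join-Path $PolicyRoot 'ModuleLogging\ModuleNames') -ErrorAction SilentlyContinue
    $status.ModuleNames = if ($mods) {
        @($mods.PSObject.Properties | Where-Object { $_.Name -notin $providerProps } | ForEach-Object { $_.Name })
    } else { @() }

    # Evidence check: 4103 = module/pipeline logging, 4104 = script block text
    $since = (Get-Date).AddHours(-24)
    foreach ($id in 4103, 4104) {
        $n = @(Get-WinEvent -FilterHashtable @{
                LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = $id; StartTime = $since
            } -ErrorAction SilentlyContinue).Count
        $status["Events${id}_24h"] = $n
    }
    [pscustomobject]$status
}

Get-PSLoggingStatus | Format-List
```

A value of 1 for ScriptBlockLogging together with Events4104_24h = 0 on a host that runs PowerShell daily means the policy is set but nothing is being written; check that the Microsoft-Windows-PowerShell/Operational log is enabled and not undersized before trusting it as evidence.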

EventID

View logs by Event ID. The XPath query is case-sensitive (System, EventID) and has to be written exactly like this:

wevtutil qe Security "/q:*[System[(EventID=4624)]]" /f:text

Find all events with EventID 4624 (Logon events) in the Security log

Get-EventLog -LogName Security -InstanceId 4624

Find all events with EventID 1001 (Windows Error Reporting) in the Application log

Get-EventLog -LogName Application -InstanceId 1001

Find all events with EventID 4624 (Logon events) in the Security log. Where-Object filters after every record has been read and rendered; on a large Security log, -FilterHashtable @{LogName='Security'; Id=4624} hands the filter to the log service and is far faster.

Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 4624 }

Find all events with EventID 1001 (Windows Error Reporting) in the Application log

Get-WinEvent -LogName Application | Where-Object { $_.Id -eq 1001 }

This gives the most recent entry of the PowerShell EventLog with an Event ID of 800:

Get-WinEvent -FilterHashtable @{LogName='Windows PowerShell';Id ='800'} -MaxEvents 1 | Select -Expand Message

Find all events with EventID 4624 (Logon events) in the Security log

Get-CimInstance -ClassName Win32_NTLogEvent -Filter "LogFile='Security' AND EventCode=4624"

Find all events with EventID 1001 (Windows Error Reporting) in the Application log

Get-CimInstance -ClassName Win32_NTLogEvent -Filter "LogFile='Application' AND EventCode=1001"

Retrieve events with EventID 4624 (Logon events) from the Security log

Get-WmiObject -Query "SELECT * FROM Win32_NTLogEvent WHERE Logfile='Security' AND EventCode=4624"

Content/Keywords

Find all events in the Security log that contain the username "JohnDoe"

Get-EventLog -LogName Security | Where-Object { $_.Message -like "*JohnDoe*" }

Find all events in the Application log that have the keyword "Critical"

Get-EventLog -LogName Application -EntryType "Error", "Warning", "Information" | Where-Object { $_.Message -like "*Critical*" }

Find all events in the System log that contain the word "error"

Get-WinEvent -LogName System | Where-Object { $_.Message -like "*error*" }

Find all events in the System log whose message mentions "disk". The Keywords property is a bitmask of provider and audit flags, not message text, so it cannot be used for a word search and 0x4 does not mean "disk":

Get-WinEvent -LogName System | Where-Object { $_.Message -like "*disk*" }

Keywords used for what they are: Security events carrying the Audit Failure flag (AuditSuccess is the other standard audit keyword):

Get-WinEvent -LogName Security | Where-Object { $_.Keywords -band [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditFailure }
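The content searches above run `-like` over the rendered Message, which means every event is read and rendered before the filter applies, and the wording differs between Windows builds and display languages. The following is an added example, not from the ShellSpells page, that searches a named EventData field server-side with an XPath filter instead. The field names (TargetUserName, NewProcessName) are from the 4624/4625 and 4688 event schemas; the account name "JohnDoe" is the page's placeholder, and 4688 only exists if process-creation auditing is enabled.

```powershell
# Added example: filter on a specific EventData field inside the log service via XPath,
# rather than -like on the rendered Message. To discover field names for another event,
# inspect one instance with (Get-WinEvent -LogName <log> -MaxEvents 1).ToXml().

function Find-EventByData {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][int[]]$Id,
        [Parameter(Mandatory)][string]$Field,   # EventData <Data Name="...">
        [Parameter(Mandatory)][string]$Value,
        [int]$MaxEvents = 100
    )
    # XPath 1.0 has no escaping inside a quoted literal; refuse values that would break out of it
    if ($Value -match "'") { throw "Value may not contain a single quote" }
    $idExpr = ($Id | ForEach-Object { "EventID=$_" }) -join ' or '
    $xpath  = "*[System[($idExpr)] and EventData[Data[@Name='$Field']='$Value']]"
    Get-WinEvent -LogName $LogName -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
}

# Successful (4624) and failed (4625) logons for one account, with the logon type pulled from EventData
Find-EventByData -LogName Security -Id 4624, 4625 -Field TargetUserName -Value 'JohnDoe' |
    Select-Object TimeCreated, Id, @{ n = 'LogonType'; e = {
        ([xml]$_.ToXml()).Event.EventData.Data | Where-Object Name -eq 'LogonType' | ForEach-Object { $_.'#text' }
    } }

# Process creation (4688) for a given executable path
Find-EventByData -LogName Security -Id 4688 -Field NewProcessName -Value 'C:\Windows\System32\cmd.exe'

# The same query without PowerShell, for a host where only wevtutil is available:
#   wevtutil qe Security "/q:*[System[(EventID=4624)] and EventData[Data[@Name='TargetUserName']='JohnDoe']]" /c:20 /rd:true /f:text
```

The single-quote check matters when the value comes from user input or another log: an unquoted `'` inside the XPath literal either breaks the query or changes what it matches, the same class of problem as string-built SQL.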

Date Range

Retrieve events in the Security log that occurred between two specific dates

$StartDate = Get-Date "2023-01-01"
$EndDate = Get-Date "2023-12-31"
Get-EventLog -LogName Security -After $StartDate -Before $EndDate

Retrieve events in the Application log within the specified date range

$StartTime = (Get-Date) - (New-TimeSpan -Days 7)
$EndTime = Get-Date
Get-EventLog -LogName Application -After $StartTime -Before $EndTime

Retrieve events from all logs that occurred between two specific dates. Get-EventLog -LogName does not accept wildcards; Get-WinEvent's filter hashtable does, and -ErrorAction SilentlyContinue skips logs that are empty or need higher privileges:

$StartDate = Get-Date "2023-01-01"
$EndDate = Get-Date "2023-12-31"
Get-WinEvent -FilterHashtable @{LogName='*'; StartTime=$StartDate; EndTime=$EndDate} -ErrorAction SilentlyContinue

Find events within a specific date-time range in the System log. Win32_NTLogEvent.TimeGenerated is a CIM datetime (yyyyMMddHHmmss.ffffff+UUU), so the .NET dates must be converted to that format before they can be compared in WQL; a plain "MM/dd/yyyy HH:mm:ss" string does not compare correctly:

$StartTime = Get-Date "2023-01-01T00:00:00"
$EndTime = Get-Date "2023-12-31T23:59:59"
$Start = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($StartTime)
$End = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($EndTime)
Get-CimInstance -ClassName Win32_NTLogEvent -Filter "LogFile='System' AND TimeGenerated >= '$Start' AND TimeGenerated <= '$End'"

Retrieve events in the Application log within the specified date range. -LogName and -FilterHashtable belong to different parameter sets and cannot be combined; the log name goes inside the hashtable:

$StartTime = (Get-Date "2023-01-01 00:00:00")
$EndTime = (Get-Date "2023-01-02 23:59:59")

Get-WinEvent -FilterHashtable @{
    LogName='Application';
    StartTime=$StartTime;
    EndTime=$EndTime
}

Retrieve events within the specified date and time range from the Application log via WMI. As with the CIM query above, WQL compares TimeGenerated as a CIM datetime, so ISO-8601 strings such as 2023-01-01T00:00:00Z have to be converted first:

$StartTime = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date "2023-01-01T00:00:00Z"))
$EndTime = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date "2023-01-02T23:59:59Z"))

Get-WmiObject -Query "SELECT * FROM Win32_NTLogEvent WHERE Logfile='Application' AND TimeGenerated >= '$StartTime' AND TimeGenerated <= '$EndTime'"
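Each query above targets one log and prints to the console. The following is an added example, not from the ShellSpells page, that pulls one time window from several logs into a single CSV with UTC timestamps, the form most timeline tools expect, and shows how to hand Get-WinEvent a window that was given in UTC (a SIEM alert time, for instance). The log list, window and output paths are placeholders; the UTC handling relies on .NET treating a DateTime without a Kind as local time.

```powershell
# Added example: time-boxed pull across several logs into one CSV with UTC timestamps.
# TimeCreated on the event objects is local time; the export converts it to UTC so the
# rows line up with other hosts and with packet captures regardless of time zone.

function Export-EventWindow {
    param(
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End,
        [string[]]$LogName = @('Security', 'System', 'Application', 'Microsoft-Windows-PowerShell/Operational'),
        [Parameter(Mandatory)][string]$OutFile
    )
    if ($End -le $Start) { throw "End must be after Start" }

    # One query per log so a missing or access-denied log does not abort the others
    $events = foreach ($log in $LogName) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue
    }

    $rows = $events | Sort-Object TimeCreated | ForEach-Object {
        [pscustomobject]@{
            TimeUtc  = $_.TimeCreated.ToUniversalTime().ToString('o')   # zone-free timeline column
            Log      = $_.LogName
            Id       = $_.Id
            Level    = $_.LevelDisplayName
            Provider = $_.ProviderName
            Computer = $_.MachineName
            Message  = ($_.Message -replace '\s+', ' ')                # flatten multi-line text for CSV
        }
    }
    $rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
    $rows.Count
}

# Last 24 hours, all four default logs
$now = Get-Date
Export-EventWindow -Start $now.AddHours(-24) -End $now -OutFile "$env:USERPROFILE\Desktop\events-24h.csv"

# A window given in UTC: mark the DateTime as UTC so it is not reinterpreted as local time,
# then take 30 minutes either side of the alert
$alertUtc = [datetime]::SpecifyKind((Get-Date '2023-01-01T00:00:00'), 'Utc')
Export-EventWindow -Start $alertUtc.AddMinutes(-30) -End $alertUtc.AddMinutes(30) `
    -OutFile "$env:USERPROFILE\Desktop\events-alert.csv"
```

The function returns the row count so a scripted collection can flag an empty window, which on a normally chatty host usually means the log was cleared or the clock is wrong rather than that nothing happened.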
Last updated 1 year ago