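filter Read-WinEvent {
<#
.SYNOPSIS
Flattens a Windows event record into one PSCustomObject with a property per event field.

.DESCRIPTION
Calls ToXml() on each pipeline object (normally an EventLogRecord from Get-WinEvent),
parses the XML and returns an object whose properties are:

  - every child element of <System>, in alphabetical order: its text when it has text
    (EventID, Level, Computer, Channel, ...), otherwise a hashtable of its attributes
    (Provider -> @{Name=..; Guid=..}, Execution -> @{ProcessID=..; ThreadID=..}).
    TimeCreated is rendered as 'yyyy-MM-dd HH:mm:ss K' in the local time zone.
    Empty elements such as <Security /> contribute no property.
  - every <Data> element of <EventData>, keyed by its Name attribute. An unnamed
    <Data> element gets the constructed key Data<n>, where n is its position
    among the <EventData> children. A Data name that equals a <System> field name
    overwrites that field.

Only <EventData> is flattened; events that carry <UserData> instead keep just their
<System> fields. Values are copied verbatim from the event XML and originate from the
logged activity, so treat them as untrusted text when feeding them into queries or reports.

.INPUTS
System.Diagnostics.Eventing.Reader.EventLogRecord, or any object with a ToXml() method
that returns event XML.

.OUTPUTS
System.Management.Automation.PSCustomObject

.EXAMPLE
Get-WinEvent -FilterHashTable @{LogName="Security";Id=4625} | Read-WinEvent | Select-Object -Property TimeCreated,TargetUserName,LogonType | Format-Table -AutoSize
TimeCreated TargetUserName LogonType
----------- -------------- ---------
9/12/2021 8:23:27 AM Victor 2
9/12/2021 8:23:27 AM Victor 2
9/12/2021 7:49:37 AM Victor 2
9/12/2021 7:49:37 AM Victor 2
#>
    $WinEvent = [ordered]@{}
    $XmlData = [xml]$_.ToXml()
    $SystemData = $XmlData.Event.System

    # Get-Member lists the adapted child-element names alphabetically; that order
    # is what fixes the column order of the returned object, so it is kept.
    $SystemFields = $SystemData |
        Get-Member -MemberType Properties |
        Select-Object -ExpandProperty Name

    foreach ($Field in $SystemFields) {
        # XmlElement indexer: the raw element, not the adapter's string shortcut.
        $Element = $SystemData[$Field]
        if ($Field -eq 'TimeCreated') {
            # SystemTime is UTC in the XML; Get-Date renders it in local time and 'K'
            # keeps the UTC offset so the instant stays unambiguous.
            $WinEvent[$Field] = Get-Date -Date $Element.SystemTime -Format 'yyyy-MM-dd HH:mm:ss K'
        } elseif ($Element.'#text') {
            # Text wins over attributes (e.g. <EventID Qualifiers="..">7036</EventID>).
            $WinEvent[$Field] = $Element.'#text'
        } elseif ($Element.HasAttributes) {
            # One hashtable per attribute-only element, created once before the loop
            # so every attribute is retained (Provider.Guid, Execution.ProcessID, ...).
            $Attributes = @{}
            foreach ($Attribute in $Element.Attributes) {
                $Attributes[$Attribute.LocalName] = $Attribute.Value
            }
            $WinEvent[$Field] = $Attributes
        }
        # Elements with neither text nor attributes (<Security />) add no property.
    }

    # Walk EventData's raw child nodes: the adapter would collapse a text-only,
    # unnamed <Data> into a plain string and its Name attribute would be lost.
    $Index = 0
    foreach ($DataNode in $XmlData.Event['EventData'].ChildNodes) {
        if ($DataNode.LocalName -eq 'Data') {
            $Name = $DataNode.GetAttribute('Name')
            if (-not $Name) {
                # Unnamed <Data> elements are keyed by position (constructed key).
                $Name = "Data$Index"
            }
            $WinEvent[$Name] = $DataNode.'#text'
        }
        $Index++
    }

    [pscustomobject]$WinEvent
}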