locked
Get PowerShell Operational Logs from Event Viewer RRS feed

 > 

  • Question

  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi,

    How can I get PowerShell Operational Logs from Event View? I tried 

    Get-EventLog -LogName "Windows PowerShell"
    command, but output's records aren't same with in the Event Viewer. I need get logs about Event ID = 4104 and 4100


    Wednesday, February 21, 2018 12:25 PM

All replies

  • Question
    Sign in to vote
    0
    Sign in to vote

    HI,

    Get-EventLog -LogName "Windows PowerShell" | where {$_.InstanceID -eq "4104" -or "4100"}

    or

    Get-WinEvent -LogName "Windows PowerShell" | where {$_.InstanceID -eq "4104" -or "4100"}



    • Edited by VBosh Wednesday, February 21, 2018 1:09 PM
    Wednesday, February 21, 2018 1:08 PM
  • Question
    Sign in to vote
    0
    Sign in to vote

    Thanks for your reply I tried that but records aren't same. These records from PowerShell

     Index Time          EntryType   Source                 InstanceID Message
 ----- ----          ---------   ------                 ---------- -------
   476 Şub 21 15:09  Information PowerShell                    403 Engine state is changed from Available to Stopped. ...
   475 Şub 21 15:09  Information PowerShell                    400 Engine state is changed from None to Available. ...
   474 Şub 21 15:09  Information PowerShell                    600 Provider "Variable" is Started. ...
   473 Şub 21 15:09  Information PowerShell                    600 Provider "Function" is Started. ...
   472 Şub 21 15:09  Information PowerShell                    600 Provider "FileSystem" is Started. ...
   471 Şub 21 15:09  Information PowerShell                    600 Provider "Environment" is Started. ...
   470 Şub 21 15:09  Information PowerShell                    600 Provider "Alias" is Started. ...
   469 Şub 21 15:09  Information PowerShell                    600 Provider "Registry" is Started. ...
   468 Şub 21 14:49  Information PowerShell                    403 Engine state is changed from Available to Stopped. ...
   467 Şub 21 14:49  Information PowerShell                    400 Engine state is changed from None to Available. ...
   466 Şub 21 14:49  Information PowerShell                    600 Provider "Variable" is Started. ...
   465 Şub 21 14:49  Information PowerShell                    600 Provider "Function" is Started. ...
   464 Şub 21 14:49  Information PowerShell                    600 Provider "FileSystem" is Started. ...
   463 Şub 21 14:49  Information PowerShell                    600 Provider "Environment" is Started. ...
   462 Şub 21 14:49  Information PowerShell                    600 Provider "Alias" is Started. ...
   461 Şub 21 14:49  Information PowerShell                    600 Provider "Registry" is Started. ...
   460 Şub 21 14:29  Information PowerShell                    403 Engine state is changed from Available to Stopped. ...
   459 Şub 21 14:29  Information PowerShell                    400 Engine state is changed from None to Available. ...
   458 Şub 21 14:29  Information PowerShell                    600 Provider "Variable" is Started. ...

    And these are from Event Viewer

    Bilgi	21.02.2018 14:29:39	PowerShell (Microsoft-Windows-PowerShell)	40962	PowerShell Console Startup
Bilgi	21.02.2018 14:29:39	PowerShell (Microsoft-Windows-PowerShell)	53504	PowerShell Named Pipe IPC
Bilgi	21.02.2018 14:29:39	PowerShell (Microsoft-Windows-PowerShell)	40961	PowerShell Console Startup
Uyarı	21.02.2018 14:14:57	PowerShell (Microsoft-Windows-PowerShell)	4100	Executing Pipeline
Uyarı	21.02.2018 14:14:48	PowerShell (Microsoft-Windows-PowerShell)	4100	Executing Pipeline
Bilgi	21.02.2018 14:09:38	PowerShell (Microsoft-Windows-PowerShell)	40962	PowerShell Console Startup
Bilgi	21.02.2018 14:09:38	PowerShell (Microsoft-Windows-PowerShell)	53504	PowerShell Named Pipe IPC
Bilgi	21.02.2018 14:09:38	PowerShell (Microsoft-Windows-PowerShell)	40961	PowerShell Console Startup
Uyarı	21.02.2018 13:59:35	PowerShell (Microsoft-Windows-PowerShell)	4100	Executing Pipeline
Bilgi	21.02.2018 13:59:23	PowerShell (Microsoft-Windows-PowerShell)	40962	PowerShell Console Startup
Bilgi	21.02.2018 13:59:23	PowerShell (Microsoft-Windows-PowerShell)	53504	PowerShell Named Pipe IPC
    So 4104 or 4100 values didn't find on PowerShell


    • Edited by umutgur Wednesday, February 21, 2018 1:17 PM
    Wednesday, February 21, 2018 1:16 PM
  • Question
    Sign in to vote
    1
    Sign in to vote

    You cannot get all logs from modern Windows using the now obsolete Get-EventLog.

    You must take time to learn how event logs work and you must take time to learn how Get-WinEvent works.  You cannot learn this by guessing.

    Get-WinEvent -FilterHashtable @{Logname='Microsoft-Windows-PowerShell/Operational';ID=4100,4104}

    \_(ツ)_/

    Wednesday, February 21, 2018 3:32 PM