Powershell 3.0 Get-Eventlog EventID is missing

  • Question

  • Hi,

    I want to get an output of all my "Windows PowerShell" events, listed by EventLog. The problem is that I don't get this specific information in the output, which makes it quite complicated. Here's what I wrote:

    Get-Eventlog 'Windows Powershell' | Format-List

    So it's quite simple and there's almost nothing I could do wrong here, but still my expected information is missing! I'm logged in with an admin account, so I should have the rights to see all of the information. What I do get is the "InstanceID", but even though I don't have much experience with PowerShell, I strongly doubt that this is the information I am looking for.

    Any reply is helpful!

    Thanks a lot :)

    Wednesday, April 2, 2014 9:41 AM

Answers

  • Unfortunately InstanceID is Not EventID.  It is similar but has two further defined fields folded in. "The EventID property equals the InstanceId with the top two bits masked off"

    Here is how to get the true EventId.

    Get-Eventlog 'Windows Powershell' -Newest 1|ft EventId,Category,Source,Message -auto

    See: http://msdn.microsoft.com/en-us/library/system.diagnostics.eventlogentry.instanceid(v=vs.110).aspx

    Instance IDs greater than 0xC0000000 will not be found or recognized.

    Knowing that, you can test the ID you are looking for.  If it cannot be found with InstanceID then add the two extra bits and look again.

    On Windows Vista and later Get-WinEvent is more flexible and reliable.


    ¯\_(ツ)_/¯

    Wednesday, April 2, 2014 1:31 PM
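
As an added example (not part of the original thread and not Microsoft's code), this PowerShell function applies the rule quoted in the answer, masking off the top two bits of InstanceId to get EventID, and also splits out the other fields. It assumes the standard Windows message-identifier layout; the function name `ConvertFrom-InstanceId` and the sample values are constructed for illustration.

```powershell
# Added example: decode a 32-bit InstanceId into its fields.
# Assumed layout (standard Windows message identifier):
#   bits 31-30 severity, 29 customer flag, 28 reserved,
#   bits 27-16 facility, bits 15-0 code
function ConvertFrom-InstanceId {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [long]$InstanceId
    )
    begin {
        $severityNames = 'Success', 'Informational', 'Warning', 'Error'
    }
    process {
        # InstanceId is exposed as Int64 but only carries 32 bits
        if ($InstanceId -lt 0 -or $InstanceId -gt [uint32]::MaxValue) {
            Write-Error "InstanceId $InstanceId is not a 32-bit value"
            return
        }
        $severity = [int](($InstanceId -shr 30) -band 0x3)
        [pscustomobject]@{
            InstanceId = $InstanceId
            Hex        = '0x{0:X8}' -f $InstanceId
            Severity   = $severityNames[$severity]
            Customer   = [bool](($InstanceId -shr 29) -band 0x1)
            Facility   = [int](($InstanceId -shr 16) -band 0xFFF)
            # EventID as quoted above: InstanceId with the top two bits masked off
            EventID    = [int]($InstanceId -band 0x3FFFFFFF)
            # Low 16 bits only (the code field of the identifier)
            Code       = [int]($InstanceId -band 0xFFFF)
        }
    }
}

# Constructed sample values, not taken from a real log:
#   400        = 0x00000190  (no severity bits set)
#   1073742224 = 0x40000190  (same code, Informational severity)
#   3221225872 = 0xC0000190  (same code, Error severity)
#   2147746192 = 0x80040190  (Warning severity, facility 4)
$samples = 400, 1073742224, 3221225872, 2147746192
$samples | ConvertFrom-InstanceId | Format-Table -AutoSize

# On a live system, feed it the entries' own values instead:
# Get-EventLog 'Windows PowerShell' -Newest 20 |
#     ForEach-Object { $_.InstanceId } | ConvertFrom-InstanceId
```

The first three samples decode to the same EventID and differ only in severity, which is why a search by InstanceId for the bare number can miss entries that Event Viewer lists under that ID.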

All replies

  • Hi Tobias,

    Put your doubts to rest - InstanceID is exactly what you are looking for - it's the eventID or Ereignis ID. Compare it to the Eventlog GUI entries, and you can do the comparison by eye.

    Cheers,
    Fred


    There's no place like 127.0.0.1

    Wednesday, April 2, 2014 9:49 AM
  • Hi Fred,

    Thanks for the quick answer, I could have been working on this for hours and wouldn't have gotten a result!

    Cheers

    Wednesday, April 2, 2014 10:04 AM