Get PowerShell Operational Logs from Event Viewer

  • Question

  • Hi,

    How can I get PowerShell Operational Logs from Event Viewer? I tried the

    Get-EventLog -LogName "Windows PowerShell"
    command, but the output's records aren't the same as in the Event Viewer. I need to get logs for Event ID = 4104 and 4100.


    Wednesday, February 21, 2018 12:25 PM

All replies

  • Hi,

    Get-EventLog -LogName "Windows PowerShell" | where {$_.InstanceID -eq 4104 -or $_.InstanceID -eq 4100}

    or

    Get-WinEvent -LogName "Windows PowerShell" | where {$_.Id -eq 4104 -or $_.Id -eq 4100}



    • Edited by VBosh Wednesday, February 21, 2018 1:09 PM
    Wednesday, February 21, 2018 1:08 PM
  • Thanks for your reply. I tried that, but the records aren't the same. These records are from PowerShell:

     Index Time          EntryType   Source                 InstanceID Message
     ----- ----          ---------   ------                 ---------- -------
       476 Şub 21 15:09  Information PowerShell                    403 Engine state is changed from Available to Stopped. ...
       475 Şub 21 15:09  Information PowerShell                    400 Engine state is changed from None to Available. ...
       474 Şub 21 15:09  Information PowerShell                    600 Provider "Variable" is Started. ...
       473 Şub 21 15:09  Information PowerShell                    600 Provider "Function" is Started. ...
       472 Şub 21 15:09  Information PowerShell                    600 Provider "FileSystem" is Started. ...
       471 Şub 21 15:09  Information PowerShell                    600 Provider "Environment" is Started. ...
       470 Şub 21 15:09  Information PowerShell                    600 Provider "Alias" is Started. ...
       469 Şub 21 15:09  Information PowerShell                    600 Provider "Registry" is Started. ...
       468 Şub 21 14:49  Information PowerShell                    403 Engine state is changed from Available to Stopped. ...
       467 Şub 21 14:49  Information PowerShell                    400 Engine state is changed from None to Available. ...
       466 Şub 21 14:49  Information PowerShell                    600 Provider "Variable" is Started. ...
       465 Şub 21 14:49  Information PowerShell                    600 Provider "Function" is Started. ...
       464 Şub 21 14:49  Information PowerShell                    600 Provider "FileSystem" is Started. ...
       463 Şub 21 14:49  Information PowerShell                    600 Provider "Environment" is Started. ...
       462 Şub 21 14:49  Information PowerShell                    600 Provider "Alias" is Started. ...
       461 Şub 21 14:49  Information PowerShell                    600 Provider "Registry" is Started. ...
       460 Şub 21 14:29  Information PowerShell                    403 Engine state is changed from Available to Stopped. ...
       459 Şub 21 14:29  Information PowerShell                    400 Engine state is changed from None to Available. ...
       458 Şub 21 14:29  Information PowerShell                    600 Provider "Variable" is Started. ...

    And these are from Event Viewer

    Bilgi	21.02.2018 14:29:39	PowerShell (Microsoft-Windows-PowerShell)	40962	PowerShell Console Startup
    Bilgi	21.02.2018 14:29:39	PowerShell (Microsoft-Windows-PowerShell)	53504	PowerShell Named Pipe IPC
    Bilgi	21.02.2018 14:29:39	PowerShell (Microsoft-Windows-PowerShell)	40961	PowerShell Console Startup
    Uyarı	21.02.2018 14:14:57	PowerShell (Microsoft-Windows-PowerShell)	4100	Executing Pipeline
    Uyarı	21.02.2018 14:14:48	PowerShell (Microsoft-Windows-PowerShell)	4100	Executing Pipeline
    Bilgi	21.02.2018 14:09:38	PowerShell (Microsoft-Windows-PowerShell)	40962	PowerShell Console Startup
    Bilgi	21.02.2018 14:09:38	PowerShell (Microsoft-Windows-PowerShell)	53504	PowerShell Named Pipe IPC
    Bilgi	21.02.2018 14:09:38	PowerShell (Microsoft-Windows-PowerShell)	40961	PowerShell Console Startup
    Uyarı	21.02.2018 13:59:35	PowerShell (Microsoft-Windows-PowerShell)	4100	Executing Pipeline
    Bilgi	21.02.2018 13:59:23	PowerShell (Microsoft-Windows-PowerShell)	40962	PowerShell Console Startup
    Bilgi	21.02.2018 13:59:23	PowerShell (Microsoft-Windows-PowerShell)	53504	PowerShell Named Pipe IPC
    So the 4104 or 4100 values weren't found in PowerShell.


    • Edited by umutgur Wednesday, February 21, 2018 1:17 PM
    Wednesday, February 21, 2018 1:16 PM
  • You cannot get all logs from modern Windows using the now obsolete Get-EventLog.

    You must take time to learn how event logs work and you must take time to learn how Get-WinEvent works.  You cannot learn this by guessing.

    Get-WinEvent -FilterHashtable @{Logname='Microsoft-Windows-PowerShell/Operational';ID=4100,4104}


    \_(ツ)_/

    Wednesday, February 21, 2018 3:32 PM
    Moderator
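
An added example, not part of the thread, that builds on the moderator's Get-WinEvent query: it confirms the Operational channel is enabled, pulls events 4100 and 4104, and reassembles 4104 script blocks that were split across several events. The 24-hour window is an arbitrary assumption, and the EventData field names (ScriptBlockId, MessageNumber, MessageTotal, ScriptBlockText, Path) come from the 4104 event schema, not from the thread.

```powershell
# Added example, not from the thread. Run elevated if access to the log is denied.
$logName = 'Microsoft-Windows-PowerShell/Operational'

# Get-EventLog only reads classic logs, so this channel needs Get-WinEvent.
# Confirm the channel exists and is still recording before trusting an empty result.
$log = Get-WinEvent -ListLog $logName -ErrorAction Stop
if (-not $log.IsEnabled) { Write-Warning "$logName is disabled; no new events are recorded." }

# -FilterHashtable filters at the source. SilentlyContinue suppresses the error
# Get-WinEvent raises when no events match. StartTime (24 h) is an assumed window.
$filter = @{ LogName = $logName; Id = 4100, 4104; StartTime = (Get-Date).AddDays(-1) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
"{0} matching events in the last 24 hours" -f $events.Count

# 4100: the "Executing Pipeline" warnings seen in the thread's Event Viewer output.
$events | Where-Object Id -eq 4100 |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# 4104: script block logging. Large blocks span several events that share a
# ScriptBlockId, so read the named EventData fields and join the fragments.
$events | Where-Object Id -eq 4104 | ForEach-Object {
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated   = $_.TimeCreated
        ScriptBlockId = $data['ScriptBlockId']
        MessageNumber = [int]$data['MessageNumber']
        MessageTotal  = [int]$data['MessageTotal']
        Path          = $data['Path']
        Text          = $data['ScriptBlockText']
    }
} | Group-Object ScriptBlockId | ForEach-Object {
    $parts = @($_.Group | Sort-Object MessageNumber)
    [pscustomobject]@{
        FirstPart     = $parts[0].TimeCreated
        ScriptBlockId = $_.Name
        Path          = $parts[0].Path
        # False means fragments are missing (log rolled over or outside the window).
        Complete      = ($parts.Count -eq $parts[0].MessageTotal)
        ScriptBlock   = ($parts.Text -join '')
    }
} | Sort-Object FirstPart | Format-List
```

A script block reported with Complete = False should be re-queried with a wider StartTime before it is reviewed, since the missing fragments may simply predate the window.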