PowerShell and the Windows Event Log

What was once easy is now exceptionally convoluted and difficult. There is some chance that your automated script is already logging to the event log (PowerShell Core/Operational), but there's every chance that log is full of Warnings too. Good luck. LOL

New-WinEvent

The New-WinEvent cmdlet creates an Event Tracing for Windows (ETW) event for an event provider. You can use this cmdlet to add events to ETW channels from PowerShell.

New-WinEvent [-ProviderName] <String> [-Id] <Int32> [-Version <Byte>] [[-Payload] <Object[]>] [<CommonParameters>]

Examples:

New-WinEvent -ProviderName Microsoft-Windows-PowerShell -Id 45090 -Payload @("Workflow", "Running")

More on New-WinEvent here.

Get-WinEvent

The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs. The cmdlet gets data from event logs that are generated by the Windows Event Log technology introduced in Windows Vista and events in log files generated by Event Tracing for Windows (ETW). By default, Get-WinEvent returns event information in the order of newest to oldest.

Get-WinEvent [[-LogName] <String[]>] [-MaxEvents <Int64>] [-ComputerName <String>] [-Credential <PSCredential>] [-FilterXPath <String>] [-Force] [-Oldest] [<CommonParameters>]

More on Get-WinEvent here.
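Before adding custom events it is worth checking what PowerShell already records about your scripts. The function below is an added example, not code from the original post: it reads the PowerShell Operational log with Get-WinEvent, shows how much of it is Warning noise, and counts the script block logging events (ID 4104) that capture script content when that policy is enabled. It assumes a Windows 10 / Server 2016 or later host and a user allowed to read that log.

```powershell
# Added example (not from the original post). Summarise what the PowerShell
# Operational log already holds, so you know what your scripts leave behind.
function Get-PsOperationalSummary {
    [CmdletBinding()]
    param(
        [string] $LogName = 'Microsoft-Windows-PowerShell/Operational',
        [int]    $MaxEvents = 2000    # bound the query; the log can be large
    )

    # Get-WinEvent returns newest first; -FilterHashtable is evaluated by the
    # service, which is far cheaper than piping everything through Where-Object.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning "No events read from $LogName (empty log or access denied)."
        return
    }

    # Level 2 = Error, 3 = Warning, 4 = Information (LevelDisplayName is friendlier).
    $byLevel = $events | Group-Object LevelDisplayName |
               Select-Object Name, Count | Sort-Object Count -Descending

    # Event ID 4104 is "Execute a Remote Command": the script block text itself.
    # Its presence tells you script block logging is switched on for this host.
    $scriptBlocks = @($events | Where-Object Id -eq 4104)

    # Oldest first is easier to read when reconstructing what a script did.
    $firstBlock = $scriptBlocks | Sort-Object TimeCreated | Select-Object -First 1

    [pscustomobject]@{
        Sampled          = $events.Count
        Warnings         = @($events | Where-Object Level -eq 3).Count
        ScriptBlockCount = $scriptBlocks.Count
        ByLevel          = $byLevel
        OldestScriptBlock = if ($firstBlock) { $firstBlock.TimeCreated } else { $null }
    }
}

# Usage: a high Warnings count confirms the noise the post complains about, and a
# ScriptBlockCount of zero means script content is not being recorded at all.
Get-PsOperationalSummary | Format-List
```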

The post below describes the deprecated way of interacting with the Event Log from PowerShell. In PowerShell 7 onwards, use the New-WinEvent and Get-WinEvent cmdlets instead.

The command Get-Command -Name *Event will still list the deprecated commands shown below, but they will not work and will error with “The term ‘New-EventLog’ is not recognised as a name of a cmdlet…”

The command Get-Command -Name *WinEvent will list the supported cmdlets, namely New-WinEvent and Get-WinEvent.

PowerShell Commands to interact with Windows Event Log

New-EventLog
Get-EventLog
Show-EventLog
Clear-EventLog
Write-EventLog
Limit-EventLog
Remove-EventLog

New-EventLog

Creates a new event log and a new event source on a local or remote computer.
This cmdlet creates a new classic event log on a local or remote computer. It can also register an event source that writes to the new log or to an existing log.


New-EventLog [-LogName] <String> [-Source] <String[]> [[-ComputerName] <String[]>] [-CategoryResourceFile <String>] [-MessageResourceFile <String>] [-ParameterResourceFile <String>] [<CommonParameters>]

Get-EventLog

Gets the events in an event log, or a list of the event logs, on the local computer or remote computers.


Get-EventLog [-LogName] <String> [-ComputerName <String[]>] [-Newest <Int32>] [-After <DateTime>] [-Before <DateTime>] [-UserName <String[]>] [[-InstanceId] <Int64[]>] [-Index <Int32[]>] [-EntryType <String[]>] [-Source <String[]>] [-Message <String>] [-AsBaseObject] [<CommonParameters>]

Show-EventLog

Displays the event logs of the local or a remote computer in Event Viewer.
The Show-EventLog cmdlet opens Event Viewer on the local computer and displays in it all of the classic event logs on the local computer or a remote computer.


Show-EventLog [[-ComputerName] <String>] [<CommonParameters>]

Clear-EventLog

Clears all entries from specified event logs on the local or remote computers.
The Clear-EventLog cmdlet deletes all of the entries from the specified event logs on the local computer or on remote computers. To use Clear-EventLog, you must be a member of the Administrators group on the affected computer.


Clear-EventLog [-LogName] <String[]> [[-ComputerName] <String[]>] [-WhatIf] [-Confirm] [<CommonParameters>]

Write-EventLog

Writes an event to an event log.
To write an event to an event log, the event log must exist on the computer and the source must be registered for the event log.


Write-EventLog [-LogName] <String> [-Source] <String> [[-EntryType] <EventLogEntryType>] [-Category <Int16>] [-EventId] <Int32> [-Message] <String> [-RawData <Byte[]>] [-ComputerName <String>] [<CommonParameters>]

Limit-EventLog

Sets the event log properties that limit the size of the event log and the age of its entries.
The Limit-EventLog cmdlet sets the maximum size of a classic event log, how long each event must be retained, and what happens when the log reaches its maximum size. You can use it to limit the event logs on local or remote computers.


Limit-EventLog [-LogName] <String[]> [-ComputerName <String[]>] [-RetentionDays <Int32>] [-OverflowAction <OverflowAction>] [-MaximumSize <Int64>] [-WhatIf] [-Confirm] [<CommonParameters>]

Remove-EventLog

Deletes an event log or unregisters an event source.
The Remove-EventLog cmdlet deletes an event log file from a local or remote computer and unregisters all its event sources for the log. You can also use this cmdlet to unregister event sources without deleting any event logs.


Remove-EventLog [[-ComputerName] <String[]>] [-LogName] <String[]> [-WhatIf] [-Confirm] [<CommonParameters>]

Example: Write events from a PowerShell script to the Windows Event Viewer Application log.

First, register a new Application event log source (this needs an elevated session the first time; once the source exists, ordinary users can write with it).

New-EventLog -LogName Application -Source 'MyScript.ps1'

The Event Log itself requires five pieces of information before an event can be written to it.

  • LogName (Application)
  • Source (Script Name)
  • EventID
  • EntryType (Information, Error or Warning)
  • Message

The following code demonstrates how you might gather these pieces of information inside a statement and how you’d then write the event itself.

$filePath = 'C:\MyFile.txt'

# Parameters common to both branches; the remaining three are added below and
# the whole hashtable is splatted into Write-EventLog. Note that @{ must be on
# one line: '@' followed by a newline is a syntax error in PowerShell.
$parameters = @{
  'LogName' = 'Application'
  'Source'  = 'MyScript.ps1'
}

if (Test-Path -Path $filePath)
{
  $parameters += @{
    'EventId'   = 1111
    'EntryType' = 'Information'
    'Message'   = 'The file already exists'
  }
  Write-EventLog @parameters
}
else
{
  $parameters += @{
    'EventId'   = 1112
    'EntryType' = 'Error'
    'Message'   = 'The file does not exist'
  }
  Write-EventLog @parameters
}

Top Tip: You may already have a function in your script that performs logging to a file. You could augment it with a few lines that also add an event to the Windows event log, depending on the outcome of the script or code loop.
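One way to do exactly that, as an added example rather than code from the original post: a file logger that, when asked, mirrors the entry into the Application log using the same five pieces of information the post lists, registering the source on first use. It assumes Windows PowerShell 5.1 (where Write-EventLog exists); the source name, log path and event IDs are placeholders.

```powershell
# Added example (not from the original post): file logging augmented with an
# optional Application event log entry, so only the outcomes you care about
# (for example failures) reach the event log and the rest stays in the file.
function Write-Log {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Message,
        [ValidateSet('Information', 'Warning', 'Error')] [string] $Level = 'Information',
        [int]    $EventId = 1000,
        [string] $Path    = 'C:\Logs\MyScript.log',   # placeholder path
        [string] $Source  = 'MyScript.ps1',           # placeholder source name
        [switch] $EventLog                            # also write to the Application log
    )

    # Always write the file entry first so a failing event log call loses nothing.
    $line = '{0:yyyy-MM-dd HH:mm:ss} [{1}] {2}' -f (Get-Date), $Level, $Message
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    Add-Content -Path $Path -Value $line

    if (-not $EventLog) { return }

    # Write-EventLog fails if the source is not registered. SourceExists needs
    # to read every log's registry key, so run the first call elevated.
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName Application -Source $Source -ErrorAction Stop
    }

    # The five pieces of information the Event Log requires, splatted as in the post.
    $entry = @{
        LogName   = 'Application'
        Source    = $Source
        EventId   = $EventId
        EntryType = $Level        # string converts to EventLogEntryType
        Message   = $line
    }
    Write-EventLog @entry
}

# Usage: the success path stays in the file; the failure path is also raised as
# an Error event that monitoring can pick up from the Application log.
$filePath = 'C:\MyFile.txt'
if (Test-Path -Path $filePath) {
    Write-Log -Message "The file $filePath already exists" -EventId 1111
} else {
    Write-Log -Message "The file $filePath does not exist" -Level Error -EventId 1112 -EventLog
}
```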
