Windows Events Logs
Wevtutil.exe
Get-WinEvent
Xpath Queries

# Notes: querying Windows event logs with wevtutil.exe and Get-WinEvent,
# including XPath (-FilterXPath) filters. Commands are shown with the values
# used in the original walkthrough (log names, file paths, event IDs,
# user names); substitute your own.
#
# Breakdown of the command
wevtutil qe Application /c:3 /rd:true /f:text
# wevtutil - Enables you to retrieve information about event logs and publishers
# qe - Tells wevtutil to query events from a specified log.
# Application - The name of the log to query (in this case, the Application log)
# /c:3 - c = Count; limits the output to 3 events.
# /rd:true - rd = Reverse Direction; true means show the newest event first
# /f:text - f = Format; render the events as plain text instead of the default XML
Get-WinEvent -ListLog * # list all event logs on the local machine
Get-WinEvent -Path "C:\Users\Administrator\Desktop\merged.evtx" # show every event from the file merged.evtx
Get-WinEvent -Path "C:\Users\Administrator\Desktop\merged.evtx" | Where-Object { $_.Id -eq 400 } # find events in the merged.evtx file with ID 400
Get-WinEvent -ListProvider * # event log providers and their associated logs. Name is the provider; LogLinks is the log it writes to.
Get-WinEvent -LogName Application | Where-Object { $_.ProviderName -Match 'WLMS' } # filter the Application log to events whose provider name matches 'WLMS' (-Match is a regular-expression match, not an exact compare)
Get-WinEvent -ListLog *smb* # find log names containing the word "smb"; the wildcard match isn't case sensitive
# NOTE: the leading ">>" on the second line below appears to be PowerShell's
# continuation prompt captured along with the command; it is not part of the
# command itself.
(Get-WinEvent -ListProvider Microsoft-Windows-Powershell).Events |
>> Format-Table Id, Description | Measure-Object
# Intended to show how many different event IDs the Microsoft-Windows-Powershell
# provider defines. Note that Measure-Object here counts the formatting records
# emitted by Format-Table rather than the events; measure the .Events collection
# directly if an exact count is needed.
Get-WinEvent -Path D:\Downloads\Investigation-1.evtx -FilterXPath '*/EventData/Data[@Name="Image"] and */EventData/Data="C:\Windows\System32\svchost.exe"' |Format-List # events from the .evtx that have an EventData "Image" field and a Data value equal to the svchost.exe path
# "Image" is a technical term for a compiled binary file like an EXE or DLL. The
# original note says this can match just the filename or the entire path; as
# written the XPath "=" is an exact string compare against the full path, so
# confirm before relying on a bare filename.
Format-List - Property * # Format-List with -Property * displays every property of each object (note the stray space in "- Property" as written; the parameter is -Property)
-MaxEvents # limits the number of events Get-WinEvent returns
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.5&viewFallbackFrom=powershell-7.1
# Get-WinEvent syntax and usage examples (link above). XPath syntax and functions reference: https://learn.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ms256115(v=vs.100)
Get-WinEvent -LogName Application -FilterXPath '*/System/EventID=100' # filters the Application log (Windows Logs > Application) to events whose System/EventID element equals 100
Get-WinEvent -Path "C:\Users\Administrator\Desktop\merged.evtx" -FilterXPath '*/System/EventID=4104' # finds events with ID 4104 in the supplied .evtx file (4104 is PowerShell script block logging, normally written to Microsoft-Windows-PowerShell/Operational)
Get-WinEvent -LogName Application -FilterXPath '*/System/Provider[@Name="WLMS"]' # filters the Application log to events whose System/Provider Name attribute is "WLMS" (per the original note, not case sensitive)
Get-WinEvent -LogName Application -FilterXPath '*/System/EventID=101 and */System/Provider[@Name="WLMS"]' # combines both filters: EventID 101 and provider name WLMS
Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="System"' -MaxEvents 1 # gets Security events whose TargetUserName is "System"; -MaxEvents 1 returns only the first event
Format-List # Add at the end of a pipeline to display all properties of each object in a vertical, readable list rather than a horizontal table (which often truncates long values like event messages)
Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="Sam"' # all Security events whose TargetUserName is "Sam"
Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="Sam" and */System/EventID=4720' # when the user account was created (Security EventID 4720 = "A user account was created")
Get-WinEvent -LogName Application -FilterXPath '*/System/Provider[@Name="WLMS"] and */System/TimeCreated[@SystemTime="2020-12-15T01:09:08.940277500Z"]' # events with provider name WLMS whose SystemTime is exactly 2020-12-15T01:09:08.940277500Z (as written, compared as the full timestamp string)