Event Logs

Windows Event Logs are a record of significant events that occur within the Windows operating system, such as system errors, application crashes, security breaches, and other system events. These logs provide valuable information for diagnosing problems and troubleshooting issues on a Windows-based system. They can also be used for security auditing and compliance purposes, providing an audit trail of system activity. Windows Event Logs are typically managed through the Event Viewer tool, which allows users to view, filter, and analyze log data.

Wevtutil.exe

Wevtutil is a command-line tool in Windows that allows users to manage event logs and perform various tasks related to Windows Event Logs. It can be used to query, export, clear, and back up event logs, among other functions.

wevtutil qe Application /c:5 /rd:true /f:text

This command queries the "Application" log and returns the last 5 events in text format, including event metadata.

wevtutil epl System c:\temp\systemlog.evtx

This command exports the "System" log to a file called "systemlog.evtx" located in the "C:\temp" directory.

wevtutil cl Security

This command clears the "Security" log, deleting all events in the log.

Get-WinEvent

Get-WinEvent is a PowerShell cmdlet used to retrieve events from Windows Event Logs. It provides a flexible way to filter and search through event log data, and can be used to automate tasks related to event log management and analysis.

FilterHashTable

The FilterHashTable parameter of Get-WinEvent is used to specify a set of key-value pairs that define filtering criteria for event log data. Each key corresponds to an event log property, such as LogName, ProviderName, Level, ID, StartTime, and EndTime, while each value specifies a matching criterion for the corresponding property. Multiple keys can be specified, and the resulting set of criteria is combined using a logical AND operator.

FilterXPath

The FilterXPath parameter is another way to specify filtering criteria for Get-WinEvent. It allows users to define complex filtering expressions using XPath syntax. XPath expressions can be used to filter events based on any available event log property, as well as to perform operations such as string matching, arithmetic comparisons, and logical operations. I prefer this one, personally.

Get-WinEvent -LogName Application -FilterXPath "*[System/EventID=100]"

This command retrieves all events from the Application log that have an event ID of 100. FilterXPath cannot be used on its own: Get-WinEvent needs -LogName (or -Path / -ProviderName) to know which log to query.

Get-WinEvent -LogName Application -FilterXPath "*[System/TimeCreated[@SystemTime>'2022-01-01T00:00:00']]"

This command retrieves events from the Application log that were created after January 1st, 2022. Note that SystemTime is stored in UTC, so the comparison value is interpreted as UTC, not local time.

Get-WinEvent -LogName Application -FilterXPath "*[System[EventID=1000] and EventData[Data[@Name='ProcessId']=1234]]"

This command retrieves events with an event ID of 1000 and a ProcessId of 1234. The Name attribute lives on the Data element, not on EventData, so the predicate must be written as EventData[Data[@Name='...']=...].

Get-WinEvent -LogName Application -FilterXPath "*[System[Level=2] and EventData[Data[@Name='ProcessName']='cmd.exe']]"

This command retrieves events with a Level of 2 (Error) and a ProcessName of "cmd.exe".

Get-WinEvent -LogName Application -FilterXPath "*[System[Provider[@Name='Microsoft-Windows-WMI'] and TimeCreated[@SystemTime>'2022-01-01T00:00:00']] and (EventData[Data[@Name='ErrorCode']=2] or EventData[Data[@Name='ErrorCode']=3])]" |
Select-Object TimeCreated,LevelDisplayName,Message |
Sort-Object TimeCreated -Descending

This command retrieves events with a ProviderName of "Microsoft-Windows-WMI" that were created after January 1st, 2022, and that have an ErrorCode of either 2 or 3. It then selects the TimeCreated, LevelDisplayName, and Message properties for each event, and sorts the results by TimeCreated in descending order.
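The following is an added example, not part of the original notes: it writes one defender-side query both ways (FilterHashTable and FilterXPath) and then pulls the named fields out of the event XML instead of scraping the rendered Message. The variable and function names ($since, ConvertTo-EventFields) are my own; Event ID 1102 in the Security log is the "audit log was cleared" record that a successful wevtutil cl Security leaves behind.

```powershell
# Added example (not from the original page). Reading the Security log
# requires an elevated prompt. Constructed names: $since, ConvertTo-EventFields.
$since = (Get-Date).AddDays(-7)

# 1) FilterHashtable: LogName, ID and StartTime are combined with logical AND.
$hashHits = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    ID        = 1102          # "The audit log was cleared"
    StartTime = $since
} -ErrorAction SilentlyContinue

# 2) FilterXPath: the same predicate. SystemTime is UTC, so convert first.
$sinceUtc  = $since.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
$xpath     = "*[System[EventID=1102 and TimeCreated[@SystemTime>='$sinceUtc']]]"
$xpathHits = Get-WinEvent -LogName 'Security' -FilterXPath $xpath -ErrorAction SilentlyContinue

# Flatten one EventLogRecord into an object carrying its provider-specific fields.
# Most providers emit <EventData><Data Name="..."> elements; a few (1102 among
# them) use <UserData><Element>...</Element></UserData> keyed by element name.
function ConvertTo-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml    = [xml]$Event.ToXml()
    $fields = [ordered]@{
        TimeCreated = $Event.TimeCreated
        Id          = $Event.Id
        Provider    = $Event.ProviderName
        Level       = $Event.LevelDisplayName
    }
    foreach ($d in $xml.Event.EventData.ChildNodes) {
        $name = $d.GetAttribute('Name')
        if (-not $name) { $name = "Data$($fields.Count)" }   # unnamed <Data> from classic providers
        $fields[$name] = $d.InnerText
    }
    foreach ($n in $xml.Event.UserData.FirstChild.ChildNodes) {
        $fields[$n.LocalName] = $n.InnerText
    }
    [pscustomobject]$fields
}

# Both queries return the same records; the hashtable form is easier to maintain,
# the XPath form is needed once you want OR or nested predicates.
"FilterHashtable: $($hashHits.Count) hit(s), FilterXPath: $($xpathHits.Count) hit(s)"
$xpathHits | ForEach-Object { ConvertTo-EventFields $_ } |
    Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

For 1102 the flattened object includes SubjectUserName and SubjectDomainName, which is the account that cleared the log and the value worth forwarding to a SIEM.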
