Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

PS using Get-WinEvent with FilterXPath and datetime variables?

Tags:

datetime

powershell

filtering

event-log

  • I'm grabbing a handful of events from an event log in chronological order
  • don't want to pipe to Where
  • want to use get-winevent

After I get the Event1, I need to get the 1st instance of another event that occurs some unknown amount of time after Event1. then grab Event3 that occurs sometime after Event2 etc.

Basically starting with:

$filterXML = @'
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Kernel-General'] and (Level=4 or Level=0) and (EventID=12)]]</Select>
  </Query>
</QueryList>
'@    
$event1=(Get-WinEvent -ComputerName $PCname -MaxEvents 1 -FilterXml $filterXML).timecreated

Give me the datetime of Event1. Then I want to do something like:

Get-WinEvent -LogName "System" -MaxEvents 1 -FilterXPath "*[EventData[Data = 'Windows Management Instrumentation' and TimeCreated -gt $event1]]"

Obviously the timecreated part bolded there doesn't work but I hope you get what I'm trying to do. any help?

I think perhaps filterhashtable is how I need to go? looking for clarification:

$Event2=(Get-WinEvent -Oldest -MaxEvents 1 -FilterHashtable @{logname="system"; providername="Microsoft-Windows-GroupPolicy"; starttime=$Event1}).TimeCreated
like image 626
Jordan W. Avatar asked Oct 27 '25 04:10

Jordan W.

1 Answers

This is what you want ...

$t = (((Get-WinEvent -ComputerName $PCname -MaxEvents 1 -FilterXml $filterXML).TimeCreated).ToUniversalTime()).ToString("s")

As an aside, I need the time the computer started, so did something like this ...

$t1 = (((Get-WinEvent -ComputerName "myhostname" -LogName "System" -MaxEvents 1 -FilterXPath "*[System[Provider[@Name='Microsoft-Windows-Kernel-General']][EventID=12]]").TimeCreated).ToUniversalTime()).ToString("s")

OR

$t1 = (($boottime.ConvertToDateTime($boottime.LastBootUpTime)).ToUniversalTime()).ToString("s")

THEN

(Get-WinEvent -ComputerName "myhostname" -LogName "Application" -MaxEvents 1 -FilterXPath "*[System[TimeCreated[@SystemTime>'$t1']][EventID=6005]][EventData[Data='Sens' and Data='Logoff']]")|fl

OR

(Get-WinEvent -ComputerName "myhostname" -LogName "Application" -MaxEvents 1 -FilterXPath "*[System[TimeCreated[@SystemTime>'$t1']][EventID=6005]][EventData[Data='Sens' and Data='Logoff']]").Count
like image 50
Byron Wu Avatar answered Oct 30 '25 05:10

Byron Wu

Sign in to Comment

Related questions

Ruby/Rails how to iterate months over a DateTime range?
Loop through range of dates in SQL Server
Laravel 5.1 Logger Timezone
Why is the html input type="datetime-local" value of YEAR 7 chars long?
Ansible datetime timezone conversion
How to convert pandas data frame datetime column to int?
Binding a nullable datetime within WPF application
Is there something like get DaysInMonth for in elixir?
How to get the date of "this Wednesday", "this Thursday" etc. in Rails
Why does numpy.datetime64 give an error with an array of years?
Convert a list of values to a time series in python
Truncate timestamp to arbitrary intervals
DateTime.ParseExact ignore first char C#
Parse JSON date in Flutter
Counting row entries in BigQuery table grouped on a time interval using SQL

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!