Created
May 28, 2021 14:45
-
-
Save mgraeber-rc/9739f2d3c00854cc99d9bc905df6c63e to your computer and use it in GitHub Desktop.
Display only new event log events - I refer to this as event log differential analysis
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Log the time prior to executing the action. | |
| # This will be used as parth of an event log XPath filter. | |
| $DateTimeBefore = [Xml.XmlConvert]::ToString((Get-Date).ToUniversalTime(), [System.Xml.XmlDateTimeSerializationMode]::Utc) | |
| # Do the thing now that you want to see potential relevant events surface... | |
| $null = Mount-DiskImage -ImagePath "$PWD\FeelTheBurn.iso" -StorageType ISO -Access ReadOnly | |
| # Allow a moment to allow events to populate | |
| Start-Sleep -Seconds 5 | |
| # Iterate over every event log that has populated events and | |
| # has events that were generated after we noted the time. | |
| $Events = Get-WinEvent -ListLog * | Where-Object { $_.RecordCount -gt 0 } | ForEach-Object { | |
| Get-WinEvent -LogName $_.LogName -FilterXPath "*[System[TimeCreated[@SystemTime >= '$DateTimeBefore']]]" -ErrorAction Ignore | |
| } | |
| $Events |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment