@robderickson
Last active July 31, 2018 18:06
# Get some events: 4776 (NTLM credential validation) entries on the DC that mention the user
$Computer = 'dc01'
$User = 'rob'
# XPath: match EventID 4776 in <System> and any <Data> element in <EventData> equal to $User
$Events = Get-WinEvent -ComputerName $Computer -LogName Security -FilterXPath "*[System[(EventID=4776)]][EventData[Data='$User']]"
# Render the first event as XML so the EventData fields can be addressed by name
$xml = [xml]$Events[0].ToXml()

The document looks like this.

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/>
    <EventID>4776</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14336</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime='2018-07-31T17:28:26.535931100Z'/>
    <EventRecordID>8229660506</EventRecordID>
    <Correlation/>
    <Execution ProcessID='632' ThreadID='6908'/>
    <Channel>Security</Channel>
    <Computer>dc01</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name='PackageName'>MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name='TargetUserName'>rob</Data>
    <Data Name='Workstation'>robpc</Data>
    <Data Name='Status'>0x0</Data>
  </EventData>
</Event>
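Once the event is XML, the `<Data Name='...'>` elements can be flattened into one object per event. The following is an added example, not part of the gist; `ConvertFrom-Event4776` is a hypothetical helper name, and the sample document is constructed from the XML above so it runs offline without Get-WinEvent or a domain controller.

```powershell
# Added example (not from the gist): flatten a 4776 event's <EventData> into an object.
# Constructed sample, trimmed from the XML shown above, so this runs without a DC.
$sampleXml = @'
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <EventID>4776</EventID>
    <TimeCreated SystemTime='2018-07-31T17:28:26.535931100Z'/>
    <Computer>dc01</Computer>
  </System>
  <EventData>
    <Data Name='PackageName'>MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name='TargetUserName'>rob</Data>
    <Data Name='Workstation'>robpc</Data>
    <Data Name='Status'>0x0</Data>
  </EventData>
</Event>
'@

function ConvertFrom-Event4776 {
    # Hypothetical helper: takes the [xml] form of a 4776 event, returns a PSCustomObject.
    param([Parameter(Mandatory, ValueFromPipeline)][xml]$EventXml)
    process {
        $props = [ordered]@{
            TimeCreated = $EventXml.Event.System.TimeCreated.GetAttribute('SystemTime')
            Computer    = $EventXml.Event.System.Computer
        }
        # Each <Data Name='X'>value</Data> becomes property X. GetAttribute/InnerText
        # are used instead of .Name/.'#text' to avoid clashing with XmlElement.Name.
        foreach ($d in $EventXml.Event.EventData.Data) {
            $props[$d.GetAttribute('Name')] = $d.InnerText
        }
        # Status 0x0 means the credentials validated; any other value is an NTSTATUS
        # failure code (for example 0xC000006A bad password, 0xC0000234 account locked out).
        $props['Succeeded'] = ($props['Status'] -eq '0x0')
        [pscustomobject]$props
    }
}

# Offline run against the constructed sample:
[xml]$sampleXml | ConvertFrom-Event4776

# Against the live $Events from the snippet above, convert every event instead of just [0]:
# $Events | ForEach-Object { [xml]$_.ToXml() } | ConvertFrom-Event4776 |
#     Where-Object { -not $_.Succeeded } | Group-Object Workstation, Status
```

Grouping the failures by Workstation and Status is where 4776 becomes useful for detection: the DC logs the validating host, so a spread of failures for one account across many workstations looks different from one user mistyping a password at their own machine.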