functionGet-LoggedCode { # read all raw events $logInfo = @{ ProviderName="Microsoft-Windows-PowerShell"; Id = 4104 } Get-WinEvent-FilterHashtable$logInfo | # take each raw set of data... ForEach-Object { # create a new object and extract the interesting # parts from the raw data to compose a "cooked" # object with useful data [PSCustomObject]@{ # when this was logged Time = $_.TimeCreated # script code that was logged Code = $_.Properties[2].Value # if code was split into multiple log entries, # determine current and total part PartCurrent = $_.Properties[0].Value PartTotal = $_.Properties[1].Value
# if total part is 1, code is not fragmented IsMultiPart = $_.Properties[1].Value -ne1 # path of script file (this is empty for interactive # commands) Path = $_.Properties[4].Value # log level # by default, only level "Warning" will be logged Level = $_.LevelDisplayName # user who executed the code (SID) User = $_.UserId } } }
Time : 25.05.201810:57:36 Code : functionGet-LoggedCode { # read all raw events $logInfo = @{ ProviderName="Microsoft-Windows-PowerShell"; Id = 4104 } Get-WinEvent-FilterHashtable$logInfo | # take each raw set of data... ForEach-Object { # create a new object and extract the interesting # parts from the raw data to compose a "cooked" # object with useful data: [PSCustomObject]@{ # when this was logged: Time = $_.TimeCreated # script code that was logged: Code = $_.Properties[2].Value # if code was split into multiple log entries, # determine current and total part: PartCurrent = $_.Properties[0].Value PartTotal = $_.Properties[1].Value
# if total part is 1, code is not fragmented: IsMultiPart = $_.Properties[1].Value -ne1 # path of script file (this is empty for interactive # commands) Path = $_.Properties[4].Value # log level # by default, only level "Warning" will be logged: Level = $_.LevelDisplayName # user who executed the code (SID) User = $_.UserId } } }
