In the previous tip we illustrated how you can access detailed event log information that you retrieved via Get-EventLog by using ReplacementStrings. That worked beautifully; however, Get-EventLog can only read the “classic” Windows logs. There are hundreds of additional logs in modern Windows versions.

These logs can be read via Get-WinEvent, and there is a wealth of information to discover. For example, to get a list of installed updates, try this:

$filter = @{ ProviderName="Microsoft-Windows-WindowsUpdateClient"; Id=19 }

Get-WinEvent -FilterHashtable $filter | Select-Object -ExpandProperty Message -First 4

Note that this is just an example. With the code above, you can query any log for any event ID you are after. The line above, for example, gets you the latest 4 updates that were installed:

 
PS> . 'C:\Users\tobwe\Documents\PowerShell\Untitled5.ps1' <# script is not saved yet #>
Installation Successful: Windows successfully installed the following update: Definitionsupdate für
 Windows Defender Antivirus – KB2267602 (Definition 1.269.69.0)
Installation Successful: Windows successfully installed the following update: 9WZDNCRFJ1XX-FITBIT.F
ITBIT
Installation Successful: Windows successfully installed the following update: Definitionsupdate für
 Windows Defender Antivirus – KB2267602 (Definition 1.269.28.0)
Installation Successful: Windows successfully installed the following update: 9WZDNCRFHVQM-MICROSOF
T.WINDOWSCOMMUNICATIONSAPPS   
 

However, this is just text, and it’s not easy to turn this into a nice report of installed updates. With Get-EventLog, as shown in our previous tip, you could use ReplacementStrings to easily access the pure information. Get-WinEvent has no ReplacementStrings, though.

However, there is a property called “Properties”. Here is how you can turn this property into an array that behaves just like ReplacementStrings:

$filter = @{ ProviderName="Microsoft-Windows-WindowsUpdateClient"; Id=19 }

Get-WinEvent -FilterHashtable $filter |  
  ForEach-Object {
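    # create a ReplacementStrings array
    # this array holds the information that is inserted
    # into the event message template text
    # @() keeps this an array even if an event has only one property
    # (otherwise [0] would return the first character of a string)
    $ReplacementStrings = @($_.Properties | ForEach-Object { $_.Value })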
    
    # return a new object with the required information
    [PSCustomObject]@{
      Time = $_.TimeCreated
      # index 0 contains the name of the update
      Name = $ReplacementStrings[0]
      User = $_.UserId.Value
    }
  }

This code returns a nice list of installed updates:

 
Time                Name
----                ----
25.05.2018 09:00:20 Definitionsupdate für Windows Defender Antivirus – KB2267602 (Definition 1....
25.05.2018 07:59:44 9WZDNCRFJ1XX-FITBIT.FITBIT                                                    
24.05.2018 11:04:15 Definitionsupdate für Windows Defender Antivirus – KB2267602 (Definition 1....
24.05.2018 08:36:26 9WZDNCRFHVQM-MICROSOFT.WINDOWSCOMMUNICATIONSAPPS                              
24.05.2018 08:34:30 9N4WGH0Z6VHQ-Microsoft.HEVCVideoExtension                                     
24.05.2018 08:34:24 9WZDNCRFJ2QK-ZDFGemeinntzigeAnstaltdes.ZDFmediathek                           
23.05.2018 11:57:42 Definitionsupdate für Windows Defender Antivirus – KB2267602 (Definition 1....
23.05.2018 07:37:11 9WZDNCRFHVQM-MICROSOFT.WINDOWSCOMMUNICATIONSAPPS                              
23.05.2018 07:36:57 9WZDNCRFJ3PT-MICROSOFT.ZUNEMUSIC                                              
23.05.2018 04:01:11 Definitionsupdate für Windows Defender Antivirus – KB2267602 (Definition 1....
22.05.2018 12:26:55 Definitionsupdate für Windows Defender Antivirus – KB2267602 (Definition 1....
22.05.2018 08:34:28 9NBLGGH5FV99-Microsoft.MSPaint                                                
22.05.2018 08:33:25 9WZDNCRFJ364-MICROSOFT.SKYPEAPP 
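
The positional Properties array shown above depends on knowing which index holds which value. As an added example (not part of the original tip), the hypothetical helper ConvertFrom-WinEventData below goes one step further and reads the field names from the event's XML via ToXml(), so each value comes back under the name the provider gave it:

```powershell
# Added example: ConvertFrom-WinEventData is a hypothetical helper name.
function ConvertFrom-WinEventData {
  param(
    [Parameter(Mandatory, ValueFromPipeline)]
    [System.Diagnostics.Eventing.Reader.EventRecord]$EventRecord
  )
  process {
    # The event XML holds the same values as .Properties, together with their names
    $xml = [xml]$EventRecord.ToXml()

    $record = [ordered]@{
      TimeCreated = $EventRecord.TimeCreated
      Id          = $EventRecord.Id
      UserSid     = $EventRecord.UserId   # SecurityIdentifier, can be $null
    }

    # local-name() avoids having to register the event schema namespace
    $nodes = $xml.SelectNodes("//*[local-name()='EventData']/*[local-name()='Data']")
    $index = 0
    foreach ($node in $nodes) {
      $name = $node.GetAttribute('Name')
      # unnamed or clashing fields fall back to their position (Data0, Data1, ...)
      if (-not $name -or $record.Contains($name)) { $name = "Data$index" }
      $record[$name] = $node.InnerText
      $index++
    }

    [PSCustomObject]$record
  }
}

$filter = @{ ProviderName = 'Microsoft-Windows-WindowsUpdateClient'; Id = 19 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 | ConvertFrom-WinEventData
```

When a filter returns more than one event ID, the objects will have different property sets, so group them by Id before formatting them as a table.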
 


Anonymous