In the previous tip we looked at Get-WinEvent and how you can use a hash table to specify your query. The previous tip used below code to list all events written by the Windows Update Client using the event ID 19, across all event log files:

Get-WinEvent -FilterHashTable @{
    ID=19
    ProviderName='Microsoft-Windows-WindowsUpdateClient'
} | Select-Object -Property TimeCreated, Message

The result was a list of installed updates:

 
TimeCreated         Message
-----------         -------
05.05.2021 18:13:34 Installation erfolgreich: Das folgende Update wurde installiert. Security Intelligence-Update für
                    Microsoft Defender Antivirus - KB2267602 (Version 1.337.679.0)
05.05.2021 00:11:33 Installation erfolgreich: Das folgende Update wurde installiert. Security Intelligence-Update für
                    Microsoft Defender Antivirus - KB2267602 (Version 1.337.615.0)                              
04.05.2021 12:07:03 Installation erfolgreich: Das folgende Update wurde installiert. Security Intelligence-Update für
                    Microsoft Defender Antivirus - KB2267602 (Version 1.337.572.0)
03.05.2021 23:54:58 Installation erfolgreich: Das folgende Update wurde installiert. Security Intelligence-Update für
                    Microsoft Defender Antivirus - KB2267602 (Version 1.337.528.0) 
...  
 

Typically, you’d just need a list of actually installed software though, and when you look into the column “Message”, there is a lot of text noise that would need to be removed.

Save your efforts: event log messages consist of a static text template with placeholders, and the actual data that is inserted into the template. The actual data can be found in a property called “Properties”, and all you’d need to do is find out which of these properties is the information you require.

Here is an improved version of above code that uses a calculated property called “Software” that reads the first array element in Properties (index 0), which happens to be the actual name of the installed software:

$software = @{
    Name = 'Software'
    Expression = { $_.Properties[0].Value  }
}


Get-WinEvent -FilterHashTable @{
    Logname='System'
    ID=19
    ProviderName='Microsoft-Windows-WindowsUpdateClient'
} | Select-Object -Property TimeCreated, $software

So now the code returns a list of updates and when they were installed – no text parsing required:

 
TimeCreated         Software
-----------         --------
05.05.2021 18:13:34 Security Intelligence-Update für Microsoft Defender Antivirus - KB2267602 (Version 1.337.679.0)
05.05.2021 00:11:33 Security Intelligence-Update für Microsoft Defender Antivirus - KB2267602 (Version 1.337.615.0)
04.05.2021 12:07:03 Security Intelligence-Update für Microsoft Defender Antivirus - KB2267602 (Version 1.337.572.0)
03.05.2021 23:54:58 Security Intelligence-Update für Microsoft Defender Antivirus - KB2267602 (Version 1.337.528.0)
03.05.2021 00:57:52 9WZDNCRFJ3Q2-Microsoft.BingWeather                                                       
03.05.2021 00:57:25 9NCBCSZSJRSB-SpotifyAB.SpotifyMusic
03.05.2021 00:57:06 9PG2DK419DRG-Microsoft.WebpImageExtension      
 




Twitter This Tip! ReTweet this Tip!

Anonymous