Evaluating Event Log Data (Part 2)

by Jun 4, 2021

In the previous tip we looked at Get-WinEvent and how you can use a hash table to specify your query. That tip used the code below to list all events written by the Windows Update Client with event ID 19, across all event log files:

Get-WinEvent -FilterHashTable @{
    ID=19
    ProviderName='Microsoft-Windows-WindowsUpdateClient'
} | Select-Object -Property TimeCreated, Message

The result was a list of installed updates:

 
TimeCreated         Message
-----------         -------
05.05.2021 18:13:34 Installation erfolgreich: Das folgende Update wurde installiert. Security Intelligence-Update für
                    Microsoft Defender Antivirus - KB2267602 (Version 1.337.679.0)
05.05.2021 00:11:33 Installation erfolgreich: Das folgende Update wurde installiert. Security Intelligence-Update für
                    Microsoft Defender Antivirus - KB2267602 (Version 1.337.615.0)                              
04.05.2021 12:07:03 Installation erfolgreich: Das folgende Update wurde installiert. Security Intelligence-Update für
                    Microsoft Defender Antivirus - KB2267602 (Version 1.337.572.0)
03.05.2021 23:54:58 Installation erfolgreich: Das folgende Update wurde installiert. Security Intelligence-Update für
                    Microsoft Defender Antivirus - KB2267602 (Version 1.337.528.0) 
...  
 

Typically, though, you only need a list of the software that was actually installed, and when you look at the “Message” column, there is a lot of text noise that would have to be stripped away first.

Save yourself the effort: event log messages consist of a static text template with placeholders, plus the actual data that is inserted into that template. The actual data is exposed in a property called “Properties”, so all you need to do is find out which of these properties holds the information you require.

Here is an improved version of the code above. It uses a calculated property called “Software” that reads the first array element of Properties (index 0), which for this event happens to be the name of the installed software (this version also limits the query to the System log via Logname):

$software = @{
    Name = 'Software'
    Expression = { $_.Properties[0].Value }
}

Get-WinEvent -FilterHashTable @{
    Logname='System'
    ID=19
    ProviderName='Microsoft-Windows-WindowsUpdateClient'
} | Select-Object -Property TimeCreated, $software

So now the code returns a list of updates and when they were installed – no text parsing required:

 
TimeCreated         Software
-----------         --------
05.05.2021 18:13:34 Security Intelligence-Update für Microsoft Defender Antivirus - KB2267602 (Version 1.337.679.0)
05.05.2021 00:11:33 Security Intelligence-Update für Microsoft Defender Antivirus - KB2267602 (Version 1.337.615.0)
04.05.2021 12:07:03 Security Intelligence-Update für Microsoft Defender Antivirus - KB2267602 (Version 1.337.572.0)
03.05.2021 23:54:58 Security Intelligence-Update für Microsoft Defender Antivirus - KB2267602 (Version 1.337.528.0)
03.05.2021 00:57:52 9WZDNCRFJ3Q2-Microsoft.BingWeather                                                       
03.05.2021 00:57:25 9NCBCSZSJRSB-SpotifyAB.SpotifyMusic
03.05.2021 00:57:06 9PG2DK419DRG-Microsoft.WebpImageExtension      
 
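As an added example (not part of the original tip), here is a reusable version of the same technique: a helper that queries the ID 19 events for a time window and extracts the title from Properties[0], plus a second helper that prints every Properties index so the index choice can be verified rather than assumed. The function names and the -Since/-ComputerName parameters are choices made for this example.

```powershell
# Added example (not from the original tip): applies the Properties[] technique to the
# Windows Update Client installation events (ID 19) in the System log.
# Get-InstalledUpdateEvent, Show-EventPropertyIndex, -Since and -ComputerName are
# names chosen for this example.
function Get-InstalledUpdateEvent {
    [CmdletBinding()]
    param(
        # Only return events newer than this point in time (default: last 30 days)
        [datetime]$Since = (Get-Date).AddDays(-30),
        # Get-WinEvent accepts -ComputerName, so the same query works against a remote host
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-WindowsUpdateClient'
        ID           = 19
        StartTime    = $Since
    }
    # SilentlyContinue suppresses the "No events were found" error when the window is empty
    Get-WinEvent -FilterHashtable $filter -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Properties[0] holds the update title for this event's template;
            # the guard keeps an unexpected template from throwing an index error.
            $title = if ($_.Properties.Count -gt 0) { $_.Properties[0].Value } else { $null }
            [pscustomobject]@{
                ComputerName = $_.MachineName
                TimeCreated  = $_.TimeCreated
                Software     = $title
                # Pull the KB number out of the title where one is present
                KB           = if ($title -match 'KB\d+') { $Matches[0] } else { $null }
            }
        }
}

function Show-EventPropertyIndex {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Lists each Properties index with its value so you can confirm which one you need
    for ($i = 0; $i -lt $Event.Properties.Count; $i++) {
        [pscustomobject]@{ Index = $i; Value = $Event.Properties[$i].Value }
    }
}

# Usage: list installs from the last week, then inspect the template of the newest event
Get-InstalledUpdateEvent -Since (Get-Date).AddDays(-7) | Format-Table -AutoSize
$newest = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-WindowsUpdateClient'; ID = 19
} -MaxEvents 1
Show-EventPropertyIndex -Event $newest
```

Run Show-EventPropertyIndex once against an event from any provider before hard-coding an index: the position of a value is fixed by that provider's event template, not by Windows in general.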

