Hi,
I have a couple of questions related to the code below.
- If I call $prop in the console, I get the output I want (the exe files that run). Why can't I put $prop in a custom object, then call $test instead and get the same results? If I do that, the console only returns: Fil : {System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventProperty}
- Why do I have to specify an empty array $Prop = @() at the beginning of the script? If I don't, I get an error message: Method invocation failed because [System.Management.Automation.PSObject] does not contain a method named 'op_Addition'.
- Is there a better way to achieve the results I'm after? I want to output the server names, and which paths and exe files run, in a CSV. (I've activated a couple of GPOs to get eventvwr to report error ID 4688.)
Would appreciate some help, thanks!
$Prop = @()
$filter = Get-WinEvent -FilterHashtable @{
    LogName   = 'security';
    ID        = '4688';
    StartTime = (Get-Date).AddDays(-2);
}
foreach ($f in $filter) {
    if ($f.Message -notlike "*C:\windows*") {
        $Prop += $f.Properties[5]
        $test += [PSCustomObject]@{
            'Fil' = $Prop
        }
    }
}
$ComputerList = $env:COMPUTERNAME
$myOutput = foreach ($ComputerName in $ComputerList) {
    $Filter = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'security'
        ID        = 4688
        StartTime = (Get-Date).AddDays(-2)
    }
    foreach ($Event in $Filter) {
        if ($Event.Message -notlike '*C:\windows*') {
            [PSCustomObject]@{
                ComputerName = $ComputerName
                EXE          = $Event.Properties[5].Value
            }
        }
    }
}
$myOutput | FT -a
$myOutput | Out-GridView
$myOutput | Export-Csv .\bla.csv
Q1. $prop console output shows the 'Value' property and its value. To see the same in the script you need to change the line $f.Properties[5] to $f.Properties[5].Value
Q2. $Prop = @() explicitly declares $prop as an array. Otherwise, PS will auto-declare it as a string the first time it comes across it. See this link for more information on arrays
Q3. Yes, see above
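An added example, not code from this thread, that builds on the answer above: instead of scraping the free-text Message and relying on the positional Properties[5], it reads the named EventData fields from each 4688 event's XML, so the CSV also carries the account, command line and parent process. It assumes process creation auditing is enabled on the servers in the hypothetical $servers variable (CommandLine is only populated when the "Include command line in process creation events" policy is enabled too).

```powershell
# Added example: collect 4688 (process creation) events from several servers
# and export the named EventData fields instead of parsing the Message text.
$servers   = $env:COMPUTERNAME            # hypothetical list; replace with your hosts
$startTime = (Get-Date).AddDays(-2)

$events = foreach ($computer in $servers) {
    try {
        $filter = @{ LogName = 'Security'; ID = 4688; StartTime = $startTime }
        Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                # ToXml() exposes every EventData field by name (NewProcessName,
                # CommandLine, ParentProcessName, ...), so no positional indexes.
                $xml  = [xml]$_.ToXml()
                $data = @{}
                foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

                # Keep only processes started from outside the Windows directory
                if ($data['NewProcessName'] -notlike 'C:\Windows\*') {
                    [PSCustomObject]@{
                        ComputerName  = $computer
                        TimeCreated   = $_.TimeCreated
                        User          = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                        NewProcess    = $data['NewProcessName']
                        CommandLine   = $data['CommandLine']
                        ParentProcess = $data['ParentProcessName']
                    }
                }
            }
    } catch {
        # Get-WinEvent throws when no event matches or the remote log is unreachable;
        # report it and carry on with the next server instead of aborting the run.
        Write-Warning "$computer : $($_.Exception.Message)"
    }
}

$events | Sort-Object ComputerName, TimeCreated | Format-Table -AutoSize
$events | Export-Csv .\ProcessCreation.csv -NoTypeInformation
```

Reading the fields by name also keeps the script working if the property order of the event ever differs from what Properties[5] assumes.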
Sam Boutros, how/where did you find the properties for the hash used in Get-WinEvent? The option for StartTime just saved me a ton of time in a script I wrote previously. It went from 6 minutes to just a few seconds to execute. I did not see this in any of the documentation I could find on Get-WinEvent. Certainly not in the help file.
Any insight is appreciated.