Convert time in to SystemTime

PowerShell Help
1

Hi,

I am writing a script that searches the event viewer for a user activity between start and end time.

I am using the XML query below.

*[System[Security[@UserID=‘$CtxUserSID’] and TimeCreated[@SystemTime>=‘2021-11-29T03:31:51.000Z’ and @SystemTime<=‘2021-11-29T04:31:50.999Z’]

I need help to understand how to convert the user input @SystemTime&gt and @SystemTime&lt, I also need to know how to minus or add 15 mins to the user input time.

Thanks

2

MR.
Welcome to the forum. :wave:t4:

Could you post the complete code you’re using?

I an easy case you can turn a text representation of a date into a proper [DateTime] type by using Get-Date

Get-Date '2021-11-29T04:31:50.999Z'

BTW: When you post code or sample data or console output please format it as code using the preformatted text button ( </> ). Simply place your cursor on an empty line, click the button and paste your code.
Thanks in advance

3

Hi Olaf,

Please find the code below…

$now = Get-Date # EndTime
$then =  (Get-Date).AddMinutes(-15) #StartTime
$date = Get-Date -format "yyyyMMdd-HH.mm.ss"
$EventsCol = @()

$LogTrackingSidMulti = $Null
$LogTrackingSidMulti=@()
$CtxServerName = "Server01.Test.com"
$CtxUserName = "jtestuser2"
Import-Module Activedirectory

$UserID = Get-ADUser -Identity $CtxUserName
$CtxUserSID = $UserID.SID.Value
$DataPattern = [regex] "\{(.*?)\}"

$UserActivity = Get-WinEvent -ComputerName $CtxServerName -FilterHashtable @{Logname='Microsoft-Windows-GroupPolicy/Operational';Id=4001} -ErrorAction Stop | Where-Object -Property Message -Match $CtxUserName | Select-Object -Property message

$StringTestmatch = $DataPattern.Match("$UserActivity")

$UserLogonGuid = $StringTestmatch.Groups[0].value

#$Events = Get-WinEvent -ComputerName $iServer.DNSHostName -FilterHashtable @{Logname='Application';ProviderName='Citrix Profile Management';Id=10;StartTime=$then;EndTime=$now} -ErrorAction Stop

$query11 = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Security">*[EventData[Data[@Name='SubjectUserName'] and (Data='$CtxUserName') and TimeCreated[@SystemTime&gt;='$then' and @SystemTime&lt;='$now']]]</Select>
    <Select Path="Microsoft-Windows-GroupPolicy/Operational">*[System[Correlation[@ActivityID='$UserLogonGuid'] and TimeCreated[@SystemTime&gt;='$then' and @SystemTime&lt;='$now']]]</Select>

  </Query>
</QueryList>
"@

$LogTrackingSidMulti += Get-WinEvent -FilterXml $query11 -ComputerName $CtxServerName

$LogTrackingSidMulti | Select MachineName,TimeCreated,Id,TaskDisplayName,Message | Format-Table -AutoSize

$LogTrackingSidMulti | Out-GridView -PassThru | Export-CSV -Path "C:\User-Tracing_$date.csv"`Preformatted text`
5

I’m not sure if I got what you want to achieve because your code looks quite confusing to me.

You may start with a clean snippet like this and add code when needed:

$now = Get-Date
$then = (Get-Date).AddMinutes(-15)
$CtxServerName = 'Server01.Test.com'

$FilterHashTable = @{
    Logname   = 'Microsoft-Windows-GroupPolicy/Operational'
    Id        = 4001 
    StartTime = $then
    EndTime   = $now
}
$Result =
Get-WinEvent -FilterHashtable $FilterHashTable -ComputerName $CtxServerName
$Result |
    Select-Object -Property MachineName, TimeCreated, Id, TaskDisplayName, Message |
        Out-GridView

I’m not familiar with using the parameter -FilterXml. For me it’s been always enough to use -FilterHashtable.

6

I did try that but the output was an issue.

I will give it a go and will upload another issue I had.

Thanks for your response.

7

What issue?

Why another? If you describe it we may be able to help you with this issue.