Hello,
I want to retrieve all hardware events within Server 2k12 r2 or 2k8r2. I see the saved HardwareEvents evtx in my system32 path but I would like to retrieve all hardware events using POSH. Can anyone share some information on this - much appreciated!
I can see all of the listed event providers, but I am curious which provider represents the HardwareEvents.evtx file.
Jason
I am slightly confused (but I’m old and it happens to us old folks, well, to me, 8^}) by your statement…
"I can see all of the listed event providers, but I am curious which provider represents the HardwareEvents.evtx file"
These are the default PSproviders…
Get-PSProvider | Format-Table -AutoSize
Name        Capabilities                        Drives
----        ------------                        ------
Registry    ShouldProcess, Transactions         {HKLM, HKCU}
Alias       ShouldProcess                       {Alias}
Environment ShouldProcess                       {Env}
FileSystem  Filter, ShouldProcess, Credentials  {C, D, E, F}
Function    ShouldProcess                       {Function}
Variable    ShouldProcess                       {Variable}
Certificate ShouldProcess                       {Cert}
WSMan       Credentials                         {WSMan}
… and none of those are specific to event logs.
If you meant the Event log cmdlets, then sure.
Get-Command -CommandType Cmdlet -Name '*eventlog*' | Format-Table -AutoSize
CommandType Name                   Version Source
----------- ----                   ------- ------
Cmdlet      Clear-EventLog         3.1.0.0 Microsoft.PowerShell.Management
Cmdlet      Get-EventLog           3.1.0.0 Microsoft.PowerShell.Management
Cmdlet      Limit-EventLog         3.1.0.0 Microsoft.PowerShell.Management
Cmdlet      New-EventLog           3.1.0.0 Microsoft.PowerShell.Management
Cmdlet      New-PefEventLogTrigger 1.1.0.0 PEF
Cmdlet      Remove-EventLog        3.1.0.0 Microsoft.PowerShell.Management
Cmdlet      Show-EventLog          3.1.0.0 Microsoft.PowerShell.Management
Cmdlet      Write-EventLog         3.1.0.0 Microsoft.PowerShell.Management
Just call directly into the Hardware Event log using the eventlog cmdlets. Specifically Get-EventLog, for the IDs you are interested in.
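An added example, not written by either poster: one way to pull the hardware events the thread asks about. It uses Get-WinEvent rather than the Get-EventLog cmdlet named in the reply, because an empty log (common for this one) is reported as an error that a script has to tell apart from a real failure. Assumptions: the classic log name is `HardwareEvents`, the function name `Get-HardwareEvent` and the 30-day default window are hypothetical.

```powershell
# Added example. Assumption: the log behind HardwareEvents.evtx is
# registered under the classic log name "HardwareEvents".
function Get-HardwareEvent {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [int[]]$Id,                                   # optional event IDs to keep
        [datetime]$After = (Get-Date).AddDays(-30)    # hypothetical default window
    )

    foreach ($computer in $ComputerName) {
        # Build the filter; add Id only when the caller supplied one.
        $filter = @{ LogName = 'HardwareEvents'; StartTime = $After }
        if ($Id) { $filter.Id = $Id }

        try {
            Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop |
                Select-Object MachineName, TimeCreated, Id, LevelDisplayName, ProviderName, Message
        }
        catch {
            # Get-WinEvent raises an error instead of returning an empty set.
            if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
                Write-Verbose "$computer : no hardware events since $After"
            }
            else {
                # Access denied, unreachable host, log not present, and so on.
                Write-Warning "$computer : $($_.Exception.Message)"
            }
        }
    }
}

# Classic cmdlet from the reply, local machine only, for comparison:
# Get-EventLog -LogName HardwareEvents -Newest 50

Get-HardwareEvent -Verbose |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

Querying a remote server this way needs rights to read that server's event logs and the Remote Event Log Management firewall rules enabled on it.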