Event logs: TimeCreated can be greater than LastWriteTime

This is based on a Scripting Guy blog about finding the latest event logs (Use PowerShell to Query All Event Logs for Recent Events - Scripting Blog). But how can the time of the log entry creation be 5 days more recent than the modification time of the log??

$starttime = (get-date).Addhours(-4)

Get-WinEvent -ListLog * -EA silentlycontinue -pv log |
foreach { get-winevent -filterhashtable @{logname=$_.logname;starttime=$starttime} -ea 0 } |
Format-Table TimeCreated, ID, ProviderName, @{n='LastWriteTime';e={$log.lastwritetime}} -AutoSize -Wrap

TimeCreated               Id ProviderName                                                       LastWriteTime
-----------               -- ------------                                                       -------------
10/23/2018 9:52:31 AM    916 ESENT                                                              10/18/2018 1:28:15 PM
10/23/2018 9:47:20 AM    916 ESENT                                                              10/18/2018 1:28:15 PM
10/23/2018 9:45:45 AM    916 ESENT                                                              10/18/2018 1:28:15 PM

Another weird thing is you can put a wildcard like ‘a*’ in the logname property of the filterhashtable, but not plain ‘*’.

The calculated property LastWriteTime takes its value from the pipeline variable $log.LastWriteTime, which comes from the output of the Get-WinEvent cmdlet.
Hence it can be like this, and it will be the same for each LogName.

Indeed… I would presume that the error comes from having the ‘nested’ pipeline there, and you probably need to have the calculated property reference $_.LastWriteTime instead in order to get the correct value.

The lognames from both commands seem to match… It’s true that the 2nd get-winevent spins out multiple log entries per logname. There’s no lastwritetime property in the 2nd version of the command. The two time properties just don’t seem related.

$starttime = (get-date).Addhours(-4)

Get-WinEvent -ListLog * -EA silentlycontinue -pv log |
foreach { get-winevent -filterhashtable @{logname=$_.logname;starttime=$starttime} -ea 0 } |
Format-Table TimeCreated, ID, ProviderName, @{n='LastWriteTime';e={$log.lastwritetime}},Logname, 
  @{n='Logname2';e={$log.logname}} -AutoSize -Wrap


TimeCreated               Id ProviderName                   LastWriteTime          LogName     Logname2
-----------               -- ------------                   -------------          -------     --------
10/23/2018 12:07:54 PM 16384 Microsoft-Windows-Security-SPP 10/18/2018 1:28:15 PM  Application Application
10/23/2018 12:07:23 PM  1003 Microsoft-Windows-Security-SPP 10/18/2018 1:28:15 PM  Application Application
10/23/2018 12:07:22 PM  1003 Microsoft-Windows-Security-SPP 10/18/2018 1:28:15 PM  Application Application
10/23/2018 11:57:32 AM  8224 VSS                            10/18/2018 1:28:15 PM  Application Application
10/23/2018 11:54:31 AM   916 ESENT                          10/18/2018 1:28:15 PM  Application Application
10/23/2018 11:54:06 AM  1001 Windows Error Reporting        10/18/2018 1:28:15 PM  Application Application
10/23/2018 11:45:00 AM   916 ESENT                          10/18/2018 1:28:15 PM  Application Application
10/23/2018 11:20:21 AM   916 ESENT                          10/18/2018 1:28:15 PM  Application Application
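
A per-log version of the comparison discussed in this thread, as an added example that is not code from any of the posters: it keeps each log object in a loop variable instead of relying on -PipelineVariable, reads only the newest matching event per log, and reports how far that event's TimeCreated is ahead of the log's LastWriteTime. The names $report, NewestEvent and LagMinutes are assumptions made for this example.

```powershell
# Added example: compare each log's LastWriteTime with its own newest event.
$startTime = (Get-Date).AddHours(-4)

$report = foreach ($log in Get-WinEvent -ListLog * -ErrorAction SilentlyContinue) {
    # Skip logs that are empty or that expose no LastWriteTime.
    if (-not $log.RecordCount -or -not $log.LastWriteTime) { continue }

    # Get-WinEvent returns newest events first, so -MaxEvents 1 is the latest entry.
    $newest = Get-WinEvent -FilterHashtable @{
        LogName   = $log.LogName
        StartTime = $startTime
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    # No events in the window for this log.
    if (-not $newest) { continue }

    [pscustomobject]@{
        LogName       = $log.LogName
        NewestEvent   = $newest.TimeCreated
        LastWriteTime = $log.LastWriteTime
        # Positive value: the newest event is later than the log's LastWriteTime.
        LagMinutes    = [math]::Round(($newest.TimeCreated - $log.LastWriteTime).TotalMinutes, 1)
        RecordCount   = $log.RecordCount
        LogFilePath   = $log.LogFilePath
    }
}

# Largest gaps first, one row per log rather than one row per event.
$report | Sort-Object LagMinutes -Descending | Format-Table -AutoSize -Wrap
```

One row per log makes it easy to see whether the gap is specific to the Application log or shows up across every log that has recent events.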