about_eventlogs - PowerShell command help and examples

Windows PowerShell creates a Windows event log that is (about_eventlogs)

TOPIC
about_EventLogs
SHORT DESCRIPTION
Windows PowerShell creates a Windows event log that is named "Windows PowerShell" to record Windows PowerShell events. You can view this log in Event Viewer or by using cmdlets that get events, such as the Get-EventLog cmdlet. By default, Windows PowerShell engine and provider events are recorded in the event log, but you can use the event log preference variables to customize the event log. For example, you can add events about Windows PowerShell commands.
LONG DESCRIPTION
The Windows PowerShell event log records details of Windows PowerShell operations, such as starting and stopping the program engine and starting and stopping the Windows PowerShell providers. You can also log details about Windows PowerShell commands. In Windows Vista and later versions, the Windows PowerShell event log is in the Application and Services Logs group. The Windows PowerShell log is a classic event log that does not use the Windows Eventing technology. To view the log, use the cmdlets designed for classic event logs, such as Get-EventLog. Viewing the Windows PowerShell Event Log You can view the Windows PowerShell event log in Event Viewer or by using the Get-EventLog and Get-WmiObject cmdlets. To view the contents of the Windows PowerShell log, type: get-eventlog -logname "Windows PowerShell" To examine the events and their properties, use the Sort-Object cmdlet, the Group-Object cmdlet, and the cmdlets that contain the Format verb (the Format cmdlets). For example, to view the events in the log grouped by the event ID, type: get-eventlog "Windows PowerShell" | format-table -groupby eventid Or, type: get-eventlog "Windows PowerShell" | sort-object eventid ` | group-object eventid To view all the classic event logs, type: get-eventlog -list You can also use the Get-WmiObject cmdlet to use the event-related Windows Management Instumentation (WMI) classes to examine the event log. For example, to view all the properties of the event log file, type: get-wmiobject win32_nteventlogfile | where ` {$_.logfilename -eq "Windows PowerShell"} | format-list -property * To find the Win32 event-related WMI classes, type: get-wmiobject -list | where {$_.name -like "win32*event*"} For more information, type "get-help get-eventlog" and "get-help get-wmiobject". Selecting Events for the Windows PowerShell Event Log You can use the event log preference variables to determine which events are recorded in the Windows PowerShell event log. There are six event log preference variables; two variables for each of the three logging components: the engine (the Windows PowerShell program), the providers, and the commands. The LifeCycleEvent variables log normal starting and stopping events. The Health variables log error events. The following table lists the event log preference variables. Variable Description -------------------------- ---------------------------------------- $LogEngineLifeCycleEvent Logs starting and stopping of Windows PowerShell. $LogEngineHealthEvent Logs Windows PowerShell program errors. $LogProviderLifeCycleEvent Logs starting and stopping of Windows PowerShell providers. $LogProviderHealthEvent Logs Windows PowerShell provider errors. $LogCommandLifeCycleEvent Logs starting and completion of commands. $LogCommandHealthEvent Logs command errors. (For information about Windows PowerShell providers, type: "get-help about_providers".) By default, only the following event types are enabled: $LogEngineLifeCycleEvent $LogEngineHealthEvent $LogProviderLifeCycleEvent $LogProviderHealthEvent To enable an event type, set the preference variable for that event type to $true. For example, to enable command life-cycle events, type: $LogCommandLifeCycleEvent Or, type: $LogCommandLifeCycleEvent = $true To disable an event type, set the preference variable for that event type to $false. For example, to disable command life-cycle events, type: $LogProviderLifeCycleEvent = $false The variable settings apply only for the current Windows PowerShell session. To apply them to all Windows PowerShell sessions, add them to your Windows PowerShell profile. Security and Auditing The Windows PowerShell event log is designed to indicate activity and to provide operational details for troubleshooting. However, like most Windows-based application event logs, the Windows PowerShell event log is not designed to be secure. It should not be used to audit security or to record confidential or proprietary information. Event logs are designed to be read and understood by users. Users can read from and write to the log. A malicious user could read an event log on a local or remote computer, record false data, and then prevent the logging of their activities. SEE ALSO Get-EventLog Get-WmiObject about_Preference_Variables C:\Windows>powershell get-help about_execution_policies -full

Microsoft Windows [Version 10.0.19045.3693]
Copyright (c) 2023 Microsoft Corporation.

ColorConsole [Version 3.7.1000] PowerShell 2.0-Export

Windows 11, 10, 8.1, 8, 7 / Server 2022, 2019, 2016











Windows-10


... Windows 10 FAQ
... Windows 10 How To


Windows 10 How To


... Windows 11 How To
... Windows 10 FAQ



PowerShell: Windows PowerShell creates a Windows event log that is

HTTP: ... PS_Windows/en/about_eventlogs.htm
0.062
15218

Differences between the right and left shift keys?

Save your favorite notes and use them again and again!

Having problems with certain image formats when adjusting the image size?

How can i pictures and posters print from File Explorer Views?

Can i have a separate tree view for each explorer list view?

Kostenlos den Firefox Portable downloaden!



(0)