How To Check Logs In Microsoft Windows 10 To See If Someone Has Changed Something
Windows Event logs are one of the first tools an admin uses to analyze issues and to see where an issue comes from. But that is not the only way you can use logged events. In this article, I will show you how to use PowerShell and Get-EventLog to perform some Event Log magic. But first, a few words about the logs in general.
Event logging in Windows
First, there are two ways to access the events logged in Windows – through the Event Viewer and using the Get-EventLog / Get-WinEvent cmdlets. The Event Viewer is an intuitive tool which lets you find all the required info, provided you know what to look for. Searching the logs using PowerShell has a certain advantage, though – you can check events on local or remote computers much quicker using the console. It is an invaluable asset if you think about server health monitoring. PowerShell lets you generate automatic reports about the most important events to read while drinking your morning coffee.
Get-WinEvent vs Get-EventLog
You might wonder what the difference between Get-WinEvent and Get-EventLog is. Get-WinEvent is a newer version of Get-EventLog. The cmdlets work in a similar manner, and Get-EventLog does the trick in most cases. According to the Microsoft documentation, the main difference is that Get-WinEvent works with "the Windows Event Log technology introduced in Windows Vista." To get a clearer picture, you can use two simple cmdlets:
Get-EventLog -List
Get-WinEvent -ListLog * | where {$_.RecordCount -gt 0}
As you can see, Get-WinEvent is a clear winner when it comes to the amount of data it can access.
Mind that some attribute names are different in those two cmdlets, so you might need to do some translating if you want to use the syntax of Get-WinEvent with the Get-EventLog cmdlet. If you want to know which properties you can filter on, just pipe the cmdlet to Get-Member:
Get-EventLog application -Newest 1 | Get-Member
Although Get-EventLog is a "legacy cmdlet," it still works like a charm in most diagnostic cases. It also has one clear advantage: you can use the -After and -Before attributes to filter results by date. Thanks to that, date-related queries are much quicker than piping all results and trying to sift through them.
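Added example (not code from the original article) showing the "translating" the paragraph above mentions: the same errors-and-warnings query written for both cmdlets, with the differing property names mapped to one common shape. With Get-WinEvent, the StartTime key of -FilterHashtable plays the role of -After; the function name is my own.

```powershell
function Get-RecentIssues {
    param(
        [string]$LogName      = 'Application',
        [int]   $Hours        = 12,
        [string]$ComputerName = $env:COMPUTERNAME,
        [switch]$UseWinEvent
    )
    $since = (Get-Date).AddHours(-$Hours)

    if ($UseWinEvent) {
        # Newer cmdlet: the hashtable is turned into a query that the event log service
        # evaluates itself, so only matching records are returned to the console.
        # Level 2 = Error, 3 = Warning; StartTime replaces Get-EventLog's -After.
        Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = $LogName; Level = 2, 3; StartTime = $since
        } | Select-Object @{n='Time';e={$_.TimeCreated}},
                          @{n='Id';e={$_.Id}},
                          @{n='Level';e={$_.LevelDisplayName}},
                          @{n='Provider';e={$_.ProviderName}},
                          Message
    }
    else {
        # Legacy cmdlet: -After and -EntryType do the filtering. Note the different
        # property names: TimeGenerated / EventID / EntryType / Source.
        Get-EventLog -ComputerName $ComputerName -LogName $LogName -After $since -EntryType Error, Warning |
            Select-Object @{n='Time';e={$_.TimeGenerated}},
                          @{n='Id';e={$_.EventID}},
                          @{n='Level';e={$_.EntryType}},
                          @{n='Provider';e={$_.Source}},
                          Message
    }
}

# Both calls return objects with identical column names, so reporting code downstream
# does not need to know which cmdlet produced them.
Get-RecentIssues -Hours 12 | Format-Table -AutoSize -Wrap
Get-RecentIssues -Hours 12 -UseWinEvent | Format-Table -AutoSize -Wrap
```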
Before you start searching through the logs for specific events, it is a good idea to get to know the structure and get a general idea of how the logging mechanism works. The Event Viewer is the right tool to get you started on that.
The Event Viewer
The amount of logging information can be overwhelming. It means that data filtering is your priority. To get acquainted with the structure, you can use the Event Viewer.
The quickest way to start the Event Viewer is to use the Win+R key combination and execute eventvwr:
This action will open the Event Viewer:
The tree on the left lets you browse through all Event Viewer's entries. The most used logs are Application, System, and Security.
Use PowerShell to diagnose problems on multiple computers
The biggest challenge of setting up the Get-EventLog or Get-WinEvent cmdlets is to filter results. First, you have to know what to look for; next, you have to make sure that your query does not cause the PowerShell console to throw a fit. One way to run diagnostics is to use the script below:
# Get-TransportService returns the Exchange transport servers; swap in any list of computer names.
$servers = Get-TransportService;
foreach ($server in $servers)
{
    Write-Host "Scanning the event log of: " -NoNewLine; Write-Host $server;
    # Errors and Warnings from the last 12 hours, appended to one file per server.
    Get-EventLog system -ComputerName $server -After (Get-Date).AddHours(-12) | where {($_.EntryType -Match "Error") -or ($_.EntryType -Match "Warning")} | ft -wrap >> "C:/$server.csv";
    Get-EventLog application -ComputerName $server -After (Get-Date).AddHours(-12) | where {($_.EntryType -Match "Error") -or ($_.EntryType -Match "Warning")} | ft -wrap >> "C:/$server.csv"
}
The script pulls data about all Error and Warning events generated in the last 12 hours in the System and Application logs for a list of servers. You can replace the Get-TransportService cmdlet with another list of machines you want to diagnose.
Checking login and logoff time with PowerShell
There are quite a few ways to check when a certain machine was turned on. If you just need to check when a user first logged in on a specific date, use the following cmdlet:
Get-EventLog system -after (get-date).AddDays(-1) | where {$_.InstanceId -eq 7001}
To learn when the computer was turned on on a specific date, you can select the first logged event:
$today = Get-Date -Hour 0 -Minute 0 -Second 0;
# Get-EventLog returns the newest entries first, so sort by time to get the earliest one of the day.
Get-EventLog system -After $today | Sort-Object TimeGenerated | Select-Object -First 1
Those cmdlets, however, will not work if you want to monitor the usage of a shared computer.
You could scan through the security events, looking for 4624 (logon) and 4625 (logoff) event IDs. However, the Security log usually holds the greatest number of records and going through it can be extremely time-consuming. Fortunately, the System log also stores logon and logoff data, and specifying the exact source of the log entry allows a relatively quick search. The script below returns a list of logon and logoff events on the target computer with their exact times and users for the last 7 days.
# Winlogon writes 7001 (logon) and 7002 (logoff) to the System log; the SID of the user is in ReplacementStrings[1].
$logs = Get-EventLog system -ComputerName <name of the monitored computer> -Source Microsoft-Windows-Winlogon -After (Get-Date).AddDays(-7);
$res = @();
ForEach ($log in $logs) {
    if ($log.InstanceId -eq 7001) {$type = "Logon"} ElseIf ($log.InstanceId -eq 7002) {$type = "Logoff"} Else {Continue}
    $res += New-Object PSObject -Property @{Time = $log.TimeWritten; "Event" = $type; User = (New-Object System.Security.Principal.SecurityIdentifier $log.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])}
};
$res
Result:
If you need more detailed results, you could add the Security log event IDs 4800 and 4801 for lock and unlock events. Mind that this will require you to run another Get-EventLog query to get info from the Security log. It will also significantly increase the time your PowerShell console will need to finish the job.
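The combined session timeline the paragraph above describes, as an added example that is not part of the original article. It uses Get-WinEvent -FilterHashtable instead of Get-EventLog so that the Security log is filtered by event ID on the log service rather than in the console, which keeps the extra Security query cheap; reading the Security log requires administrative rights, the computer name is a placeholder, and the function name is my own.

```powershell
function Get-SessionTimeline {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # monitored computer; assumed reachable
        [int]   $Days         = 7
    )
    $since  = (Get-Date).AddDays(-$Days)
    $labels = @{ 7001 = 'Logon'; 7002 = 'Logoff'; 4800 = 'Lock'; 4801 = 'Unlock' }

    # Winlogon 7001/7002 live in the System log; 4800/4801 come from the Security log.
    # The Id filter inside -FilterHashtable is evaluated by the event log service itself,
    # so the (large) Security log is never pulled over in full and sifted client-side.
    $queries = @(
        @{ LogName = 'System';   ProviderName = 'Microsoft-Windows-Winlogon'; Id = 7001, 7002; StartTime = $since },
        @{ LogName = 'Security'; Id = 4800, 4801; StartTime = $since }
    )
    $events = foreach ($q in $queries) {
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $q -ErrorAction SilentlyContinue
    }

    foreach ($e in $events) {
        # Properties holds the same items as ReplacementStrings: 7001/7002 carry the user SID
        # as the second item, 4800/4801 carry TargetUserSid as the first item.
        $index = if ($e.Id -ge 7001) { 1 } else { 0 }
        $sid   = New-Object System.Security.Principal.SecurityIdentifier ([string]$e.Properties[$index].Value)
        try   { $user = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $user = $sid.Value }   # deleted or foreign accounts cannot be resolved; keep the raw SID
        [PSCustomObject]@{
            Time  = $e.TimeCreated
            Event = $labels[[int]$e.Id]
            User  = $user
        }
    }
}

Get-SessionTimeline -ComputerName 'SHARED-PC-PLACEHOLDER' -Days 7 | Sort-Object Time | Format-Table -AutoSize
```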
Further Reading:
- Managing users' Outlook rules from Exchange Management Shell (with PowerShell)
- Message tracking logs in Exchange Server
Source: https://www.codetwo.com/admins-blog/how-to-check-event-logs-with-powershell-get-eventlog/
Posted by: steffeylooncomet.blogspot.com