

How to Get-EventLog for offline evtx files?

Question

Tuesday, July 30, 2013 10:31 AM

Dear all,

We need to analyse the security event log (e.g. event IDs 4720, 4722, 4725, 4726, 4662) for our production servers.  However, when I run Get-EventLog I get the following error:

Get-EventLog : Requested registry access is not allowed.

I believe it is because I don't have sufficient permission to read.  However I can copy the Security.evtx to somewhere else (e.g. offline computer) for analysis.  Could I have some insight to change my script? Many thanks.

Get-EventLog -InstanceId 4720,4722,4725,4726,4662 -LogName Security -After 1/7/2013 -Before 1/8/2013 | Export-Csv "c:\temp\july2013.csv"

All replies (12)

Tuesday, July 30, 2013 10:57 AM | 1 vote

Are you working with Windows Server 2008 or greater, or Vista or greater?

Then open PowerShell as Administrator: right-click the icon and choose RUN AS ADMINISTRATOR. I think this will solve your problem.

Best regards
brima


Tuesday, July 30, 2013 11:15 AM | 3 votes

You can use Get-WinEvent command.

http://technet.microsoft.com/en-us/library/hh849682.aspx

Copy the file to C:\ or desktop and then you can use

Get-Winevent -path c:\mylog.evtx

Check the link for formatting or parsing through the log.

Regards, Vik Singh


Wednesday, July 31, 2013 2:47 AM


Dear Vik,

I run this command:

Get-WinEvent -path "C:\temp\Security*.evtx" -max 10 -FilterHashtable @{Providername="Microsoft-Windows-Security-Auditing"; id=4740; StartTime=1/7/2013; EndTime=1/8/2013} 

But powershell return error:

Get-WinEvent : Parameter set cannot be resolved using the specified named parameters.

I have researched on web but no idea so far.. May I know what is missed?

Mark


Wednesday, July 31, 2013 5:34 AM


Both StartTime and EndTime expect values in the DateTime type.  What you provided cannot be directly cast into the type it expects.

Either put quotes around them or explicitly define them as DateTime.

Get-WinEvent -path "C:\temp\*Security*.evtx" -max 10 -FilterHashtable @{Providername="Microsoft-Windows-Security-Auditing"; id=4740; StartTime='1/7/2013'; EndTime='1/8/2013'} 

Wednesday, July 31, 2013 6:43 AM

Start powershell with "Run as Administrator"

rgds,


Wednesday, July 31, 2013 7:51 AM

Thanks for the reply.  I found that I have to put the "Path" parameter inside the -FilterHashtable hashtable. The script is as follows:

$EventLogonIDs="4624","4634"
Get-WinEvent -FilterHashtable @{Path="C:\temp\Security*.evtx";id= @($EventLogonIDs);StartTime="1/7/2013";EndTime="1/8/2013"} | Export-Csv c:\temp\result.csv

Although it is proven to be working, it is really slow.  It takes hours to crawl through an 80MB evtx. I am wondering how to speed it up. Maybe crawl only the columns I need?


Thursday, August 1, 2013 7:39 AM

Hi,

If you want to export only some columns, please run the command below first to select one object and see which columns it has:

$EventLogonIDs="4624","4634"
Get-WinEvent -FilterHashtable @{Path="C:\temp\Security*.evtx";id= @($EventLogonIDs);StartTime="1/7/2013";EndTime="1/8/2013"} | select-object -first 2

Or we could also use the Get-Member command to get all properties of the result, and then choose what you want to export:

$EventLogonIDs="4624","4634"
Get-WinEvent -FilterHashtable @{Path="C:\temp\Security*.evtx";id= @($EventLogonIDs);StartTime="1/7/2013";EndTime="1/8/2013"} | select-object -first 1 | get-member

Regards,

Yan Li


Cataleya Li
TechNet Community Support
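Putting Mark's working hashtable form (Path as a key of -FilterHashtable) together with Yan Li's advice to export only the columns you need, here is an added example of the complete offline query for the account-management IDs from the original question. This is my code, not code from the thread. It assumes the exported logs sit under C:\temp and that C:\temp is writable; SubjectUserName, TargetUserName, TargetDomainName and ObjectName are the EventData field names Windows uses for these events (the column is empty for an ID that does not carry that field, e.g. 4662 has no TargetUserName). The dates are written in ISO form because a string like 1/7/2013 is 1 July on a day-first system and 7 January on a month-first one.

```powershell
# Added example (not from the thread): query exported Security logs offline and
# flatten the EventData fields of account-management events into a CSV.
# Assumption: the .evtx copies are in C:\temp and the output path is writable.
$ids   = 4720, 4722, 4725, 4726, 4662     # IDs from the original question
$start = [datetime]'2013-07-01'           # unambiguous; '1/7/2013' depends on the system culture
$end   = [datetime]'2013-08-01'

# Path goes inside the hashtable. The -Path parameter and -FilterHashtable are in
# different parameter sets, which is what produced "Parameter set cannot be resolved".
$filter = @{
    Path      = 'C:\temp\Security*.evtx'  # wildcards are allowed, so rotated archives are included
    Id        = $ids
    StartTime = $start
    EndTime   = $end
}

Get-WinEvent -FilterHashtable $filter |
    ForEach-Object {
        # The per-event fields (who did it, to which account) live in EventData/Data
        # elements of the event XML, not in top-level properties. Read them by name
        # rather than parsing the rendered Message text.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }   # skip unnamed Data elements
        }

        [pscustomobject]@{
            TimeCreated     = $_.TimeCreated
            Id              = $_.Id
            Computer        = $_.MachineName
            SubjectUserName = $data['SubjectUserName']   # account that performed the action
            TargetUserName  = $data['TargetUserName']    # account created/enabled/disabled/deleted
            TargetDomain    = $data['TargetDomainName']
            ObjectName      = $data['ObjectName']        # populated for 4662 (object access)
            RecordId        = $_.RecordId
        }
    } |
    Export-Csv -Path 'C:\temp\july2013.csv' -NoTypeInformation
```

Building the columns from the event XML has a second benefit for offline analysis: it does not depend on the Message text, which is only rendered when the provider's message resources are available on the machine doing the analysis.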


Friday, August 2, 2013 6:38 AM


Dear Yan,

Do you think it will shorten the running time?

Mark


Monday, August 5, 2013 4:46 AM

Hi,

There are many properties when exporting to an Excel file; we can find out all those properties and choose the needed ones to export.

It may not save much time, but please try it.

Regards,

Yan Li


Cataleya Li
TechNet Community Support


Thursday, February 25, 2016 11:57 AM

Can anybody comment on the speed of this cmdlet? I find it unusably slow! I searched through a 300MB evtx file via

get-winevent -path archive-security.evtx|where {$_.message -like "*username*"}

and it took around an hour! There must be something horribly inefficient happening but there is hardly any big CPU load, so what the heck?


Thursday, February 25, 2016 12:09 PM

Years ago this was a question.  Now it is a dead issue.

you need to learn PowerShell and Windows.  After that you can come back and ask a question.

¯\_(ツ)_/¯


Tuesday, August 1, 2017 4:36 PM

This was over a year ago, but I'll comment that the command really is very slow.  I selected a 3.5 hour range from a large (2GB) EVTX file by using this command:

$start = [datetime]"7/27/2017 1:30AM"

$end = [datetime]"7/27/2017 5:00AM"

$evt = get-winevent -filterhashtable @{path="log.evtx"; starttime=$start; endtime=$end}

Running on an Intel i7 with 16GB RAM (RAM usage was never more than 30%) and SSD, this took around 20 minutes to load 112K objects (only those in the specified range).
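The two posts above both filter after the cmdlet has already returned every event in the file (or in the time window). As an added example, not code from the thread, here is the 2016 post's `where {$_.message -like "*username*"}` pushed into the query as an XPath filter over the raw event fields, combined with the 2017 post's time window, so the cmdlet only returns the records that match. Assumptions: the file name is the one from the 2016 post, `jsmith` is a placeholder account name, and the account appears in the TargetUserName or SubjectUserName field, which is where logon/logoff events carry it. A field-level test is narrower than a substring match over the whole rendered message, so this is a more precise query as well as a cheaper one.

```powershell
# Added example (not from the thread): filter on raw event fields inside the query
# instead of returning every event and filtering on $_.Message in the pipeline.
# Assumptions: archive-security.evtx is in the current directory, 'jsmith' is a
# placeholder account name, and the window is the one from the 2017 post.
$file  = '.\archive-security.evtx'
$user  = 'jsmith'
$start = [datetime]'2017-07-27 01:30'
$end   = [datetime]'2017-07-27 05:00'

# Event-log XPath compares @SystemTime as UTC text in this exact shape.
$fmt  = "yyyy-MM-dd'T'HH:mm:ss.fff'Z'"
$from = $start.ToUniversalTime().ToString($fmt)
$to   = $end.ToUniversalTime().ToString($fmt)

# Two tests on the event XML: the System block (event ID and time) and the
# EventData block (the account name, in either of the fields these events use).
$xpath = "*[System[(EventID=4624 or EventID=4634) and " +
         "TimeCreated[@SystemTime>='$from' and @SystemTime<'$to']]] and " +
         "*[EventData[Data[@Name='TargetUserName']='$user' or Data[@Name='SubjectUserName']='$user']]"

# -Path and -FilterXPath are in the same parameter set, so they can be combined.
$events = @(Get-WinEvent -Path $file -FilterXPath $xpath)

"{0} matching events for {1} between {2} and {3}" -f $events.Count, $user, $from, $to
$events | Select-Object TimeCreated, Id, RecordId | Sort-Object TimeCreated | Format-Table -AutoSize
```

To widen the match beyond these two fields, add further `Data[@Name='...']='$user'` terms to the EventData predicate rather than falling back to a Message substring test; each field you add is still evaluated inside the query.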