Windows event logs can be accessed in several ways:
- Event Viewer (GUI application: eventvwr.msc)
- Wevtutil.exe (command-line tool)
- Get-WinEvent (PowerShell cmdlet)
List the available event logs (channels):
wevtutil el
Read events from a log (here the 3 newest events of the Application log: /c:3 = count, /rd:true = reverse direction so newest first, /f:text = human-readable output instead of XML):
wevtutil qe Application /c:3 /rd:true /f:text
PowerShell cmdlet
Filter by log, provider and event ID (11707 = MsiInstaller "Installation completed successfully"; straight quotes are required, curly quotes break the command):
Get-WinEvent -FilterHashtable @{
LogName='Application'
ProviderName='MsiInstaller'
ID=11707
}
Search Script Block Logging events (4104) for a string. -ExpandProperty passes the message text itself to Select-String; with -Property the match would run against a wrapper object:
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Select-Object -ExpandProperty Message | Select-String -Pattern 'SecureString'
XPath filters (reading the Security log requires administrator rights; named EventData fields are matched with Data[@Name="..."]):
Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="System"'
Get-WinEvent -LogName Application -FilterXPath '*/System/Provider[@Name="WLMS"] and */System/TimeCreated[@SystemTime="2020-12-15T01:09:08.940277500Z"]'
Accounts named Sam created on this host (4720 = a user account was created):
Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="Sam" and */System/EventID=4720'
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/Get-WinEvent?view=powershell-7.1
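A worked example, added here and not taken from the original page: it combines the FilterHashtable and event-ID queries above into a small hunt that pulls named EventData fields (TargetUserName, ScriptBlockText, ...) out of each event instead of relying on the positional Properties array, and handles the "No events were found" error Get-WinEvent raises when a filter matches nothing. Event IDs 4720 (user account created) and 4104 (script block logged) are documented Windows IDs; the 24-hour window, the Get-EventDataFields helper name and the selected output columns are choices made for this example.

```powershell
# Added example, not part of the original notes. Run from an elevated prompt:
# the Security log cannot be read by a standard user.

function Get-EventDataFields {
    # Turn an EventLogRecord into an object whose properties are the event's
    # named EventData fields (TargetUserName, ScriptBlockText, ...), read from
    # the event's XML rather than from the positional .Properties array.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event
    )
    process {
        $xml = [xml]$Event.ToXml()      # PowerShell ignores the XML namespace on dot access
        $fields = [ordered]@{
            TimeCreated = $Event.TimeCreated
            Id          = $Event.Id
        }
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $fields[$d.Name] = $d.'#text' }
        }
        [pscustomobject]$fields
    }
}

$since = (Get-Date).AddHours(-24)   # window chosen for this example

# Account creations (4720) in the last 24 hours.
# -ErrorAction SilentlyContinue matters: when nothing matches, Get-WinEvent
# emits a non-terminating "No events were found" error instead of an empty result.
$created = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    ID        = 4720
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Get-EventDataFields |
    Select-Object TimeCreated, TargetUserName, TargetDomainName, SubjectUserName, SubjectDomainName

$created | Format-Table -AutoSize

# Script blocks (4104) that mention SecureString. The regex runs on the
# ScriptBlockText field itself, not on the full rendered Message, and
# ScriptBlockId lets multi-part blocks (MessageNumber/MessageTotal) be reassembled.
$scriptBlocks = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    ID        = 4104
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Get-EventDataFields |
    Where-Object { $_.ScriptBlockText -match 'SecureString' } |
    Select-Object TimeCreated, ScriptBlockId, MessageNumber, MessageTotal, Path, ScriptBlockText

$scriptBlocks | Format-List
```

Using the FilterHashtable StartTime key pushes the time filter into the event log service, which is far faster than piping every event through Where-Object; the XPath form above is the equivalent for ad-hoc field matches.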
Event IDs
The Windows Logging Cheat Sheet (Windows 7 – Windows 2012)