Accessing a Remote Security Event Log Using Windows PowerShell

I’ve been working with Windows PowerShell a lot recently. PowerShell is Microsoft’s new shell and scripting language. You can think of PowerShell as a vast improvement over the old cmd.exe and .bat files.

There are two ways to access the system Event Log with PowerShell. The first is to use the built-in “cmdlet” named get-eventlog. For example, the command $e = get-eventlog stores into object $e an object representing the entire event log on the local machine. The second technique is to use the built-in get-wmiobject. For example, the command

$e = get-wmiobject -class win32_ntlogevent -computerName 'zeus'

fetches event log information for remote computer 'zeus'. Now you can get the System or the Application event log with a command like $app = $e | where-object { $_.logfile -eq "application" }. And then you can get just application errors with $errors = $app | where-object { $_.type -eq "error" }.

But unfortunately, by default, you cannot fetch the Security event log using this technique because by default, the WMI account cannot access the Security log. This is annoying as all heck and I haven’t been able to find a good work-around . . . yet.

I am tentatively scheduled to facilitate a Windows PowerShell hands-on lab at the upcoming Microsoft Management Summit. There will be several PowerShell experts from the Microsoft PowerShell team at MMS 2007 including Jeffrey Snover (architect) and Scott Ottaway (senior product manager), and you can bet I’m going to pick their brains on the problem of accessing a remote Security log file using the get-wmiobject cmdlet. Check out MMS 2007 at

3 Responses to Accessing a Remote Security Event Log Using Windows PowerShell

  1. MOW says:

    You can also use .NET to use remote Eventlogs in PowerShell

    Also you can enable privileges on the WMI connection by using a managementscope see :

    Greetings /\/\o\/\/

  2. James says:

    Thank you PowerShell guy. While researching the problem of accessing a remote Security event log, I came across both of the blog entries you mention but really didn’t grasp their significance until your comment here. Anyway, I put together an end-to-end example, which uses the EnablePrivileges property of a Management.ConnectionOptions object as you mention, and just posted it. A few days ago I chatted with some of my buddies from my IE3 and IE4 days who worked on PowerShell for a couple of years (but left the group before release) and they agreed that the Windows PowerShell remoting story is currently a bit of a weakness — but they also pointed out some of the technical challenges — it’s a surprisingly hard problem. At any rate, I expect the PowerShell v2.0 will have a way to directly access a remote Security event log, rather than resorting to .NET calls.

  3. Leemay says:

    thank you, you give me an afflatus 🙂
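
The approach named in comments 1 and 2, enabling privileges on the WMI connection through a Management.ConnectionOptions object and a ManagementScope, can be sketched as follows. This is an added example, not the code from the post or from either commenter; the function name, the 24-hour window and the 50-entry cap are assumptions, and 'zeus' is the sample computer name from the post.

```powershell
# Added example: read a remote Security log over WMI with privileges enabled.
# Get-RemoteSecurityEvent is a hypothetical helper name, not a built-in cmdlet.
function Get-RemoteSecurityEvent {
    param(
        [string]$ComputerName = 'zeus',   # sample host name from the post
        [int]$Hours = 24,                 # assumed look-back window
        [int]$MaxEvents = 50              # assumed cap on returned entries
    )

    # EnablePrivileges switches on privileges the caller's token already holds
    # (SeSecurityPrivilege for the Security log). It grants nothing new: the
    # account still needs the "Manage auditing and security log" right on the target.
    $options = New-Object System.Management.ConnectionOptions
    $options.EnablePrivileges = $true
    $options.Impersonation    = [System.Management.ImpersonationLevel]::Impersonate
    # Encrypt the DCOM traffic so audit records do not cross the wire in clear text.
    $options.Authentication   = [System.Management.AuthenticationLevel]::PacketPrivacy

    $scope = New-Object System.Management.ManagementScope `
        -ArgumentList "\\$ComputerName\root\cimv2", $options
    $scope.Connect()

    # Filter on the remote side; pulling the whole log and piping it through
    # where-object transfers every record first.
    $since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime(
        (Get-Date).AddHours(-$Hours))
    $wql = "SELECT * FROM Win32_NTLogEvent " +
           "WHERE Logfile = 'Security' AND TimeGenerated >= '$since'"
    $query    = New-Object System.Management.ObjectQuery -ArgumentList $wql
    $searcher = New-Object System.Management.ManagementObjectSearcher `
        -ArgumentList $scope, $query

    $searcher.Get() | Select-Object -First $MaxEvents | ForEach-Object {
        # Flatten each WMI record into a plain object that is easy to sort or export.
        $row = New-Object PSObject
        $row | Add-Member NoteProperty Time (
            [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeGenerated))
        $row | Add-Member NoteProperty EventCode $_.EventCode
        $row | Add-Member NoteProperty Type      $_.Type
        $row | Add-Member NoteProperty User      $_.User
        $row | Add-Member NoteProperty Summary   (("" + $_.Message) -split "`r?`n")[0]
        $row
    }
}

# Example call: Get-RemoteSecurityEvent -ComputerName 'zeus' -Hours 4 | Format-Table -AutoSize
```

From Windows PowerShell 2.0 onward, get-wmiobject also accepts an -EnableAllPrivileges switch that has the same effect without the explicit .NET objects.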
