Cardboard Iguana Security

Search

SearchSearch

Get-WinEvent FilterHashtable

July 31, 20241 min read

There’s lots of good information about the various FilterHashtable keys in Microsoft’s documentation. Some important ones:

  • LogName (String)
  • ProviderName (String)
  • Path (String)
  • Keywords (Long)
  • ID (Int32)
  • Level (Int32)
  • StartTime (DateTime)
  • EndTime (DateTime)
  • UserID (SID)
  • Data (String)
  • [NamedData] (String)

Wildcards can be used with LogName and ProviderName, but not with other keys.

Event Viewer displays most of these values in the “General” when viewing an individual log entry, though note that Keywords is translated to a string.

Keywords

Get-WinEvent FilterHashtable keywords

  • AuditFailure (4503599627370496)
  • AuditSuccess (9007199254740992)
  • CorrelationHint2 (18014398509481984)
  • EventLogClassic (36028797018963968)
  • Sqm (2251799813685248)
  • WdiDiagnostic (1125899906842624)
  • WdiContext (562949953421312)
  • ResponseTime (281474976710656)
  • None (0)
Link to original

Levels

Get-WinEvent FilterHashtable log levels

  • Verbose (5)
  • Informational (4)
  • Warning (3)
  • Error (2)
  • Critical (1)
  • LogAlways (0)
Link to original

Event IDs

Windows event IDs

  • 104 — Event log was cleared
  • 1102 — Audit log was cleared (517 on Windows 2003 and earlier)
  • 4104 — PowerShell command and script logging
  • 4626 — Successful logon
    • LogonType 3 represents a (generic) network login
    • LogonType 9 represents a logon where the outbound credentials are different than the credentials used to authenticate to the account that is initiating that login (only logged by the host initiating the connection, however)

It’s hard to find documentation about event ID, and the meaning seems to shift between versions of Windows.

Link to original

Graph View

Backlinks