Scan archived winevt logs for an EventID

Wed May 03 2023

Bulk scanning of the archived event log files (the Archive-Security-*.evtx files written when the Security log is configured to archive when full) to detect a specific event ID, in this example 4722(S): A user account was enabled.

# Event details
$ProviderName = 'Microsoft-Windows-Security-Auditing'
$EventID = 4722
$EventFileNameFilter = 'Archive-Security-*'
# Folder
$FolderArchiveLogs = 'C:\Windows\System32\winevt\Logs'
$ArchiveLogs = Get-ChildItem $FolderArchiveLogs | Where-Object { $_.Name -like $EventFileNameFilter }
# Properties to extract
$EventProperties = `
  'TimeCreated', `
  'ID', `
  @{N = 'Message'; E = { $_.Message -split "`n" | Select-Object -First 1 } }, `
  @{N = 'Target'; E = { $_.Properties[0].Value } }, `
  @{N = 'Actor'; E = { $_.Properties[4].Value } }

$Events = @()
foreach ($ArchiveLog in $ArchiveLogs) {
  Write-Verbose "Scanning for $EventID in file $($ArchiveLog.FullName) .."
  # Get-WinEvent raises a non-terminating error for every file that contains no matching event;
  # SilentlyContinue suppresses that noise so the loop just moves on to the next archive.
  $Events += Get-WinEvent `
    -ErrorAction SilentlyContinue `
    -FilterHashtable @{Path = "$($ArchiveLog.FullName)"; ProviderName = $ProviderName; ID = $EventID }
}

$Events | Select-Object $EventProperties | Out-GridView
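The same scan wrapped as a reusable function, added here as an example and not part of the original post: it accepts several event IDs at once, narrows by time window, separates the harmless "no events found" error from real read failures, and can write the hits to CSV for later triage. The function name, parameter names and the Target/Actor property indexes (which follow the 4722 layout used above) are assumptions of this example.

```powershell
function Find-ArchivedSecurityEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [int[]] $EventId,                          # e.g. 4722 or 4720,4722,4725
        [string] $LogFolder  = 'C:\Windows\System32\winevt\Logs',
        [string] $FileFilter = 'Archive-Security-*',
        [datetime] $StartTime,
        [datetime] $EndTime,
        [string] $CsvPath                                                  # optional export target
    )
    # Build the filter once; StartTime/EndTime are added only when the caller supplied them
    $filter = @{
        ProviderName = 'Microsoft-Windows-Security-Auditing'
        ID           = $EventId
    }
    if ($PSBoundParameters.ContainsKey('StartTime')) { $filter['StartTime'] = $StartTime }
    if ($PSBoundParameters.ContainsKey('EndTime'))   { $filter['EndTime']   = $EndTime }

    $files   = Get-ChildItem -Path $LogFolder -Filter $FileFilter -File
    $results = foreach ($file in $files) {
        Write-Verbose "Scanning $($file.FullName) for IDs $($EventId -join ',')"
        $filter['Path'] = $file.FullName
        $err   = $null
        $found = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue -ErrorVariable err
        # 'No events were found' is expected for most archives; anything else (locked or corrupt
        # file, access denied) is worth surfacing rather than silently skipping
        foreach ($e in $err) {
            if ($e.Exception.Message -notmatch 'No events were found') {
                Write-Warning "$($file.Name): $($e.Exception.Message)"
            }
        }
        foreach ($evt in $found) {
            [pscustomobject]@{
                TimeCreated = $evt.TimeCreated
                Id          = $evt.Id
                Message     = ($evt.Message -split "`n")[0]      # first line only
                Target      = $evt.Properties[0].Value           # TargetUserName (4722 layout)
                Actor       = $evt.Properties[4].Value           # SubjectUserName (4722 layout)
                SourceFile  = $file.Name                         # which archive the hit came from
            }
        }
    }
    if ($CsvPath) { $results | Export-Csv -Path $CsvPath -NoTypeInformation }
    $results
}

# Example call: enable/disable/delete events from the last 30 days, exported for review
Find-ArchivedSecurityEvent -EventId 4722, 4725, 4726 -StartTime (Get-Date).AddDays(-30) `
    -CsvPath 'C:\Temp\account-changes.csv' -Verbose | Out-GridView
```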