Tracking Down User Logons with PowerShell and XPath
When working with Windows event logs, especially the Security log, there will be times when you need to extract specific information from events, and you will find it is not as easy as you would expect. Recently, I needed to query Windows events from the Security event log for user logon events (Event ID 4624, to be specific). But not all of them, just events matching a specific username syntax of domain_name/username. Join me on a journey through Windows event logs, XML and XPath as we parse Windows event logs with PowerShell. To demonstrate, let's walk through an example.

Query the Event Log with Get-WinEvent

You first need to pull at least one Windows event. Since I'm working with user logon events, I'll pull just one event with event ID 4624 as an example. The -FilterHashtable parameter lets the event log service do the filtering on log name and event ID before any records reach PowerShell.

$eventRecord = Get-WinEvent -MaxEvents 1 -FilterHashtable @{LogName='Security';ID=4624}

Done! You now have a System.Diagnostics.Eventing.Reader.EventLogRecord object.

Convert the Event Record to XML

Now, this tutorial would be pretty short if I only needed to filter on basic properties like Id or TimeCreated, but unfortunately I need to filter on information that lives in the event's Message field. Get-WinEvent doesn't give you a friendly object to query for that: Message is a rendered, locale-dependent string, and the record's Properties collection carries the event data values without their names. Instead, you must build your own object. To do so, first convert the record to XML using the ToXml() method, which serializes the entire event, including the named EventData fields, to an XML string.

$xmlEventRecord = $eventRecord.ToXml()

Unless you are a glutton for punishment and prefer regex, you need to get this into a structured format so you can query the elements inside it. Lucky for us, you can cast an XML string to a System.Xml.XmlDocument object using the [xml] type accelerator.
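The following is an added example, not code from the original post: it carries the steps above through to the finish, turning a 4624 record's XML into an object with named fields and then filtering on the DOMAIN\username form. It also pushes as much of the filter as possible into the event log query with -FilterXPath so fewer records cross the pipeline. The sample XML, the CORP domain, the jdoe account, the host name, the SID and the IP address are all constructed so the parser can be run offline; the regex pattern is an assumed example of the username syntax being matched.

```powershell
# Added example (not from the original post). Parses a Security 4624 event's
# XML into a PSCustomObject and filters on DOMAIN\username. The XML below is a
# constructed, trimmed 4624 record; every value in it is made up.
$sample4624Xml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2024-01-15T08:12:34.1234567Z" />
    <Computer>WS01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">WS01$</Data>
    <Data Name="TargetUserSid">S-1-5-21-1111-2222-3333-1105</Data>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="IpAddress">10.0.0.25</Data>
  </EventData>
</Event>
'@

function ConvertFrom-LogonEventXml {
    # Turns the XML produced by EventLogRecord.ToXml() into an object whose
    # properties are the named EventData fields we care about.
    param([Parameter(Mandatory)][string]$Xml)

    [xml]$doc = $Xml   # [xml] type accelerator -> System.Xml.XmlDocument

    # The event XML declares a default namespace. Dot-notation
    # ($doc.Event.EventData.Data) ignores it, but SelectNodes/XPath does not,
    # so register a prefix for it before querying.
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

    # <Data Name="X">value</Data> pairs become a name -> value lookup.
    $data = @{}
    foreach ($d in $doc.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }

    [pscustomobject]@{
        TimeCreated = [datetime]$doc.SelectSingleNode('/e:Event/e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
        Computer    = $doc.SelectSingleNode('/e:Event/e:System/e:Computer', $ns).InnerText
        Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType   = [int]$data['LogonType']
        SourceIp    = $data['IpAddress']
    }
}

# Assumed pattern for the DOMAIN\username syntax we are after: CORP accounts
# whose username starts with "j". Matching happens on the structured Account
# field, not on the localized Message text.
$pattern = '^CORP\\j'

# Offline run against the constructed sample.
ConvertFrom-LogonEventXml -Xml $sample4624Xml | Where-Object Account -match $pattern

# Live run against the Security log (needs an elevated session). The exact
# domain match is pushed into the query with -FilterXPath; the event log's
# XPath subset has no regex or substring functions, so the finer username
# pattern is still applied in PowerShell afterwards.
$xpath = "*[System[EventID=4624] and EventData[Data[@Name='TargetDomainName']='CORP']]"
Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-LogonEventXml -Xml $_.ToXml() } |
    Where-Object Account -match $pattern
```

Working from EventData rather than Message matters beyond convenience: Message is rendered from the provider's message resources at read time, so it changes with the system locale and can be empty if the provider's resources are missing, whereas the Data elements and their Name attributes are stored with the record and are the same on every machine.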