get-WinEvent and XPath/XML Filter


Somebody, please, help me because I'm out of ideas...

I filter yesterday's events of the Microsoft-Windows-TerminalServices-Gateway/Operational log by means of the Event Viewer GUI

[image: 2.png]

...and take an XML query string:

[image: 3.png]

...and as far as I understand, the string surrounded by <Select></Select> elements is an XPath string. Saving the filtered events to a file and opening it in Event Viewer helps to find out how to point an XML query at the saved .evtx file.

But unfortunately the following code:

 

# Windows Forms is needed for the OpenFileDialog used further down
Add-Type -AssemblyName System.Windows.Forms

$firstevent = (Get-Date -Hour 0 -Minute 00 -Second 00 -Millisecond 000).AddDays(-1).AddHours(-4).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
$lastevent  = (Get-Date -Hour 23 -Minute 59 -Second 59 -Millisecond 999).AddDays(-1).AddHours(-4).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")

$XPathString = "*[System[TimeCreated[@SystemTime&gt;='"+$firstevent+"' and @SystemTime&lt;='$lastevent']]]"

$PathString = "Microsoft-Windows-TerminalServices-Gateway/Operational"

$XFilter = "<QueryList><Query Id=`"0`" Path=`"$PathString`"><Select Path=`"$PathString`">$XPathString</Select></Query></QueryList>"

# 1: live channel, -FilterXPath
$events = @()
$events = Get-WinEvent -LogName $PathString -FilterXPath $XPathString
$events
'1##########################################################################################################################################'

# 2: live channel, -FilterXml
$events = @()
$events = Get-WinEvent -FilterXml $XFilter
$events
'2##########################################################################################################################################'

$OpenFileDialog = New-Object 'System.Windows.Forms.OpenFileDialog'
$OpenFileDialog.ShowDialog() | Out-Null

$PathString = "file://"+$OpenFileDialog.FileName
$XFilter = "<QueryList><Query Id=`"0`" Path=`"$PathString`"><Select Path=`"$PathString`">$XPathString</Select></Query></QueryList>"

# 3: exported .evtx file, -FilterXPath
$events = @()
$events = Get-WinEvent -Path $OpenFileDialog.FileName -FilterXPath $XPathString
$events
'3##########################################################################################################################################'

# 4: exported .evtx file, -FilterXml
$events = @()
$events = Get-WinEvent -FilterXml $XFilter
$events
'4##########################################################################################################################################'

 

returns an error in variants 1 and 3 of calling Get-WinEvent, that is with the -LogName parameter and the Operational log, and with the -Path parameter for working with the .evtx file. The error message says that the XPath filter is incorrect.

The 2nd call performs without errors and the 4th in fact gets event records from the file but throws an exception saying PowerShell couldn't get information (data) about log <.evtx file> and that the path to the channel is incorrect...

What the hell is going on? Where are those God damned mistakes? Can someone explain to me why the very same XPath string works OK within an XML query document but generates an error if used with the -FilterXPath parameter?

Thanks in advance!
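The same four calls, as an added example that is not the original poster's code: it keeps one raw XPath string for -FilterXPath and derives the entity-escaped copy that belongs inside an XML query, converts the time window to UTC so the trailing Z is accurate, and addresses the exported .evtx through a file:// URI. The log name is the one from the post; the export path is a placeholder.

```powershell
# Added example, not from the original post. Assumes the log name below and a
# placeholder .evtx path; replace the path with a real export before running.
$log  = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
$file = 'C:\Temp\gateway-export.evtx'   # placeholder

# Yesterday's local calendar day, converted to UTC so the literal 'Z' is truthful
# (the post shifts local time by a fixed -4h instead, which breaks on DST changes).
$dayStart = (Get-Date).Date.AddDays(-1)
$startUtc = $dayStart.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
$endUtc   = $dayStart.AddDays(1).AddMilliseconds(-1).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')

# Raw XPath: -FilterXPath passes this straight to the event log API, so the
# operators must be literal >= and <=. '&gt;=' is XML entity syntax, not XPath,
# which is exactly the "XPath filter is incorrect" error from the post.
$xpath = "*[System[TimeCreated[@SystemTime>='$startUtc' and @SystemTime<='$endUtc']]]"

# Inside an XML document the same string must be escaped; the XML parser turns
# &gt;= back into >= before the XPath engine sees it, so the escaped form only
# works with -FilterXml.
$xpathXml = [System.Security.SecurityElement]::Escape($xpath)

function New-EventQueryXml([string]$Path, [string]$XPathXml) {
    @"
<QueryList>
  <Query Id="0" Path="$Path">
    <Select Path="$Path">$XPathXml</Select>
  </Query>
</QueryList>
"@
}

# 1. live channel, raw XPath
$fromLogXPath  = Get-WinEvent -LogName $log -FilterXPath $xpath -ErrorAction SilentlyContinue
# 2. live channel, XML query with the escaped XPath
$fromLogXml    = Get-WinEvent -FilterXml ([xml](New-EventQueryXml $log $xpathXml)) -ErrorAction SilentlyContinue
# 3. exported file, raw XPath
$fromFileXPath = Get-WinEvent -Path $file -FilterXPath $xpath -ErrorAction SilentlyContinue
# 4. exported file, XML query: the Path attribute takes a file:// URI
$fromFileXml   = Get-WinEvent -FilterXml ([xml](New-EventQueryXml "file://$file" $xpathXml)) -ErrorAction SilentlyContinue

'Channel/XPath: {0}  Channel/XML: {1}  File/XPath: {2}  File/XML: {3}' -f `
    ($fromLogXPath  | Measure-Object).Count, ($fromLogXml  | Measure-Object).Count, `
    ($fromFileXPath | Measure-Object).Count, ($fromFileXml | Measure-Object).Count
```

Reading the TerminalServices-Gateway log needs an elevated session or membership in the Event Log Readers group; -ErrorAction SilentlyContinue only hides the "no events found" error, so drop it while troubleshooting.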
