TOPIC
	about_EventLogs

SHORT DESCRIPTION
	Windows PowerShell creates a Windows event log that is 
	named "Windows PowerShell" to record Windows PowerShell events. You can
	view this log in Event Viewer or by using cmdlets that get events, such as
	the Get-EventLog cmdlet. By default, Windows PowerShell engine and provider
	events are recorded in the event log, but you can use the event log 
	preference variables to customize the event log. For example, you can add
	events about Windows PowerShell commands.


LONG DESCRIPTION
	The Windows PowerShell event log records details of Windows PowerShell 
	operations, such as starting and stopping the program engine and starting
	and stopping the Windows PowerShell providers. You can also log details 
	about Windows PowerShell commands.


	In Windows Vista and later versions, the Windows PowerShell event log
	is in the Application and Services Logs group. The Windows PowerShell log
	is a classic event log that does not use the Windows Eventing technology. 
	To view the log, use the cmdlets designed for classic event logs, such as 
	Get-EventLog.


  Viewing the Windows PowerShell Event Log

	You can view the Windows PowerShell event log in Event Viewer or by 
	using the Get-EventLog and Get-WmiObject cmdlets. To view the contents 
	of the Windows PowerShell log, type:

		get-eventlog -logname "Windows PowerShell"

   
	To examine the events and their properties, use the Sort-Object cmdlet,
	the Group-Object cmdlet, and the cmdlets that contain the Format verb 
	(the Format cmdlets).


	For example, to view the events in the log grouped by the event ID, type:

		get-eventlog "Windows PowerShell" | format-table -groupby eventid


	Or, type:

		get-eventlog "Windows PowerShell" | sort-object eventid `
			| group-object eventid


	To view all the classic event logs, type:

		get-eventlog -list


	You can also use the Get-WmiObject cmdlet to query the event-related 
	Windows Management Instrumentation (WMI) classes and examine the event log.
	For example, to view all the properties of the event log file, type:

		get-wmiobject win32_nteventlogfile | where `
			{$_.logfilename -eq "Windows PowerShell"} | format-list -property * 


	To find the Win32 event-related WMI classes, type:

		get-wmiobject -list | where {$_.name -like "win32*event*"}


	For more information, type "get-help get-eventlog" and 
	"get-help get-wmiobject".
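	The following script is an added example, not part of this help topic. It puts the cmdlets named above (Get-EventLog, Group-Object, Sort-Object, the Format cmdlets and Get-WmiObject) together the way a reviewer would when going through the classic "Windows PowerShell" log: count entries by event ID, list the engine start/stop entries, list error entries, and report the log file's size cap and overwrite policy. The 24-hour window is an arbitrary, constructed value, and the assumption that engine life-cycle messages begin with "Engine state is changed" describes the message text of this log as the author of the example has observed it, not something this topic states.

```powershell
# Added example, not part of the about_EventLogs topic. Assumes the host still
# has the classic "Windows PowerShell" log and the caller can read it.

$logName = "Windows PowerShell"
$since   = (Get-Date).AddHours(-24)   # constructed window; adjust as needed

# 1. Read the events once. Filtering on the cmdlet (-After) is cheaper than
#    piping every record through Where-Object.
$events = Get-EventLog -LogName $logName -After $since

# 2. Count entries per event ID so unusual volumes stand out, for example a
#    burst of command or health events in a short window.
$events |
    Group-Object -Property EventID |
    Sort-Object -Property Count -Descending |
    Format-Table -Property Count, Name -AutoSize

# 3. Engine life-cycle entries (start/stop) as a timeline. The topic notes that
#    engine start events cannot be disabled, so gaps here are worth a look.
#    Assumption: these messages begin with "Engine state is changed".
$events |
    Where-Object { $_.Message -like "Engine state is changed*" } |
    Sort-Object -Property TimeGenerated |
    Format-Table -Property TimeGenerated, EntryType, EventID -AutoSize

# 4. Error-level entries (the Health event types) in the same window.
$events |
    Where-Object { $_.EntryType -eq "Error" } |
    Format-List -Property TimeGenerated, EventID, Message

# 5. Log file settings from WMI. A small MaxFileSize together with an
#    OverWritePolicy of "WhenNeeded" means older entries are lost quickly.
Get-WmiObject -Class Win32_NTEventLogFile |
    Where-Object { $_.LogfileName -eq $logName } |
    Format-List -Property LogfileName, NumberOfRecords, FileSize, MaxFileSize, OverWritePolicy
```

	Run the script from a session that can read the log; on a host where the log is empty for the chosen window, steps 2 through 4 print nothing and only the WMI summary in step 5 appears.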


  Selecting Events for the Windows PowerShell Event Log

	You can use the event log preference variables to determine which events
	are recorded in the Windows PowerShell event log. 


	There are six event log preference variables; two variables for each of 
	the three logging components: the engine (the Windows PowerShell 
	program), the providers, and the commands. The LifeCycleEvent variables
	log normal starting and stopping events. The Health variables log error
	events.


	The following table lists the event log preference variables.

		Variable                     Description
		--------------------------   ----------------------------------------

		$LogEngineLifeCycleEvent     Logs starting and stopping of
		                             Windows PowerShell.

		$LogEngineHealthEvent        Logs Windows PowerShell program errors.

		$LogProviderLifeCycleEvent   Logs starting and stopping of
		                             Windows PowerShell providers.

		$LogProviderHealthEvent      Logs Windows PowerShell provider errors.

		$LogCommandLifeCycleEvent    Logs starting and completion of commands.

		$LogCommandHealthEvent       Logs command errors.

	
	(For information about Windows PowerShell providers, 
	type: "get-help about_providers".)


	By default, only the following event types are enabled:

		$LogEngineLifeCycleEvent
		$LogEngineHealthEvent
		$LogProviderLifeCycleEvent
		$LogProviderHealthEvent

	
	To enable an event type, set the preference variable for that event type
	to $true. For example, to enable command life-cycle events, type:

		$LogCommandLifeCycleEvent = $true


	To check the current value of an event type, type the variable name by
	itself:

		$LogCommandLifeCycleEvent


	To disable an event type, set the preference variable for that event type
	to $false. For example, to disable command life-cycle events, type:

		$LogCommandLifeCycleEvent = $false

	You can disable any event type, except for the events that indicate that
	the Windows PowerShell engine and the core providers have started. These
	events are generated before the Windows PowerShell profiles are run and
	before the host program is ready to accept commands.

	The variable settings apply only for the current Windows PowerShell 
	session. To apply them to all Windows PowerShell sessions, add them to
	your Windows PowerShell profile.
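	The following profile fragment is an added example, not part of this help topic. It turns on the two command-level event types, which the topic says are off by default, sets the other four explicitly so the profile documents the intended state, and defines a small function that reads the six preference variables back so the effect of the profile can be verified in one call. The only assumption is that the fragment is placed in the profile file that the $PROFILE automatic variable points to; the function name Get-PowerShellEventLogPreference is chosen for this example.

```powershell
# Added example, not part of the about_EventLogs topic. Place in the file
# that $PROFILE points to so the settings apply to every new session.

# Enable command life-cycle and command health events (off by default).
$LogCommandLifeCycleEvent = $true
$LogCommandHealthEvent    = $true

# Engine and provider events are on by default; setting them explicitly
# records the intended state in the profile.
$LogEngineLifeCycleEvent   = $true
$LogEngineHealthEvent      = $true
$LogProviderLifeCycleEvent = $true
$LogProviderHealthEvent    = $true

function Get-PowerShellEventLogPreference {
    # Report the six event log preference variables of the current session.
    # Get-Variable without -Scope searches the current scope and its parents,
    # so the values set at the top of the profile are found from here.
    $names = "LogEngineLifeCycleEvent",   "LogEngineHealthEvent",
             "LogProviderLifeCycleEvent", "LogProviderHealthEvent",
             "LogCommandLifeCycleEvent",  "LogCommandHealthEvent"

    foreach ($name in $names) {
        [pscustomobject]@{
            Variable = '$' + $name
            Enabled  = [bool](Get-Variable -Name $name -ValueOnly)
        }
    }
}

# Show the effective settings when the profile loads.
Get-PowerShellEventLogPreference | Format-Table -AutoSize
```

	Because the variables are session-scoped, a session started without this profile (for example with the -NoProfile switch) falls back to the defaults, and command events for that session are not recorded; the function above makes that easy to confirm.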


  Security and Auditing

	The Windows PowerShell event log is designed to indicate activity and 
	to provide operational details for troubleshooting. 


	However, like most Windows-based application event logs, the 
	Windows PowerShell event log is not designed to be secure. It should not
	be used to audit security or to record confidential or proprietary 
	information.


	Event logs are designed to be read and understood by users. Users can 
	read from and write to the log. A malicious user could read an event log
	on a local or remote computer, record false data, and then prevent the
	logging of their activities.


SEE ALSO
	Get-EventLog
	Get-WmiObject
	about_Preference_Variables