Win32_NTEventlogFile

The Win32_NTEventlogFile WMI class represents a logical file or directory of operating system events. The file is also known as the event log.

Methods

Win32_NTEventlogFile has 16 methods:
Method Description
BackupEventLog Saves the specified event log to a backup file.
ChangeSecurityPermissions Class method that changes the security permissions for the logical file specified in the Name property.
ChangeSecurityPermissionsEx Class method that changes the security permissions for the logical file specified in the Name property.
ClearEventLog Clears the specified event log.
Compress Class method that compresses the logical file (or directory) specified in the Name property.
CompressEx Class method that uses NTFS compression to compress the logical file (or directory) specified in the Name property.
Copy Class method that copies the logical file or directory specified in the Name property to the location specified by the input parameter.
CopyEx Class method that copies the logical file or directory specified in the Name property to the location specified by the FileName parameter.
Delete Class method that deletes the logical file (or directory) specified in the Name property.
DeleteEx Class method that deletes the logical file (or directory) specified in the Name property.
GetEffectivePermission Class method that determines whether the caller has the aggregated permissions specified by the Permission argument not only on the file object, but on the share the file or directory resides on (if it is on a share).
Rename Class method that renames the logical file (or directory) specified in the Name property.
TakeOwnerShip Class method that obtains ownership of the logical file specified in the Name property.
TakeOwnerShipEx Class method that obtains ownership of the logical file specified in the Name property.
Uncompress Class method that uncompresses the logical file (or directory) specified in the Name property.
UncompressEx Class method that uncompresses the logical file (or directory) specified in the Name property.

Methods are called with Invoke-CimMethod; each method has its own purpose, parameters, and return value.
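As an added example that is not part of the original page, the following script calls the BackupEventLog method through Invoke-CimMethod and verifies the result. The log name, the destination folder and the `.evt` extension are assumptions for the demonstration; the method takes the single argument ArchiveFileName and reports 0 in ReturnValue on success, and the caller needs the backup privilege (SeBackupPrivilege) for it to succeed.

```powershell
# Added example (not from the page): back up one event log with the
# BackupEventLog method and sanity-check the copy before relying on it.
# Assumptions: $logName and $destination are placeholders; the account
# running this holds the backup privilege the method requires.
$logName     = 'Application'
$destination = 'C:\EventLogBackups\Application-{0:yyyyMMdd-HHmm}.evt' -f (Get-Date)

# the destination folder must exist before the method writes the archive
$null = New-Item -ItemType Directory -Path (Split-Path -Parent $destination) -Force

# select the instance by LogfileName; the key property Name holds the full
# path, but LogfileName is what an operator usually knows
$log = Get-CimInstance -ClassName Win32_NTEventlogFile -Filter "LogfileName='$logName'"
if (-not $log) { throw "Event log '$logName' not found" }

# BackupEventLog takes one argument, ArchiveFileName, and returns an object
# whose ReturnValue is 0 on success and an error code otherwise
$result = Invoke-CimMethod -InputObject $log -MethodName BackupEventLog `
                           -Arguments @{ ArchiveFileName = $destination }

if ($result.ReturnValue -ne 0) {
    throw "BackupEventLog for '$logName' failed with return value $($result.ReturnValue)"
}

# verify the archive exists and compare it with the live log; a backup that
# is far smaller than FileSize (bytes) deserves a second look before the
# original is cleared or rotated
$backup = Get-Item -LiteralPath $destination
[pscustomobject]@{
    Log           = $log.LogfileName
    Records       = $log.NumberOfRecords
    LiveSizeBytes = $log.FileSize
    BackupBytes   = $backup.Length
    BackupFile    = $backup.FullName
}
```

Run it as an administrator; a non-zero ReturnValue usually means the privilege is missing or the archive path is invalid, and the thrown error carries the code so it can be looked up in the method's documentation.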

Properties

Win32_NTEventlogFile returns 39 properties:

'AccessMask','Archive','Caption','Compressed','CompressionMethod','CreationClassName',
'CreationDate','CSCreationClassName','CSName','Description','Drive','EightDotThreeFileName',
'Encrypted','EncryptionMethod','Extension','FileName','FileSize','FileType','FSCreationClassName',
'FSName','Hidden','InstallDate','InUseCount','LastAccessed','LastModified','LogfileName',
'Manufacturer','MaxFileSize','Name','NumberOfRecords','OverwriteOutDated','OverWritePolicy','Path',
'Readable','Sources','Status','System','Version','Writeable'

Unless explicitly marked as writeable, all properties are read-only. Read all properties for all instances:

Get-CimInstance -ClassName Win32_NTEventlogFile -Property *

Most WMI classes return one or more instances.

If Get-CimInstance returns nothing, no instances of class Win32_NTEventlogFile exist on this system. This is normal behavior.

Either the class is not implemented on your system (it may be deprecated, or a driver may be missing, e.g. CIM_VideoControllerResolution), or there are simply no physical representations of this class currently available (e.g. Win32_TapeDrive).

AccessMask

UINT32

Bitmask that represents the access rights required to access or perform specific operations on the event log file. For bit values, see File and Directory Access Rights Constants.

Note

On FAT volumes, the FULL_ACCESS value is returned instead, which indicates no security has been set on the object.

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, AccessMask

Archive

BOOLEAN

If True, a file that contains Windows events should be archived.

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, Archive

Caption

STRING

Short description of the object.

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, Caption

Compressed

BOOLEAN

If True, a file that contains Windows events is compressed.

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, Compressed

CompressionMethod

STRING

Algorithm or tool used to compress the logical file that contains Windows events.

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, CompressionMethod

CreationClassName

KEY PROPERTY STRING MAX 256 CHAR

Name of the first concrete class to appear in the inheritance chain used in the creation of an instance. When used with the other key properties of the class, this property allows all instances of this class and its subclasses to be uniquely identified.

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name

CreationDate

DATETIME

Date that the file that contains Windows events was created.

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, CreationDate

CSCreationClassName

STRING

Class of the computer system.

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, CSCreationClassName

CSName

STRING

Name of the computer system.

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, CSName

Description

STRING

Description of the object.

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, Description

Drive

STRING

Drive letter (including colon) of the file that contains Windows events.

Example: “C:”

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, Drive

EightDotThreeFileName

STRING

DOS-compatible file name for the file that contains Windows events.

Example: “C:\PROGRA~1”

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, EightDotThreeFileName

Encrypted

BOOLEAN

If True, the file that contains Windows events is encrypted.

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, Encrypted

EncryptionMethod

STRING

Algorithm or tool used to encrypt the logical file.

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, EncryptionMethod

Extension

STRING

File name extension (without the dot) of the file that contains Windows events.

Example: “txt”, “mof”, “mdb”

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, Extension

FileName

STRING

File name (without extension) of the file that contains Windows events.

Example: “autoexec”

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, FileName

FileSize

UINT64

Size of the file that contains Windows events (in bytes).

For more information about using uint64 values in scripts, see Scripting in WMI.

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, FileSize

FileType

STRING

File type (indicated by the Extension property).

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, FileType

FSCreationClassName

STRING

Class of the file system.

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, FSCreationClassName

FSName

STRING

Name of the file system.

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, FSName

Hidden

BOOLEAN

If True, a file that contains Windows events is hidden.

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, Hidden

InstallDate

DATETIME

Date and time the object was installed. This property does not need a value to indicate that the object is installed.

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, InstallDate

InUseCount

UINT64

Number of “file opens” that are currently active against the file that contains Windows events.

For more information about using uint64 values in scripts, see Scripting in WMI.

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, InUseCount

LastAccessed

DATETIME

Date and time that the file that contains Windows events was last accessed.

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, LastAccessed

LastModified

DATETIME

Date and time that the file that contains Windows events was last modified.

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, LastModified

LogfileName

STRING

Name of the file that contains Windows events. Standard log file names include: Application, System, and Security.

To return the actual path and file name of the event log (for example, C:\Windows\System32\Config\Sysevent.evt), use the Name property instead.

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, LogfileName

Manufacturer

STRING

Manufacturer from version resource, if one is present.

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, Manufacturer

MaxFileSize

WRITEABLE UINT32

Maximum size (in bytes) permitted for the file that contains Windows events. If the file exceeds its maximum size, its contents are moved to another file and the primary file is emptied. A value of zero indicates no size limit. WMI retrieves the Maxsize value from the Event Log Service registry values.

Although event logs can be sized as large as 4 gigabytes, in practice they should be limited to no more than 300 megabytes. Event logs larger than that can be difficult to analyze because of the number of events contained within the log and because event logs are not optimized for data retrieval.
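As an added example that is not part of the original page, the following script audits MaxFileSize against a per-log floor and the 300 MB ceiling recommended above, and shows how the writeable property is changed through Set-CimInstance. The floor values are placeholders to adapt to local policy; the write is previewed with -WhatIf so nothing changes until that switch is removed.

```powershell
# Added example (not from the page): report event logs whose MaxFileSize is
# below a chosen floor, above the 300 MB ceiling, or unlimited (0), and raise
# undersized limits through the writeable MaxFileSize property.
# Assumptions: the floor values are placeholders for local policy.
$floor = @{
    Security    = 256MB
    System      = 64MB
    Application = 64MB
}
$ceiling = 300MB   # logs larger than this are hard to analyze (see above)

$logs = Get-CimInstance -ClassName Win32_NTEventlogFile

$report = foreach ($log in $logs) {
    $wanted = $floor[$log.LogfileName]   # $null for logs without a floor entry
    [pscustomobject]@{
        Log          = $log.LogfileName
        MaxMB        = [math]::Round($log.MaxFileSize / 1MB, 1)
        UsedMB       = [math]::Round($log.FileSize / 1MB, 1)
        Records      = $log.NumberOfRecords
        # 0 means "no size limit", which silently defeats the ceiling
        Unlimited    = ($log.MaxFileSize -eq 0)
        BelowFloor   = ($null -ne $wanted -and $log.MaxFileSize -lt $wanted)
        AboveCeiling = ($log.MaxFileSize -gt $ceiling)
    }
}
$report | Format-Table -AutoSize

# raise undersized limits: MaxFileSize is the one writeable size property, so
# the new value is pushed through Set-CimInstance. -WhatIf only previews the
# change; remove it to apply.
foreach ($log in $logs) {
    $wanted = $floor[$log.LogfileName]
    if ($null -ne $wanted -and $log.MaxFileSize -lt $wanted) {
        Set-CimInstance -InputObject $log -Property @{ MaxFileSize = [uint32]$wanted } -WhatIf
    }
}
```

Keep an eye on the Unlimited column: a zero MaxFileSize is not "safe", it removes the bound the rest of the audit relies on.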

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, MaxFileSize

Name

KEY PROPERTY STRING

Inherited name that serves as a key of a logical file instance that contains Windows events within a file system. Full path names should be provided.

Example: “c:\winnt\system\win.ini”

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name

NumberOfRecords

UINT32

Number of records in the file that contains Windows events. This value is determined by calling the Windows function GetNumberOfEventLogRecords.

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, NumberOfRecords

OverwriteOutDated

WRITEABLE UINT32 DAYS

Number of days after which an event can be overwritten.

OverwriteOutDated returns a numeric value: 0, a number of days from 1 to 365, or 4294967295 (0xFFFFFFFF). To translate it into meaningful text, use any of the following approaches:

Use a PowerShell Hashtable
$OverwriteOutDated_map = @{
  '0'          = 'Any record can be overwritten if necessary. If necessary, all existing events in the event log can be overwritten to make room for new events.'
  '1-365'      = 'Events older than the specified number of days can be overwritten as needed. If the event log does not contain any records older than the value specified, no new events will be recorded until the log has been cleared.'
  '4294967295' = 'No records can be overwritten. If the log reaches its maximum size, no new events will be recorded until the log has been cleared.'
}
# values 1 to 365 share one entry, so normalize the raw value before the lookup:
# $key = if ($value -ge 1 -and $value -le 365) { '1-365' } else { "$value" }
Use a switch statement
# cast to [uint32], not [int]: 4294967295 does not fit into an Int32
switch ([uint32]$value)
{
  0                            {'Any record can be overwritten if necessary. If necessary, all existing events in the event log can be overwritten to make room for new events.'}
  {$_ -ge 1 -and $_ -le 365}   {'Events older than the specified number of days can be overwritten as needed. If the event log does not contain any records older than the value specified, no new events will be recorded until the log has been cleared.'}
  4294967295                   {'No records can be overwritten. If the log reaches its maximum size, no new events will be recorded until the log has been cleared.'}
  default                      {"$value"}
}
Use Enum structure
# the uint32 underlying type (PowerShell 7 or better) is needed because
# 4294967295 does not fit into the default Int32 base type
Enum EnumOverwriteOutDated : uint32
{
  _0_0x0                   = 0            # Any record can be overwritten if necessary. If necessary, all existing events in the event log can be overwritten to make room for new events.
  _1_365                   = 1            # 1 to 365 (only 1 is representable as an enum member): Events older than the specified number of days can be overwritten as needed. If the event log does not contain any records older than the value specified, no new events will be recorded until the log has been cleared.
  _4294967295_0xFFFFFFFF   = 4294967295   # No records can be overwritten. If the log reaches its maximum size, no new events will be recorded until the log has been cleared.
}

Examples

Use $OverwriteOutDated_map in a calculated property for Select-Object
<# 
  this example uses a hashtable to translate raw numeric values for 
  property "OverwriteOutDated" to friendly text

  Note: to use other properties than "OverwriteOutDated", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "OverwriteOutDated" 
# to translate other properties, use their translation table instead
$OverwriteOutDated_map = @{
  '0'          = 'Any record can be overwritten if necessary. If necessary, all existing events in the event log can be overwritten to make room for new events.'
  '1-365'      = 'Events older than the specified number of days can be overwritten as needed. If the event log does not contain any records older than the value specified, no new events will be recorded until the log has been cleared.'
  '4294967295' = 'No records can be overwritten. If the log reaches its maximum size, no new events will be recorded until the log has been cleared.'
}

#endregion define hashtable

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "OverwriteOutDated", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
  value to its friendly text counterpart:
#>
 
$OverwriteOutDated = @{
  Name = 'OverwriteOutDated'
  Expression = {
    # the property is a single uint32; 4294967295 does not fit into [int], so keep it unsigned
    $value = [uint32]$_.OverwriteOutDated
    # values 1 to 365 share one entry in the hashtable
    $key = if ($value -ge 1 -and $value -le 365) { '1-365' } else { "$value" }
    $OverwriteOutDated_map[$key]
  }  
}
#endregion define calculated property

# retrieve the instances, and output the properties "Caption" and "OverwriteOutDated". The latter
# is defined by the hashtable in $OverwriteOutDated: 
Get-CimInstance -Class Win32_NTEventlogFile | Select-Object -Property Caption, $OverwriteOutDated

# ...or dump content of property OverwriteOutDated:
$friendlyValues = Get-CimInstance -Class Win32_NTEventlogFile | 
    Select-Object -Property $OverwriteOutDated |
    Select-Object -ExpandProperty OverwriteOutDated

# output values
$friendlyValues

# output values as comma separated list
$friendlyValues -join ', '

# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }
Use $OverwriteOutDated_map to directly translate raw values from an instance
<# 
  this example uses a hashtable to manually translate raw numeric values 
  for property "OverwriteOutDated" to friendly text. This approach is ideal when
  there is just one instance to work with.

  Note: to use other properties than "OverwriteOutDated", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "OverwriteOutDated" 
# to translate other properties, use their translation table instead
$OverwriteOutDated_map = @{
  '0'          = 'Any record can be overwritten if necessary. If necessary, all existing events in the event log can be overwritten to make room for new events.'
  '1-365'      = 'Events older than the specified number of days can be overwritten as needed. If the event log does not contain any records older than the value specified, no new events will be recorded until the log has been cleared.'
  '4294967295' = 'No records can be overwritten. If the log reaches its maximum size, no new events will be recorded until the log has been cleared.'
}

#endregion define hashtable

# get one instance:
$instance = Get-CimInstance -Class Win32_NTEventlogFile | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to illustrate
  the number-to-text translation. To process all instances, replace
  "Select-Object -First 1" with a "Foreach-Object" loop, and use
  the iterator variable $_ instead of $instance
#>

# query the property (keep it unsigned: 4294967295 does not fit into [int])
$rawValue = [uint32]$instance.OverwriteOutDated

# translate raw value to friendly text (values 1 to 365 share one entry):
$key = if ($rawValue -ge 1 -and $rawValue -le 365) { '1-365' } else { "$rawValue" }
$friendlyName = $OverwriteOutDated_map[$key]

# output value
$friendlyName
Use a switch statement inside a calculated property for Select-Object
<# 
  this example uses a switch clause to translate raw numeric 
  values for property "OverwriteOutDated" to friendly text. The switch
  clause is embedded into a calculated property so there is
  no need to refer to external variables for translation.

  Note: to use other properties than "OverwriteOutDated", look up the appropriate 
  translation switch clause for the property you would like to use instead.
#>

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "OverwriteOutDated", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses a switch statement to translate each numeric
  value to its friendly text counterpart:
#>
 
$OverwriteOutDated = @{
  Name = 'OverwriteOutDated'
  Expression = {
    # the property is a single uint32; 4294967295 does not fit into [int], so keep it unsigned
    $value = [uint32]$_.OverwriteOutDated
    
    switch ($value)
      {
        0                            {'Any record can be overwritten if necessary. If necessary, all existing events in the event log can be overwritten to make room for new events.'}
        {$_ -ge 1 -and $_ -le 365}   {'Events older than the specified number of days can be overwritten as needed. If the event log does not contain any records older than the value specified, no new events will be recorded until the log has been cleared.'}
        4294967295                   {'No records can be overwritten. If the log reaches its maximum size, no new events will be recorded until the log has been cleared.'}
        default                      {"$value"}
      }
      
  }  
}
#endregion define calculated property

# retrieve all instances...
Get-CimInstance -ClassName Win32_NTEventlogFile | 
  # ...and output properties "Caption" and "OverwriteOutDated". The latter is defined
  # by the hashtable in $OverwriteOutDated:
  Select-Object -Property Caption, $OverwriteOutDated
Use the Enum from above to auto-translate the code values
<# 
  this example translates raw values by means of type conversion
  the friendly names are defined as enumeration using the
  keyword "enum"; the uint32 underlying type needs PowerShell 7 or better,
  because the value 4294967295 does not fit into the default Int32 base type
  
  The raw value(s) are translated to friendly text by 
  simply converting them into the enum type.
  
  Note: to use other properties than "OverwriteOutDated", look up the appropriate 
  enum definition for the property you would like to use instead.
#>


#region define enum with value-to-text translation:
Enum EnumOverwriteOutDated : uint32
{
  _0_0x0                   = 0            # Any record can be overwritten if necessary. If necessary, all existing events in the event log can be overwritten to make room for new events.
  _1_365                   = 1            # 1 to 365 (only 1 is representable as an enum member): Events older than the specified number of days can be overwritten as needed. If the event log does not contain any records older than the value specified, no new events will be recorded until the log has been cleared.
  _4294967295_0xFFFFFFFF   = 4294967295   # No records can be overwritten. If the log reaches its maximum size, no new events will be recorded until the log has been cleared.
}

#endregion define enum

# get one instance:
$instance = Get-CimInstance -Class Win32_NTEventlogFile | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to focus on
  the number-to-text type conversion. 
  
  To process all instances, replace   "Select-Object -First 1" 
  with a "Foreach-Object" loop, and use the iterator variable 
  $_ instead of $instance
#>

# query the property:
$rawValue = $instance.OverwriteOutDated

#region using strict type conversion

<#
  Note: strict type conversion fails if the raw value is 
  not defined by the enum. So if the list of allowable values
  was extended and the enum does not match the value,
  an exception is thrown
#>

# convert the property to the enum **OverwriteOutDated** 
[EnumOverwriteOutDated]$rawValue 

# get a comma-separated string:
[EnumOverwriteOutDated]$rawValue -join ',' 
#endregion

#region using operator "-as"

<#
  Note: the operator "-as" accepts values not defined
  by the enum and returns $null instead of throwing
  an exception
#>

$rawValue -as [EnumOverwriteOutDated]
#endregion

Enums must cover all possible values. If OverwriteOutDated returns a value that is not defined in the enum, an exception occurs. The exception reports the value that was missing in the enum. To fix, add the missing value to the enum.

OverWritePolicy

STRING

Current overwrite policy the Event Log service employs for this log file. Data can be never overwritten, or can be overwritten when necessary or when outdated. When data is outdated depends on the OverwriteOutDated value.

OverWritePolicy returns one of the string values WhenNeeded, OutDated, or Never. To translate it into descriptive text, use any of the following approaches:

Use a PowerShell Hashtable
$OverWritePolicy_map = @{
  'WhenNeeded' = 'The value of OverwriteOutDated equals 0 (zero). Any record can be overwritten to make room for new records.'
  'OutDated'   = 'The value of OverwriteOutDated ranges from 1 to 365. Records older than a specified number of days can be overwritten to make room for new records.'
  'Never'      = 'The value of OverwriteOutDated equals 4294967295. Old records are never overwritten.'
}
Use a switch statement
switch ($value)
{
  'WhenNeeded' {'The value of OverwriteOutDated equals 0 (zero). Any record can be overwritten to make room for new records.'}
  'OutDated'   {'The value of OverwriteOutDated ranges from 1 to 365. Records older than a specified number of days can be overwritten to make room for new records.'}
  'Never'      {'The value of OverwriteOutDated equals 4294967295. Old records are never overwritten.'}
  default      {"$value"}
}
Use Enum structure
# the numeric members are ordinals only; the cast from the string value works by member name
Enum EnumOverWritePolicy
{
  WhenNeeded   = 0   # The value of OverwriteOutDated equals 0 (zero). Any record can be overwritten to make room for new records.
  OutDated     = 1   # The value of OverwriteOutDated ranges from 1 to 365. Records older than a specified number of days can be overwritten to make room for new records.
  Never        = 2   # The value of OverwriteOutDated equals 4294967295. Old records are never overwritten.
}

Examples

Use $OverWritePolicy_map in a calculated property for Select-Object
<# 
  this example uses a hashtable to translate raw numeric values for 
  property "OverWritePolicy" to friendly text

  Note: to use other properties than "OverWritePolicy", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "OverWritePolicy" 
# to translate other properties, use their translation table instead
$OverWritePolicy_map = @{
  'WhenNeeded' = 'The value of OverwriteOutDated equals 0 (zero). Any record can be overwritten to make room for new records.'
  'OutDated'   = 'The value of OverwriteOutDated ranges from 1 to 365. Records older than a specified number of days can be overwritten to make room for new records.'
  'Never'      = 'The value of OverwriteOutDated equals 4294967295. Old records are never overwritten.'
}

#endregion define hashtable

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "OverWritePolicy", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses the hashtable defined earlier to translate each
  string value to its friendly text counterpart:
#>
 
$OverWritePolicy = @{
  Name = 'OverWritePolicy'
  Expression = {
    # the property is a single string, so it is used as the hashtable key directly
    $value = $_.OverWritePolicy
    $OverWritePolicy_map[$value]
  }  
}
#endregion define calculated property

# retrieve the instances, and output the properties "Caption" and "OverWritePolicy". The latter
# is defined by the hashtable in $OverWritePolicy: 
Get-CimInstance -Class Win32_NTEventlogFile | Select-Object -Property Caption, $OverWritePolicy

# ...or dump content of property OverWritePolicy:
$friendlyValues = Get-CimInstance -Class Win32_NTEventlogFile | 
    Select-Object -Property $OverWritePolicy |
    Select-Object -ExpandProperty OverWritePolicy

# output values
$friendlyValues

# output values as comma separated list
$friendlyValues -join ', '

# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }
Use $OverWritePolicy_map to directly translate raw values from an instance
<# 
  this example uses a hashtable to manually translate raw values 
  for property "OverWritePolicy" to friendly text. This approach is ideal when
  there is just one instance to work with.

  Note: to use other properties than "OverWritePolicy", look up the appropriate 
  translation hashtable for the property you would like to use instead.
#>

#region define hashtable to translate raw values to friendly text

# Please note: this hashtable is specific for property "OverWritePolicy" 
# to translate other properties, use their translation table instead
$OverWritePolicy_map = @{
  'WhenNeeded' = 'The value of OverwriteOutDated equals 0 (zero). Any record can be overwritten to make room for new records.'
  'OutDated'   = 'The value of OverwriteOutDated ranges from 1 to 365. Records older than a specified number of days can be overwritten to make room for new records.'
  'Never'      = 'The value of OverwriteOutDated equals 4294967295. Old records are never overwritten.'
}

#endregion define hashtable

# get one instance:
$instance = Get-CimInstance -Class Win32_NTEventlogFile | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to illustrate
  the number-to-text translation. To process all instances, replace
  "Select-Object -First 1" with a "Foreach-Object" loop, and use
  the iterator variable $_ instead of $instance
#>

# query the property (a string: WhenNeeded, OutDated, or Never)
$rawValue = $instance.OverWritePolicy  

# translate raw value to friendly text:
$friendlyName = $OverWritePolicy_map[$rawValue]

# output value
$friendlyName
Use a switch statement inside a calculated property for Select-Object
<# 
  this example uses a switch clause to translate raw numeric 
  values for property "OverWritePolicy" to friendly text. The switch
  clause is embedded into a calculated property so there is
  no need to refer to external variables for translation.

  Note: to use other properties than "OverWritePolicy", look up the appropriate 
  translation switch clause for the property you would like to use instead.
#>

#region define calculated property (to be used with Select-Object)

<#
  a calculated property is defined by a hashtable with keys "Name" and "Expression"
  "Name" defines the name of the property (in this example, it is "OverWritePolicy", but you can rename it to anything else)
  "Expression" defines a scriptblock that calculates the content of this property
  in this example, the scriptblock uses a switch statement to translate each
  string value to its friendly text counterpart:
#>
 
$OverWritePolicy = @{
  Name = 'OverWritePolicy'
  Expression = {
    # the property is a single string
    $value = $_.OverWritePolicy
    
    switch ($value)
      {
        'WhenNeeded' {'The value of OverwriteOutDated equals 0 (zero). Any record can be overwritten to make room for new records.'}
        'OutDated'   {'The value of OverwriteOutDated ranges from 1 to 365. Records older than a specified number of days can be overwritten to make room for new records.'}
        'Never'      {'The value of OverwriteOutDated equals 4294967295. Old records are never overwritten.'}
        default      {"$value"}
      }
      
  }  
}
#endregion define calculated property

# retrieve all instances...
Get-CimInstance -ClassName Win32_NTEventlogFile | 
  # ...and output properties "Caption" and "OverWritePolicy". The latter is defined
  # by the hashtable in $OverWritePolicy:
  Select-Object -Property Caption, $OverWritePolicy
Use the Enum from above to auto-translate the code values
<# 
  this example translates raw values by means of type conversion
  the friendly names are defined as enumeration using the
  keyword "enum" (PowerShell 5 or better)
  
  The raw value(s) are translated to friendly text by 
  simply converting them into the enum type; because OverWritePolicy
  is a string, the conversion matches the enum member by name.
  
  Note: to use other properties than "OverWritePolicy", look up the appropriate 
  enum definition for the property you would like to use instead.
#>


#region define enum with value-to-text translation:
# the numeric members are ordinals only; the cast from the string value works by member name
Enum EnumOverWritePolicy
{
  WhenNeeded   = 0   # The value of OverwriteOutDated equals 0 (zero). Any record can be overwritten to make room for new records.
  OutDated     = 1   # The value of OverwriteOutDated ranges from 1 to 365. Records older than a specified number of days can be overwritten to make room for new records.
  Never        = 2   # The value of OverwriteOutDated equals 4294967295. Old records are never overwritten.
}

#endregion define enum

# get one instance:
$instance = Get-CimInstance -Class Win32_NTEventlogFile | Select-Object -First 1

<#
  IMPORTANT: this example processes only one instance to focus on
  the number-to-text type conversion. 
  
  To process all instances, replace   "Select-Object -First 1" 
  with a "Foreach-Object" loop, and use the iterator variable 
  $_ instead of $instance
#>

# query the property:
$rawValue = $instance.OverWritePolicy

#region using strict type conversion

<#
  Note: strict type conversion fails if the raw value is 
  not defined by the enum. So if the list of allowable values
  was extended and the enum does not match the value,
  an exception is thrown
#>

# convert the property to the enum **OverWritePolicy** 
[EnumOverWritePolicy]$rawValue 

# get a comma-separated string:
[EnumOverWritePolicy]$rawValue -join ',' 
#endregion

#region using operator "-as"

<#
  Note: the operator "-as" accepts values not defined
  by the enum and returns $null instead of throwing
  an exception
#>

$rawValue -as [EnumOverWritePolicy]
#endregion

Enums must cover all possible values. If OverWritePolicy returns a value that is not defined in the enum, an exception occurs. The exception reports the value that was missing in the enum. To fix, add the missing value to the enum.
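As an added example that is not part of the original page, the following function derives a log's retention mode from the OverwriteOutDated and OverWritePolicy pair using the correspondence listed above (0 with WhenNeeded, 1 to 365 with OutDated, 4294967295 with Never) and flags pairs that disagree. The sample objects are constructed for the demonstration; the final pipeline runs the same function over the live instances.

```powershell
# Added example (not from the page): classify an event log's retention from
# OverwriteOutDated and OverWritePolicy and flag inconsistent pairs.
# Assumptions: the correspondence is the one documented above; the sample
# objects below are constructed, including one deliberately mismatched pair.
function Get-LogRetention {
    param(
        [Parameter(Mandatory)][string]$LogfileName,
        [Parameter(Mandatory)][uint32]$OverwriteOutDated,   # uint32: 4294967295 does not fit into [int]
        [Parameter(Mandatory)][string]$OverWritePolicy
    )
    # policy implied by the numeric value alone
    $implied = switch ($OverwriteOutDated) {
        0                            { 'WhenNeeded' }
        { $_ -ge 1 -and $_ -le 365 } { 'OutDated' }
        4294967295                   { 'Never' }
        default                      { 'Unknown' }
    }
    [pscustomobject]@{
        Log             = $LogfileName
        OverWritePolicy = $OverWritePolicy
        RetainDays      = if ($implied -eq 'OutDated') { $OverwriteOutDated } else { $null }
        # 'Never' stops recording once the log is full, so FileSize has to be
        # watched against MaxFileSize on such logs
        StopsWhenFull   = ($implied -eq 'Never')
        # both properties describe the same setting; a disagreement is worth a look
        Consistent      = ($implied -eq $OverWritePolicy)
    }
}

# constructed sample input (the last pair is mismatched on purpose)
$samples = @(
    [pscustomobject]@{ LogfileName = 'Security';    OverwriteOutDated = 0;          OverWritePolicy = 'WhenNeeded' }
    [pscustomobject]@{ LogfileName = 'System';      OverwriteOutDated = 30;         OverWritePolicy = 'OutDated' }
    [pscustomobject]@{ LogfileName = 'Application'; OverwriteOutDated = 4294967295; OverWritePolicy = 'Never' }
    [pscustomobject]@{ LogfileName = 'Custom';      OverwriteOutDated = 7;          OverWritePolicy = 'WhenNeeded' }
)
$samples |
    ForEach-Object { Get-LogRetention -LogfileName $_.LogfileName -OverwriteOutDated $_.OverwriteOutDated -OverWritePolicy $_.OverWritePolicy } |
    Format-Table -AutoSize

# the same classification over the live instances
Get-CimInstance -ClassName Win32_NTEventlogFile |
    ForEach-Object { Get-LogRetention -LogfileName $_.LogfileName -OverwriteOutDated $_.OverwriteOutDated -OverWritePolicy $_.OverWritePolicy } |
    Format-Table -AutoSize
```

On the constructed input the 'Custom' row reports Consistent = False, and the 'Application' row reports StopsWhenFull = True, which is the case where a full log silently drops new events.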

Path

STRING

Path of the file that contains Windows events. This includes leading and trailing backslashes.

Example: "\windows\system"

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, Path

Readable

BOOLEAN

If True, a file that contains Windows events can be read.

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, Readable

Sources

STRING ARRAY

List of applications that are registered to log into this log file.

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, Sources

Status

STRING

Current status of an object. Various operational and nonoperational statuses can be defined. Available values:

$values = 'Degraded','Error','Lost Comm','No Contact','NonRecover','OK','Pred Fail','Service','Starting','Stopping','Stressed','Unknown'
Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, Status

System

BOOLEAN

If True, a file that contains Windows events is a system file.

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, System

Version

STRING

Version string from version resource if one is present.

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, Version

Writeable

BOOLEAN

If True, a file that contains Windows events can be written.

Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property CreationClassName, Name, Writeable

Examples

List all instances of Win32_NTEventlogFile
Get-CimInstance -ClassName Win32_NTEventlogFile

Learn more about Get-CimInstance and the deprecated Get-WmiObject.

View all properties
Get-CimInstance -ClassName Win32_NTEventlogFile -Property *
View key properties only
Get-CimInstance -ClassName Win32_NTEventlogFile -KeyOnly

Selecting Properties

To select only some properties, pipe the results to Select-Object -Property a,b,c with a comma-separated list of the properties you require. Wildcards are permitted.

Get-CimInstance always returns all properties but only retrieves the ones that you specify. All other properties are empty but still present. That’s why you need to pipe the results into Select-Object if you want to limit the visible properties, i.e. for reporting.

Selecting Properties

The code below lists all available properties. Remove the ones you do not need:

$properties = 'AccessMask',
              'Archive',
              'Caption',
              'Compressed',
              'CompressionMethod',
              'CreationClassName',
              'CreationDate',
              'CSCreationClassName',
              'CSName',
              'Description',
              'Drive',
              'EightDotThreeFileName',
              'Encrypted',
              'EncryptionMethod',
              'Extension',
              'FileName',
              'FileSize',
              'FileType',
              'FSCreationClassName',
              'FSName',
              'Hidden',
              'InstallDate',
              'InUseCount',
              'LastAccessed',
              'LastModified',
              'LogfileName',
              'Manufacturer',
              'MaxFileSize',
              'Name',
              'NumberOfRecords',
              'OverwriteOutDated',
              'OverWritePolicy',
              'Path',
              'Readable',
              'Sources',
              'Status',
              'System',
              'Version',
              'Writeable'
Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -Property $properties

Limiting Network Bandwidth

If you work remotely, it makes sense to limit network bandwidth by filtering the properties on the server side, too:

# $properties is the list defined above; -Property filters on the server side
Get-CimInstance -Class Win32_NTEventlogFile -Property $properties | 
Select-Object -Property $properties

Selecting Instances

To select some instances, use Get-CimInstance and a WMI Query. The wildcard character in WMI Queries is % (and not “*”).

The parameter -Filter runs a simple query.

Listing all instances where the property Caption starts with "A":

Get-CimInstance -Class Win32_NTEventlogFile -Filter 'Caption LIKE "a%"' 

Using a WQL Query

The parameter -Query uses a query similar to SQL and combines the parameters -Filter and -Property. This returns all instances where the property Caption starts with “A”, and returns the properties specified:

Get-CimInstance -Query "SELECT FSName, Readable, InUseCount, Caption FROM Win32_NTEventlogFile WHERE Caption LIKE 'a%'"

Any property you did not specify is still present but empty. You might need to use Select-Object to remove all unwanted properties:

Get-CimInstance -Query "SELECT FSName, Readable, InUseCount, Caption FROM Win32_NTEventlogFile WHERE Caption LIKE 'a%'" | Select-Object -Property FSName, Readable, InUseCount, Caption

Accessing Remote Computers

To access remote systems, you need to have proper permissions. Use the parameter -ComputerName to access one or more remote systems.

Authenticating as Current User

# one or more computer names or IP addresses:
$list = 'server1', 'server2'

# authenticate with your current identity:
$result = Get-CimInstance -ClassName Win32_NTEventlogFile -ComputerName $list 
$result

Authenticating as Different User

Use a CIMSession object to authenticate with a new identity:

# one or more computer names or IP addresses:
$list = 'server1', 'server2'

# authenticate with a different identity:
$cred = Get-Credential -Message 'Authenticate to retrieve WMI information:'
$session = New-CimSession -ComputerName $list -Credential $cred

$result = Get-CimInstance Win32_NTEventlogFile -CimSession $session

# remove the session after use (if you do not plan to re-use it later)
Remove-CimSession -CimSession $session

$result

Learn more about accessing remote computers.
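An added example (not the page's own code) that combines the CIM session above with server-side property filtering: it collects record counts from several servers in one call and flags a Security log that was modified in the last day yet holds very few records, one indicator worth checking against an expected log-clearing event. The server names and the record threshold are placeholders.

```powershell
# Added example (not the page's own code): remote inventory of event log files.
$list = 'server1', 'server2'   # placeholder computer names
$cred = Get-Credential -Message 'Authenticate to retrieve WMI information:'
$session = New-CimSession -ComputerName $list -Credential $cred

# only these properties cross the network
$props = 'LogfileName', 'NumberOfRecords', 'FileSize', 'MaxFileSize', 'LastModified'
$lowRecords = 100   # assumption: fewer records than this in a Security log is unusual

try {
  $result = Get-CimInstance -ClassName Win32_NTEventlogFile -CimSession $session -Property $props |
    Select-Object -Property ($props + 'PSComputerName')
}
finally {
  # always release the session, even if the query fails
  Remove-CimSession -CimSession $session
}

$result | ForEach-Object {
  [PSCustomObject]@{
    Computer        = $_.PSComputerName
    LogfileName     = $_.LogfileName
    NumberOfRecords = $_.NumberOfRecords
    PercentFull     = $(if ($_.MaxFileSize) { [math]::Round(100 * $_.FileSize / $_.MaxFileSize) } else { $null })
    LastModified    = $_.LastModified
    # a Security log touched within 24 hours that holds almost no records may have been cleared
    PossiblyCleared = ($_.LogfileName -eq 'Security') -and
                      ($_.NumberOfRecords -lt $lowRecords) -and
                      ($_.LastModified -gt (Get-Date).AddHours(-24))
  }
} | Sort-Object -Property Computer, LogfileName | Format-Table -AutoSize
```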

Requirements

To use Win32_NTEventlogFile, the following requirements apply:

PowerShell

Get-CimInstance was introduced with PowerShell Version 3.0, which in turn was introduced on clients with Windows 8 and on servers with Windows Server 2012.

If necessary, update Windows PowerShell to Windows PowerShell 5.1, or install PowerShell 7 side-by-side.

Operating System

Win32_NTEventlogFile was introduced on clients with Windows XP and on servers with Windows Server 2003.

Namespace

Win32_NTEventlogFile lives in the Namespace Root/CIMV2. This is the default namespace. There is no need to use the -Namespace parameter in Get-CimInstance.

Implementation

Win32_NTEventlogFile is implemented in Ntevt.dll and defined in Ntevt.mof. Both files are located in the folder C:\Windows\system32\wbem:

explorer $env:windir\system32\wbem
notepad $env:windir\system32\wbem\Ntevt.mof