The Win32_NTLogEvent WMI class is used to translate instances from the Windows event log. An application must have SeSecurityPrivilege to receive events from the security event log, otherwise "Access Denied" is returned to the application.
Methods
Win32_NTLogEvent has no methods.
Properties
Win32_NTLogEvent returns 16 properties:
'Category','CategoryString','ComputerName','Data','EventCode','EventIdentifier',
'EventType','InsertionStrings','Logfile','Message','RecordNumber','SourceName','TimeGenerated',
'TimeWritten','Type','User'
Unless explicitly marked as writeable, all properties are read-only. Read all properties for all instances:
Get-CimInstance -ClassName Win32_NTLogEvent -Property *
Most WMI classes return one or more instances. When Get-CimInstance returns no result, apparently no instances of class Win32_NTLogEvent exist. This is normal behavior. Either the class is not implemented on your system (it may be deprecated or depend on missing drivers, e.g. CIM_VideoControllerResolution), or there are simply no physical representations of this class currently available (e.g. Win32_TapeDrive).
Category
Classification of the event as determined by the source. This subcategory is source-specific.
Although primarily used when recording Security events, this property is available in other event logs as well. Common Security categories include Logon/Logoff, Account Management, and System Event.
Get-CimInstance -ClassName Win32_NTLogEvent | Select-Object -Property Logfile, RecordNumber, Category
CategoryString
Translation of the subcategory. The translation is source-specific.
Get-CimInstance -ClassName Win32_NTLogEvent | Select-Object -Property Logfile, RecordNumber, CategoryString
ComputerName
Name of the computer that generated this event.
Get-CimInstance -ClassName Win32_NTLogEvent | Select-Object -Property Logfile, RecordNumber, ComputerName
Data
List of the binary data that accompanied the report of the Windows event.
Get-CimInstance -ClassName Win32_NTLogEvent | Select-Object -Property Logfile, RecordNumber, Data
EventCode
Value of the lower 16 bits of the EventIdentifier property. It is present to match the value displayed in the Windows Event Viewer.
Note
Two events from the same source may have the same value for this property but may have different severity and EventIdentifier values. For example, a successful logoff is recorded in the Security log with the Event ID 538. However, Event IDs are not necessarily unique. It is possible that, when retrieving Event ID 538, you can get other kinds of events with ID 538. If this happens, you might need to filter by the source as well as ID.
Get-CimInstance -ClassName Win32_NTLogEvent | Select-Object -Property Logfile, RecordNumber, EventCode
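As an added example (not part of the original page), the following script applies the note above: it pulls every Security-log event carrying one EventCode, groups them by SourceName to show whether more than one source shares that code, and checks the documented relationship between EventCode and the lower 16 bits of EventIdentifier. It assumes an elevated session holding SeSecurityPrivilege; the code 538 is the ID the note mentions and is only a placeholder to adjust.

```powershell
# Added example, not part of the original page. Assumes an elevated session that
# holds SeSecurityPrivilege; otherwise the Security log query is denied.
$eventCode = 538   # the ID used in the note above; adjust to the code under investigation

try {
    # filter server-side and fetch only the properties that are needed
    $events = Get-CimInstance -ClassName Win32_NTLogEvent `
        -Filter "Logfile='Security' AND EventCode=$eventCode" `
        -Property Logfile, RecordNumber, SourceName, EventCode, EventIdentifier, TimeGenerated `
        -ErrorAction Stop
}
catch {
    Write-Warning "Query failed (reading the Security log requires SeSecurityPrivilege): $($_.Exception.Message)"
    return
}

if (-not $events) {
    "No events with EventCode $eventCode in the Security log."
    return
}

# One row per source: the same 16-bit code can come from different sources,
# so the full 32-bit EventIdentifier values are listed for each of them.
$events | Group-Object -Property SourceName | ForEach-Object {
    [pscustomobject]@{
        SourceName       = $_.Name
        Count            = $_.Count
        EventIdentifiers = ($_.Group.EventIdentifier | Sort-Object -Unique |
                            ForEach-Object { '0x{0:X8}' -f $_ }) -join ', '
    }
}

# EventCode is documented as the lower 16 bits of EventIdentifier; verify it holds.
$mismatch = @($events | Where-Object { ($_.EventIdentifier -band 0xFFFF) -ne $_.EventCode })
if ($mismatch.Count -gt 0) {
    Write-Warning "$($mismatch.Count) event(s) where EventCode differs from EventIdentifier -band 0xFFFF"
} else {
    "EventCode equals the lower 16 bits of EventIdentifier for all $(@($events).Count) event(s)."
}
```

If the grouped output lists more than one SourceName, filtering by EventCode alone is ambiguous and the -Filter string should add the SourceName condition, which is the point the note makes.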
EventIdentifier
Identifier of the event. This is specific to the source that generated the event log entry and is used, together with SourceName, to uniquely identify a Windows event type.
Get-CimInstance -ClassName Win32_NTLogEvent | Select-Object -Property Logfile, RecordNumber, EventIdentifier
EventType
Type of event.
EventType returns a numeric value. To translate it into a meaningful text, use any of the following approaches:
Use a PowerShell Hashtable
# keys are the raw numeric values, values are the friendly names
$EventType_map = @{
    1 = 'Error'
    2 = 'Warning'
    3 = 'Information'
    4 = 'Security Audit Success'
    5 = 'Security Audit Failure'
}
Use a switch statement
switch([int]$value)
{
    1 {'Error'}
    2 {'Warning'}
    3 {'Information'}
    4 {'Security Audit Success'}
    5 {'Security Audit Failure'}
    default {"$value"}
}
Use Enum structure
# enum member names cannot contain spaces, so the friendly names are written without them
Enum EnumEventType
{
    Error = 1
    Warning = 2
    Information = 3
    SecurityAuditSuccess = 4
    SecurityAuditFailure = 5
}
Examples
Use $EventType_map in a calculated property for Select-Object
<#
this example uses a hashtable to translate raw numeric values for
property "EventType" to friendly text
Note: to use other properties than "EventType", look up the appropriate
translation hashtable for the property you would like to use instead.
#>
#region define hashtable to translate raw values to friendly text
# Please note: this hashtable is specific for property "EventType"
# to translate other properties, use their translation table instead
# keys are the raw numeric values, values are the friendly names
$EventType_map = @{
    1 = 'Error'
    2 = 'Warning'
    3 = 'Information'
    4 = 'Security Audit Success'
    5 = 'Security Audit Failure'
}
#endregion define hashtable
#region define calculated property (to be used with Select-Object)
<#
a calculated property is defined by a hashtable with keys "Name" and "Expression"
"Name" defines the name of the property (in this example, it is "EventType", but you can rename it to anything else)
"Expression" defines a scriptblock that calculates the content of this property
in this example, the scriptblock uses the hashtable defined earlier to translate the numeric
value to its friendly text counterpart:
#>
$EventType = @{
    Name = 'EventType'
    Expression = {
        # EventType is a single numeric value; cast it to [int] so it matches the hashtable keys
        $value = $_.EventType
        $EventType_map[[int]$value]
    }
}
#endregion define calculated property
# retrieve the instances, and output the properties "SourceName" and "EventType". The latter
# is defined by the hashtable in $EventType:
Get-CimInstance -ClassName Win32_NTLogEvent | Select-Object -Property SourceName, $EventType
# ...or dump content of property EventType:
$friendlyValues = Get-CimInstance -ClassName Win32_NTLogEvent |
    Select-Object -Property $EventType |
    Select-Object -ExpandProperty EventType
# output values
$friendlyValues
# output values as comma separated list
$friendlyValues -join ', '
# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }
Use $EventType_map to directly translate raw values from an instance
<#
this example uses a hashtable to manually translate raw numeric values
for property "EventType" to friendly text. This approach is ideal when
there is just one instance to work with.
Note: to use other properties than "EventType", look up the appropriate
translation hashtable for the property you would like to use instead.
#>
#region define hashtable to translate raw values to friendly text
# Please note: this hashtable is specific for property "EventType"
# to translate other properties, use their translation table instead
# keys are the raw numeric values, values are the friendly names
$EventType_map = @{
    1 = 'Error'
    2 = 'Warning'
    3 = 'Information'
    4 = 'Security Audit Success'
    5 = 'Security Audit Failure'
}
#endregion define hashtable
# get one instance:
$instance = Get-CimInstance -ClassName Win32_NTLogEvent | Select-Object -First 1
<#
IMPORTANT: this example processes only one instance to illustrate
the number-to-text translation. To process all instances, replace
"Select-Object -First 1" with a "Foreach-Object" loop, and use
the iterator variable $_ instead of $instance
#>
# query the property
$rawValue = $instance.EventType
# translate raw value to friendly text:
$friendlyName = $EventType_map[[int]$rawValue]
# output value
$friendlyName
Use a switch statement inside a calculated property for Select-Object
<#
this example uses a switch clause to translate raw numeric
values for property "EventType" to friendly text. The switch
clause is embedded into a calculated property so there is
no need to refer to external variables for translation.
Note: to use other properties than "EventType", look up the appropriate
translation switch clause for the property you would like to use instead.
#>
#region define calculated property (to be used with Select-Object)
<#
a calculated property is defined by a hashtable with keys "Name" and "Expression"
"Name" defines the name of the property (in this example, it is "EventType", but you can rename it to anything else)
"Expression" defines a scriptblock that calculates the content of this property
in this example, the scriptblock uses a switch statement to translate the numeric
value to its friendly text counterpart:
#>
$EventType = @{
    Name = 'EventType'
    Expression = {
        # EventType is a single numeric value; the switch matches it against the known codes
        $value = $_.EventType
        switch([int]$value)
        {
            1 {'Error'}
            2 {'Warning'}
            3 {'Information'}
            4 {'Security Audit Success'}
            5 {'Security Audit Failure'}
            default {"$value"}
        }
    }
}
#endregion define calculated property
# retrieve all instances...
Get-CimInstance -ClassName Win32_NTLogEvent |
    # ...and output properties "SourceName" and "EventType". The latter is defined
    # by the hashtable in $EventType:
    Select-Object -Property SourceName, $EventType
Use the Enum from above to auto-translate the code values
<#
this example translates raw values by means of type conversion
the friendly names are defined as enumeration using the
keyword "enum" (PowerShell 5 or better)
The raw value(s) are translated to friendly text by
simply converting them into the enum type.
Note: to use other properties than "EventType", look up the appropriate
enum definition for the property you would like to use instead.
#>
#region define enum with value-to-text translation:
# enum member names cannot contain spaces, so the friendly names are written without them
Enum EnumEventType
{
    Error = 1
    Warning = 2
    Information = 3
    SecurityAuditSuccess = 4
    SecurityAuditFailure = 5
}
#endregion define enum
# get one instance:
$instance = Get-CimInstance -ClassName Win32_NTLogEvent | Select-Object -First 1
<#
IMPORTANT: this example processes only one instance to focus on
the number-to-text type conversion.
To process all instances, replace "Select-Object -First 1"
with a "Foreach-Object" loop, and use the iterator variable
$_ instead of $instance
#>
# query the property:
$rawValue = $instance.EventType
#region using strict type conversion
<#
Note: strict type conversion fails if the raw value is
not defined by the enum. So if the list of allowable values
was extended and the enum does not match the value,
an exception is thrown
#>
# convert the property to the enum EnumEventType
[EnumEventType]$rawValue
# get a comma-separated string:
[EnumEventType]$rawValue -join ','
#endregion
#region using operator "-as"
<#
Note: the operator "-as" accepts values not defined
by the enum and returns $null instead of throwing
an exception
#>
$rawValue -as [EnumEventType]
#endregion
Enums must cover all possible values. If EventType returns a value that is not defined in the enum, an exception occurs. The exception reports the value that was missing in the enum. To fix this, add the missing value to the enum.
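The notes above repeatedly say that processing every instance means swapping Select-Object -First 1 for a loop. The following added example (not part of the original page) does exactly that: it converts EventType for every event in one log with an enum, falls back to the raw number for values the enum does not define (the -as behaviour described above, so an extended value list does not abort the run), and counts events per type, which is how a defender gets a quick picture of how many audit failures a Security log holds. The function name Get-EventTypeSummary and the default log name are assumptions.

```powershell
# Added example, not part of the original page. Enum member names cannot
# contain spaces, so the friendly names are written without them.
enum EventTypeName {
    Error                = 1
    Warning              = 2
    Information          = 3
    SecurityAuditSuccess = 4
    SecurityAuditFailure = 5
}

function Get-EventTypeSummary {
    param(
        # log to summarise; 'Security' needs an elevated session (SeSecurityPrivilege)
        [ValidatePattern('^[^''\\]+$')]   # keep quotes and backslashes out of the WQL filter
        [string]$Logfile = 'System'
    )

    # filter server-side and retrieve only the one property that is needed
    Get-CimInstance -ClassName Win32_NTLogEvent -Filter "Logfile='$Logfile'" -Property EventType |
        ForEach-Object {
            # -as returns $null instead of throwing for values the enum does not define
            $name = $_.EventType -as [EventTypeName]
            if ($null -eq $name) { "Undefined($($_.EventType))" } else { [string]$name }
        } |
        Group-Object |
        Select-Object -Property @{ Name = 'EventType'; Expression = { $_.Name } }, Count |
        Sort-Object -Property Count -Descending
}

Get-EventTypeSummary                      # System log: Information, Warning, Error counts
Get-EventTypeSummary -Logfile 'Security'  # elevated session: audit success/failure counts
```

An "Undefined(n)" row in the output is the signal the note above describes: the enum is missing a value and should be extended, but the summary still completes instead of throwing.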
InsertionStrings
List of the insertion strings that accompanied the report of the Windows event.
Get-CimInstance -ClassName Win32_NTLogEvent | Select-Object -Property Logfile, RecordNumber, InsertionStrings
Logfile
Name of Windows event log file. Together with RecordNumber, this is used to uniquely identify an instance of this class.
Get-CimInstance -ClassName Win32_NTLogEvent | Select-Object -Property Logfile, RecordNumber
Message
Event message as it appears in the Windows event log. This is a standard message with zero or more insertion strings supplied by the source of the Windows event. The insertion strings are inserted into the standard message in a predefined format. If there are no insertion strings or there is a problem inserting the insertion strings, only the standard message will be present in this field.
Get-CimInstance -ClassName Win32_NTLogEvent | Select-Object -Property Logfile, RecordNumber, Message
RecordNumber
Identifies the event within the Windows event log file. This is specific to the log file and is used together with the log file name to uniquely identify an instance of this class.
Record numbers are always unique; they are not reset to 1 when an event log is cleared. As a result, the highest record number also indicates the number of records that have been written to the event log since the operating system was installed
Get-CimInstance -ClassName Win32_NTLogEvent | Select-Object -Property Logfile, RecordNumber
SourceName
Name of the source (application, service, driver, or subsystem) that generated the entry. It is used, together with EventIdentifier to uniquely identify a Windows event type.
Get-CimInstance -ClassName Win32_NTLogEvent | Select-Object -Property Logfile, RecordNumber, SourceName
TimeGenerated
The time when the event is generated.
Get-CimInstance -ClassName Win32_NTLogEvent | Select-Object -Property Logfile, RecordNumber, TimeGenerated
TimeWritten
The time when the event is written to the log file.
Get-CimInstance -ClassName Win32_NTLogEvent | Select-Object -Property Logfile, RecordNumber, TimeWritten
Type
Type of event. This is an enumerated string. It is preferable to use the EventType property rather than the Type property.
Type returns a numeric value. To translate it into a meaningful text, use any of the following approaches:
Use a PowerShell Hashtable
# keys are the raw numeric values, values are the friendly names
$Type_map = @{
    1 = 'Error'
    2 = 'Warning'
    4 = 'Information'
    8 = 'Security Audit Success'
    16 = 'Security Audit Failure'
}
Use a switch statement
switch([int]$value)
{
    1 {'Error'}
    2 {'Warning'}
    4 {'Information'}
    8 {'Security Audit Success'}
    16 {'Security Audit Failure'}
    default {"$value"}
}
Use Enum structure
# enum member names cannot contain spaces, so the friendly names are written without them
Enum EnumType
{
    Error = 1
    Warning = 2
    Information = 4
    SecurityAuditSuccess = 8
    SecurityAuditFailure = 16
}
Examples
Use $Type_map in a calculated property for Select-Object
<#
this example uses a hashtable to translate raw numeric values for
property "Type" to friendly text
Note: to use other properties than "Type", look up the appropriate
translation hashtable for the property you would like to use instead.
#>
#region define hashtable to translate raw values to friendly text
# Please note: this hashtable is specific for property "Type"
# to translate other properties, use their translation table instead
# keys are the raw numeric values, values are the friendly names
$Type_map = @{
    1 = 'Error'
    2 = 'Warning'
    4 = 'Information'
    8 = 'Security Audit Success'
    16 = 'Security Audit Failure'
}
#endregion define hashtable
#region define calculated property (to be used with Select-Object)
<#
a calculated property is defined by a hashtable with keys "Name" and "Expression"
"Name" defines the name of the property (in this example, it is "Type", but you can rename it to anything else)
"Expression" defines a scriptblock that calculates the content of this property
in this example, the scriptblock uses the hashtable defined earlier to translate the numeric
value to its friendly text counterpart:
#>
$Type = @{
    Name = 'Type'
    Expression = {
        # Type is a single value; cast it to [int] so it matches the hashtable keys
        $value = $_.Type
        $Type_map[[int]$value]
    }
}
#endregion define calculated property
# retrieve the instances, and output the properties "SourceName" and "Type". The latter
# is defined by the hashtable in $Type:
Get-CimInstance -ClassName Win32_NTLogEvent | Select-Object -Property SourceName, $Type
# ...or dump content of property Type:
$friendlyValues = Get-CimInstance -ClassName Win32_NTLogEvent |
    Select-Object -Property $Type |
    Select-Object -ExpandProperty Type
# output values
$friendlyValues
# output values as comma separated list
$friendlyValues -join ', '
# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }
Use $Type_map to directly translate raw values from an instance
<#
this example uses a hashtable to manually translate raw numeric values
for property "Type" to friendly text. This approach is ideal when
there is just one instance to work with.
Note: to use other properties than "Type", look up the appropriate
translation hashtable for the property you would like to use instead.
#>
#region define hashtable to translate raw values to friendly text
# Please note: this hashtable is specific for property "Type"
# to translate other properties, use their translation table instead
# keys are the raw numeric values, values are the friendly names
$Type_map = @{
    1 = 'Error'
    2 = 'Warning'
    4 = 'Information'
    8 = 'Security Audit Success'
    16 = 'Security Audit Failure'
}
#endregion define hashtable
# get one instance:
$instance = Get-CimInstance -ClassName Win32_NTLogEvent | Select-Object -First 1
<#
IMPORTANT: this example processes only one instance to illustrate
the number-to-text translation. To process all instances, replace
"Select-Object -First 1" with a "Foreach-Object" loop, and use
the iterator variable $_ instead of $instance
#>
# query the property
$rawValue = $instance.Type
# translate raw value to friendly text:
$friendlyName = $Type_map[[int]$rawValue]
# output value
$friendlyName
Use a switch statement inside a calculated property for Select-Object
<#
this example uses a switch clause to translate raw numeric
values for property "Type" to friendly text. The switch
clause is embedded into a calculated property so there is
no need to refer to external variables for translation.
Note: to use other properties than "Type", look up the appropriate
translation switch clause for the property you would like to use instead.
#>
#region define calculated property (to be used with Select-Object)
<#
a calculated property is defined by a hashtable with keys "Name" and "Expression"
"Name" defines the name of the property (in this example, it is "Type", but you can rename it to anything else)
"Expression" defines a scriptblock that calculates the content of this property
in this example, the scriptblock uses a switch statement to translate the numeric
value to its friendly text counterpart:
#>
$Type = @{
    Name = 'Type'
    Expression = {
        # Type is a single value; the switch matches it against the known codes
        $value = $_.Type
        switch([int]$value)
        {
            1 {'Error'}
            2 {'Warning'}
            4 {'Information'}
            8 {'Security Audit Success'}
            16 {'Security Audit Failure'}
            default {"$value"}
        }
    }
}
#endregion define calculated property
# retrieve all instances...
Get-CimInstance -ClassName Win32_NTLogEvent |
    # ...and output properties "SourceName" and "Type". The latter is defined
    # by the hashtable in $Type:
    Select-Object -Property SourceName, $Type
Use the Enum from above to auto-translate the code values
<#
this example translates raw values by means of type conversion
the friendly names are defined as enumeration using the
keyword "enum" (PowerShell 5 or better)
The raw value(s) are translated to friendly text by
simply converting them into the enum type.
Note: to use other properties than "Type", look up the appropriate
enum definition for the property you would like to use instead.
#>
#region define enum with value-to-text translation:
# enum member names cannot contain spaces, so the friendly names are written without them
Enum EnumType
{
    Error = 1
    Warning = 2
    Information = 4
    SecurityAuditSuccess = 8
    SecurityAuditFailure = 16
}
#endregion define enum
# get one instance:
$instance = Get-CimInstance -ClassName Win32_NTLogEvent | Select-Object -First 1
<#
IMPORTANT: this example processes only one instance to focus on
the number-to-text type conversion.
To process all instances, replace "Select-Object -First 1"
with a "Foreach-Object" loop, and use the iterator variable
$_ instead of $instance
#>
# query the property:
$rawValue = $instance.Type
#region using strict type conversion
<#
Note: strict type conversion fails if the raw value is
not defined by the enum. So if the list of allowable values
was extended and the enum does not match the value,
an exception is thrown
#>
# convert the property to the enum EnumType
[EnumType]$rawValue
# get a comma-separated string:
[EnumType]$rawValue -join ','
#endregion
#region using operator "-as"
<#
Note: the operator "-as" accepts values not defined
by the enum and returns $null instead of throwing
an exception
#>
$rawValue -as [EnumType]
#endregion
Enums must cover all possible values. If Type returns a value that is not defined in the enum, an exception occurs. The exception reports the value that was missing in the enum. To fix this, add the missing value to the enum.
User
User name of the logged-on user when the event occurred. If the user name cannot be determined, this will be NULL.
Get-CimInstance -ClassName Win32_NTLogEvent | Select-Object -Property Logfile, RecordNumber, User
Examples
List all instances of Win32_NTLogEvent
Get-CimInstance -ClassName Win32_NTLogEvent
Learn more about Get-CimInstance and the deprecated Get-WmiObject.
View all properties
Get-CimInstance -ClassName Win32_NTLogEvent -Property *
View key properties only
Get-CimInstance -ClassName Win32_NTLogEvent -KeyOnly
Selecting Properties
To select only some properties, pipe the results to Select-Object -Property a,b,c with a comma-separated list of the properties you require. Wildcards are permitted.
Get-CimInstance always returns all properties but only retrieves the ones that you specify. All other properties are empty but still present. That is why you need to pipe the results into Select-Object if you want to limit the visible properties, e.g. for reporting.
Selecting Properties
The code below lists all available properties. Remove the ones you do not need:
$properties = 'Category',
'CategoryString',
'ComputerName',
'Data',
'EventCode',
'EventIdentifier',
'EventType',
'InsertionStrings',
'Logfile',
'Message',
'RecordNumber',
'SourceName',
'TimeGenerated',
'TimeWritten',
'Type',
'User'
Get-CimInstance -ClassName Win32_NTLogEvent | Select-Object -Property $properties
Limiting Network Bandwidth
If you work remotely, it makes sense to limit network bandwidth by filtering the properties on the server side, too:
# $properties is the list defined above; -Property makes the server return only these
Get-CimInstance -ClassName Win32_NTLogEvent -Property $properties |
    Select-Object -Property $properties
Selecting Instances
To select some instances, use Get-CimInstance and a WMI Query. The wildcard character in WMI Queries is % (and not “*”).
The parameter -Filter runs a simple query.
Listing all instances where the property SourceName starts with "A" (Win32_NTLogEvent has no Caption property, as the property list above shows, so a string property of the class is used)
Get-CimInstance -ClassName Win32_NTLogEvent -Filter 'SourceName LIKE "a%"'
Using a WQL Query
The parameter -Query uses a query similar to SQL and combines the parameters -Filter and -Property. This returns all instances where the property SourceName starts with "A", and returns the properties specified:
Get-CimInstance -Query "SELECT TimeWritten, User, Data, Message FROM Win32_NTLogEvent WHERE SourceName LIKE 'a%'"
Any property you did not specify is still present but empty. You might need to use Select-Object to remove all unwanted properties:
Get-CimInstance -Query "SELECT TimeWritten, User, Data, Message FROM Win32_NTLogEvent WHERE SourceName LIKE 'a%'" | Select-Object -Property TimeWritten, User, Data, Message
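Building on the -Query form just shown, here is an added example (not part of the original page) of the kind of server-side query a defender typically wants: only Security audit failures (EventType 5 in the EventType translation table above) from a recent time window, with only the columns needed, so that nothing else crosses the network. WQL compares TimeGenerated as a DMTF datetime string, so the cutoff is converted with System.Management.ManagementDateTimeConverter first. The 24-hour window and the Security log are assumptions, and the session must hold SeSecurityPrivilege.

```powershell
# Added example, not part of the original page.
# WQL needs the cutoff in DMTF format (yyyymmddHHMMSS.ffffff+UTCoffset), not as a .NET DateTime.
$cutoff = (Get-Date).AddHours(-24)
$since  = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($cutoff)

# EventType 5 = Security Audit Failure (see the EventType translation table above).
# The WHERE clause does the filtering on the server, the SELECT list limits the columns.
$query = @"
SELECT TimeGenerated, EventCode, SourceName, User, Message
FROM Win32_NTLogEvent
WHERE Logfile = 'Security' AND EventType = 5 AND TimeGenerated >= '$since'
"@

# Unrequested properties come back empty but present, so Select-Object trims them.
try {
    $failures = Get-CimInstance -Query $query -ErrorAction Stop |
        Select-Object -Property TimeGenerated, EventCode, SourceName, User, Message |
        Sort-Object -Property TimeGenerated -Descending
}
catch {
    Write-Warning "Query failed (reading the Security log requires SeSecurityPrivilege): $($_.Exception.Message)"
    return
}

"$(@($failures).Count) audit failure(s) since $cutoff"

# Most frequent failing event codes first: a quick triage view of what is failing.
$failures | Group-Object -Property EventCode | Sort-Object -Property Count -Descending |
    Select-Object -Property @{ Name = 'EventCode'; Expression = { $_.Name } }, Count
```

To run the same query against remote machines, add -CimSession with a session created as shown in the remote access section below; the query text does not change.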
Accessing Remote Computers
To access remote systems, you need to have proper permissions. Use the parameter -ComputerName to access one or more remote systems.
Authenticating as Current User
# one or more computer names or IP addresses:
$list = 'server1', 'server2'
# authenticate with your current identity:
$result = Get-CimInstance -ClassName Win32_NTLogEvent -ComputerName $list
$result
Authenticating as Different User
Use a CIMSession object to authenticate with a new identity:
# one or more computer names or IP addresses:
$list = 'server1', 'server2'
# authenticate with a different identity:
$cred = Get-Credential -Message 'Authenticate to retrieve WMI information:'
$session = New-CimSession -ComputerName $list -Credential $cred
$result = Get-CimInstance Win32_NTLogEvent -CimSession $session
# remove the session after use (if you do not plan to re-use it later)
Remove-CimSession -CimSession $session
$result
Learn more about accessing remote computers.
Requirements
To use Win32_NTLogEvent, the following requirements apply:
PowerShell
Get-CimInstance
was introduced with PowerShell Version 3.0, which in turn was introduced on clients with Windows 8 and on servers with Windows Server 2012.
If necessary, update Windows PowerShell to Windows PowerShell 5.1, or install PowerShell 7 side-by-side.
Operating System
Win32_NTLogEvent was introduced on clients with Windows XP and on servers with Windows Server 2003.
Namespace
Win32_NTLogEvent lives in the Namespace Root/CIMV2. This is the default namespace. There is no need to use the -Namespace parameter in Get-CimInstance.
Implementation
Win32_NTLogEvent is implemented in Ntevt.dll and defined in Ntevt.mof. Both files are located in the folder C:\Windows\system32\wbem:
explorer $env:windir\system32\wbem
notepad $env:windir\system32\wbem\Ntevt.mof