Last active
February 27, 2023 04:11
-
-
Save ConanChiles/ccccee13b8a39d9631473f5b073b8c8a to your computer and use it in GitHub Desktop.
list disabled WinEventLogs, enable some
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Requires -RunAsAdministrator | |
| Set-StrictMode -Version 'latest' | |
| $ErrorActionPreference = 'stop' | |
| <# | |
| there's some weirdness here | |
| running as Administrator and/or SYSTEM gets the same results | |
| but this seems to get most of the way there | |
| the remainder dont't show up in eventvwr.msc so guessing there's something special/weird about how they're setup, maybe security related | |
| #> | |
| $WinEventProviders = Get-WinEvent -ListProvider * -ErrorAction SilentlyContinue | |
| <# problem for another day | |
| Get-WinEvent : Could not retrieve information about the Microsoft-Windows-DxgKrnl-SysMm provider. Error: The data is invalid. | |
| Get-WinEvent : Could not retrieve information about the Microsoft-Windows-Security-Isolation-BrokeringFileSystem provider. Error: The specified resource type cannot be found in the image file. | |
| Get-WinEvent : Could not retrieve information about the Microsoft-Windows-SystemSettingsThreshold provider. Error: The system cannot find the file specified. | |
| Get-WinEvent : Could not retrieve information about the Microsoft-Windows-USB-CCID provider. Error: The system cannot find the file specified. | |
| Get-WinEvent : Could not retrieve information about the NisDrvWFP Provider provider. Error: The specified resource type cannot be found in the image file. | |
| #> | |
| $allEventLogConfigs = [System.Collections.ArrayList]::new() | |
| $sbLogger = [System.Text.StringBuilder]::new() | |
| foreach ( $LogProvider in $WinEventProviders ) { | |
| if ( [string]::IsNullOrWhiteSpace($LogProvider.LogLinks) ) { | |
| [void]$sbLogger.AppendLine("no LogLinks, skipping: $($LogProvider.Name)") | |
| ($sbLogger.ToString() -split [System.Environment]::NewLine)[-2] | Write-Host -ForegroundColor Red | |
| continue | |
| } | |
| $LogLinks = $LogProvider.LogLinks | Where-Object -FilterScript { | |
| @( | |
| 'Application' | |
| 'Security' | |
| 'Setup' | |
| 'System' | |
| ) -notcontains $PSItem.LogName | |
| } | |
| foreach ( $LogLink in $LogLinks ) { | |
| try { | |
| $EventLogConfig = [System.Diagnostics.Eventing.Reader.EventLogConfiguration]::new($LogLink.LogName) | |
| [void]$allEventLogConfigs.Add($EventLogConfig) | |
| } catch { | |
| [void]$sbLogger.AppendLine("failed to to event info for: $($LogProvider.Name) > $($LogLink.LogName)") | |
| ($sbLogger.ToString() -split [System.Environment]::NewLine)[-2] | Write-Host -ForegroundColor Red | |
| <# WTF? found by enumeration, but can't find by name ... problem for another day: | |
| $WinEventProviders | Where-Object -FilterScript {$PSItem.Name -eq 'Microsoft-Windows-UserDataAccess-UserDataApis'} | Format-List -Property * | |
| Get-WinEvent -LogName 'Microsoft-Windows-UserDataAccess-UserDataApis' | |
| #> | |
| } | |
| } | |
| } | |
| $sbLogger.ToString() | Write-Host | |
| # which ones do you care about? | |
| $allEventLogConfigs | Where-Object -FilterScript { | |
| $PSItem.IsEnabled -eq $false | |
| } | Select-Object -Property @( | |
| 'IsEnabled' | |
| 'LogName' | |
| #LogFilePath' | |
| 'MaximumSizeInBytes' | |
| 'LogMode' | |
| 'OwningProviderName' | |
| ) | Sort-Object -Property 'LogName' | Out-GridView | |
| break | |
| # change me | |
| $EventLogsToEnable = @( | |
| 'Microsoft-Windows-DNS-Client/Operational' | |
| ) | |
| foreach ( $EventLogToEnable in $EventLogsToEnable ) { | |
| $EventLogConfig = [System.Diagnostics.Eventing.Reader.EventLogConfiguration]::new($EventLogToEnable) | |
| $EventLogConfig.IsEnabled = $true | |
| $EventLogConfig.SaveChanges() | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment