windows-itpro-docs/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
Justin Hall f8d87f146c edits
2018-10-15 13:59:58 -07:00


---
title: How to get a list of XML elements in <EventData> (Windows 10)
description: This reference topic for the IT professional explains how to use PowerShell to get a list of XML elements that can appear in <EventData>.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: tedhardyMSFT
ms.date: 10/15/2018
---

How to get a list of XML elements in EventData

Applies to

  • Windows 10

The events in the Security log are defined in a provider manifest, and the schema of every event can be read from that manifest.

Run the following from an elevated PowerShell prompt:

$secEvents = Get-WinEvent -ListProvider "Microsoft-Windows-Security-Auditing"

The .Events property of the provider object is a collection of every event defined in the manifest on the local machine.

For each event, the .Template property holds the XML template that defines the event's properties, that is, the elements that appear in <EventData> (if the event has any).

For example:

PS C:\WINDOWS\system32> $SecEvents.events[100]


Id          : 4734
Version     : 0
LogLink     : System.Diagnostics.Eventing.Reader.EventLogLink
Level       : System.Diagnostics.Eventing.Reader.EventLevel
Opcode      : System.Diagnostics.Eventing.Reader.EventOpcode
Task        : System.Diagnostics.Eventing.Reader.EventTask
Keywords    : {}
Template    : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
                <data name="TargetUserName" inType="win:UnicodeString" outType="xs:string"/>
                <data name="TargetDomainName" inType="win:UnicodeString" outType="xs:string"/>
                <data name="TargetSid" inType="win:SID" outType="xs:string"/>
                <data name="SubjectUserSid" inType="win:SID" outType="xs:string"/>
                <data name="SubjectUserName" inType="win:UnicodeString" outType="xs:string"/>
                <data name="SubjectDomainName" inType="win:UnicodeString" outType="xs:string"/>
                <data name="SubjectLogonId" inType="win:HexInt64" outType="win:HexInt64"/>
                <data name="PrivilegeList" inType="win:UnicodeString" outType="xs:string"/>
              </template>

Description : A security-enabled local group was deleted.

              Subject:
                Security ID:            %4
                Account Name:           %5
                Account Domain:         %6
                Logon ID:               %7

              Group:
                Security ID:            %3
                Group Name:             %1
                Group Domain:           %2

              Additional Information:
                Privileges:             %8



PS C:\WINDOWS\system32> $SecEvents.events[100].Template
<template xmlns="http://schemas.microsoft.com/win/2004/08/events">
  <data name="TargetUserName" inType="win:UnicodeString" outType="xs:string"/>
  <data name="TargetDomainName" inType="win:UnicodeString" outType="xs:string"/>
  <data name="TargetSid" inType="win:SID" outType="xs:string"/>
  <data name="SubjectUserSid" inType="win:SID" outType="xs:string"/>
  <data name="SubjectUserName" inType="win:UnicodeString" outType="xs:string"/>
  <data name="SubjectDomainName" inType="win:UnicodeString" outType="xs:string"/>
  <data name="SubjectLogonId" inType="win:HexInt64" outType="win:HexInt64"/>
  <data name="PrivilegeList" inType="win:UnicodeString" outType="xs:string"/>
</template>
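The following script is an added example (not part of the original article and not Microsoft's code) that generalizes the single-event lookup above: it parses the .Template XML of every event the Security auditing provider defines and builds one row per event ID and version listing the <EventData> element names and their manifest types. The output CSV path is an assumption; everything else uses only the provider, property and cmdlet names shown in the article.

```powershell
# Added example, not part of the original article: build a table of the
# <EventData> element names (with their manifest inType) for every event the
# Microsoft-Windows-Security-Auditing provider defines, by parsing each event's
# .Template XML. Run from an elevated PowerShell prompt.
# The output file path below is an assumption; change it as needed.

$provider = Get-WinEvent -ListProvider "Microsoft-Windows-Security-Auditing"

$schema = foreach ($evt in $provider.Events) {
    # Events without a template carry no EventData; skip them.
    if ([string]::IsNullOrWhiteSpace($evt.Template)) { continue }

    try {
        [xml]$template = $evt.Template
    } catch {
        Write-Warning ("Event {0} v{1}: template is not well-formed XML, skipped" -f $evt.Id, $evt.Version)
        continue
    }

    # Each <data> child of <template> is one EventData element: the name
    # attribute is the element name, inType is the manifest input type.
    # GetAttribute is used so the attribute is never confused with the
    # XmlElement.Name CLR property.
    $elements = @($template.template.data | ForEach-Object {
        "{0} ({1})" -f $_.GetAttribute('name'), $_.GetAttribute('inType')
    })

    [pscustomobject]@{
        Id           = $evt.Id
        Version      = $evt.Version
        ElementCount = $elements.Count
        Elements     = ($elements -join ", ")
    }
}

# Show the elements for 4734, the event used as the example in the article.
$schema | Where-Object { $_.Id -eq 4734 } | Format-List

# List every event that carries a SubjectLogonId element, which tells you which
# audit events can be correlated with a logon session (the Logon ID of a 4624).
$schema | Where-Object { $_.Elements -match '\bSubjectLogonId\b' } |
    Select-Object Id, Version, ElementCount | Format-Table -AutoSize

# Export the whole schema, one row per event ID and version, for a SIEM field map.
$schema | Sort-Object Id, Version |
    Export-Csv -NoTypeInformation -Path ".\SecurityAuditing-EventData-Elements.csv"
```

Keep the Version column when you use the export: several Security events exist in more than one version, and later versions append elements to the end of the template, so a field map keyed only on the event ID will be wrong on some OS builds. Because the manifest is read from the local machine, run the script on the same OS build as the systems whose logs you collect.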