Event Log Providers

An event log provider is writes to an event log.  I’ve used WMI in the past to get these but while looking for somethign else discovered that Get-WinEvent can also find this information


Get-WinEvent -ListProvider * | ft Name, LogLinks -AutoSize –Wrap


Provides a nice long list of all of the providers and the event logs they write to.


Usually I’m only interested in what’s writing to a particular event log. And that’s where things get a bit more messy.


The loglinks are supplied as a System.Collections.Generic.IList[System.Diagnostics.Eventing.Reader.EventLogLink] LogLinks  object that doesn’t play nicely with –in or –contains


So we need a bit of PowerShell manipulation to get what we want


$log = ‘System’

Get-WinEvent -ListProvider * |
foreach {
if ($log -in ($psitem | select -ExpandProperty Loglinks | select -ExpandProperty Logname)){
    New-Object -TypeName psobject -Property @{
      Name = $psitem.Name
      Log = $log


The trick here is that the loglinks are a collection of objects so you need to expand them twice to get to the name.  Not pretty but it works

This entry was posted in Powershell Basics. Bookmark the permalink.

One Response to Event Log Providers

  1. MattS says:

    Thanks for this post Richard – it helped my solve my problem. I ended up tweaking the code a little to work on PSv2 (which doesn’t have the -in operator). Here are my notes for fun:

    PSv2> Get-WinEvent -ListProviders * | foreach {
    if( ($_ | select -expand LogLinks | select -expand LogName) -contains “log_of_interest”) {
    $_ # I just want to filter orig output, so printing out $_ works fine
    For those wondering, the second “select -expand…” is needed to return a string instead of an object with a single value (REF: https://blogs.msdn.microsoft.com/powershell/2009/09/13/select-expandproperty-propertyname/)

    You could also substitute -contains with -match or -eq and the second expand for the single property access syntax:
    PSv2> if( ($_ | select -expand LogLinks).LogName -eq “log_of_interest” )

    Finally, I figured out how to put it in a more natural (to me) pipeline form:
    PSv2> Get-WinEvent -ListProviders * | where { ($_ | select -expand LogLinks).LogName -eq ‘log_of_interest’ }

    I guess the key in the last one is recognizing that you can have a “pipeline within a pipeline”. Or that you can have a separate pipeline within the where statement to help you create your match criteria.

    In hindsight the command is so simple that you wouldn’t have thought I spent hours on getting to that solution 🙂

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s