get-winevent: changing format file to groupby logname has no effect

Question

I want to change the default output of get-winevent to look like this in powershell 5.1, so the header says the LogName instead of ProviderName.

get-winevent application -MaxEvents 1


   LogName: Application

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
8/23/2020 10:32:25 AM            0

I can do this very easily in powershell 7, by editing Event.format.ps1xml somewhere under $PSHOME:

            <ViewSelectedBy>
                <TypeName>System.Diagnostics.Eventing.Reader.EventLogRecord</TypeName>
            </ViewSelectedBy>
            <GroupBy>
                <PropertyName>LogName</PropertyName>
                <Label>LogName</Label>
            </GroupBy>

But in powershell 5.1, after changing the ownership and security so I can write to that file, the same change seems to have no effect! It seems like get-winevent ignores that file completely. How can I make this change?

cd $pshome
takeown /f Event.Format.ps1xml /a
icacls event.format.ps1xml /grant administrators:w

I think this format is defined in c# somewhere? Remove generated types and formats for Microsoft.PowerShell.Diagnostics #1218

@MathiasR.Jessen No but I've restarted powershell, logged in again, etc. I just tried it now but no effect. — js2010, Aug 23 '20 at 15:25
I remember Don Jones saying that the ps1xml files are digitally signed and you should not modify the originals but instead make a copy. I've confirmed without changing any permissions I can simply copy the file to another location, modify it and then `Update-TypeData -Appendpath \path\to\new.ps1xml` and it works fine. Would this not be sufficient? — Doug Maurer, Aug 23 '20 at 19:13
The about_format.ps1xml says "Beginning in PowerShell 6, the default views are defined in PowerShell source code. The Format.ps1xml files from PowerShell 5.1 and earlier versions don't exist in PowerShell 6 and later versions. The PowerShell source code defines the default display of objects in the PowerShell console. You can create your own Format.ps1xml files to change the display of objects or to define default displays for new object types that you create in PowerShell." — Doug Maurer, Aug 23 '20 at 19:13
@DougMaurer Yes, making a new format file is a solution. The docs are incorrect, which is not unusual. The file is still there but it's in $pshome\Modules\Microsoft.PowerShell.Diagnostics\event.format.ps1xml. I had no trouble modifying it and having it take effect. In powershell 5.1, the file is there at $pshome\event.format.ps1xml but serves no purpose. — js2010, Aug 23 '20 at 20:56
@DougMaurer I tried loading the .ps1xml file but I got errors about node "types" not found. It doesn't seem like any format data is accessible for that type. — js2010, Aug 23 '20 at 21:48

js2010 · Answer 1 · 2020-08-24T00:48:17.043

Someone confirmed that event.format.ps1xml isn't used in powershell 5.1 for performance reasons. The format is defined in c# instead. https://github.com/PowerShell/PowerShell/issues/1218#issuecomment-678804787

"Format-table -groupby logname" sort of works in ps 5. The header still says "providername", but it really isn't. It's best to sort it first. $pshome\event.format.ps1xml has no function in powershell 5.1. I don't believe the EventLogRecord type is accessible for formatting.

get-winevent application,system -maxevents 3 | sort logname | ft -GroupBy logname


   ProviderName: Application

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
8/23/2020 7:10:04 PM         16384 Information      Successfully scheduled Software Protection service for re-start at 20...
8/23/2020 8:06:25 PM           455 Error            svchost (7476,R,98) TILEREPOSITORYS-1-5-18: Error -1023 (0xfffffc01) ...


   ProviderName: System

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
8/23/2020 8:14:59 PM         10016 Warning          The machine-default permission settings do not grant Local Activation...

get-winevent: changing format file to groupby logname has no effect

1 Answers1