I need help filtering by event ID and process name to get Windows events via PowerShell.

I'm using `get-winevent -FilterHashtable @{Logname='Security';ID=4688 ; 'ParentProcessName'='OAW'}`. It doesn't work.

I need ID=4688 and ProcessName='OAW'

ProcessName is some application like "c:\xxx\xxx\xxx\abcOAWxxx.exe"

Thanks.

big0
  • `'OAW'` or `'OWA'`? – iRon Jun 16 '22 at 08:27
  • some application name like c:\xxx\xxx\OWAxxxx.exe – big0 Jun 16 '22 at 08:54
  • Are you saying you want to search the log for events where the 'ParentProcessName' is something like '`*OWA*`' (i.e. a partial string match)? If so, then you're not going to be able to do it with the filter option since `Get-WinEvent` uses a subset of XPath 1.0 behind the scenes and this has some [limitations](https://learn.microsoft.com/en-us/windows/win32/wes/consuming-events#xpath-10-limitations). In particular it doesn't support XPath functions like `contains()` that you might use to match like this. – boxdog Jun 16 '22 at 09:20
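
One way to get the partial match discussed in the comments above, as an added example that is not part of the original thread: let `Get-WinEvent` filter on log and event ID only, then match the process path client-side with `-like`. The one-day `StartTime` window and the choice to match against both `NewProcessName` and `ParentProcessName` are assumptions; `*OAW*` is the fragment from the question.

```powershell
# Added example, not from the original thread.
# Run from an elevated session: reading the Security log requires it.

# Partial name taken from the question; adjust as needed.
$pattern = '*OAW*'

# Server-side filter: only what the XPath subset can express (log, ID, time).
# The one-day window is an assumption to keep the result set bounded.
$filter = @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = (Get-Date).AddDays(-1)
}

Get-WinEvent -FilterHashtable $filter |
    ForEach-Object {
        # The named 4688 fields live in the event XML as
        # <EventData><Data Name="...">value</Data></EventData>.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            $data[$d.Name] = $d.InnerText
        }

        [pscustomobject]@{
            TimeCreated       = $_.TimeCreated
            User              = $data['SubjectUserName']
            NewProcessName    = $data['NewProcessName']
            # Not logged by older Windows versions; stays $null there.
            ParentProcessName = $data['ParentProcessName']
            CommandLine       = $data['CommandLine']
        }
    } |
    # Client-side wildcard match, which the FilterHashtable cannot do.
    Where-Object {
        $_.NewProcessName -like $pattern -or
        $_.ParentProcessName -like $pattern
    }
```

`CommandLine` is only populated when command-line auditing for process creation is enabled; otherwise that column is empty.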

0 Answers