List all possible security events and their descriptions in PowerShell
If you'd like to know all the possible security events on your system, the best way to do it is to download the spreadsheet that has the full list:
This is great and very complete, but it also implies that you have an Internet connection and Excel to open the file. Another, geekier way to do it is to use PowerShell to list all possible events from one specific provider. The provider for security events is Microsoft-Windows-Security-Auditing. Here is the extended one-liner that does it:
# Template is an XML string, so cast it to [xml] before reading its <data> elements
(Get-WinEvent -ListProvider "Microsoft-Windows-Security-Auditing").Events | `
Select-Object @{Name='Id';Expression={$_.Id -band 0xffffff}}, Description, @{Name='Parameters';Expression={([xml]$_.Template).template.data}} | `
Out-GridView -Title "Audit Event IDs" -PassThru | `
Format-List
And here is the output:
Because this is an Out-GridView output, you can easily navigate and filter. For example, if you don't recall the event ID for the account lockout:
And because the one-liner also uses the -PassThru parameter, you can select one or more events, click OK, and get the details in the PowerShell console:
Give it a try! And try other providers; you can get the list of providers on the system with the following:
Get-WinEvent -ListProvider *
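The same provider metadata can be searched without Out-GridView, which helps on hosts with no GUI or when the result feeds a script. This is an added example, not code from the original post; Find-ProviderEvent and its parameter names are hypothetical, and it relies only on Get-WinEvent -ListProvider and the Id, Version, Description and Template properties of the returned event metadata.

```powershell
# Added example: non-interactive search of a provider's event metadata.
# Find-ProviderEvent is a hypothetical helper name, not a built-in cmdlet.
function Find-ProviderEvent {
    [CmdletBinding()]
    param(
        [string]$ProviderName = 'Microsoft-Windows-Security-Auditing',
        [Parameter(Mandatory)][string]$Pattern   # regex, case-insensitive
    )

    $provider = Get-WinEvent -ListProvider $ProviderName -ErrorAction Stop

    foreach ($md in $provider.Events) {
        # Skip events with no description and events that do not match
        if (-not $md.Description -or $md.Description -notmatch $Pattern) { continue }

        # Template is an XML string; some events have none at all
        $names = @()
        if ($md.Template) {
            try {
                $data  = ([xml]$md.Template).template.data
                $names = @($data | Where-Object { $_ } | ForEach-Object { $_.name })
            } catch {
                Write-Verbose "Event $($md.Id): template could not be parsed"
            }
        }

        [pscustomobject]@{
            Id         = $md.Id -band 0xffffff          # same mask as the one-liner
            Version    = $md.Version                    # one ID can have several versions
            Summary    = ($md.Description -split '\r?\n')[0]
            Parameters = $names -join ', '
        }
    }
}

# The account lockout lookup from the article, done as a text search
Find-ProviderEvent -Pattern 'locked out' |
    Sort-Object Id, Version |
    Format-Table -AutoSize -Wrap
```

Pass -ProviderName to search another provider, and replace Format-Table with Export-Csv to keep an offline copy of the list.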
Special thanks to my colleague Chris Wu for sharing the tip for listing events for a specific provider. A French version of this article is available here.
Comments
- Anonymous
May 18, 2019
This is great, I used it to get all possible DHCP events from Microsoft-Windows-Dhcp-Client for some troubleshooting I am doing. Thanks