List all possible security events and their descriptions in PowerShell

If you'd like to know all the possible security events in your system, the best way to do it is to download the spreadsheet that has the full list:

This is great and very complete, but it also requires an Internet connection and Excel to open the file. Another, geekier way to do it is to use PowerShell to list all possible events from one specific provider. The provider for security events is Microsoft-Windows-Security-Auditing. Here is the extended one-liner that does it:

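 # List every event the provider can emit: ID (low 24 bits), description and template fields.
 # Template is an XML string, so it is cast to [xml] before reading its data elements.
 (Get-WinEvent -ListProvider "Microsoft-Windows-Security-Auditing").Events |
     Select-Object @{Name='Id';Expression={$_.Id -band 0xffffff}}, Description, @{Name='Parameters';Expression={([xml]$_.Template).template.data}} |
         Out-GridView -Title "Audit Event IDs" -PassThru |
             Format-List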

And here is the output:

[Image: audit_ps_1]

Because this is an Out-GridView output, you can easily navigate and filter. For example, if you don't recall the event ID for the account lockout:

[Image: audit_ps_2]

And because you can also use the -PassThru parameter, you can even select one or more events, click OK and get the details in the PowerShell console:

[Image: audit_ps_3]

Give it a try! And try other providers; you can get the list of providers on the system with the following:

 Get-WinEvent -ListProvider *
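A non-interactive variant of the one-liner, for sessions where a grid window is not an option (a remote console, for instance) or when you want a file to keep next to your audit policy documentation. This is an added example, not code from the original post; the function name `Find-ProviderEvent`, its parameters, the `locked out` search pattern and the CSV file name are hypothetical.

```powershell
# Added example (not from the original post): search a provider's event
# metadata by description and return plain objects instead of a grid view.
function Find-ProviderEvent {
    [CmdletBinding()]
    param(
        # Provider to inspect; defaults to the security auditing provider used in the article.
        [string]$ProviderName = 'Microsoft-Windows-Security-Auditing',

        # Regular expression matched against each event description.
        [Parameter(Mandatory)]
        [string]$Pattern
    )

    $provider = Get-WinEvent -ListProvider $ProviderName -ErrorAction Stop

    foreach ($meta in $provider.Events) {
        # Some events have no description; skip them and anything that does not match.
        if ([string]::IsNullOrEmpty($meta.Description)) { continue }
        if ($meta.Description -notmatch $Pattern) { continue }

        # Template is an XML string (possibly empty); each <data> element
        # names one field that appears in the logged event.
        $fields = @()
        if ($meta.Template) {
            $fields = @(([xml]$meta.Template).template.data |
                Where-Object { $_ } |
                ForEach-Object { $_.name })
        }

        [pscustomobject]@{
            Id         = $meta.Id -band 0xffffff              # same mask as the one-liner
            Version    = $meta.Version                        # one ID can have several versions
            Summary    = ($meta.Description -split '\r?\n')[0] # first line of the description
            Parameters = $fields -join ', '
        }
    }
}

# Look up an event ID by keyword, the console equivalent of filtering the grid.
Find-ProviderEvent -Pattern 'locked out' |
    Sort-Object Id, Version |
    Format-Table -AutoSize -Wrap

# Export the whole catalogue for offline reference (constructed file name).
Find-ProviderEvent -Pattern '.' |
    Sort-Object Id, Version |
    Export-Csv -Path .\security-event-ids.csv -NoTypeInformation
```

The `Parameters` column lists the field names you can expect in the event's data section, which helps when writing filters or SIEM parsers for a given ID.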

Special thanks to my colleague Chris Wu for sharing the tip on listing events for a specific provider. A French version of this article is available here.

Comments

  • Anonymous
    May 18, 2019
    This is great, I used it to get all possible DHCP events from Microsoft-Windows-Dhcp-Client for some troubleshooting I am doing. Thanks