## Get Process Termination events (ID 4689), looking for specific processes via the event properties which are used to create the message
## Properties[6] is the process name and Properties[4] is the exit status; only non-zero exit codes are kept
Get-WinEvent -FilterHashtable @{ ProviderName = '*security-audit*' ; Id = 4689 ; StartTime = '08:00' } -Oldest | Where-Object { $_.Properties[6].Value -match 'pwsh|terminal' -and $_.Properties[4].Value -ne 0 } | Select-Object TimeCreated,@{n='Process';e={$_.Properties[6].Value}},@{n='Exit Code';e={$_.Properties[4].Value}}