This PowerShell script fetches 'log cleared' events from the Windows security log and exports them to a CSV file.
Here is the PowerShell code:
# Get the 'Log cleared' events from the Windows log.
# 'Get-WinEvent' is a command that fetches Windows event logs.
# 'FilterHashtable' is a filter we're applying to only get events from the 'Security' log with an ID of 1102.
$logs = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=1102}
# Select only the desired columns from the logs that we want to show.
# The Select-Object cmdlet is used to select specific columns from these logs.
$selectedLogs = $logs | Select-Object TimeCreated, Message, Id, LogName, MachineName, ProcessId
# Export logs to CSV
# We're asking Windows to take those events ('$logs') and put them into a CSV file.
# 'Export-Csv' is a command that exports data to a CSV file.
# '-Path' is where we want to save the file. You should replace it.
# '-NoTypeInformation' is an option that prevents PowerShell from writing type information to the CSV file.
$selectedLogs | Export-Csv -Path "C:\path\to\your\desktop\SecurityLogsCleared.csv" -NoTypeInformation
PowerShell is a powerful scripting language and administrative framework for Windows. Here's a guide on how to create and run a simple PowerShell script.
-
Open Notepad. You can do this by searching for Notepad in the start menu or by typing
notepad
in the Run dialog (Win + R). -
Write or copy the script in Notepad.
⚠️ Make sure to change-Path
⚠️ -
Save the file with a
.ps1
extension. This is the extension for PowerShell scripts. To do this in Notepad, click onFile > Save As
, then in theSave as type
dropdown, selectAll Files
. Name your file with a.ps1
extension, likelogs_cleared.ps1
.
-
To run your script, type in the Windows search bar
Windows Powershell
and right clickRun as adminastrator
. Now use thecd
command to navigate to your desktop. Once you're on your desktop type.\logs_cleared.ps1
-
If you encounter any issues with running the script, you may need to change your script execution policy. You can do this by opening PowerShell as an administrator and running the command:
Set-ExecutionPolicy RemoteSigned
. This allows you to run scripts that you've written and scripts from trusted publishers.