Goose

Reputation: 1

How can I get the Event XML from a Windows logon event triggered by the event itself?

This seemed simple to start with, and using a scheduled task that ran every minute worked fine. I then found an interesting post at https://community.spiceworks.com/how_to/123434-run-powershell-script-on-windows-event that gave me the idea to actually use the event itself to fire the PowerShell rather than being lazy and running the task every minute.

If I run Get-WinEvent with the EventID passed from the above technique there is no event found. The event itself triggers the PowerShell but the PowerShell cannot find the event that spawned it!

I have tried Start-Sleep just in case there was some kind of propagation issue but no joy.

I could make it work by passing the OuterXML of the event as a param to PowerShell but I just can't understand why this doesn't work!

The PowerShell is simple:-

    Param(
        $eventChannel,     # Event/System/Channel, filled in by the task's ValueQueries
        $eventRecordID     # Event/System/EventRecordID, filled in by the task's ValueQueries
    )
    # Log what Task Scheduler actually handed over before trying to use it
    Add-Content "$PSScriptRoot\AdministratorLogin.txt" "$(Get-Date) - I got $eventChannel and $eventRecordID"
    # Look up the single record with that EventRecordID in the channel the trigger fired on
    $event = Get-WinEvent -LogName $eventChannel -FilterXPath "*[System[EventRecordID=$eventRecordID]]"
    # ToXml() returns the event as an XML string; parse it to get at the <Event> element
    $rawXml = ([xml]$event.ToXml()).Event
    $eventXml = $rawXml.OuterXml
    Add-Content "$PSScriptRoot\AdministratorLogin.txt" "The XML is:- $eventXml"

All it does for now is add the event to a text file...

Upvotes: 0

Views: 750
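A handler script for this setup, as an added example that is not code from the question or the answer: it validates what Task Scheduler passed in (the record ID ends up inside an XPath string, and a task started by hand rather than by the event has no event to take the values from), retries the lookup briefly, logs what the newest readable record is when the ID cannot be found, and pulls the logon fields out of EventData by name instead of by position. It assumes the question's parameter names and a Security 4624 (logon) trigger, which is where the TargetUserName, LogonType and IpAddress fields come from; the log file name and retry settings are chosen for the example.

```powershell
# Added example, not the question's or the answer's code. Assumptions: the task's
# ValueQueries pass Event/System/Channel and Event/System/EventRecordID as
# -eventChannel / -eventRecordID (as in the question), and the trigger is Security
# event 4624 (logon), whose EventData fields TargetUserName, LogonType and IpAddress
# are read below. Log file name and retry counts are chosen for this example.
param(
    [string] $eventChannel,
    [string] $eventRecordID
)

$logFile = Join-Path $PSScriptRoot 'AdministratorLogin.txt'

function Write-Log([string] $Message) {
    Add-Content -Path $logFile -Value "$(Get-Date -Format o) - $Message"
}

# Task Scheduler only has values for $(eventChannel)/$(eventRecordID) when an event
# fired the task. The record ID is also spliced into an XPath query, so refuse
# anything that is not a plain integer before using it.
if (-not $eventChannel -or $eventRecordID -notmatch '^\d+$') {
    Write-Log "bad trigger values: channel='$eventChannel' recordID='$eventRecordID'"
    exit 1
}

function Get-TriggeringEvent {
    param([string] $Channel, [long] $RecordID, [int] $Attempts = 5, [int] $DelayMs = 500)
    # Retry briefly rather than giving up on the first empty result.
    for ($i = 1; $i -le $Attempts; $i++) {
        $found = Get-WinEvent -LogName $Channel -FilterXPath "*[System[EventRecordID=$RecordID]]" `
                              -MaxEvents 1 -ErrorAction SilentlyContinue
        if ($found) { return $found }
        Start-Sleep -Milliseconds $DelayMs
    }
    return $null
}

function ConvertFrom-EventXml {
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    $xml = [xml]$Record.ToXml()
    # Index EventData/Data by its Name attribute instead of relying on field order.
    # Data elements without a Name attribute (non-Security providers) are skipped.
    $data = @{}
    foreach ($d in @($xml.Event.EventData.Data)) {
        if ($d -is [System.Xml.XmlElement] -and $d.Name) { $data[$d.Name] = $d.'#text' }
    }
    [pscustomobject]@{
        RecordID    = $Record.RecordId
        EventID     = $Record.Id
        TimeCreated = $Record.TimeCreated
        User        = $data['TargetUserName']
        LogonType   = $data['LogonType']
        SourceIP    = $data['IpAddress']
        Xml         = $xml.Event.OuterXml
    }
}

$record = Get-TriggeringEvent -Channel $eventChannel -RecordID ([long]$eventRecordID)
if (-not $record) {
    # Diagnostic: the newest record ID in the channel tells a stale ID apart from a
    # channel the task account cannot read at all (the Security log needs an
    # administrator or SYSTEM account), where nothing comes back for any query.
    $newest = Get-WinEvent -LogName $eventChannel -MaxEvents 1 -ErrorAction SilentlyContinue
    Write-Log "record $eventRecordID not found in '$eventChannel'; newest readable record: $($newest.RecordId)"
    exit 1
}

$parsed = ConvertFrom-EventXml -Record $record
Write-Log "event $($parsed.EventID) record $($parsed.RecordID): user=$($parsed.User) logontype=$($parsed.LogonType) src=$($parsed.SourceIP)"
Add-Content -Path $logFile -Value $parsed.Xml
```

The two failure branches write different diagnostics on purpose: empty parameters point at the task definition (no ValueQueries, or the task was started manually), while a missing record with a plausible "newest readable record" points at the lookup itself, and a missing record with no newest record at all points at the account the task runs under.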

Answers (1)

D-squared

Reputation: 331

I've run several tests and I'm not having any problems retrieving an event using the EventRecordID passed into the script; however, I am triggering the task on different events than you. Perhaps that has something to do with it. Have you tried triggering the task on a different Log Name, Source, and/or Event ID?

I tested with the following:
Log Name: Security
Source: Microsoft Windows security auditing
Event ID: 4625
--------------------------------------------------
Log Name: Windows PowerShell
Source: PowerShell (PowerShell)
Event ID: 400
--------------------------------------------------

Below is how I set up one of my working tests:

Task XML snippets

...
<EventTrigger>
  <Enabled>true</Enabled>
  <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
  <ValueQueries>
    <Value name="eventChannel">Event/System/Channel</Value>
    <Value name="eventRecordID">Event/System/EventRecordID</Value>
  </ValueQueries>
</EventTrigger>
...
...
<Exec>
  <Command>powershell.exe</Command>
  <!-- powershell.exe only honours its own switches before the script path; anything
       after the script path is handed to the script as arguments. -File passes the
       substituted values as plain strings, so double-quote them in case a channel
       name contains a space (e.g. "Windows PowerShell"). -->
  <Arguments>-ExecutionPolicy Bypass -File c:\test.ps1 -eventChannel "$(eventChannel)" -eventRecordID "$(eventRecordID)"</Arguments>
  <WorkingDirectory>c:\</WorkingDirectory>
</Exec>
...

PowerShell code

param (
    $eventChannel,    # Event/System/Channel from the trigger's ValueQueries
    $eventRecordID    # Event/System/EventRecordID from the trigger's ValueQueries
)

# Start a fresh log for this run and record what the task passed in
Set-Content -Path "C:\test.txt" -Value "eventChannel = $eventChannel"
Add-Content -Path "C:\test.txt" -Value "eventRecordID = $eventRecordID"
# Look up the triggering record by its EventRecordID in the same channel
$event = Get-WinEvent -LogName $eventChannel -FilterXPath "*[System[EventRecordID=$eventRecordID]]"
# Parse the event's XML string and keep the <Event> element
$rawXml = ([xml]$event.ToXml()).Event
$eventXml = $rawXml.OuterXml
Add-Content -Path "C:\test.txt" -Value "`n$eventXml"

Results

eventChannel = Security
eventRecordID = 322647

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" /><EventID>4625</EventID>...(*omitted*)

Upvotes: 1
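Registering the same kind of task from PowerShell, as an added example that is not the answer's own code: the ScheduledTasks cmdlets have no event-trigger form that can express <ValueQueries>, so the task is built as XML and registered with Register-ScheduledTask -Xml. The script path, task name, event ID and settings are assumptions made for the example. Note the argument order in the Exec action: powershell.exe only honours its own switches (-ExecutionPolicy, -File) when they come before the script path; anything after the script path is passed to the script.

```powershell
# Added example, not the answer's code. Registers the event-triggered task from PowerShell
# by building the task XML, since New-ScheduledTaskTrigger has no event-trigger form and
# cannot express <ValueQueries>. Assumptions: the handler is C:\Tasks\Get-LogonEvent.ps1 and
# accepts -eventChannel / -eventRecordID; task name, event ID and settings are chosen here.
$scriptPath = 'C:\Tasks\Get-LogonEvent.ps1'
$taskName   = 'LogonEventToXml'
$eventId    = 4624   # Security: an account was successfully logged on

# The subscription is stored XML-escaped inside <Subscription>, exactly as Task Scheduler
# itself exports it (compare the &lt;QueryList&gt; form in the answer above).
$query = "<QueryList><Query Id='0' Path='Security'>" +
         "<Select Path='Security'>*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=$eventId]]</Select>" +
         "</Query></QueryList>"
$subscription = [System.Security.SecurityElement]::Escape($query)

# Backtick-escaped `$(...) tokens are left for Task Scheduler to substitute at trigger
# time; the other $variables are expanded by PowerShell now.
$taskXml = @"
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>$subscription</Subscription>
      <ValueQueries>
        <Value name="eventChannel">Event/System/Channel</Value>
        <Value name="eventRecordID">Event/System/EventRecordID</Value>
      </ValueQueries>
    </EventTrigger>
  </Triggers>
  <Principals>
    <!-- SYSTEM can read the Security log; an ordinary user account gets nothing back from Get-WinEvent -->
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <!-- logons arrive in bursts; queue extra instances instead of dropping them -->
    <MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
    <ExecutionTimeLimit>PT5M</ExecutionTimeLimit>
    <Enabled>true</Enabled>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -NonInteractive -ExecutionPolicy Bypass -File "$scriptPath" -eventChannel "`$(eventChannel)" -eventRecordID "`$(eventRecordID)"</Arguments>
    </Exec>
  </Actions>
</Task>
"@

Register-ScheduledTask -TaskName $taskName -Xml $taskXml -Force | Out-Null

# Check what the scheduler actually stored (the substitution tokens and ValueQueries
# must survive intact) and how the last trigger went: LastTaskResult 0 means the
# handler exited cleanly.
(Export-ScheduledTask -TaskName $taskName) -split "`r?`n" | Select-String 'Value name|Arguments'
Get-ScheduledTaskInfo -TaskName $taskName | Select-Object LastRunTime, LastTaskResult, NumberOfMissedRuns
```

Run it from an elevated PowerShell; registering a task that runs as SYSTEM needs administrator rights. After the next logon fires the trigger, Get-ScheduledTaskInfo shows whether the handler ran and with what exit code, which is quicker than waiting on the log file.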
