seyo g

Reputation: 13

I want to know the name of the value for properties[0] in the eventlog

I want to know the name of the value for properties[0] in the event log. PowerShell code:

$log = Get-WinEvent -FilterHashtable @{
    Logname ='System'
    ProviderName = 'Microsoft-Windows-Power-Troubleshooter'
    id = 1
} -Maxevents 1

$log.Properties[0].value

powershell

Upvotes: 0

Views: 157

Answers (3)

MisterSmith

Reputation: 3644

What does properties[0] mean?

properties is a collection of objects. Those objects contain a single member named "value". properties[0] is the 1st item in the properties array, e.g. properties[3] would be the 4th item in the collection, etc.

How do I know what the value is for?

You don't, directly. All you know for sure is that those properties are associated with the current eventlog event object you're inspecting, i.e. the current line in the EventLog application.

As an example, the below properties are like those included with a "The system has returned from a low power state" type of eventlog entry.

"Properties":  [
               {
                   "Value":  "\/Date(1462182672532)\/"
               },
               {
                   "Value":  0
               },
               {
                   "Value":  "AMD USB x.yy Host Controller ..."
               }
               ]

Other types of events will include their own properties.

I want to get a name for this property value.

There is no name provided in the event object that I can see.

I want to know what the value of properties[0] is for what name.

There is no name for any of the values, or an order. The properties for a given event relate to that particular kind of event - they are just a simple set of values of standard types like integers, strings and dates. The properties of an event will vary by event type/the application that sent the event and other reasons.


A simple hack to inspect any object (including your $log variable) would be to send it through | ConvertTo-Json to make a "human readable" JSON string from the object and output it. E.g. I can output a representation of your $log variable like this:

PS C:\Users\MyUsername> $log | ConvertTo-Json
{
    "Id":  1,
    "Version":  3,
    "Qualifiers":  null,
    "Level":  4,
    "Task":  0,
    "Opcode":  0,
    "Keywords":  -123456789,
    "RecordId":  123456789,
    "ProviderName":  "Microsoft-Windows-Power-Troubleshooter",
    "ProviderId":  "cdc05e28-c449-49c6-b9d2-88cf761644df",
    "LogName":  "System",
    "ProcessId":  123456789,
    "ThreadId":  123456789,
    "MachineName":  "computer-123456789",
    "UserId":  {
                   "BinaryLength":  12,
                   "AccountDomainSid":  null,
                   "Value":  "S-1-5-19"
               },
    "TimeCreated":  "\/Date(1213168537996)\/",
    "ActivityId":  "f60c79b6-fb0c-4d4f-a46e-099ff8d3b072",
    "RelatedActivityId":  null,
    "ContainerLog":  "System",
    "MatchedQueryIds":  [

                        ],
    "Bookmark":  {

                 },
    "LevelDisplayName":  "Information",
    "OpcodeDisplayName":  "Info",
    "TaskDisplayName":  null,
    "KeywordsDisplayNames":  [

                             ],
    "Properties":  [
                       {
                           "Value":  "\/Date(1213168537996)\/"
                       },
                       {
                           "Value":  "\/Date(1213168537996)\/"
                       },
                       {
                           "Value":  0
                       },
                       {
                           "Value":  "USB 7.02 Host Controller - 3.5 (Microsoft)"
                       }
                   ],
    "Message":  "The system has returned from a low power state. ..."
}

This shows you all the properties of the object sent to ConvertTo-Json. "RecordId": 123456789 from the output can be accessed with $log.RecordId in code, etc. Properties, MatchedQueryIds, KeywordsDisplayNames are all arrays (only Properties has any contents). Here you must use the array syntax, e.g. [0], where 0 is the element to access. If an array is empty, it's shown as [ ] in JSON.

Upvotes: 1

js2010

Reputation: 27546

You can use the xml method to see the names:

$log = Get-WinEvent @{ProviderName = 
  'Microsoft-Windows-Power-Troubleshooter'} -Maxevents 1
$xml = [xml]$log.toxml()
$xml.event.eventdata.data

Name                     #text
----                     -----
SleepTime                2024-05-12T05:02:03.8933908Z
WakeTime                 2024-05-12T13:10:24.4362685Z
SleepDuration            1367
WakeDuration             936
DriverInitDuration       185
BiosInitDuration         1002
HiberWriteDuration       4767
HiberReadDuration        0
HiberPagesWritten        525740
Attributes               1912623361
TargetState              4
EffectiveState           5
WakeSourceType           5
WakeSourceTextLength     39
WakeSourceText           Intel(R) Ethernet Connection (7) I219-V
WakeTimerOwnerLength     0
WakeTimerContextLength   0
NoMultiStageResumeReason 0
WakeTimerOwner
WakeTimerContext
CheckpointDuration       22

The -ListProvider parameter also provides the info:

get-winevent -ListProvider Microsoft-Windows-Power-Troubleshooter | % events | 
  select -first 1

Id          : 1
Version     : 0
LogLink     : System.Diagnostics.Eventing.Reader.EventLogLink
Level       : System.Diagnostics.Eventing.Reader.EventLevel
Opcode      : System.Diagnostics.Eventing.Reader.EventOpcode
Task        : System.Diagnostics.Eventing.Reader.EventTask
Keywords    : {}
Template    : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
                <data name="SleepTime" inType="win:FILETIME" outType="xs:dateTime"/>
                <data name="WakeTime" inType="win:FILETIME" outType="xs:dateTime"/>
                <data name="SleepDuration" inType="win:UInt32" outType="xs:unsignedInt"/>
                <data name="WakeDuration" inType="win:UInt32" outType="xs:unsignedInt"/>
                <data name="DriverInitDuration" inType="win:UInt32" outType="xs:unsignedInt"/>
                <data name="BiosInitDuration" inType="win:UInt32" outType="xs:unsignedInt"/>
                <data name="HiberWriteDuration" inType="win:UInt32" outType="xs:unsignedInt"/>
                <data name="HiberReadDuration" inType="win:UInt32" outType="xs:unsignedInt"/>
                <data name="HiberPagesWritten" inType="win:UInt32" outType="xs:unsignedInt"/>
                <data name="Attributes" inType="win:UInt32" outType="win:HexInt32"/>
                <data name="TargetState" inType="win:UInt32" outType="xs:unsignedInt"/>
                <data name="EffectiveState" inType="win:UInt32" outType="xs:unsignedInt"/>
                <data name="WakeSourceType" inType="win:UInt32" outType="xs:unsignedInt"/>
                <data name="WakeSourceTextLength" inType="win:UInt16" outType="xs:unsignedShort"/>
                <data name="WakeSourceText" inType="win:UnicodeString" outType="xs:string"
              length="WakeSourceTextLength"/>
              </template>

Description : The system has returned from a low power state.

              Sleep Time: %1
              Wake Time: %2

              Wake Source: %13%15

Upvotes: 2
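
Added example (not part of the answers on this page): a function that pairs each EventData position with the Name attribute carried in the event XML, so that index 0 can be read as SleepTime. The function name ConvertTo-NamedEventData and the sample XML are constructed for illustration; the field names are taken from the output shown above.

```powershell
# Added example: list EventData entries as Index / Name / Value.
function ConvertTo-NamedEventData {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$EventXml   # the string returned by $event.ToXml()
    )
    process {
        $doc = [xml]$EventXml
        # Event XML lives in a default namespace, so XPath needs a prefix for it.
        $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

        $index = 0
        foreach ($node in $doc.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
            $name = $node.GetAttribute('Name')   # empty string when the attribute is absent
            [pscustomobject]@{
                Index = $index
                # Some events carry <Data> without a Name; fall back to a positional label.
                Name  = if ($name) { $name } else { "Data$index" }
                Value = $node.InnerText
            }
            $index++
        }
    }
}

# Constructed sample event (shortened); the last <Data> has no Name on purpose.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Power-Troubleshooter" />
    <EventID>1</EventID>
  </System>
  <EventData>
    <Data Name="SleepTime">2024-05-12T05:02:03.8933908Z</Data>
    <Data Name="WakeTime">2024-05-12T13:10:24.4362685Z</Data>
    <Data Name="SleepDuration">1367</Data>
    <Data>value without a Name attribute</Data>
  </EventData>
</Event>
'@

$sample | ConvertTo-NamedEventData | Format-Table -AutoSize

# Against a live log, feed it the XML of a real record instead:
# (Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1 } -MaxEvents 1).ToXml() |
#     ConvertTo-NamedEventData
```

Selecting fields by Name instead of by index keeps a parsing script readable when different event types are processed by the same code.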

Mr.Key7

Reputation: 273

$log | Get-Member
($log | Get-Member).Name

Upvotes: 0
