Write Event to Windows Event Log using PowerShell


Creating an EventLog entry using PowerShell is shown below:

Write-EventLog -LogName 'Application' -Source 'MyEventSource' -EventID 1000 -EntryType Warning -Message "This is a test of writing to the Event Log using PowerShell."


Note: The Event Source needs to be created before writing entries to the Event Log. (See this post for further info: Create Event Source with PowerShell)



Create Event Source with PowerShell

To create a Event Source in PowerShell use this:

$Source = "MyEventSource"
if ([System.Diagnostics.EventLog]::SourceExists($Source) -eq $false {
  [System.Diagnostics.EventLog]::CreateEventSource($Source, "Application")

Get more info on CreateEventSource method here : http://msdn.microsoft.com/en-us/library/2awhba7a.aspx


In PowerShell 2.0 this is even simpler:

$Source = "MyEventSource"
New-EventLog -LogName Application -Source $Source


EventLog: Determine Windows startup (Event Log Service)

To determine when Windows was started search for Event ID 6005 in the System Event Log. The entry should look like this:

Log Name:     System
Source:       EventLog
Event ID:     6005
User:         N/A
Computer:     computername
Description:  The Event log service was started.

Microsoft Baseline Security Analyzer (MBSA) – on remote computer without a trust

In order to run Microsoft Baseline Security Analyzer (MBSA) against a remote computer with alternative credentials – such as computers in a perimeter without a trust – you have to either call MBSA from command line or connect to the remote computer using NET USE. Below are shown both alternatives:

Alternative #1 – command line

MBSACLI.EXE /target <server name> /u <username> /p <password>


Alternative #2 – GUI (with net use)


Before the scan is started run a Command Prompt as Administrator to specify alternative credentials with NET USE and the remote computer ip-adress.

NOTE: It is important to use Run As Administrator because Microsoft Baseline Security Analyzer (MBSA) is also running as administrator!

net use \\<computer-ip> <remote-password> /user:<remote-user>

When this is done Microsoft Baseline Security Analyzer (MBSA) can start scanning the remote computer from GUI