New-WinEvent
Creates a new Windows event for the specified event provider.
语法
Default (默认值)
New-WinEvent
[-ProviderName] <String>
[-Id] <Int32>
[-Version <Byte>]
[[-Payload] <Object[]>]
[<CommonParameters>]
说明
This cmdlet is only available on the Windows platform.
The New-WinEvent cmdlet creates an Event Tracing for Windows (ETW) event for an event provider.
You can use this cmdlet to add events to ETW channels from PowerShell.
示例
Example 1 - Create a new event
New-WinEvent -ProviderName Microsoft-Windows-PowerShell -Id 45090 -Payload @("Workflow", "Running")
This command uses the New-WinEvent cmdlet to create event 45090 for the
Microsoft-Windows-PowerShell provider.
Example 2 - Get the template for an event
In this example, Get-WinEvent is used to get the template for event id 8007 from the Group Policy
event provider. Notice that the event has two formats.
In version 0, the IsMachine field is a boolean value. In version 1, the IsMachine field is an unsigned integer value.
(Get-WinEvent -ListProvider Microsoft-Windows-GroupPolicy).Events | Where-Object Id -EQ 8007
Id : 8007
Version : 0
LogLink : System.Diagnostics.Eventing.Reader.EventLogLink
Level : System.Diagnostics.Eventing.Reader.EventLevel
Opcode : System.Diagnostics.Eventing.Reader.EventOpcode
Task : System.Diagnostics.Eventing.Reader.EventTask
Keywords : {}
Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
<data name="PolicyElaspedTimeInSeconds" inType="win:UInt32" outType="xs:unsignedInt"/>
<data name="ErrorCode" inType="win:UInt32" outType="win:HexInt32"/>
<data name="PrincipalSamName" inType="win:UnicodeString" outType="xs:string"/>
<data name="IsMachine" inType="win:Boolean" outType="xs:boolean"/>
<data name="IsConnectivityFailure" inType="win:Boolean" outType="xs:boolean"/>
</template>
Description : Completed periodic policy processing for user %3 in %1 seconds.
Id : 8007
Version : 1
LogLink : System.Diagnostics.Eventing.Reader.EventLogLink
Level : System.Diagnostics.Eventing.Reader.EventLevel
Opcode : System.Diagnostics.Eventing.Reader.EventOpcode
Task : System.Diagnostics.Eventing.Reader.EventTask
Keywords : {}
Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
<data name="PolicyElaspedTimeInSeconds" inType="win:UInt32" outType="xs:unsignedInt"/>
<data name="ErrorCode" inType="win:UInt32" outType="win:HexInt32"/>
<data name="PrincipalSamName" inType="win:UnicodeString" outType="xs:string"/>
<data name="IsMachine" inType="win:UInt32" outType="xs:unsignedInt"/>
<data name="IsConnectivityFailure" inType="win:Boolean" outType="xs:boolean"/>
</template>
Description : Completed periodic policy processing for user %3 in %1 seconds.
The Description property contains the message that gets written to the event log. The %3 and
%1 value are placeholders for the values passed into the template. The %3 string is replace with
the value passed to the PrincipalSamName field. The %1 string is replaced with value passed
to the PolicyElaspedTimeInSeconds field.
Example 3 - Create a new event using a versioned template
This example shows how to create an event using a specific template version.
$Payload = @(300, [uint32]'0x8001011f', $Env:USERNAME, 0, 1)
New-WinEvent -ProviderName Microsoft-Windows-GroupPolicy -Id 8007 -Version 1 -Payload $Payload
Get-WinEvent -ProviderName Microsoft-Windows-GroupPolicy -MaxEvents 1
ProviderName: Microsoft-Windows-GroupPolicy
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
5/4/2022 8:40:24 AM 8007 Information Completed periodic policy processing for user User1 in 300 seconds
If the values in the payload do not match the types in the template, the event is logged but the payload contains an error.
参数
-Id
Specifies an event Id that is registered in the event provider.
参数属性
| 类型: | Int32 |
| 默认值: | None |
| 支持通配符: | False |
| 不显示: | False |
参数集
(All)
| Position: | 1 |
| 必需: | True |
| 来自管道的值: | False |
| 来自管道的值(按属性名称): | False |
| 来自剩余参数的值: | False |
-Payload
The payload is an array of values passed as positional arguments to the event template. The values are inserted into the template to construct the message for the event. Events can have multiple template versions that use different formats.
If the values in the payload do not match the types in the template, the event is logged but the payload contains an error.
参数属性
| 类型: | Object[] |
| 默认值: | None |
| 支持通配符: | False |
| 不显示: | False |
参数集
(All)
| Position: | 2 |
| 必需: | False |
| 来自管道的值: | False |
| 来自管道的值(按属性名称): | False |
| 来自剩余参数的值: | False |
-ProviderName
Specifies the event provider that writes the event to an event log, such as "Microsoft-Windows-PowerShell". An ETW event provider is a logical entity that writes events to ETW sessions.
参数属性
| 类型: | String |
| 默认值: | None |
| 支持通配符: | False |
| 不显示: | False |
参数集
(All)
| Position: | 0 |
| 必需: | True |
| 来自管道的值: | False |
| 来自管道的值(按属性名称): | False |
| 来自剩余参数的值: | False |
-Version
Specifies the version number of the event. PowerShell converts the number to the required Byte type. The value specifies the version of the event when different versions of the same event are defined.
参数属性
| 类型: | Byte |
| 默认值: | None |
| 支持通配符: | False |
| 不显示: | False |
参数集
(All)
| Position: | Named |
| 必需: | False |
| 来自管道的值: | False |
| 来自管道的值(按属性名称): | False |
| 来自剩余参数的值: | False |
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
输入
None
You can't pipe objects to this cmdlet.
输出
None
This cmdlet returns no output.
备注
After the provider writes the event to an eventlog, you can use the Get-WinEvent cmdlet to get the
event from the event log.
