get Event Log Forwarder Subscribers with powershell

Paul Saunders 1 Reputation point

I want to get a list of subscribers for specific source initiated Event log forwarder subscriptions. Is there a way to get this in powershell?

Eventually I want to to develop a script that will tell me when a new subscriber is added.
It would also be nice if it would be possible to identify which subscribers are active and inactive.

I know they are all in the registry (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\EventCollector\Subscriptions{Subscription Name}\EventSources{Machine Name}

If that is the only way to enumerate a list, does anyone know how to identify which are active?

Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management updated to data storage.
2,230 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,184 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Ian Xue (Shanghai Wicresoft Co., Ltd.) 24,461 Reputation points Microsoft Vendor


    Does this meet your needs? The creation time of a subscription is not recorded in the registry.

    $path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\EventCollector\Subscriptions"  
    Get-ChildItem -Path $path|Select-Object -Property PSChildName,@{name='Enabled';expression={($_|Get-ItemProperty -Name Enabled).Enabled}}  

    Best Regards,
    Ian Xue


    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments