This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 41%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERS%3C/text%3E%3C/svg%3E)
How to select-object (Task category) in event logs.
For example :
Get-eventlog -LogName Security -After '8/15/2021 1:17:00' | where-object {$_.Category -like "removable storage"}
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 32%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
The 'Task Category' you see in the UI is based upon the language of the OS. Under the hood an event just has a category ID. The UI maps it to the localized name for convenience. Personally I think you should stick with the ID as it is consistent across locales and will work even from remote machines.
You are not, at this time, able to filter on task category strings as this information isn't directly stored in the event source that Get-EventLog (or even the newer Get-WinEvent) commandlets use. The ID is the most efficient approach. But note that it is not recommended that you use Where-Object with Get-EventLog (or anything that returns lots of data) because it is a filter. It is applied AFTER the previous pipeline command executes and therefore you're retrieving ALL the event log data and then filtering in PS from there. The better option is to do the filtering using the Get-EventLog filtering support directly. However you won't be able to filter by named category as that isn't stored in the event log data.
Hi @RocxieDan-0063 ,
please try this:
Get-EventLog -LogName Security -After '8/15/2021 1:17:00' | Where-Object {$_.Category -match 12812}
I found the number 12812 for the removable storage category here: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwintqmSt8zyAhXWhv0HHV3pA_sQFnoECBYQAQ&url=https%3A%2F%2Fdownload.microsoft.com%2Fdownload%2F6%2F0%2Fb%2F60b27ded-705a-4751-8e9f-642e635c3cf3%2Fmicrosoft%2520windows%25208%2520windows%2520server%25202012%2520common%2520criteria%2520supplemental%2520admin%2520guidance.docx&usg=AOvVaw3rQxNXMeNTUHjL1mdr1tU0
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
Regards
Andreas Baumgarten