Eventing Event Logs with PowerShell
I thought I was finished covering eventing with PowerShell, but a recent message on Twitter led to one final article. The question was about watching for new entries in an event log. This is a perfect use case and is right in the name. When some event occurs, it is recorded. The question from Twitter was about watching events without using WMI or CIM. First, let’s look at how you would use WMI or CIM.
Win32_NTLogEvent
You can use the system __InstanceCreationEvent class. Use the Win32_NTLogEvent class to watch for new event entries.
$query = "Select * from __InstanceCreationEvent within 10 WHERE TargetInstance ISA 'Win32_NTLogEvent'"
Register-CimIndicationEvent -Query $query -MessageData "An event was logged" -SourceIdentifier "WatchEventLog"
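The same subscription narrowed to one log and one event ID, with an action block that records each new entry. This is an added example, not code from the original article; the System log, event ID 7045, the WatchServiceInstall identifier, and the output field names are assumptions chosen for illustration.

```powershell
# Added example: the values below are assumptions for illustration, not from the article.
$logName  = 'System'               # assumed log to watch
$eventId  = 7045                   # assumed ID: Service Control Manager, "a service was installed"
$sourceId = 'WatchServiceInstall'  # assumed subscription name

# Filtering in WQL keeps the subscription from raising an event for every new entry in every log.
# WITHIN 10 polls for new instances every 10 seconds.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 10 " +
         "WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
         "AND TargetInstance.Logfile = '$logName' " +
         "AND TargetInstance.EventCode = $eventId"

# Remove a stale subscription from an earlier run so the identifier can be reused.
Get-EventSubscriber -SourceIdentifier $sourceId -ErrorAction SilentlyContinue |
    Unregister-Event

# The action runs once per matching entry; its output is collected by the event job.
$action = {
    $entry = $Event.SourceEventArgs.NewEvent.TargetInstance
    [pscustomobject]@{
        TimeGenerated = $entry.TimeGenerated
        Computer      = $entry.ComputerName
        Log           = $entry.Logfile
        EventCode     = $entry.EventCode
        Source        = $entry.SourceName
        Message       = $entry.Message
    }
}

$job = Register-CimIndicationEvent -Query $query -SourceIdentifier $sourceId -Action $action

# Later: read what has been captured so far without clearing it from the job.
Receive-Job -Job $job -Keep | Format-List

# When finished: stop the subscription and remove the job.
Unregister-Event -SourceIdentifier $sourceId
Remove-Job -Job $job -Force
```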