Viewing Windows Event Logs as Toast Notifications

Joshua Bendelbrot
3 min read · Jun 11, 2017


There is a way to display event log records as Windows Action Center notifications (aka toast notifications or tray balloon popups), which is handy for watching a test box while you work on it.

All you need is the BurntToast module, which makes toast notifications accessible from PowerShell, and an elevated PowerShell console (hit Win+X and choose 'Windows PowerShell (Admin)'). Elevation matters: creating an event source, subscribing to the Security log and subscribing to process-start events all require it.

1. Install BurntToast module

Download BurntToast.zip and extract it into your per-user module directory, Documents\WindowsPowerShell\Modules, so that Import-Module can find it by name. (The module is also published on the PowerShell Gallery, so Install-Module -Name BurntToast is an alternative to the manual download; either way, you are putting third-party code into your profile, so fetch it from the project's own releases.)

Invoke-WebRequest https://github.com/Windos/BurntToast/releases/download/v0.6.0/BurntToast.zip -OutFile .\BurntToast.zip
Expand-Archive -Path '.\BurntToast.zip' -DestinationPath "${env:USERPROFILE}\Documents\WindowsPowerShell\Modules\BurntToast"

2. Create an event source

We will need it to write test entries and check that everything works. New-EventLog needs an elevated console:

New-EventLog -LogName Application -Source "My Script"

3. Monitoring events

Save the following code chunk as 'NewEventToast.ps1':

Import-Module BurntToast
$Computer = "."
# Intrinsic WMI event: fires for every record written to the classic event logs
# (Application, System, Security, ...). Append "AND TargetInstance.Logfile = 'Application'"
# to the WHERE clause if you only want one log. The Security log needs an elevated console.
$QS = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent'"
Register-WmiEvent -Query $QS -SourceIdentifier "AppLogEntry" -ComputerName $Computer -Action {
    # TargetInstance is the Win32_NTLogEvent record that was just written
    $Value = $Event.SourceEventArgs.NewEvent.TargetInstance

    # You can use these variables for any purpose
    $Category = $Value.Category
    $CategoryString = $Value.CategoryString
    $ComputerName = $Value.ComputerName
    $Data = $Value.Data # System.Byte[]
    $EventCode = $Value.EventCode # the event ID you see in Event Viewer
    $EventIdentifier = $Value.EventIdentifier
    $EventType = $Value.EventType
    $InsertionStrings = $Value.InsertionStrings
    $Logfile = $Value.Logfile # Application, ...
    $Message = $Value.Message # Text message
    $RecordNumber = $Value.RecordNumber
    $SourceName = $Value.SourceName # Event source
    $TimeGenerated = $Value.TimeGenerated # DMTF string; convert with [Management.ManagementDateTimeConverter]::ToDateTime
    $TimeWritten = $Value.TimeWritten
    $Type = $Value.Type # Error, ...
    $User = $Value.User
    $ClassPath = $Value.ClassPath # Win32_NTLogEvent
    $Site = $Value.Site
    $Container = $Value.Container

    # Toast is the alias BurntToast defines for New-BurntToastNotification
    Toast -Text "$Type $EventCode, ${Logfile}: $Message"
    # Discard the handled event from the session's event queue
    Remove-Event -EventIdentifier $Event.EventIdentifier
}

This code uses WMI (Windows Management Instrumentation), Microsoft's implementation of the CIM (Common Information Model) standard, to subscribe to new log records. The same subscription can be made with the CIM cmdlets (Register-CimIndicationEvent), which are the newer interface and talk to remote machines over WinRM instead of DCOM; section 6 shows one.

4. Run

Dot-source the script. This registers the subscription and its action in the current session; it lives only as long as the PowerShell session (Get-EventSubscriber lists it, Unregister-Event removes it). If the execution policy refuses to load the script, uncomment the first line: it lowers the policy for this process only and leaves the machine-wide setting alone.

# Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
. NewEventToast.ps1

5. Test it

Let’s write a test message to our event source ‘My Script’:

Write-EventLog -LogName Application -Source "My Script" -EntryType Information -EventID 1 -Message "My toast from event log!"

A toast should pop up. Hit Win+A to open Action Center and see all the notifications that have arrived.

You may want to compare against the log itself with the 'eventvwr.msc' command.
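The full procedure from steps 1 to 5 again, narrowed to a few security-relevant records instead of every record in every log, as an added example that is not part of the original post. It assumes BurntToast is installed as in step 1, the 'My Script' source exists from step 2, and the console is elevated (the Security log is not readable otherwise). Event IDs 4625 (failed logon), 1102 (audit log cleared) and 7045 (new service installed) are the standard Windows IDs; the 'My Script' clause keeps the Write-EventLog test from step 5 working; the trail file path is an assumption.

```powershell
# Added example, not from the original post. Assumes BurntToast is installed
# (step 1), the 'My Script' source exists (step 2) and the console is elevated.
Import-Module BurntToast

# Filter in WQL, at the source: WMI then only wakes the action block for the
# records we care about instead of for every record in every classic log.
#   Security 4625 = failed logon, Security 1102 = audit log cleared,
#   System 7045   = new service installed,
#   Application/'My Script' = the test source from step 2, so step 5 still works.
$Query = @"
SELECT * FROM __InstanceCreationEvent
WHERE TargetInstance ISA 'Win32_NTLogEvent'
  AND (   (TargetInstance.Logfile = 'Security' AND TargetInstance.EventCode = 4625)
       OR (TargetInstance.Logfile = 'Security' AND TargetInstance.EventCode = 1102)
       OR (TargetInstance.Logfile = 'System'   AND TargetInstance.EventCode = 7045)
       OR (TargetInstance.Logfile = 'Application' AND TargetInstance.SourceName = 'My Script'))
"@

# Assumed location for a local trail of what was toasted (path is an assumption).
$ToastLog = "$env:USERPROFILE\toasted-events.log"

$Action = {
    $E = $Event.SourceEventArgs.NewEvent.TargetInstance   # the Win32_NTLogEvent just written

    $Label = switch ($E.EventCode) {
        4625    { 'Failed logon' }
        1102    { 'Audit log cleared' }
        7045    { 'New service installed' }
        default { "Event $($E.EventCode) from $($E.SourceName)" }
    }

    # TimeGenerated arrives as a DMTF string (yyyymmddHHMMSS.ffffff+UUU); convert it.
    $When = [System.Management.ManagementDateTimeConverter]::ToDateTime($E.TimeGenerated)

    # Toasts truncate long text: show the first line only, the full record stays in the log.
    $FirstLine = ([string]$E.Message -split "`r?`n")[0]

    Toast -Text "$Label ($($E.Logfile) $($E.EventCode))", "$($When.ToString('HH:mm:ss')) $FirstLine"

    # Keep a one-line trail so alerts that were dismissed can still be reviewed later.
    # The action block runs in its own runspace, so the path comes in via -MessageData.
    "$($When.ToString('s'))`t$($E.Logfile)`t$($E.EventCode)`t$($E.SourceName)`t$FirstLine" |
        Add-Content -Path $Event.MessageData
}

Register-WmiEvent -Query $Query -SourceIdentifier 'SecurityToast' -MessageData $ToastLog -Action $Action

# The subscription lives only in this session. To inspect or tear it down:
#   Get-EventSubscriber
#   Unregister-Event -SourceIdentifier 'SecurityToast'
```

To test it, reuse the Write-EventLog line from step 5, or type a deliberately wrong password at `runas /user:$env:USERNAME cmd` to produce a real 4625 (this needs failure auditing for logon events to be enabled). Keeping the filter in the WQL rather than in the action block is the important design choice: the WMI service does the matching, and the PowerShell action only runs for records you actually want to see.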

6. More fun with events

  1. Windows writes a lot of low-value diagnostic records. If the toasts become overwhelming, the one-liner below disables every channel whose name ends in Perf, Analytic, Debug or Diagnostic, or contains Telemetry. Be deliberate about it: Analytic and Debug channels are off by default anyway, and disabling a channel removes evidence you may later want for incident response, so prefer narrowing the WQL filter (Logfile, EventCode, Type) over turning logs off:
(wevtutil.exe el) | Select-String -Pattern "(/(Perf|Analytic|Debug|Diagnostic)$)|Telemetry" | foreach { wevtutil.exe sl "$_" /e:false }

2. There are a lot of other CIM classes you can subscribe to as well. Here's one line to get a list of them:

Get-CimClass | select * | Out-GridView

… or use ‘wbemtest.exe’ GUI utility which comes with Windows.

Here’s an example of showing popup toasts on a new process creation:

Import-Module BurntToast
# Win32_ProcessStartTrace is an extrinsic event class; subscribing to it needs an elevated console.
$action = {
    $name = $event.SourceEventArgs.NewEvent.ProcessName
    $id = $event.SourceEventArgs.NewEvent.ProcessId
    Toast -Text "$name; PID = $id"
}
Register-CimIndicationEvent -ClassName 'Win32_ProcessStartTrace' -SourceIdentifier "ProcessStarted" -Action $action

Start it and open a new tab in Chrome: each tab is a new renderer process, so a toast appears.
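The process-start subscription above, extended with what a practitioner usually wants next, as an added example that is not part of the original post: a helper that lists every subscribable event class (the answer to item 2), a WQL exclusion for one noisy process, and enrichment of each start event with the parent process and command line from Win32_Process. It assumes BurntToast is installed and the console is elevated; the Get-CimEventClass function name is mine, and conhost.exe is an assumed example of a process you would rather not be told about.

```powershell
# Added example, not from the original post. Assumes BurntToast is installed and
# the console is elevated (Win32_ProcessStartTrace requires admin rights).
Import-Module BurntToast

# Which classes can you subscribe to? Every WMI event class descends from __Event,
# so walk the class tree from there (Get-CimClass only exposes the immediate parent).
function Get-CimEventClass {
    param([string]$Namespace = 'root\cimv2')
    $children = @{}
    foreach ($c in Get-CimClass -Namespace $Namespace) {
        if (-not $c.CimSuperClassName) { continue }
        if (-not $children.ContainsKey($c.CimSuperClassName)) {
            $children[$c.CimSuperClassName] = [System.Collections.Generic.List[string]]::new()
        }
        $children[$c.CimSuperClassName].Add($c.CimClassName)
    }
    $queue = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue('__Event')
    while ($queue.Count -gt 0) {
        $name = $queue.Dequeue()
        foreach ($child in $children[$name]) { $child; $queue.Enqueue($child) }
    }
}
# Get-CimEventClass | Sort-Object | Out-GridView

# Win32_ProcessStartTrace only carries name, PID, parent PID, session and SID.
# Exclude a noisy process in WQL (conhost.exe is an assumed example) and enrich the rest.
$Query = "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName <> 'conhost.exe'"

$Action = {
    $e = $Event.SourceEventArgs.NewEvent

    # Short-lived processes may already be gone by the time we look them up, so treat
    # both lookups as best effort rather than assuming they succeed.
    $proc   = Get-CimInstance Win32_Process -Filter "ProcessId = $($e.ProcessID)" -ErrorAction SilentlyContinue
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($e.ParentProcessID)" -ErrorAction SilentlyContinue

    $parentName = if ($parent) { $parent.Name } else { "<exited> (PID $($e.ParentProcessID))" }
    $cmdLine    = if ($proc -and $proc.CommandLine) { $proc.CommandLine } else { '<command line unavailable>' }

    # Three lines: process, parent, command line. The parent is what tells you whether
    # cmd.exe was started by you or by something that should not be spawning shells.
    Toast -Text "$($e.ProcessName) (PID $($e.ProcessID))", "Parent: $parentName", $cmdLine
}

Register-CimIndicationEvent -Query $Query -SourceIdentifier 'ProcessStarted' -Action $Action

# Tear down with: Unregister-Event -SourceIdentifier 'ProcessStarted'
```

The parent lookup is the part worth keeping even if you drop the rest: the trace event alone tells you that powershell.exe started, while the parent tells you whether explorer.exe or winword.exe started it.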

3. Use this tool for viewing events, including .evtx files from offline systems.

I hope you found it useful. Your feedback will be highly appreciated.

