Saturday, April 27, 2019

robbering folder...hacking

Get-WinEvent with non-administrative user

This gives our support people instant access to the latest history without any elevated privileges....

$event = Get-WinEvent -FilterHashtable @{LogName='Security';Id=4740} -MaxEvents 1



You could also read a saved .evtx file offline, restricted to a period of time:
Get-WinEvent -path "C:\temp\*Security*.evtx" -max 10 -FilterHashtable @{Providername="Microsoft-Windows-Security-Auditing"; id=4740; StartTime=1/7/2013; EndTime=1/8/2013}
But PowerShell returns an error:
Get-WinEvent : Parameter set cannot be resolved using the specified named parameters.
The answer was: "put quotes around them or explicitly define them as DateTime."
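The command above also mixes -Path with -FilterHashtable, which sit in different Get-WinEvent parameter sets, and that is what actually triggers the "parameter set cannot be resolved" message; the dates must be real DateTime values as well. The script below is an added example, not from the original post: it moves the file path inside the hashtable, casts the dates, and summarises the 4740 lockouts per account and caller computer. The folder and date range are assumed placeholders.

```powershell
# Added example (not from the original post): summarise account-lockout events (ID 4740)
# from exported Security .evtx files for a time window. The log path goes inside the
# hashtable as the Path key so it does not collide with -FilterHashtable's parameter set.
param(
    [string]$LogFolder = 'C:\temp',                 # assumption: folder holding the exported logs
    [datetime]$Start   = [datetime]'1/7/2013',      # assumption: same dates as the post
    [datetime]$End     = [datetime]'1/8/2013'
)

# Resolve the wildcard ourselves so the hashtable receives concrete file names.
$files = (Get-ChildItem -Path (Join-Path $LogFolder '*Security*.evtx')).FullName
if (-not $files) { throw "No *Security*.evtx files found under $LogFolder" }

$filter = @{
    Path         = $files
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    Id           = 4740
    StartTime    = $Start
    EndTime      = $End
}

# -ErrorAction SilentlyContinue: Get-WinEvent raises an error when nothing matches.
$lockouts = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Read named EventData fields from the XML instead of relying on positional Properties[n].
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time           = $_.TimeCreated
        LockedAccount  = $data['TargetUserName']
        CallerComputer = $data['TargetDomainName']   # for 4740 this field carries the source machine
        DomainController = $_.MachineName
    }
}

# Which accounts lock out most often, and from which machines the bad attempts came.
$lockouts |
    Group-Object LockedAccount, CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Account'; e = { $_.Group[0].LockedAccount } },
        @{ n = 'Caller';  e = { $_.Group[0].CallerComputer } } |
    Format-Table -AutoSize
```

Reading the live Security log still requires membership in the Event Log Readers group (or administrator rights); an exported .evtx file only needs NTFS read access, which is why the offline approach suits support staff.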
