Event Details
EventID 4104 - Execute a Remote Command
 Sample:
Creating Scriptblock text (%1 of %2):%n%3%n%nScriptBlock ID: %4%nPath: %5

Creating Scriptblock text (4 of 4):
lready available on this system. This module '{1}' may override the existing commands. If you still want to install this module '{1}', use -AllowClobber parameter.
CatalogFileFound=Found the catalog file '{0}' in the module '{1}' contents.
CatalogFileNotFoundInAvailableModule=Catalog file '{0}' is not found in the contents of the previously-installed module '{1}' with the same name.
CatalogFileNotFoundInNewModule=Catalog file '{0}' is not found in the contents of the module '{1}' being installed.
ValidAuthenticodeSignature=Valid authenticode signature found in the catalog file '{0}' for the module '{1}'.
ValidatingCatalogSignature=Validating the '{0}' module files for catalog signing using the catalog file '{1}'.
AuthenticodeIssuerMatch=Authenticode issuer '{0}' of the new module '{1}' with version '{2}' matches with the authenticode issuer '{3}' of the previously-installed module '{4}' with version '{5}'.
ValidCatalogSignature=The catalog signature in '{0}' of the module '{1}' is valid and matches with the hash generated from the module contents.
SkippingPublisherCheck=Skipping the Publisher check for the version '{0}' of module '{1}'.
SourceModuleDetailsForPublisherValidation=For publisher validation, using the previously-installed module '{0}' with version '{1}' under '{2}' with publisher name '{3}'. Is this module signed by Microsoft: '{4}'.
NewModuleVersionDetailsForPublisherValidation=For publisher validation, current module '{0}' with version '{1}' with publisher name '{2}'. Is this module signed by Microsoft: '{3}'.
PublishersMatch=Publisher '{0}' of the new module '{1}' with version '{2}' matches with the publisher '{3}' of the previously-installed module '{4}' with version '{5}'. Both versions are signed with a Microsoft root certifacte.
PublishersMismatch=A Microsoft-signed module named '{0}' with version '{1}' that was previously installed conflicts with the new module '{2}' from publisher '{3}' with version '{4}'. Installing the new module may result in system instability. If you still want to install or update, use -SkipPublisherCheck parameter.
ModuleIsNotCatalogSigned=The version '{0}' of the module '{1}' being installed is not catalog signed. Ensure that the version '{0}' of the module '{1}' has the catalog file '{2}' and signed with the same publisher '{3}' as the previously-installed module '{0}' with version '{4}' under the directory '{5}'. If you still want to install or update, use -SkipPublisherCheck parameter.
###PSLOC
'@



ScriptBlock ID: 99d94184-6286-4ea0-b761-9f3c35e98c55
Path: 
Log Type: Windows Event Log
Uniquely Identified By:
Log Name: PowerShellCore/Operational
Filtering Field | Equals to Value
EventId | 4104
Field Matching
Field | Description | Stored in | Sample Value
DateTime | Date/Time of event origination in GMT format. | DateTime | 10.10.2000 19:00:00
Source | Name of an Application or System Service originating the event. | Source | Security
Type | Warning, Information, Error, Success, Failure, etc. | Type | Success
User | Domain\Account name of user/service/computer initiating event. | User | RESEARCH\Alebovsky
Computer | Name of server workstation where event was logged. | Computer | DC1
EventID | Numerical ID of event. Unique within one Event Source. | EventId | 576
Description | The entire unparsed event message. | Description | Special privileges assigned to new logon.
Log Name | The name of the event log (e.g. Application, Security, System, etc.) | LogName | Security
Event in Sequence | | InsertionString1 |
Sequence Length | | InsertionString2 |
Scriptblock | | InsertionString3 |
Scriptblock ID | | InsertionString4 |
Path | | InsertionString5 |
Payload | | InsertionString3 |