Check out the new version: https://github.com/BeanBagKing/EventFinder2

EventFinder 2.0 was re-written in C# to avoid the massive number of PowerShell logs. I'm leaving this version for reference and as an alternative, but I highly suggest checking out the new version.

Finds event logs between two time points. Useful for support/malware analysis.

This program allows you to mark (or set) a beginning and end time period, then grabs all events between those periods. It dumps these to a sorted CSV on the desktop.

This program will not read certain logs (Security, Sysmon) without Administrator privileges.

This is EXTREAMLY noisy in PowerShell logs due to nested loops. I don't think this is avoidable so be careful not to push legitimate logs you need off the end of the stack.

Support teams can mark a begin time, and perform an action that may cause a crash or other problem on a workstation. Then mark the end and dump the logs to determin what might have happened.

A security analyst could use this to run malware (in a contained environment) and determin via logs what this malware did and in what order, which may be used to create IOC's

• Open a PowerShell window as Administrator
• Run the program (e.g. .\EventFinder.ps1)
• In the resulting window, click Start Time button
• Perform whatever action that you want to see events for
• Click the End Time button - At this point (or any other), the time periods can be manually adjusted
• Click Find Events
• Wait while the program generates a CSV of found events on the current desktop - File name will be "Logs_Runtime_<datestamp>_<runtime>.csv"