Hi Pro,
I have an Event Viewer file, AdmPwd.evtx, saved at C:\Users\knliew\Desktop\AdmPwd.evtx.
I wanted to filter for the user name "maadmin_asamit" in the events but it keeps failing. Below is the full detail for one of the events:
========================
The description for Event ID 1 from source Portal cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. If the event originated on another computer, the display information had to be saved with the event. The following information was included with the event:
Timestamp: 7/16/2015 2:06:11 PM
Description: Password retrieved for computer.
User: PRG-DC\maadmin_asamit
Computer: macaswna1110001
Comment: This event is logged in case that user retrieves password for computer. Username format: domain\sAMAccountName Computer is NetBIOS name of computer
EventId: 1
Severity: Information
=========================
I'm using Get-WinEvent -FilterHashtable @{Path="C:\Users\knliew\Desktop\AdmPwd.evtx";Logname="AdmPwd"} | Where-object {$_.message -match "maadmin_asamit"}
but it always says that there is not an event log on the localhost computer that matches "AdmPwd".
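
One way to audit these password-retrieval events from the saved file, as an added example that is not part of the original post. It assumes the `LogName` key is what triggers the local log lookup reported in the error, so it filters by `Path` only, and it assumes the event text may be missing from `Message` because the "Portal" source is not installed locally, so it also searches the event's raw `Properties`.

```powershell
# Added example (not from the original post): find password-retrieval events
# for one account in a saved .evtx file. Path and account name come from the post.
$evtx    = 'C:\Users\knliew\Desktop\AdmPwd.evtx'
$account = 'maadmin_asamit'

# Query the file by Path only; Id = 1 narrows the result before the pipeline.
# Assumption: a LogName key is resolved against logs registered on this computer,
# which is why the original command reports that no matching log exists.
$events = Get-WinEvent -FilterHashtable @{ Path = $evtx; Id = 1 } -ErrorAction Stop

$hits = foreach ($e in $events) {
    # If the event source is not installed locally, Message can be empty,
    # so combine it with the raw insertion strings stored in Properties.
    $parts = @($e.Message) + @($e.Properties | ForEach-Object { [string]$_.Value })
    $text  = $parts -join "`n"

    # Escape the account name so it is matched literally, not as a regex.
    if ($text -notmatch [regex]::Escape($account)) { continue }

    # Pull the "User:" and "Computer:" fields shown in the sample event.
    $user     = if ($text -match 'User:\s*(?<v>\S+)')     { $Matches['v'] } else { $null }
    $computer = if ($text -match 'Computer:\s*(?<v>\S+)') { $Matches['v'] } else { $null }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        RecordId    = $e.RecordId
        User        = $user
        Computer    = $computer
    }
}

# One row per retrieval by the account, oldest first.
$hits | Sort-Object TimeCreated | Format-Table -AutoSize
```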