I'm using this code below to retrieve the value for the TimeGenerated
on a win32 event log on a remote server.
$event = Get-WMIObject -ComputerName $server -Query "SELECT * FROM Win32_NTLogEvent WHERE LogFile='Application' AND CategoryString = 'Server Startup'" |
Select -ExpandProperty TimeGenerated -First 1
The return value is:
20160123155933.000000-000
but the event log via the event viewer shows this as the value:
Logged: 1/23/2016 10:59:33 AM
How would I extract the correct date in the format above?
As an aside, if you run your command in the ISE, you can discover properties and commands on the objects returned using IntelliSense.
That said, this article talks a lot about "eventlog" and "TimeGenerated" (the 2 terms I searched on to find this answer).
Don't use -ExpandProperty, but rather call ConvertToDateTime(), something similar to what I show below (I modified your call to just grab the first event in my log).
$obj = Get-WMIObject -Query "SELECT * FROM Win32_NTLogEvent WHERE LogFile='Application'" | Select -First 1
$obj.ConvertToDateTime($obj.TimeGenerated).ToString()
This outputs a formatted date converted from raw UTC to local time.
TimeGenerated : 20160124010615.134877-000
becomes
1/23/2016 5:06:15 PM
I think with this info, you have a workable solution to build upon.
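The conversion discussed above, written out by hand so the UTC offset handling is visible. This is an added example, not part of the original question or answer; the function name ConvertFrom-DmtfDateTime is hypothetical, and it assumes PowerShell 5 or later and a fully specified DMTF string with no wildcard characters.

```powershell
# Added example: parse a WMI/DMTF datetime string without needing the WMI object.
function ConvertFrom-DmtfDateTime {
    param([Parameter(Mandatory)][string]$Dmtf)

    # Layout: yyyyMMddHHmmss.ffffff(+|-)UUU, where UUU is the UTC offset in MINUTES.
    $m = [regex]::Match($Dmtf, '^(\d{14})\.(\d{6})([+-])(\d{3})$')
    if (-not $m.Success) {
        throw "Not a fully specified DMTF datetime: '$Dmtf'"
    }

    $micro   = [int]$m.Groups[2].Value
    $minutes = [int]$m.Groups[4].Value
    if ($m.Groups[3].Value -eq '-') { $minutes = -$minutes }

    # Wall-clock part of the string, read independently of the current culture.
    $clock = [datetime]::ParseExact($m.Groups[1].Value, 'yyyyMMddHHmmss',
                 [Globalization.CultureInfo]::InvariantCulture)
    $clock = $clock.AddTicks($micro * 10)    # 1 microsecond = 10 ticks

    # Attach the offset carried in the string, giving an unambiguous instant.
    [DateTimeOffset]::new($clock, [TimeSpan]::FromMinutes($minutes))
}

# The two raw values quoted on this page; both carry a -000 offset, i.e. UTC.
foreach ($raw in '20160123155933.000000-000', '20160124010615.134877-000') {
    $dto = ConvertFrom-DmtfDateTime $raw
    [pscustomobject]@{
        Raw   = $raw
        # Round-trip UTC form: stable across machines, suited to correlating logs.
        Utc   = $dto.UtcDateTime.ToString('o')
        # Local time of the machine running this script, formatted per its culture.
        Local = $dto.LocalDateTime.ToString()
    }
}
```

The Local column depends on the time zone of the workstation running the script, not of the remote server, so keep the Utc value when building a timeline from several hosts.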