Category Archives: Uncategorized

Find the largest files modified today

If you’re not using fancy file auditing software to track things, it may be challenging to find out who just filled up your drive with a bunch of data.  Here’s a PowerShell script to brute force way, crawling through your network shared drive to find the largest files that were modified today.  It can take a while to run if you have many folders and files to crawl through.  Now you can have a list of your top 100 largest files and who owns them.

# Largest X files created today
$limit = 100
$filesToday = Get-Childitem $searchPath * -Recurse -File -ErrorAction "SilentlyContinue" | 
 Where-Object {($_.LastWriteTime -gt (Get-Date).Date)} 
$largestFiles = $filesToday | Sort-Object -Property length -Descending | Select-Object Name, @{Name="SizeInMB";Expression={$_.Length / 1MB}},@{Name="Path";Expression={$}}, @{Name="Owner";Expression={(Get-Acl $_.FullName).Owner}} -First $limit
$largestFiles | Export-Csv (".\largestFilesToday_" + (Get-Date -Format "yyyy_MM_dd_hhmm") + ".csv")

JSON vs XML for PowerShell

It felt like XML was a bit dated for data transport.  It is/has been a bit cumbersome to parse and manage from PowerShell.  I’ve been seeing a lot more JSON everywhere and was curious to know if support for it was implemented in PowerShell.  It is.  As it turns out, it’s much easier to use.  Now to go back and update all my scripts to start using it.  Sigh…

Here’s an awesome article by June Blender on how to transition to start using it:


Get-WinEvent vs. Get-EventLog

So, these two appear to be very similar at first glance.  However, depending on the data one wants to filter in on, one is significantly better than the other.  For me, the bottom line is using Get-Eventlog for filtering the Security Event Log is much faster.  That’s what I needed to know.

An article by Mark Berry was very helpful:

PowerShell: Get-WinEvent vs. Get-EventLog


  1. If you’re writing a PowerShell script to handle events from Vista or Server 2008, avoid the Get-WinEvent –FilterHashtable parameter; use –FilterXML instead.
  2. Even on Vista and beyond, consider using Get-EventLog if you need to filter the Security log for Audit Failures.