Broke solution up into 3 parts: A common core library, a windows GUI and a automated console version that takes only a .config file as input.

Author: AdamWhiteHat

.gitignore

@@ -5,3 +5,12 @@
 /.vs
 /obj
 /bin
+
+/WELSConsole/bin
+/WELSConsole/obj
+
+/WELSCore/bin
+/WELSCore/obj
+
+/WELSearchGUI/bin
+/WELSearchGUI/obj

Form1.cs

@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+	<startup>
+		<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
+	</startup>
+	<appSettings>
+
+		<add key="Path.Input" value="C:\Temp\wEventLogSearch\InputEventFiles.evtx"/>
+		<add key="Path.Output" value="C:\Temp\wEventLogSearch\EventLogSearch.csv"/>
+
+		<add key="Search.EventIDs" value="4689 or EventID=4688"/>
+		<add key="Search.Filter" value=""/>
+		<add key="Search.ValueLocations" value=""/>
+		<add key="Search.TimeDifference" value="-1"/>
+
+		<add key="Bool.InputIsSingleFile" value="True"/>
+		<add key="Bool.IncludeLogSource" value="True"/>
+		<add key="Bool.GroupIntoOneColumn" value="False"/>
+
+	</appSettings>
+</configuration>

Program.cs

@@ -0,0 +1,23 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace WELSConsole
+{
+	public static class Configuration
+	{
+		public static string Path_Input = ConfigurationReader.GetConfigurationValue<string>("Path.Input") ?? "";
+		public static string Path_Output = ConfigurationReader.GetConfigurationValue<string>("Path.Output") ?? "";
+
+		public static string Search_EventIDs = ConfigurationReader.GetConfigurationValue<string>("Search.EventIDs") ?? "";
+		public static string Search_Filter = ConfigurationReader.GetConfigurationValue<string>("Search.Filter") ?? "";
+		public static string Search_ValueLocations = ConfigurationReader.GetConfigurationValue<string>("Search.ValueLocations") ?? "";
+		public static long Search_TimeDifference = ConfigurationReader.GetConfigurationValue<long>("Search.TimeDifference");
+
+		public static bool Bool_InputIsSingleFile = ConfigurationReader.GetConfigurationValue<bool>("Bool.InputIsSingleFile");
+		public static bool Bool_IncludeLogSource = ConfigurationReader.GetConfigurationValue<bool>("Bool.IncludeLogSource");
+		public static bool Bool_GroupIntoOneColumn = ConfigurationReader.GetConfigurationValue<bool>("Bool.GroupIntoOneColumn");
+	}
+}

WELSConsole/App.config

@@ -0,0 +1,40 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Configuration;
+
+namespace WELSConsole
+{
+	public static class ConfigurationReader
+	{
+		public static T GetConfigurationValue<T>(string SettingName)
+		{
+			if (ConfigurationExists(SettingName))
+			{
+				T result = (T)Convert.ChangeType(ConfigurationManager.AppSettings[SettingName], typeof(T));
+				if (result != null)
+				{
+					return result;
+				}
+			}
+			return default(T);
+		}
+
+		public static bool ConfigurationExists(string SettingName)
+		{
+			if (
+				!string.IsNullOrWhiteSpace(SettingName)
+				&& ConfigurationManager.AppSettings.HasKeys()
+				&& !string.IsNullOrWhiteSpace(ConfigurationManager.AppSettings[SettingName])
+				)
+			{
+				return true;
+			}
+			else
+			{
+				return false;
+			}
+		}
+	}
+}

WELSConsole/Configuration.cs

@@ -0,0 +1,70 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+using WELSCore;
+
+namespace WELSConsole
+{
+	internal class Program
+	{
+		static void Main(string[] args)
+		{
+			AppDomain.CurrentDomain.UnhandledException += CurrentDomain_UnhandledException;
+
+			LogInformation($"{AppDomain.CurrentDomain.FriendlyName} executed on: {DateTime.Now.ToLongDateString()} at {DateTime.Now.ToLongTimeString()}.");
+			SearchParameters parameters = GetSearchParameters();
+			LogInformation($"Configuration acquired from {AppDomain.CurrentDomain.FriendlyName}.config. Starting Search...");
+			SearchCore.Search(parameters);
+			LogInformation($"Search completed on {DateTime.Now.ToLongDateString()} at {DateTime.Now.ToLongTimeString()}. Exiting...");
+		}
+
+		private static SearchParameters GetSearchParameters()
+		{
+			SearchParameters result = new SearchParameters()
+			{
+				LogInformationFunction = LogInformation,
+				LogErrorFunction = LogError,
+				LogExceptionFunction = LogException,
+
+				InputPath = Configuration.Path_Input,
+				OutputPath = Configuration.Path_Output,
+
+				EventIDs = Configuration.Search_EventIDs,
+				Filter = Configuration.Search_Filter,
+				ValueLocations = Configuration.Search_ValueLocations,
+				TimeDifference = Configuration.Search_TimeDifference,
+
+				InputIsSingleFile = Configuration.Bool_InputIsSingleFile,
+				IncludeLogSource = Configuration.Bool_IncludeLogSource,
+				GroupIntoOneColumn = Configuration.Bool_GroupIntoOneColumn
+			};
+
+			return result;
+		}
+
+		private static void CurrentDomain_UnhandledException(object sender, UnhandledExceptionEventArgs e)
+		{
+			LogException($"Global exception handler caught an exception! Is terminating: {e.IsTerminating}.", (Exception)e.ExceptionObject);
+		}
+
+		private static void LogInformation(string message)
+		{
+			Console.WriteLine(message);
+		}
+
+		private static void LogError(string message)
+		{
+			Console.ForegroundColor = ConsoleColor.Red;
+			Console.Error.WriteLine(message);
+			Console.ResetColor();
+		}
+
+		private static void LogException(string message, Exception ex)
+		{
+			LogError(message);
+			LogError(ex.ToString());
+		}
+	}
+}

WELSConsole/ConfigurationReader.cs

@@ -0,0 +1,35 @@
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("WindowsEventLogSearchConsole")]
+[assembly: AssemblyDescription("https://github.com/RandomRhythm/wEventLogSearch")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("")]
+[assembly: AssemblyProduct("WindowsEventLogSearchConsole")]
+[assembly: AssemblyCopyright("Copyright © Ryan B & Adam White 2023")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components.  If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("34e0bbce-cc08-40df-a0db-544f54c5130c")]
+
+// Version information for an assembly consists of the following four values:
+//
+//      Major Version
+//      Minor Version
+//      Build Number
+//      Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.0.0.0")]