Sysinternal's ProcMon program is a great debugging tool that can be used to achieve various objectives.  Whether helping a developer debug a software issue, an exploit developer looking for security holes, or a threat hunter looking for particular activity (although a little bit of an overt method).  It's a great tool for "looking under the hood" when it comes to the Windows API.

Sifting through the data via the GUI can be a little painful unless you--at least--have an idea of what you're looking for.  Even then, stacking entries from disparate locations is about as fun as not ever having jumped on a trampoline as a kid...  As you suspected, Powershell lends itself to cutting all ze datas!

Once you've grabbed all the data you intend to analyze, save the file as a .CSV so it can be imported in Powershell.   You can use XML as well, but this only covers .CSV.

After that, pull the CSV file into an array with the Get-Content cmdlet, then pipe it to the ConvertFrom-CSV cmdlet:

Note that the bigger the file, the longer the time it will take to process.  If you're working with huge data-sets, you may want to split the .csv.  It's all dependent on your processing power (aka how many gerbils you have enlisted inside your puter).

Depending on how you're conducting analysis, you may choose to change the output.  From a timestamp analysis standpoint, I find that using the table format (Format-Table) is kinder on the eyes as it stacks the timestamps.  If, for instance, you want to see more verbose Command Line output, you might choose List format.

Cutting the data: Easy...  below I read the first 300 lines in the $content variable and look for any "operation" that has the word create in it.