
Get-WinEvent



This is the built-in help made by Microsoft for the command 'Get-WinEvent', in PowerShell version 2 - as retrieved from Windows version 'Microsoft® Windows Vista™ Ultimate ' PowerShell help files on 2016-06-23.

For PowerShell version 3 and up, where you have Update-Help, this command was run just before creating the web pages from the help files.

SYNOPSIS

Gets events from event logs and event tracing log files on local and remote computers.

SYNTAX


Get-WinEvent [-LogName] <string[]> [-ComputerName <string>] [-Credential <PSCredential>] [-FilterXPath <string>] [-Force <switch>] [-MaxEvents <int64>] [-Oldest] [<CommonParameters>]
Get-WinEvent [-Path] <string[]> [-ComputerName <string>] [-Credential <PSCredential>] [-FilterXPath <string>] [-Force <switch>] [-MaxEvents <int64>] [-Oldest] [<CommonParameters>]
Get-WinEvent [-ProviderName] <string[]> [-ComputerName <string>] [-Credential <PSCredential>] [-FilterXPath <string>] [-Force <switch>] [-MaxEvents <int64>] [-Oldest] [<CommonParameters>]
Get-WinEvent -FilterHashTable <Hashtable[]> [-ComputerName <string>] [-Credential <PSCredential>] [-Force <switch>] [-MaxEvents <int64>] [-Oldest] [<CommonParameters>]
Get-WinEvent [-ListLog] <string[]> [-ComputerName <string>] [-Credential <PSCredential>] [<CommonParameters>]
Get-WinEvent [-ListProvider] <string[]> [-ComputerName <string>] [-Credential <PSCredential>] [<CommonParameters>]
Get-WinEvent -FilterXml <XmlDocument> [-ComputerName <string>] [-Credential <PSCredential>] [-Force <switch>] [-MaxEvents <int64>] [-Oldest] [<CommonParameters>]




DESCRIPTION


The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs, and the event logs that are generated by the new Windows Event Log technology introduced in Windows Vista. It also gets events in log files generated by Event Tracing for Windows (ETW).

Without parameters, a Get-WinEvent command gets all the events from all the event logs on the computer. To interrupt the command, press CTRL + C.

Get-WinEvent also lists event logs and event log providers. You can get events from selected logs or from logs generated by selected event providers. And, you can combine events from multiple sources in a single command. Get-WinEvent allows you to filter events by using XPath queries, structured XML queries, and simplified hash-table queries.

Note: Get-WinEvent requires Windows Vista, Windows Server 2008 R2, or later versions of Windows. And, it requires the Microsoft .NET Framework 3.5 or a later version.




RELATED LINKS

Online version: http://go.microsoft.com/fwlink/?LinkID=138336
Get-EventLog
Get-Counter
about_EventLogs

REMARKS


Examples


-------------------------- EXAMPLE 1 --------------------------

C:\PS>get-winevent -listlog *



Description
-----------
This command gets all the logs on the local computer.

Logs are listed in the order that Get-WinEvent gets them. Classic logs are usually retrieved first, followed by the new Windows Eventing logs.

Because there are typically more than a hundred event logs, this parameter requires a log name or name pattern. To get all the logs, use *.








-------------------------- EXAMPLE 2 --------------------------

C:\PS>get-winevent -listlog Setup | format-list -property *


FileSize : 69632
IsLogFull : False
LastAccessTime : 2/14/2008 12:55:12 AM
LastWriteTime : 7/9/2008 3:12:05 AM
OldestRecordNumber : 1
RecordCount : 3
LogName : Setup
LogType : Operational
LogIsolation : Application
IsEnabled : True
IsClassicLog : False
SecurityDescriptor : O:BAG:SYD:(A;;0xf0007;;;SY)(A;
(A;;0x1;;;S-1-5-32-573)
LogFilePath : %SystemRoot%\System32\Winevt\L
MaximumSizeInBytes : 1052672
LogMode : Circular
OwningProviderName : Microsoft-Windows-Eventlog
ProviderNames : {Microsoft-Windows-WUSA, Micro
ProviderLevel :
ProviderKeywords :
ProviderBufferSize : 64
ProviderMinimumNumberOfBuffers : 0
ProviderMaximumNumberOfBuffers : 64
ProviderLatency : 1000
ProviderControlGuid :



Description
-----------
This command gets an object that represents the Setup log on the local computer. The object includes useful information about the log, including its size, event log providers, file path, and whether it is enabled.








-------------------------- EXAMPLE 3 --------------------------

C:\PS>get-winevent -listlog * -computername Server01| where {$_.recordcount}



Description
-----------
This command gets only event logs on the Server01 computer that contain events. Many logs might be empty.

The command uses the RecordCount property of the EventLogConfiguration object that Get-WinEvent returns when you use the ListLog parameter.








-------------------------- EXAMPLE 4 --------------------------

C:\PS>$s = "Server01", "Server02", "Server03"

C:\PS> foreach ($server in $s)
{$server; get-winevent -listlog "Windows PowerShell" -computername $server}



Description
-----------
The commands in this example get objects that represent the Windows PowerShell event logs on the Server01, Server02, and Server03 computers. This command uses the Foreach keyword because the ComputerName parameter takes only one value.

The first command saves the names of the computers in the $s variable.

The second command uses a Foreach statement. For each of the computers in the $s variable, it performs the command in the script block (within the braces). First, the command prints the name of the computer. Then, it runs a Get-WinEvent command to get an object that represents the Windows PowerShell log.








-------------------------- EXAMPLE 5 --------------------------

C:\PS>get-winevent -listprovider *



Description
-----------
This command gets the event log providers on the local computer and the logs to which they write, if any.








-------------------------- EXAMPLE 6 --------------------------

C:\PS>(get-winevent -listlog Application).providernames



Description
-----------
This command gets all of the providers that write to the Application log on the local computer.








-------------------------- EXAMPLE 7 --------------------------

C:\PS>get-winevent -listprovider *policy*



Description
-----------
This command gets the event log providers whose names include the word "policy."








-------------------------- EXAMPLE 8 --------------------------

C:\PS>(get-winevent -listprovider microsoft-windows-grouppolicy).events | format-table id, description -auto



Description
-----------
This command lists the event IDs that the Microsoft-Windows-GroupPolicy event provider generates along with the event description.

It uses the Events property of the object that Get-WinEvent returns when you use the ListProvider parameter, and it uses the ID and Description properties of the object in the Events property.








-------------------------- EXAMPLE 9 --------------------------

C:\PS>$events = get-winevent -logname "Windows PowerShell"

C:\PS> $events.count
195

C:\PS> $events | group-object id -noelement | sort-object count -desc
Count Name
----- ----
147 600
22 400
21 601
3 403
2 103

C:\PS> $events | group-object leveldisplayname -noelement
Count Name
----- ----
2 Warning
193 Information



Description
-----------
This example shows how to use the properties of the event objects that Get-WinEvent returns to learn about the events in an event log.

The first command uses the Get-WinEvent cmdlet to get all of the events in the Windows PowerShell event log. Then, it saves them in the $events variable. The log name is enclosed in quotation marks because it contains a space.

The second command uses the Count property of object collections to find the number of entries in the event log.

The third command displays the incidence of each event in the log, with the most frequent events first. In this example, event ID 600 is the most frequent event.

The fourth command groups the items by the value of their LevelDisplayName property to show how many Error, Warning, and Information events are in the log.








-------------------------- EXAMPLE 10 --------------------------

C:\PS>get-winevent -logname *disk*, Microsoft-Windows-Kernel-WHEA



Description
-----------
This command gets the events from every event log on the computer whose log name includes "disk", and from the Microsoft-Windows-Kernel-WHEA event log.








-------------------------- EXAMPLE 11 --------------------------

C:\PS>get-winevent -path 'c:\ps-test\Windows PowerShell.evtx'



Description
-----------
This command gets events from a copy of the Windows PowerShell event log file in a test directory. The path is enclosed in quotation marks because the log name includes a space.








-------------------------- EXAMPLE 12 --------------------------

C:\PS>get-winevent -path 'c:\tracing\tracelog.etl' -maxevents 100 -oldest

C:\PS> get-winevent -path 'c:\tracing\tracelog.etl' -oldest | sort-object -property timecreated -desc | select-object -first 100



Description
-----------
These commands get the first 100 events from an Event Tracing for Windows (ETW) event trace log file.

The first command gets the 100 oldest events in the log. It uses the Get-WinEvent cmdlet to get events from the Tracelog.etl file. It uses the MaxEvents parameter to limit the retrieval to 100 events. Because the events are listed in the order in which they are written to the log (oldest first), the Oldest parameter is required.

The second command gets the 100 newest events in the log. It uses the Get-WinEvent cmdlet to get all the events from the Tracelog.etl file. It passes the events to the Sort-Object cmdlet, which sorts them in descending order by the value of the TimeCreated property. Then, it sends the sorted events to the Select-Object cmdlet to select the newest 100 events.








-------------------------- EXAMPLE 13 --------------------------

C:\PS>get-winevent -path "c:\tracing\tracelog.etl", "c:\Logs\Windows PowerShell.evtx" -oldest | where {$_.id -eq "103"}



Description
-----------
This example shows how to get the events from an event trace log file (.etl) and from a copy of the Windows PowerShell log file (.evtx) that was saved to a test directory.

You can combine multiple file types in a single command. Because the files contain the same type of .NET Framework object (an EventLogRecord object), you can use the same properties to filter them.

Note that the command requires the Oldest parameter because it is reading from an .etl file, but the Oldest parameter applies to both of the files.








-------------------------- EXAMPLE 14 --------------------------

C:\PS># Use the Where-Object cmdlet
C:\PS> $yesterday = (get-date) - (new-timespan -day 1)
C:\PS> get-winevent -logname "Windows PowerShell" | where {$_.timecreated -ge $yesterday}


# Uses FilterHashTable
C:\PS> $yesterday = (get-date) - (new-timespan -day 1)
C:\PS> get-winevent -FilterHashTable @{LogName='Windows PowerShell'; Level=3; StartTime=$yesterday}


# Use FilterXML
C:\PS> get-winevent -FilterXML "<QueryList><Query><Select Path='Windows PowerShell'>*[System[Level=3 and TimeCreated[timediff(@SystemTime) <= 86400000]]]</Select></Query></QueryList>"


# Use FilterXPath
C:\PS> get-winevent -LogName "Windows PowerShell" -FilterXPath "*[System[Level=3 and TimeCreated[timediff(@SystemTime) <= 86400000]]]"



Description
-----------
This example shows different filtering methods for selecting events from an event log. All of these commands get events that occurred in the last 24 hours from the Windows PowerShell event log.

The filter methods are more efficient than using the Where-Object cmdlet because the filters are applied while the objects are being retrieved, rather than retrieving all the objects and then filtering them.

Because dates are difficult to formulate in the XML and XPath formats, to create the XML content for the date, the Filter Current Log feature of Event Viewer is used. For more information about this feature, see Event Viewer Help.
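As an added example that is not part of the Microsoft help text, the function below wraps the FilterHashTable pattern from Examples 9, 14 and 15 in one reusable command: it builds the hash table only from the keys the caller supplied, treats the "No events were found" error that Get-WinEvent raises for an empty result as an empty list rather than a failure, and returns the per-ID count roll-up from Example 9. The function and parameter names are this example's own choices.

```powershell
# Added example: a reusable wrapper around Get-WinEvent -FilterHashTable.
# Not from the Microsoft help; function/parameter names are assumptions.
function Get-RecentEventSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)] [string] $LogName,
        [int]    $Hours = 24,
        [int[]]  $Id,            # optional event ID(s), as in Example 15
        [int]    $Level,         # optional: 2 = Error, 3 = Warning, 4 = Information
        [string] $ComputerName   # optional remote computer, as in Examples 3 and 4
    )

    # Only keys that were actually supplied go into the filter hash table.
    $filter = @{ LogName = $LogName; StartTime = (Get-Date).AddHours(-$Hours) }
    if ($Id)    { $filter['Id']    = $Id }
    if ($Level) { $filter['Level'] = $Level }

    $params = @{ FilterHashtable = $filter; ErrorAction = 'SilentlyContinue' }
    if ($ComputerName) { $params['ComputerName'] = $ComputerName }

    # When the filter matches nothing, Get-WinEvent writes a non-terminating
    # error (error id NoMatchingEventsFound) instead of returning nothing.
    # Capture it so an empty result is not mistaken for a real failure.
    $events = Get-WinEvent @params -ErrorVariable getErr
    if (-not $events) {
        if ($getErr -and $getErr[0].FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            throw $getErr[0]     # access denied, unknown log name, unreachable computer, ...
        }
        return @()               # nothing matched in the time window
    }

    # Same roll-up as Example 9: count of each event ID, most frequent first.
    $events | Group-Object Id -NoElement | Sort-Object Count -Descending |
        Select-Object @{n='Id'; e={[int]$_.Name}}, Count, @{n='LogName'; e={$LogName}}
}

# Usage, with log names that appear in the help examples on this page:
Get-RecentEventSummary -LogName 'Windows PowerShell' -Hours 24 -Level 3
Get-RecentEventSummary -LogName 'Microsoft-Windows-Diagnostics-Performance/Operational' -Hours 48 -Id 100
```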








-------------------------- EXAMPLE 15 --------------------------

C:\PS>$date = (get-date).AddDays(-2)

C:\PS> $events = get-winevent -FilterHashTable @{ logname = "Microsoft-Windows-Diagnostics-Performance/Operational"; StartTime = $date; ID = 100 }



Description
-----------
This example uses a filter hash table to get events from the performance log.

The first command uses the Get-Date cmdlet and the AddDays method to get a date that is two days before the current date. It saves the date in the $date variable.

The second command uses the Get-WinEvent cmdlet with the FilterHashTable parameter. The keys in the hash table define a filter that selects events from the performance log that occurred within the last two days and that have event ID 100.

The LogName key specifies the event log, the StartTime key specifies the date, and the ID key specifies the event ID.








-------------------------- EXAMPLE 16 --------------------------

C:\PS>$starttime = (get-date).adddays(-7)

C:\PS> $ie_error = Get-WinEvent -FilterHashtable @{logname="application"; providername="Application Error"; data="iexplore.exe"; starttime=$starttime}



Description
-----------
This example uses a filter hash table to find Internet Explorer application errors that occurred within the last week.

The first command gets the date that is seven days before the current date and stores it in the $starttime variable.

The second command uses the Get-WinEvent cmdlet with the FilterHashTable parameter. The keys in the hash table define a filter that selects events from the Application log that were written by the Application Error provider and include the phrase "iexplore.exe".

The LogName key specifies the event log. The ProviderName key specifies the event provider, the StartTime key specifies the starting date of the events, and the Data key specifies the text in the event message.
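As an added example, not part of the Microsoft help text, the function below expresses the hash-table filter from Example 16 as the structured XML query that the FilterXml parameter accepts (the format Example 14 shows), so the mapping from each hash-table key to its XPath term is visible. The function name and the query layout are this example's own; the log, provider and data values are the ones used in Example 16.

```powershell
# Added example: the Example 16 hash-table filter rewritten as a FilterXml query.
# Not from the Microsoft help; the function name is an assumption.
function New-ProviderDataQuery {
    param(
        [string] $LogName  = 'Application',
        [string] $Provider = 'Application Error',
        [string] $Data     = 'iexplore.exe',
        [int]    $Days     = 7
    )
    # timediff(@SystemTime) in event-log XPath is measured in milliseconds
    # from the current time, so a StartTime of "7 days ago" becomes a window.
    $ms = [int64]$Days * 24 * 60 * 60 * 1000

    # Each hash-table key from Example 16 maps to one XPath term:
    #   ProviderName -> System/Provider/@Name
    #   StartTime    -> System/TimeCreated, via timediff(@SystemTime)
    #   Data         -> an EventData/Data element equal to the string
    $xpath = "*[System[Provider[@Name='$Provider'] and " +
             "TimeCreated[timediff(@SystemTime) <= $ms]]] " +
             "and *[EventData[Data='$Data']]"

    # LogName -> the Path attribute of the Select element.
    return "<QueryList><Query Id='0' Path='$LogName'>" +
           "<Select Path='$LogName'>$xpath</Select></Query></QueryList>"
}

# Same selection as Example 16; the filtering is done by the event log
# service while the records are read, not by Where-Object afterwards.
$query = New-ProviderDataQuery
$query    # print the generated XML so it can be compared with Event Viewer's
$ie_errors = Get-WinEvent -FilterXml ([xml]$query) -ErrorAction SilentlyContinue
$ie_errors | Select-Object TimeCreated, Id, ProviderName, Message | Format-Table -AutoSize
```

Because the query is built from parameters, the same function covers any log, provider and data string; the defaults reproduce Example 16.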