NAME
Get-WinEvent
SYNOPSIS
Gets events from event logs and event tracing log files on local and remote computers.
SYNTAX
Get-WinEvent [-LogName] <string[]> [-ComputerName <string>] [-Credential <PSCredential>] [-FilterXPath <string>] [-Force <switch>] [-MaxEvents <int64>] [-Oldest] [<CommonParameters>]
Get-WinEvent [-Path] <string[]> [-ComputerName <string>] [-Credential <PSCredential>] [-FilterXPath <string>] [-Force <switch>] [-MaxEvents <int64>] [-Oldest] [<CommonParameters>]
Get-WinEvent [-ProviderName] <string[]> [-ComputerName <string>] [-Credential <PSCredential>] [-FilterXPath <string>] [-Force <switch>] [-MaxEvents <int64>] [-Oldest] [<CommonParameters>]
Get-WinEvent -FilterHashTable <Hashtable[]> [-ComputerName <string>] [-Credential <PSCredential>] [-Force <switch>] [-MaxEvents <int64>] [-Oldest] [<CommonParameters>]
Get-WinEvent [-ListLog] <string[]> [-ComputerName <string>] [-Credential <PSCredential>] [<CommonParameters>]
Get-WinEvent [-ListProvider] <string[]> [-ComputerName <string>] [-Credential <PSCredential>] [<CommonParameters>]
Get-WinEvent -FilterXml <XmlDocument> [-ComputerName <string>] [-Credential <PSCredential>] [-Force <switch>] [-MaxEvents <int64>] [-Oldest] [<CommonParameters>]
DESCRIPTION
The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs, and the event logs that are generated by the new Windows Event Log technology introduced in Windows Vista. It also gets events in log files generated by Event Tracing for Windows (ETW).
Without parameters, a Get-WinEvent command gets all the events from all the event logs on the computer. To interrupt the command, press CTRL + C.
Get-WinEvent also lists event logs and event log providers. You can get events from selected logs or from logs generated by selected event providers. And, you can combine events from multiple sources in a single command. Get-WinEvent allows you to filter events by using XPath queries, structured XML queries, and simplified hash-table queries.
Note: Get-WinEvent requires Windows Vista, Windows Server 2008 R2, or later versions of Windows. And, it requires the Microsoft .NET Framework 3.5 or a later version.
PARAMETERS
-ComputerName <string>
Gets events from the event logs on the specified computer. Type the NetBIOS name, an Internet Protocol (IP) address, or the fully qualified domain name of the computer. The default value is the local computer.
This parameter accepts only one computer name at a time. To find event logs or events on multiple computers, use a ForEach statement. For more information about this parameter, see the examples.
To get events and event logs from remote computers, the firewall port for the event log service must be configured to allow remote access.
This parameter does not rely on Windows PowerShell remoting. You can use the ComputerName parameter even if your computer is not configured to run remote commands.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Credential <PSCredential>
Specifies a user account that has permission to perform this action. The default value is the current user.
Type a user name, such as User01 or Domain01\User01. Or, enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. If you type only the parameter name, you will be prompted for both a user name and a password.
Required? false
Position? named
Default value Current user
Accept pipeline input? false
Accept wildcard characters? false
-FilterHashTable <Hashtable[]>
Uses a query in hash table format to select events from one or more event logs. The query contains a hash table with one or more key-value pairs.
Hash table queries have the following rules:
— Keys and values are case-insensitive.
— Wildcard characters are valid only in the values associated with the LogName and ProviderName keys.
— Each key can be listed only once in each hash-table.
— The Path value takes paths to .etl, .evt, and .evtx log files.
— The LogName, Path, and ProviderName keys can be used in the same query.
— The UserID key can take a valid security identifier (SID) or a domain account name that can be used to construct a valid System.Security.Principal.NTAccount object.
— The Data value takes event data in an unnamed field. This is for events in classic event logs.
— The * key represents a named event data field.
When Get-WinEvent cannot interpret a key-value pair, it interprets the key as a case-sensitive name for the event data in the event.
The valid key-value pairs are as follows:
— LogName=<String[]>
— ProviderName=<String[]>
— Path=<String[]>
— Keywords=<Long[]>
— ID=<Int32[]>
— Level=<Int32[]>
— StartTime=<DateTime>
— EndTime=<DataTime>
— UserID=<SID>
— Data=<String[]>
— *=<String[]>
Required? true
Position? named
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false
-FilterXml <XmlDocument>
Uses a structured XML query to select events from one or more event logs.
To generate a valid XML query, use the Create Custom View and Filter Current Log features in Event Viewer. Use the items in the dialog box to create a query, and then click the XML tab to view the query in XML format. You can copy the XML from the XML tab into the value of the FilterXml parameter. For more information about the Event Viewer features, see Event Viewer Help.
Typically, you use an XML query to create a complex query that contains several XPath statements. The XML format also allows you to use a “Suppress” XML element that excludes events from the query. For more information about the XML schema for event log queries, see the following topics in the MSDN (Microsoft Developer Network) library.
— “Query Schema”: http://go.microsoft.com/fwlink/?LinkId=143685
— “XML Event Queries” in “Event Selection”: http://go.microsoft.com/fwlink/?LinkID=143608
Required? true
Position? named
Default value None
Accept pipeline input? true (ByValue)
Accept wildcard characters? false
-FilterXPath <string>
Uses an XPath query to select events from one or more logs.
For more information about the XPath language, see “Selection Filters” in “Event Selection” and in the “XPath Reference” in the MSDN library.
Required? false
Position? named
Default value None
Accept pipeline input? false
Accept wildcard characters? false
-Force <switch>
Gets debug and analytic logs, in addition to other event logs. The Force parameter is required to get a debug or analytic log when the value of the name parameter includes wildcard characters.
By default, Get-WinEvent excludes these logs unless you specify the full name of a debug or analytic log.
Required? false
Position? named
Default value Debugging and analytic logs are not returned in response to queries that use wildcard characters.
Accept pipeline input? false
Accept wildcard characters? false
-ListLog <string[]>
Gets the specified event logs. Enter the event log names in a comma-separated list. Wildcards are permitted. To get all the logs, enter a value of *.
Required? true
Position? 1
Default value None
Accept pipeline input? false
Accept wildcard characters? true
-ListProvider <string[]>
Gets the specified event log providers. An event log provider is a program or service that writes events to the event log.
Enter the provider names in a comma-separated list. Wildcards are permitted. To get the providers of all the event logs on the computer, enter a value of *.
Required? true
Position? 1
Default value None
Accept pipeline input? false
Accept wildcard characters? true
-LogName <string[]>
Gets events from the specified event logs. Enter the event log names in a comma-separated list. Wildcards are permitted. You can also pipe log names to Get-WinEvent.
Required? true
Position? 1
Default value None
Accept pipeline input? true (ByValue)
Accept wildcard characters? true
-MaxEvents <int64>
Specifies the maximum number of events that Get-WinEvent returns. Enter an integer. The default is to return all the events in the logs or files.
Required? false
Position? named
Default value All events
Accept pipeline input? false
Accept wildcard characters? false
-Oldest [<SwitchParameter>]
Returns the events in oldest-first order. By default, events are returned in newest-first order.
This parameter is required to get events from .etl and .evt files and from debug and analytic logs. In these files, events are recorded in oldest-first order, and the events can be returned only in oldest-first order.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Path <string[]>
Gets events from the specified event log files. Enter the paths to the log files in a comma-separated list, or use wildcard characters to create file path patterns.
Get-WinEvent supports files with the .evt, .evtx, and .etl file name extensions. You can include events from different files and file types in the same command.
Required? true
Position? 1
Default value None
Accept pipeline input? false
Accept wildcard characters? true
-ProviderName <string[]>
Gets events written by the specified event log providers. Enter the provider names in a comma-separated list, or use wildcard characters to create provider name patterns.
An event log provider is a program or service that writes events to the event log. It is not a Windows PowerShell provider.
Required? true
Position? 1
Default value None
Accept pipeline input? false
Accept wildcard characters? true
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer and OutVariable. For more information, type,
“Get-Help about_CommonParameters“.
INPUTS
System.String, System.Xml.XmlDocument, System.Collections.Hashtable.
You can pipe a LogName (string), a FilterXML query, or a FilterHashTable query to Get-WinEvent.
OUTPUTS
System.Diagnostics.Eventing.Reader.EventLogConfiguration, System.Diagnostics.Eventing.Reader.EventLogRecord, System.Diagnostics.Eventing.Reader.ProviderMetadata
With the ListLog parameter, Get-WinEvent returns System.Diagnostics.Eventing.Reader.EventLogConfiguration objects. With the ListProvider parameter, Get-WinEvent returns
System.Diagnostics.Eventing.Reader.ProviderMetadata objects. With all other parameters, Get-WinEvent returns System.Diagnostics.Eventing.Reader.EventLogRecord objects.
NOTES
Get-WinEvent is designed to replace the Get-EventLog cmdlet on computers running Windows Vista and later versions of Windows. Get-EventLog gets events only in classic event logs. Get-EventLog is retained in Windows PowerShell 2.0 for systems earlier than Windows Vista.
————————– EXAMPLE 1 ————————–
C:\PS>Get-WinEvent -listlog *
Description
———–
This command gets all the logs on the local computer.
Logs are listed in the order that Get-WinEvent gets them. Classic logs are usually retrieved first, followed by the new Windows Eventing logs.
Because there are typically more than a hundred event logs, this parameter requires a log name or name pattern. To get all the logs, use *.
————————– EXAMPLE 2 ————————–
C:\PS>Get-WinEvent -listlog Setup | Format-List -property *
FileSize : 69632
IsLogFull : False
LastAccessTime : 2/14/2008 12:55:12 AM
LastWriteTime : 7/9/2008 3:12:05 AM
OldestRecordNumber : 1
RecordCount : 3
LogName : Setup
LogType : Operational
LogIsolation : Application
IsEnabled : True
IsClassicLog : False
SecurityDescriptor : O:BAG:SYD:(A;;0xf0007;;;SY)(A;
(A;;0x1;;;S-1-5-32-573)
LogFilePath : %SystemRoot%\System32\Winevt\L
MaximumSizeInBytes : 1052672
LogMode : Circular
OwningProviderName : Microsoft-Windows-Eventlog
ProviderNames : {Microsoft-Windows-WUSA, Micro
ProviderLevel :
ProviderKeywords :
ProviderBufferSize : 64
ProviderMinimumNumberOfBuffers : 0
ProviderMaximumNumberOfBuffers : 64
ProviderLatency : 1000
ProviderControlGuid :
Description
———–
These commands get an object that represents the classic System log on the local computer. The object includes useful information about the log, including its size, event log provider, file path, and whether it is enabled.
————————– EXAMPLE 3 ————————–
C:\PS>Get-WinEvent -listlog * -ComputerName Server01| where {$_.recordcount}
Description
———–
This command gets only event logs on the Server01 computer that contain events. Many logs might be empty.
The command uses the RecordCount property of the EventLogConfiguration object that Get-WinEvent returns when you use the ListLog parameter.
————————– EXAMPLE 4 ————————–
C:\PS>$s = “Server01”, “Server02”, “Server03”
C:\PS> foreach ($server in $s)
{$server; Get-WinEvent -listlog “Windows PowerShell” -ComputerName $server}
Description
———–
The commands in this example get objects that represent the Windows PowerShell event logs on the Server01, Server02, and Server03 computers. This command uses the Foreach keyword because the ComputerName parameter takes only one value.
The first command saves the names of the computers in the $s Variable.
The second command uses a Foreach statement. For each of the computers in the $s Variable, it performs the command in the script block (within the braces). First, the command prints the name of the computer. Then, it runs a Get-WinEvent command to get an object that represents the Windows PowerShell log.
————————– EXAMPLE 5 ————————–
C:\PS>Get-WinEvent -listprovider *
Description
———–
This command gets the event log providers on the local computer and the logs to which they write, if any.
————————– EXAMPLE 6 ————————–
C:\PS>(Get-WinEvent -listlog Application).providernames
Description
———–
This command gets all of the providers that write to the Application log on the local computer.
————————– EXAMPLE 7 ————————–
C:\PS>>Get-WinEvent -listprovider *policy*
Description
———–
This command gets the event log providers whose names include the word “policy.”
————————– EXAMPLE 8 ————————–
C:\PS>(Get-WinEvent -listprovider microsoft-windows-grouppolicy).events | Format-Table id, description -auto
Description
———–
This command lists the event IDs that the Microsoft-Windows-GroupPolicy event provider generates along with the event description.
It uses the Events property of the object that Get-WinEvent returns when you use the ListProvider parameter, and it uses the ID and Description properties of the object in the Events property.
————————– EXAMPLE 9 ————————–
C:\PS>$events = Get-WinEvent -LogName “Windows PowerShell”
C:\PS> $events.count
195
C:\PS> $events | Group-Object id -noelement | Sort-Object count -desc
Count Name
—– —-
147 600
22 400
21 601
3 403
2 103
C:\PS> $events | Group-Object leveldisplayname -noelement
Count Name
—– —-
2 Warning
193 Information
Description
———–
This example shows how to use the properties of the event objects that Get-WinEvent returns to learn about the events in an event log.
The first command uses the Get-WinEvent cmdlet to get all of the events in the Windows PowerShell event log. Then, it saves them in the $events Variable. The log name is enclosed in quotation marks because it contains a space.
The second command uses the Count property of object collections to find the number of entries in the event log.
The third command displays the incidence of each event in the log, with the most frequent events first. In this example, event ID 600 is the most frequent event.
The fourth command groups the items by the value of their LevelDisplayName property to show how many Error, Warning, and Information events are in the log.
————————– EXAMPLE 10 ————————–
C:\PS>Get-WinEvent -LogName *disk*, Microsoft-Windows-Kernel-WHEA
Description
———–
This command gets the error events whose names include “disk” from all of the event logs on the computer and from the Microsoft-Windows-Kernel-WHEA event log.
————————– EXAMPLE 11 ————————–
C:\PS>Get-WinEvent -path ‘c:\ps-test\Windows PowerShell.evtx’
Description
———–
This command gets events from a copy of the Windows PowerShell event log file in a test directory. The path is enclosed in quotation marks because the log name includes a space.
————————– EXAMPLE 12 ————————–
C:\PS>Get-WinEvent -path ‘c:\tracing\tracelog.etl’ -MaxEvents 100 -Oldest
C:\PS> Get-WinEvent -path ‘c:\tracing\tracelog.etl’ -Oldest | Sort-Object -property timecreated -desc | Select-Object -first 100
Description
———–
These commands get the first 100 events from an Event Tracing for Windows (ETW) event trace log file.
The first command gets the 100 oldest events in the log. It uses the Get-WinEvent cmdlet to get events from the Tracelog.etl file. It uses the MaxEvents parameter to limit the retrieval to 100 events. Because the events are listed in the order in which they are written to the log (oldest first), the Oldest parameter is required.
The second command gets the 100 newest events in the log. It uses the Get-WinEvent cmdlet to get all the events from the Tracing.etl file. It passes
the events to the Sort-Object cmdlet, which sorts them in descending order by the value of the TimeCreated property. Then, it sends the sorted events to the Select-Object cmdlet to select the newest 100 events.
————————– EXAMPLE 13 ————————–
C:\PS>Get-WinEvent -path “c:\tracing\tracelog.etl”, “c:\Logs\Windows PowerShell.evtx” -Oldest | where {$_.id -eq “103”}
Description
———–
This example shows how to get the events from an event trace log file (.etl) and from a copy of the Windows PowerShell log file (.evtx) that was saved to a test directory.
You can combine multiple file types in a single command. Because the files contain the same type of .NET Framework object (an EventLogRecord object), you can use the same properties to filter them.
Note that the command requires the Oldest parameter because it is reading from an .etl file, but the Oldest parameter applies to both of the files.
————————– EXAMPLE 14 ————————–
C:\PS># Use the Where-Object cmdlet
C:\PS> $yesterday = (Get-Date) – (New-TimeSpan -day 1)
C:\PS> Get-WinEvent -LogName “Windows PowerShell” | where {$_.timecreated -ge $yesterday}
# Uses FilterHashTable
C:\PS> $yesterday = (Get-Date) – (New-TimeSpan -day 1)
C:\PS> Get-WinEvent -FilterHashTable @{LogName=’Windows PowerShell’; Level=3; StartTime=$yesterday}
# Use FilterXML
C:\PS> Get-WinEvent -FilterXML “<QueryList><Query><Select Path=’Windows PowerShell’>*[System[Level=3 and TimeCreated[timediff(@SystemTime) <= 86400000]]]</Select></Query></QueryList>”
# Use FilterXPath
C:\PS> Get-WinEvent -LogName “Windows Powershell” -FilterXPath “*[System[Level=3 and TimeCreated[timediff(@SystemTime) <= 86400000]]]”
Description
———–
This example shows different filtering methods for selecting events from an event log. All of these commands get events that occurred in the last 24 hours from the Windows PowerShell event log.
The filter methods are more efficient than using the Where-Object cmdlet because the filters are applied while the objects are being retrieved, rather than retrieving all the objects and then filtering them.
Because dates are difficult to formulate in the XML and XPath formats, to create the XML content for the date, the Filter Current Log feature of Event Viewer is used. For more information about this feature, see Event Viewer Help.
————————– EXAMPLE 15 ————————–
C:\PS>$date = (Get-Date).AddDays(-2)
C:\PS> $events = Get-WinEvent -FilterHashTable @{ logname = “Microsoft-Windows-Diagnostics-Performance/Operational”; StartTime = $date; ID = 100 }
Description
———–
This example uses a filter hash table to get events from the performance log.
The first command uses the Get-Date cmdlet and the AddDays method to get a date that is two days before the current date. It saves the date in the $date Variable.
The second command uses the Get-WinEvent cmdlet with the FilterHashTable parameter. The keys in the hash table define a filter that selects events from the performance log that occurred within the last two days and that have event ID 100.
The LogName key specifies the event log, the StartTime key specifies the date, and the ID key specifies the event ID.
————————– EXAMPLE 16 ————————–
C:\PS>$starttime = (Get-Date).adddays(-7)
C:\PS> $ie-error = Get-WinEvent -FilterHashtable @{logname=”application”; providername=”Application Error”; data=”iexplore.exe”; starttime=$starttime}
Description
———–
This example uses a filter hash table to find Internet Explorer application errors that occurred within the last week.
The first command gets the date that is seven days before the current date and stores it in the $starttime Variable.
The second command uses the Get-WinEvent cmdlet with the FilterHashTable parameter. The keys in the hash table define a filter that selects events from the Application log that were written by the Application Error provider and include the phrase “iexplore.exe”.
The LogName key specifies the event log. The ProviderName key specifies the event provider, the StartTime key specifies the starting date of the events, and the Data key specifies the text in the event message.
RELATED LINKS
Online version: http://go.microsoft.com/fwlink/?LinkID=138336
Get-EventLog
Get-Counter
about_eventlogs