alex_aldo - Fotolia

Get started Bring yourself up to speed with our introductory content.

Perform a Windows event log search with PowerShell

Event log monitoring is vital to an IT environment's health and success, but finding a specific event in the flood is challenging. PowerShell enables admins to simplify this task.

Admins who've had to troubleshoot something on Windows Server are familiar with the Event Viewer monitoring tool, which enables IT teams to search for and filter certain events in the Windows event log.

Event Viewer is a powerful tool, but its GUI can lead to slow and manual search processes. Alternatively, admins can use PowerShell to streamline and narrow down a Windows event log search.

First, enter the Get-WinEvent cmdlet in PowerShell. This is the easiest method to query for events in the Windows event log. If you run the command by itself, however, you might end up with a screen full of red error text:

Get-WinEvent error text

To avoid this error, use more specific parameters. Return entries from a specific log using the -LogName parameter:

Get-WinEvent -LogName System

You'll notice the ProviderName header in the output below.

ProviderName header

To query for a specific provider -- which, in this example, is the entity that produces the log -- use the –ProviderName parameter. Here, we look for the Microsoft-Windows-Kernel-General provider:

Get-WinEvent -ProviderName 'Microsoft-Windows-Kernel-General'

The output from this Windows event log search should show information, such as time created, as seen below:

Windows event log search output

You can't use the –LogName and –ProviderName parameters at the same time, unless you use one of the filter parameters, such as -FilterHashtable.

With -FilterHashtable, you can specify the following values:

  • LogName
  • ProviderName
  • Path
  • Keywords
  • ID
  • Level
  • StartTime
  • EndTime
  • UserID
  • Data
  • *

To see the list, run the following:

help Get-WinEvent -Parameter FilterHashtable

To find, for example, a computer's startup events, enter the following:

Get-WinEvent -FilterHashtable @{
    ProviderName = 'Microsoft-Windows-Kernel-General'
    LogName = 'System'
    Id = 12

For this Windows event log search, PowerShell should return what is seen below.

PowerShell return

Editor's note: This expert answer is second in a three-part series on PowerShell automation. See this expert answer on ACL folder management, and stay tuned for the final installment on PATH environment management.

Dig Deeper on Scripting, Scheduling and IT Orchestration