PowerShell 2.0: One Cmdlet at a Time #69 Get-WinEvent

Continuing the series looking at new cmdlets available in PowerShell 2.0. This time we look at the Get-WinEvent cmdlet.

What can I do with it?

Retrieve items from Event Logs including event logs generated by the Windows Event Log technology, new since Windows Vista / 2008 Server, in addition to the classic System, Security and Application Logs. Note: it requires .NET Framework 3.5 or later installed.

Examples:

Retrieve events from the Setup Event Log.

Get-WinEvent -LogName Setup

You’ll see the typical information you would normally view in Event Viewer.

Get-WinEvent1

Get-WinEvent includes a -FilterHashTable parameter which allows you to filter results at source rather than pulling back all the events and then piping them through to Where-Object to perform filtering, so much more effiicient.

Retrieve events from the System Event Log only where the Event ID is 10148.

Get-WinEvent -FilterHashtable @{Logname='System';ID=10148}

You will see that only the events with ID 10148 are returned.

Get-WinEvent2

How could I have done this in PowerShell 1.0?

You could have used the Get-EventLog cmdlet, however it is not able to retrieve information from event logs generated by the Windows Event Log technology such as the Setup log mentioned in the above examples.

Get-EventLog -LogName System | Where-Object {$_.EventID -eq 10148}

1000 things 1% better!

One thought on “PowerShell 2.0: One Cmdlet at a Time #69 Get-WinEvent

  1. I used next command to extract security event log from a evtx file(On a win2008 R2).

    PS>get-winevent -path c:910.evtx >> c:\tst.csv

    It need about 7 minutes. c:910.evtx is about 15MB and contains only security event log.

    Because wevtutil needs only several seconds to convert the same c:910.evtx to a evt file,

    I wonder why get-winevent was so slowly.

    Thanks.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>