author: Nathan Acks
date: 2021-09-25

Get-WinEvent is a PowerShell command for working with Windows event logs.

# Get help on Get-WinEvent (calls out to Microsoft).
Get-Help Get-WinEvent

# Filter event log output using the Where-Object command. This pipes
# every event in the log to Where-Object, which then tests the named
# property on each object. So a bit inefficient for large logs.
Get-WinEvent -LogName Application | Where-Object {
	$_.ProviderName -Match 'WLMS'
}

# To match event IDs with Where-Object, use the slightly different form
# `Where-Object Id -eq 100`, etc.

# Use the -FilterHashtable flag. This causes the filtering to be done
# during the call made by Get-WinEvent, and has a more straightforward
# syntax too. However, it only works when called against the system
# event log; Where-Object needs to be used when specifying an archived
# log via -Path.
# Note that hash entries can be separated with newlines instead of
# semicolons as well, which can make scripts A LOT more readable!
Get-WinEvent -FilterHashtable @{
	LogName = 'Application';
	ProviderName = 'WLMS'
}

# To display all information about an event, pipe the output of
# Get-WinEvent to `Format-List -Property *`
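The snippets above each show one key at a time. The following is an added example, not part of the original notes, that wraps Get-WinEvent in a small function which builds the hashtable from optional parameters, so only the keys the caller actually supplies are passed in (Get-WinEvent rejects keys with empty values). It adds the StartTime and Id keys, which do accept arrays and dates, and finishes with the `Format-List -Property *` call mentioned above. The function name and the log/provider values are assumptions chosen for illustration.

```powershell
# Added example (not from the original notes). Get-RecentEvents is a
# hypothetical helper; 'Application' and 'WLMS' are sample values.
function Get-RecentEvents {
    [CmdletBinding()]
    param(
        [string]$LogName = 'Application',
        [string]$ProviderName,
        [int[]]$Id,
        [int]$Hours = 24,
        [int]$MaxEvents = 50
    )

    # LogName and StartTime are always present; the other keys are added
    # only when supplied, because Get-WinEvent errors on empty values.
    $filter = @{
        LogName   = $LogName
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    if ($ProviderName) { $filter['ProviderName'] = $ProviderName }
    if ($Id)           { $filter['Id'] = $Id }

    # -ErrorAction SilentlyContinue suppresses the "No events were found"
    # error that Get-WinEvent raises when the filter matches nothing.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents `
        -ErrorAction SilentlyContinue
}

# Same filter as the notes above, restricted to the last 24 hours and
# reduced to the fields most useful for a first look.
Get-RecentEvents -LogName 'Application' -ProviderName 'WLMS' |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message |
    Format-Table -AutoSize -Wrap

# Every property of the single most recent matching event.
Get-RecentEvents -LogName 'Application' -ProviderName 'WLMS' -MaxEvents 1 |
    Format-List -Property *
```

Because the filter is evaluated inside the Get-WinEvent call, the StartTime bound keeps the query cheap even on a large log; the Where-Object form above would have to read every event first and discard the old ones afterwards.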

FilterHashtable Keys

Wildcards can be used with LogName and ProviderName, but not with other keys.

Event Viewer displays most of these values in the “General” tab when viewing an individual log entry, though note that Keywords is translated to a string.