The graphical Event Viewer console (Eventvwr.msc) is usually used to check Windows logs. Event Viewer provides information on most system and security events. You can use PowerShell to search, filter, and parse a large number of events in Event Viewer.
There are two built-in PowerShell cmdlets available in Windows for getting information from Event Viewer logs:
- Get-EventLog — a simple, convenient, and fast cmdlet for getting information from the standard Windows logs: Application, Security, System. However, it cannot be used to get events from the extended Applications and Services logs in Event Viewer;
- Get-WinEvent — provides a more universal way to search and filter events in any of the logs available in Event Viewer. In modern versions of Windows, this cmdlet is the preferred way to get and process event logs.
To get the names of available Windows logs, run the command:
Get-WinEvent -ListLog *
There are more than 400 event logs by default in Windows 10 and 11. Each log is stored in a separate .EVTX file in the %SystemRoot%\System32\Winevt\Logs\ directory.
To display the last 10 events from a specific log, specify the name of the log in the -LogName parameter, and then run the command:
Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' -MaxEvents 10
You can use the Where-Object cmdlet to filter received events by specified criteria. For example, you may need to find all of the Windows Defender events with an Event ID of 1002:
Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' | Where-Object ID -eq 1002
However, if you have a large number of events, this method of filtering will be very slow. To search the log more quickly, you can use the following Get-WinEvent filters:
- -FilterXPath <String>
- -FilterXml <XmlDocument>
- -FilterHashtable <Hashtable[]>
For example, to get the same results as the previous command, you can use the following hash table query:
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; ID=1002}
This log search command is many times faster than the previous one (with Where-Object filtering).
Example of a hash table to search for multiple event IDs for the last 7 days:
$date = (Get-Date).AddDays(-7)
$hash = @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    ID           = 4723, 4724, 4740
    StartTime    = $date
}
Get-WinEvent -FilterHashtable $hash
You can create an XPath filter template to select events from the log using the graphical Event Viewer snap-in.
- Right-click on the required log name and select Filter Current Log;
- Configure filter parameters;
- Go to the XML tab. Copy the XPath query code that is generated for you;
- Paste the code into the $xmlQuery variable to run this query using PowerShell:
$xmlQuery = @'
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=1 or Level=2) and (EventID=2 or EventID=8194 or EventID=100 or EventID=264) and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]</Select>
  </Query>
</QueryList>
'@
Use the XML query to select events:
$Events = Get-WinEvent -FilterXml $xmlQuery
You can now export the events found to a CSV file:
$Events | Export-Csv "C:\Report\LastEvents.CSV" -NoTypeInformation -Encoding UTF8
You can get logs from a remote computer using the -ComputerName parameter. For example, the following PowerShell script can be used to search domain controllers for AD user account lockout events (Event ID 4740):
$DCs = "dc01", "dc02", "dc03"
foreach ($server in $DCs) {
    # Query the Security log of each domain controller for account lockout events
    Get-WinEvent -ComputerName $server -FilterHashtable @{LogName='Security'; ID=4740}
}
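As an added example that is not part of the original article, the following script builds on the lockout search above: it queries each domain controller for Event ID 4740 over the last 7 days, parses the locked account and the caller computer out of the event XML, and summarises lockouts per account. The DC names and the output path are assumptions.

```powershell
# Added example (not from the original article): collect account lockout events
# (Event ID 4740) from several domain controllers, parse the event data, and
# summarise lockouts per account. Hostnames and the output path are assumptions.
$DCs       = 'dc01', 'dc02', 'dc03'          # assumed domain controller names
$StartTime = (Get-Date).AddDays(-7)
$Filter    = @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    ID           = 4740
    StartTime    = $StartTime
}

$Lockouts = foreach ($dc in $DCs) {
    try {
        # -ErrorAction Stop turns "no events found" and RPC failures into catchable errors
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $Filter -ErrorAction Stop
    } catch {
        Write-Warning "${dc}: $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Event data is easiest to read from the event XML; element names are
        # those used by the 4740 event (TargetUserName, TargetDomainName).
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated    = $e.TimeCreated
            DC             = $dc
            Account        = $data['TargetUserName']
            CallerComputer = $data['TargetDomainName']   # 4740 stores the caller computer here
        }
    }
}

# Accounts with the most lockouts first, to spot password spraying or stale credentials
$Lockouts |
    Group-Object Account |
    Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'LastLockout'; e = { ($_.Group | Measure-Object TimeCreated -Maximum).Maximum } },
        @{ n = 'Callers';     e = { ($_.Group.CallerComputer | Sort-Object -Unique) -join ';' } } |
    Format-Table -AutoSize

# Keep the raw rows for the incident record (path is an assumption)
$Lockouts | Export-Csv 'C:\Report\Lockouts-4740.csv' -NoTypeInformation -Encoding UTF8
```

Querying the Security log remotely requires Event Log Readers membership (or equivalent rights) on each DC and the Remote Event Log Management firewall rule to be enabled.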