Introduction
Windows Events can be extremely useful for debugging. Administrators often use events to diagnose problems in complex systems. However, Event Viewer is time-consuming and difficult to automate. Luckily, there is a simple way to fully automate the process.
The FilterXml Parameter
The FilterXml parameter allows you to use a simple XML document to filter events quickly. You can use the “Create Custom View” and “Filter Current Log” features in Event Viewer to create a valid XML query. The exact query schema can be found here: http://go.microsoft.com/fwlink/?LinkId=143685.
An Example
In Event Viewer, select a log, and then click “Filter Current Log”…
Select the items to filter and then click the XML tab.
Now you can use the XML query in Windows PowerShell.
PS C:\Windows\system32> $filterXml = '<QueryList>
<Query Id="0" Path="Windows PowerShell">
<Select Path="Windows PowerShell">*[System[(Level=4 or Level=0)]]</Select>
</Query>
</QueryList>'
PS C:\Windows\system32> Get-WinEvent -FilterXml $filterXml
TimeCreated ProviderName Id Message
----------- ------------ -- -------
4/14/2011 10:48:01 AM PowerShell 600 Provider “WSMan” is Starte…
4/14/2011 10:48:00 AM PowerShell 600 Provider “Variable” is Sta…
4/14/2011 10:48:00 AM PowerShell 600 Provider “Registry” is Sta…
4/14/2011 10:48:00 AM PowerShell 600 Provider “Function” is Sta…
4/14/2011 10:48:00 AM PowerShell 600 Provider “FileSystem” is S…
4/14/2011 10:48:00 AM PowerShell 600 Provider “Environment” is …
4/14/2011 10:48:00 AM PowerShell 600 Provider “Alias” is Starte…
4/14/2011 10:47:58 AM PowerShell 400 Engine state is changed fr…
This query retrieves the Windows PowerShell events that match the filter (Level 4 or Level 0). You can then pipe the results to downstream cmdlets for further processing.
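Building on the query above, here is an added example (not from the original post) that narrows the same filter to a time window and specific event Ids, then hands the results to downstream cmdlets. It assumes the local “Windows PowerShell” log exists; the event Ids 400, 403 and 600 and the 24-hour window are choices made for this example.

```powershell
# Added example: time-bounded FilterXml query against the "Windows PowerShell" log.
# timediff() in the event XPath compares milliseconds, so convert the window first.
$hours    = 24
$windowMs = $hours * 3600 * 1000

# Double-quoted here-string so $windowMs expands; "<=" must be written as &lt;= inside XML.
$filterXml = @"
<QueryList>
  <Query Id="0" Path="Windows PowerShell">
    <Select Path="Windows PowerShell">
      *[System[(Level=4 or Level=0)
               and (EventID=400 or EventID=403 or EventID=600)
               and TimeCreated[timediff(@SystemTime) &lt;= $windowMs]]]
    </Select>
  </Query>
</QueryList>
"@

# Get-WinEvent raises a non-terminating error (rather than returning nothing)
# when no event matches, so suppress it and treat an empty $events as "no hits".
$events = Get-WinEvent -FilterXml $filterXml -MaxEvents 500 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No matching events in the last $hours hours."
    return
}

# Downstream processing: a quick count per event Id for the console...
$events | Group-Object Id | Select-Object Name, Count | Format-Table -AutoSize

# ...and a flattened CSV (multi-line messages collapsed) for later review.
$csvPath = Join-Path $env:TEMP 'ps-engine-events.csv'
$events |
    Select-Object TimeCreated, Id, ProviderName,
                  @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ').Trim() } } |
    Export-Csv -Path $csvPath -NoTypeInformation
Write-Host "Wrote $($events.Count) events to $csvPath"
```

The same XML works unchanged with Get-WinEvent’s -ComputerName parameter, so the query can be reused against remote hosts once it has been tested locally.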
James Wei, SDE, MSFT