Using Get-WinEvent -FilterXml to process Windows Events

PowerShell Team

Introduction

Windows Events can be extremely useful for debugging. Administrators often use events to diagnose problems in complex systems. However, Event Viewer is time-consuming and difficult to automate. Luckily, there is a simple way to fully automate the process.

The FilterXml Parameter

The FilterXml parameter allows you to use a simple XML document to filter events quickly. You can use the "Create Custom View" and "Filter Current Log" features in Event Viewer to create a valid XML query. The exact query schema can be found here: http://go.microsoft.com/fwlink/?LinkId=143685.

An Example

In Event Viewer, select a log, and then click "Filter Current Log".

[Image: Event Viewer, "Filter Current Log" dialog]

Select the items to filter and then click the XML tab.

[Image: Filter Current Log dialog, XML tab]

Now you can use the XML query in Windows PowerShell.

PS C:\Windows\system32> $filterXml = '<QueryList>
  <Query Id="0" Path="Windows PowerShell">
    <Select Path="Windows PowerShell">*[System[(Level=4 or Level=0)]]</Select>
  </Query>
</QueryList>'

PS C:\Windows\system32> Get-WinEvent -FilterXml $filterXml

TimeCreated                   ProviderName                                             Id Message
-----------                   ------------                                             -- -------
4/14/2011 10:48:01 AM         PowerShell                                              600 Provider "WSMan" is Starte...
4/14/2011 10:48:00 AM         PowerShell                                              600 Provider "Variable" is Sta...
4/14/2011 10:48:00 AM         PowerShell                                              600 Provider "Registry" is Sta...
4/14/2011 10:48:00 AM         PowerShell                                              600 Provider "Function" is Sta...
4/14/2011 10:48:00 AM         PowerShell                                              600 Provider "FileSystem" is S...
4/14/2011 10:48:00 AM         PowerShell                                              600 Provider "Environment" is ...
4/14/2011 10:48:00 AM         PowerShell                                              600 Provider "Alias" is Starte...
4/14/2011 10:47:58 AM         PowerShell                                              400 Engine state is changed fr...

This query retrieves the events in the Windows PowerShell log that match the filter (here, Level 4 or Level 0). You can then pipe the results to downstream cmdlets for further processing.
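The following script is an added example, not code from the original post. It shows the FilterXml approach described above carried one step further: the query is built in a here-string, it adds a time window so a script run does not re-read the whole log, it handles the case where nothing matches (Get-WinEvent reports that as an error rather than returning an empty set), and it pipes the results downstream, summarising by event Id and parsing each event's XML to reach the EventData fields that the Message column truncates. The log name, the 24-hour window, the Id 400/600 events and the CSV path are assumptions chosen for illustration.

```powershell
# Added example, not part of the original post. Assumes the "Windows PowerShell"
# log exists and the caller can read it; the window and export path are
# illustrative choices.

# Level 4 (Information) or Level 0 (LogAlways) events from the last 24 hours.
# timediff() compares against the current time in milliseconds; the "<=" must be
# XML-escaped as &lt;= inside the query.
$filterXml = @'
<QueryList>
  <Query Id="0" Path="Windows PowerShell">
    <Select Path="Windows PowerShell">
      *[System[(Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
  </Query>
</QueryList>
'@

# With -ErrorAction Stop the "no events" condition becomes a catchable
# terminating error. Other failures (log missing, access denied) are rethrown
# so they are not silently mistaken for "nothing happened".
try {
    $events = @(Get-WinEvent -FilterXml $filterXml -ErrorAction Stop)
} catch {
    if ($_.Exception.Message -like 'No events were found*') {
        $events = @()
    } else {
        throw
    }
}

Write-Host ("Matched {0} event(s)" -f $events.Count)

# Downstream processing 1: count per event Id so the activity profile of the
# window is visible at a glance (e.g. 400 = engine start, 600 = provider start).
$events |
    Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    Select-Object @{Name = 'Id'; Expression = { [int]$_.Name }}, Count |
    Format-Table -AutoSize

# Downstream processing 2: parse each event's XML. The <EventData> children
# carry the provider-specific fields that the Message column cuts off at the
# console width.
$parsed = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $fields = foreach ($d in $xml.Event.EventData.Data) {
        # Data elements without a Name attribute surface as plain strings;
        # named ones surface as XmlElement objects whose text is in '#text'.
        if ($d -is [string]) { $d } else { $d.'#text' }
    }
    [pscustomobject]@{
        TimeCreated  = $e.TimeCreated
        Id           = $e.Id
        ProviderName = $e.ProviderName
        Data         = (($fields | Where-Object { $_ }) -join ' | ')
    }
}

# Hand the flattened records to whatever comes next (a SIEM feed, a report, a
# diff against yesterday's run). The path is an assumption.
$parsed | Export-Csv -Path 'C:\Temp\powershell-events.csv' -NoTypeInformation
```

Two points worth noting when reusing this pattern: the message-text check in the catch block is locale dependent, so on a non-English system compare against the localized message or fall back to `-ErrorAction SilentlyContinue` together with an explicit check that the log exists; and an XPath query of this form can be pasted straight back into Event Viewer's XML tab to confirm it selects what you expect before scheduling the script.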

James Wei SDE MSFT
