{"id":2671,"date":"2011-04-14T11:17:00","date_gmt":"2011-04-14T11:17:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/powershell\/2011\/04\/14\/using-get-winevent-filterxml-to-process-windows-events\/"},"modified":"2024-02-28T12:10:06","modified_gmt":"2024-02-28T20:10:06","slug":"using-get-winevent-filterxml-to-process-windows-events","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/powershell\/using-get-winevent-filterxml-to-process-windows-events\/","title":{"rendered":"Using Get-WinEvent \u2013FilterXml to process Windows Events"},"content":{"rendered":"

Introduction<\/span><\/span><\/b><\/p>\n

Windows Events can be extremely useful\u00a0for debugging. Administrators often use events to diagnose problems in complex systems. However, Event Viewer is time-consuming and difficult to automate. Luckily, there is a simple way to fully automate the process. <\/span><\/span><\/p>\n

The FilterXml Parameter<\/span><\/span><\/b><\/p>\n

The FilterXml parameter allows you\u00a0use a simple XML document to filter events quickly. You can use the “Create Custom View” and “Filter Current Log” features in Event Viewer to create a valid XML query. The exact query schema can be found here: <\/span>http:\/\/go.microsoft.com\/fwlink\/?LinkId=143685<\/span><\/a>.<\/span><\/span><\/p>\n

An Example<\/span><\/span><\/b><\/p>\n

\n

\n

In Event Viewer, select a log, and then click\u00a0“Filter Current Log”…<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/p>\n

\"Image<\/a><\/span><\/span><\/p>\n

Select the items to filter and then click the XML tab.<\/span><\/span><\/span><\/p>\n

\"Image<\/a><\/span><\/span><\/p>\n

Now you can use the XML query in Windows PowerShell.<\/span><\/span><\/span><\/p>\n

PS C:\\Windows\\system32> $filterXml = ‘<QueryList><\/span><\/span><\/span><\/span><\/p>\n

\u00a0 <Query Id=”0″ Path=”Windows PowerShell”><\/span><\/span><\/span><\/span><\/p>\n

\u00a0\u00a0\u00a0 <Select Path=”Windows PowerShell”>*[System[(Level=4 or Level=0)]]<\/Select><\/span><\/span><\/span><\/span><\/p>\n

\u00a0 <\/Query><\/span><\/span><\/span><\/span><\/p>\n

<\/QueryList>\u2019<\/span><\/span><\/span><\/span><\/p>\n

PS C:\\Windows\\system32> Get-WinEvent \u2013FilterXml $filterXml<\/span><\/span><\/span><\/p>\n

TimeCreated\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ProviderName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Id Message<\/span><\/span><\/span><\/p>\n

———–\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ————\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 — ——-<\/span><\/span><\/span><\/p>\n

4\/14\/2011 10:48:01 AM\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 PowerShell\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0600 Provider “WSMan” is Starte…<\/span><\/span><\/span><\/p>\n

4\/14\/2011 10:48:00 AM\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 PowerShell\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 600 Provider “Variable” is Sta…<\/span><\/span><\/span><\/p>\n

4\/14\/2011 10:48:00 AM\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 PowerShell\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0600 Provider “Registry” is Sta…<\/span><\/span><\/span><\/p>\n

4\/14\/2011 10:48:00 AM\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 PowerShell\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 600 Provider “Function” is Sta…<\/span><\/span><\/span><\/p>\n

4\/14\/2011 10:48:00 AM\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 PowerShell\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0600 Provider “FileSystem” is S…<\/span><\/span><\/span><\/p>\n

4\/14\/2011 10:48:00 AM\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 PowerShell\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 600 Provider “Environment” is …<\/span><\/span><\/span><\/p>\n

4\/14\/2011 10:48:00 AM\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 PowerShell\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 600 Provider “Alias” is Starte…<\/span><\/span><\/span><\/p>\n

4\/14\/2011 10:47:58 AM\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 PowerShell\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 400 Engine state is changed fr…<\/span><\/span><\/span><\/p>\n

This query retrieves all Windows PowerShell events. You can then pipe the results to downstream cmdlets for further processing.<\/span><\/span><\/p>\n

\n

James Wei\nSDE\nMSFT<\/span><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

Introduction Windows Events can be extremely useful\u00a0for debugging. Administrators often use events to diagnose problems in complex systems. However, Event Viewer is time-consuming and difficult to automate. Luckily, there is a simple way to fully automate the process. The FilterXml Parameter The FilterXml parameter allows you\u00a0use a simple XML document to filter events quickly. You […]<\/p>\n","protected":false},"author":600,"featured_media":13641,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2671","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-powershell"],"acf":[],"blog_post_summary":"

Introduction Windows Events can be extremely useful\u00a0for debugging. Administrators often use events to diagnose problems in complex systems. However, Event Viewer is time-consuming and difficult to automate. Luckily, there is a simple way to fully automate the process. The FilterXml Parameter The FilterXml parameter allows you\u00a0use a simple XML document to filter events quickly. You […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts\/2671","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/users\/600"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/comments?post=2671"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts\/2671\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/media\/13641"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/media?parent=2671"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/categories?post=2671"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/tags?post=2671"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}