{"id":7431,"date":"2015-03-07T00:01:00","date_gmt":"2015-03-07T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2015\/03\/07\/weekend-scripter-avoid-powershell-scriptinguse-gui-tools\/"},"modified":"2019-02-18T10:30:22","modified_gmt":"2019-02-18T17:30:22","slug":"weekend-scripter-avoid-powershell-scriptinguse-gui-tools","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/weekend-scripter-avoid-powershell-scriptinguse-gui-tools\/","title":{"rendered":"Weekend Scripter: Avoid PowerShell Scripting—Use GUI Tools"},"content":{"rendered":"

Summary<\/b>: Microsoft Scripting Guy, Ed Wilson, talks about exporting queries from the event log tool.<\/span><\/p>\n

Microsoft Scripting Guy, Ed Wilson, is here. It has long been a truism (at least with things related to computers): powerful is opposite of simple. I can have a tool that is powerful, but with that power comes complexity. When that complexity is so complex as to render the tool ridiculously hard to use, the tool rapidly becomes useless.<\/p>\n

What is awesome is when a tool is extremely powerful and also very easy to use. Of course, this usually means that the tool makes lots of default choices for me. If those default choices are intelligent, I really don’t care. Microsoft Word is sort of like that. I mean, the default document template makes tons of choices. Usually, I do not care about the exact spacing between paragraphs, the default Tab stop, column width, or page length. Usually…<\/p>\n

Of course, when I have to modify those things, I know I am probably going to have to set aside all day.<\/p>\n

The Windows PowerShell cmdlet Get-WinEvent<\/b> is often perceived to be such a tool. It is way powerful—but it is also more complicated to use, than for example, the Get-EventLog<\/b> cmdlet. The problem with Get-EventLog<\/b> is that it only works for legacy event logs. For all the newer (new as in Windows Vista era—so not really all that new at all) types of logs, I need to use Get-WinEvent<\/b>. Because Get-WinEvent<\/b> also works with legacy event logs, I have completely quit using the Get-EventLog<\/b> cmdlet. This forces me to learn how to use the Get-WinEvent<\/b> cmdlet.<\/p>\n

One problem with the Get-WinEvent<\/b> cmdlet, is at first glance, it is hard to figure out how to filter the results. It is a truism, that for performance sake, I filter to the left of the pipeline character. So this means that I do not use Get-WinEvent<\/b> to return everything and then pipe it to the Where-Object<\/b>.<\/p>\n

This is especially true with some logs that return thousands of records. But how do I filter, for example, on an Event ID? Here is the syntax that shows the various parameter sets (ways of using the cmdlet):<\/p>\n

PS C:\\> Get-Command Get-WinEvent -Syntax<\/p>\n

 <\/p>\n

Get-WinEvent [[-LogName] <string[]>] [-MaxEvents <long>] [-ComputerName <string>] [-Credential<\/p>\n

<pscredential>] [-FilterXPath <string>] [-Force] [-Oldest] [<CommonParameters>]<\/p>\n

 <\/p>\n

Get-WinEvent [-ListLog] <string[]> [-ComputerName <string>] [-Credential <pscredential>] [-Force]<\/p>\n

[<CommonParameters>]<\/p>\n

 <\/p>\n

Get-WinEvent [-ListProvider] <string[]> [-ComputerName <string>] [-Credential <pscredential>]<\/p>\n

[<CommonParameters>]<\/p>\n

 <\/p>\n

Get-WinEvent [-ProviderName] <string[]> [-MaxEvents <long>] [-ComputerName <string>] [-Credential<\/p>\n

<pscredential>] [-FilterXPath <string>] [-Force] [-Oldest] [<CommonParameters>]<\/p>\n

 <\/p>\n

Get-WinEvent [-Path] <string[]> [-MaxEvents <long>] [-Credential <pscredential>] [-FilterXPath<\/p>\n

<string>] [-Oldest] [<CommonParameters>]<\/p>\n

 <\/p>\n

Get-WinEvent [-FilterXml] <xml> [-MaxEvents <long>] [-ComputerName <string>] [-Credential<\/p>\n

<pscredential>] [-Oldest] [<CommonParameters>]<\/p>\n

 <\/p>\n

Get-WinEvent [-FilterHashtable] <hashtable[]> [-MaxEvents <long>] [-ComputerName <string>]<\/p>\n

[-Credential <pscredential>] [-Force] [-Oldest] [<CommonParameters>]<\/p>\n

From this, there are basically three ways of filtering:<\/p>\n