Using Get-WinEvent -FilterXml to process Windows Events

Introduction

Windows Events can be extremely useful for debugging. Administrators often use events to diagnose problems in complex systems. However, Event Viewer is time-consuming and difficult to automate. Luckily, there is a simple way to fully automate the process.

The FilterXml Parameter

The FilterXml parameter allows you to use a simple XML document to filter events quickly. You can use the “Create Custom View” and “Filter Current Log” features in Event Viewer to generate a valid XML query rather than writing it by hand. The exact query schema can be found here: http://go.microsoft.com/fwlink/?LinkId=143685.

An Example

In Event Viewer, select a log, and then click “Filter Current Log”…

Select the items to filter and then click the XML tab.

Now you can use the XML query in Windows PowerShell.

PS C:\Windows\system32> $filterXml = '<QueryList>
  <Query Id="0" Path="Windows PowerShell">
    <Select Path="Windows PowerShell">*[System[(Level=4 or Level=0)]]</Select>
  </Query>
</QueryList>'

PS C:\Windows\system32> Get-WinEvent -FilterXml $filterXml

TimeCreated                   ProviderName                                             Id Message
-----------                   ------------                                             -- -------
4/14/2011 10:48:01 AM         PowerShell                                              600 Provider "WSMan" is Starte...
4/14/2011 10:48:00 AM         PowerShell                                              600 Provider "Variable" is Sta...
4/14/2011 10:48:00 AM         PowerShell                                              600 Provider "Registry" is Sta...
4/14/2011 10:48:00 AM         PowerShell                                              600 Provider "Function" is Sta...
4/14/2011 10:48:00 AM         PowerShell                                              600 Provider "FileSystem" is S...
4/14/2011 10:48:00 AM         PowerShell                                              600 Provider "Environment" is ...
4/14/2011 10:48:00 AM         PowerShell                                              600 Provider "Alias" is Starte...
4/14/2011 10:47:58 AM         PowerShell                                              400 Engine state is changed fr...

This query retrieves the events in the Windows PowerShell log whose Level is 4 or 0 (Level 4 is Informational; Level 0 matches events with no level set). You can then pipe the results to downstream cmdlets for further processing.
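As an added example (my own code, not from the original post), the function below wraps the same FilterXml technique: it scopes the Windows PowerShell log query to a time window and a set of event IDs, handles the case where nothing matches, and groups the results downstream. The function name, its parameters and the inclusion of event ID 403 (engine stopped) are my assumptions, not part of the page.

```powershell
# Added example (not from the original post): build a FilterXml query with a
# time window and an event-ID list, run it, and summarise the matches per ID.
function Get-RecentPowerShellEvents {
    param(
        # Look back this many hours; the XPath timediff() value is in milliseconds.
        [int]$Hours = 24,
        # Event IDs to keep: 400/403 are engine start/stop, 600 is provider start
        # (403 is an assumption added here; 400 and 600 appear in the post's output).
        [int[]]$Id = @(400, 403, 600)
    )

    $ms = $Hours * 3600 * 1000
    # Build the EventID clause the way the Event Viewer XML tab does:
    # (EventID=400 or EventID=403 or EventID=600)
    $idClause = ($Id | ForEach-Object { "EventID=$_" }) -join ' or '

    # A here-string keeps the XML readable. Straight quotes are required; curly
    # quotes pasted from a web page will not parse. "<" must be escaped as &lt;
    # inside the XML, exactly as Event Viewer generates it.
    $filterXml = @"
<QueryList>
  <Query Id="0" Path="Windows PowerShell">
    <Select Path="Windows PowerShell">
      *[System[($idClause) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]
    </Select>
  </Query>
</QueryList>
"@

    # Get-WinEvent emits a non-terminating "No events were found" error when
    # nothing matches; treat that as an empty result rather than a failure.
    $events = Get-WinEvent -FilterXml $filterXml -ErrorAction SilentlyContinue
    if (-not $events) { return @() }

    # Downstream processing: one summary row per event ID with the newest timestamp.
    $events | Group-Object -Property Id | ForEach-Object {
        $newest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            Id      = [int]$_.Name
            Count   = $_.Count
            Latest  = $newest.TimeCreated
            Message = ($newest.Message -split "`n")[0]
        }
    } | Sort-Object Id
}

# Usage: summarise the last 24 hours of engine and provider events.
Get-RecentPowerShellEvents -Hours 24 | Format-Table -AutoSize
```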

James Wei
SDE
MSFT