The Get-WinEvent cmdlet is a powerful tool in PowerShell used to retrieve event logs from Windows systems. Event logs are records of system, application, or security events, and they’re super useful for troubleshooting, monitoring, or auditing what’s happening on a machine.
Unlike the older Get-EventLog cmdlet, Get-WinEvent works with a wider range of logs, supports filtering with XML or hash tables, and can query remote machines.
The command below displays a maximum of 3 events. The -LogName parameter selects the event log to read, and -MaxEvents specifies the maximum number of events to return.
PS C:\PowerShell> Get-WinEvent -LogName "System" -MaxEvents 3

   ProviderName: Microsoft-Windows-WindowsUpdateClient

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
04-03-2025 14:46:30             19 Information      Installation Successful: Windows successfully installe...
04-03-2025 14:46:27             43 Information      Installation Started: Windows has started installing t...

   ProviderName: Microsoft-Windows-Kernel-General

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
04-03-2025 14:46:23             16 Information      The access history in hive \??\C:\ProgramData\Microsof...
Observe that by default, events are returned in newest-first order. To change this, use the -Oldest parameter, which returns events in oldest-first order. For example, the command below displays the oldest 3 events from the Application log:
PS C:\PowerShell> Get-WinEvent -LogName "Application" -MaxEvents 3 -Oldest
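The introduction mentions hash-table filtering and auditing. As an added example (not part of the original article), the script below uses -FilterHashtable to pull failed-logon events (event ID 4625) from the Security log and counts them per account and source address. It assumes an elevated PowerShell session; the 24-hour window and the 1000-event cap are arbitrary choices.

```powershell
# Added example: summarize failed logons (event ID 4625) from the last 24 hours.
# Reading the Security log requires an elevated PowerShell session.
$filter = @{
    LogName   = 'Security'
    Id        = 4625                       # "An account failed to log on"
    StartTime = (Get-Date).AddHours(-24)   # assumed time window
}

# -FilterHashtable is evaluated by the event log service, so only matching
# events are returned to PowerShell. -ErrorAction SilentlyContinue hides the
# error raised when nothing matches (and other non-terminating errors, so
# remove it when troubleshooting access problems).
$found = Get-WinEvent -FilterHashtable $filter -MaxEvents 1000 -ErrorAction SilentlyContinue

$failures = @(foreach ($record in $found) {
    # Read fields by name from the event XML rather than by position
    # in $record.Properties.
    $data = @{}
    foreach ($d in ([xml]$record.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        TimeCreated = $record.TimeCreated
        Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType   = $data['LogonType']
        SourceIp    = $data['IpAddress']
    }
})

# Account/source pairs with the most failures first.
$failures |
    Group-Object Account, SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 |
    Format-Table -AutoSize
```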
[..] David