CodeSteps


PowerShell – Get-WinEvent cmdlet – To get Windows Event Log details

The Get-WinEvent cmdlet is a powerful tool in PowerShell used to retrieve event logs from Windows systems. Event logs are records of system, application, or security events, and they’re super useful for troubleshooting, monitoring, or auditing what’s happening on a machine.

Unlike the older Get-EventLog cmdlet, Get-WinEvent works with a wider range of logs, supports filtering with XML or hash tables, and can query remote machines.

The command below displays at most 3 events from the System log. -LogName selects the event log to read, and -MaxEvents limits the number of events returned.

PS C:\PowerShell> Get-WinEvent -LogName "System" -MaxEvents 3
   ProviderName: Microsoft-Windows-WindowsUpdateClient

TimeCreated                      Id LevelDisplayName Message
-----------                      -- ---------------- -------
04-03-2025 14:46:30              19 Information      Installation Successful: Windows successfully installe...
04-03-2025 14:46:27              43 Information      Installation Started: Windows has started installing t...

   ProviderName: Microsoft-Windows-Kernel-General

TimeCreated                      Id LevelDisplayName Message
-----------                      -- ---------------- -------
04-03-2025 14:46:23              16 Information      The access history in hive \??\C:\ProgramData\Microsof...

Observe that by default, events are returned in newest-first order. To change this, use the -Oldest parameter, which returns events in oldest-first order. For example, the command below displays the oldest 3 events from the Application log:

PS C:\PowerShell> Get-WinEvent -LogName "Application" -MaxEvents 3 -Oldest

Get-WinEvent supports more advanced filtering via the -FilterHashtable parameter, which is especially useful when querying large event logs: the filter is applied by the event log service while the log is read, instead of every event being passed down the pipeline and filtered afterwards (for example with Where-Object), so it is considerably faster.

For example, the below command will display the Error events from the System log.

PS C:\PowerShell> Get-WinEvent -FilterHashtable @{LogName="System"; Level=2}
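As an added example (not code from the original post), the function below combines several hashtable keys (LogName, Level, StartTime) to pull Critical and Error events from the System log for a given time window, and shows the slower pipeline-filtered form it replaces. The function name and its parameters are assumptions for this example.

```powershell
# Added example, not from the original post.
# Hashtable keys LogName, Level and StartTime are standard Get-WinEvent filter keys;
# Level accepts a list, so 1 (Critical) and 2 (Error) can be requested together.
function Get-RecentSystemErrors {
    param(
        [int]$Hours     = 24,   # how far back to look
        [int]$MaxEvents = 20    # upper bound on returned events
    )

    $filter = @{
        LogName   = 'System'
        Level     = 1, 2                        # 1 = Critical, 2 = Error
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # -ErrorAction SilentlyContinue suppresses the "No events were found" error
    # Get-WinEvent raises when nothing matches the filter.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, Message
}

# Equivalent but slower: every System event is read into PowerShell first and
# filtered afterwards in the pipeline.
# Get-WinEvent -LogName System |
#     Where-Object { $_.Level -le 2 -and $_.TimeCreated -gt (Get-Date).AddHours(-24) } |
#     Select-Object -First 20

Get-RecentSystemErrors -Hours 24 -MaxEvents 20
```

The -ErrorAction setting matters when the function runs unattended (for instance in a scheduled health check): an empty result is not an error condition, and without it Get-WinEvent writes a non-terminating error to the error stream.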

Another way of filtering events is the -FilterXml parameter. It takes a structured XML query (the same format Event Viewer uses for custom views) that selects events from one or more event logs.

Using the command below, we can display the Error events from the Application log.

PS C:\PowerShell> $xmlQuery='<QueryList>
<Query Id="0" Path="Application">
<Select Path="Application">*[System[(Level=2)]]</Select>
</Query>
</QueryList>'

PS C:\PowerShell> Get-WinEvent -FilterXml $xmlQuery
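The XPath inside the Select element can do more than match a level. As an added example (not code from the original post), the function below builds an XML query that selects failed logon events (Security event ID 4625) from the last N minutes using the timediff() function the event log service evaluates, reads the event fields by name from each event's XML rather than by position, and summarises how many failures each source address produced. The function name, its parameters and the use of -ComputerName to query another machine (a parameter Get-WinEvent provides) are assumptions for this example; reading the Security log requires an elevated session.

```powershell
# Added example, not from the original post.
# Selects Security event 4625 (failed logon) within the last $Minutes and
# groups the results by the source address reported in the event.
function Get-RecentFailedLogons {
    param(
        [int]$Minutes = 60,
        [string]$ComputerName = $env:COMPUTERNAME   # local machine by default
    )

    # timediff(@SystemTime) is evaluated by the event log service in milliseconds.
    $ms = $Minutes * 60 * 1000

    # Inside XML text the comparison operator must be written as &lt;=
    $xmlQuery = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]
    </Select>
  </Query>
</QueryList>
"@

    $events = Get-WinEvent -FilterXml $xmlQuery -ComputerName $ComputerName -ErrorAction SilentlyContinue

    $rows = foreach ($ev in $events) {
        # Parse the event's own XML and read EventData fields by name, which is
        # more robust than relying on the order of $ev.Properties.
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated = $ev.TimeCreated
            User        = $data['TargetUserName']
            Source      = $data['IpAddress']
            LogonType   = $data['LogonType']
        }
    }

    # Summary per source address: many failures from one source in a short
    # window is the kind of pattern worth looking at during triage.
    $rows | Group-Object Source |
        Select-Object @{n='Source'; e={$_.Name}}, Count,
                      @{n='Users'; e={($_.Group.User | Sort-Object -Unique) -join ', '}} |
        Sort-Object Count -Descending
}

Get-RecentFailedLogons -Minutes 60
```

Because the time window and event ID are evaluated inside the query, only the matching events leave the event log service; the same selection done with Where-Object on a busy Security log would read every record first.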

[..] David
