Event Log Queries
Windows Event Logs record system, security, and application activity. They’re the first place to look when diagnosing errors, investigating security incidents, or auditing changes. Get-WinEvent is the modern cmdlet for querying them — it’s faster than the older Get-EventLog and supports more filtering options.
List Available Event Logs
Windows has hundreds of event logs, many of them application-specific. This lists all of them sorted by record count so the most active logs appear first.
```powershell
Get-WinEvent -ListLog * | Select-Object LogName, RecordCount, IsEnabled | Sort-Object RecordCount -Descending | Format-Table -AutoSize
```

Query a Specific Log
Retrieves the most recent entries from a log. The three main built-in logs are System, Application, and Security.
```powershell
Get-WinEvent -LogName "System" -MaxEvents 50 | Format-List
```

Filter by Event ID
Every event type has a unique ID. Filtering by ID is the most targeted way to find specific events. XPath filtering happens server-side, making it much faster than piping to Where-Object.
```powershell
Get-WinEvent -LogName "Security" -FilterXPath "*[System[EventID=4624]]" -MaxEvents 20
```

Common event IDs to know:
| Event ID | Description |
|---|---|
| 4624 | Successful logon |
| 4625 | Failed logon |
| 4648 | Logon with explicit credentials |
| 4720 | User account created |
| 4740 | User account locked out |
| 7036 | Service started or stopped |
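As an added example (not part of the original page), the snippet below combines the ID filter with a 24-hour window via -FilterHashtable and summarises failed logons (4625) by account and source address, which is the usual first step when checking for password spraying or brute-force activity. It assumes you run it from an elevated prompt (the Security log requires administrator rights) and that logon failure auditing is enabled; the field names come from the 4625 event's EventData.

```powershell
# Added example: summarise failed logons (Event ID 4625) from the last 24 hours
# by target account and source address. Run elevated; Security log needs admin rights.
$since = (Get-Date).AddHours(-24)

$failed = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue   # "No events were found" is a non-terminating error

# Each event's details live in its XML EventData; pull out the fields we care about.
$rows = foreach ($evt in $failed) {
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $evt.TimeCreated
        Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        Source    = $data['IpAddress']
        LogonType = $data['LogonType']      # 3 = network, 10 = RDP, 2 = interactive
        Status    = $data['Status']         # 0xC000006D = logon failure
        SubStatus = $data['SubStatus']      # 0xC000006A = wrong password, 0xC0000064 = no such user
    }
}

# Group by account and source. One source hitting many accounts suggests spraying;
# many failures against a single account suggests brute force. Compare with 4740
# (lockout) events over the same window to see which attempts tripped the policy.
$rows |
    Group-Object Account, Source |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Account'; e = { $_.Group[0].Account } },
        @{ n = 'Source';  e = { $_.Group[0].Source } },
        @{ n = 'First';   e = { ($_.Group | Sort-Object Time)[0].Time } },
        @{ n = 'Last';    e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize
```

Because the ID and time filters are applied by the event log service rather than in the pipeline, the expensive part (parsing XML) only runs on the events that actually match.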
Filter by Time Range
-FilterHashtable is the recommended way to combine multiple filters. Filtering by time at the query level is significantly faster than retrieving all events and filtering afterwards.
```powershell
$start = (Get-Date).AddHours(-24)
$end = Get-Date
Get-WinEvent -FilterHashtable @{
    LogName   = "System"
    StartTime = $start
    EndTime   = $end
} | Format-Table TimeCreated, Id, Message -AutoSize
```

Filter by Level
Log levels let you focus on severity. Filtering for errors or critical events cuts through the noise of informational entries.
```powershell
# Levels: 1=Critical, 2=Error, 3=Warning, 4=Information
Get-WinEvent -FilterHashtable @{
    LogName = "Application"
    Level   = 2 # Error
} -MaxEvents 50 | Format-Table TimeCreated, ProviderName, Message -AutoSize
```

Search Event Message Text
When you don’t know the exact event ID but know what the message contains, filter on the Message property. Note that this loads events into memory first, so combine it with a time or ID filter where possible to keep it fast.
```powershell
Get-WinEvent -LogName "System" |
    Where-Object { $_.Message -like "*disk*" } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize
```

Export Events to CSV
Useful for sharing with others or importing into Excel for further analysis.
```powershell
Get-WinEvent -LogName "Security" -MaxEvents 500 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Export-Csv -Path "C:\Reports\SecurityEvents.csv" -NoTypeInformation
```

Clear an Event Log
Removes all entries from a log. Typically done after exporting, or as part of routine maintenance.
```powershell
Clear-EventLog -LogName "Application"
```

> [!WARNING]
> Clearing event logs is irreversible. Ensure logs are exported or forwarded to a SIEM before clearing.