Windows Tip Sheet

Put Some Power in Your Event Logs

Using the GUI to scan your event logs can take some time. Find it faster with the Get-EventLog cmdlet.

Managing event logs using the standard GUI management tools is often cumbersome, especially when you're trying to find specific information in a large log file. Fortunately, PowerShell is a champ at working with event logs using the Get-Eventlog cmdlet. The cmdlet has more features than I have space to cover in such a short column, but let me show you how to use it to display a boot history for a given computer.


Typically when a computer system starts up, Event ID 6005 is recorded, indicating that the Event log service has started. By finding all instances of this event, you can get a pretty good idea when a server was started up. This isn’t a foolproof method, but I want to demonstrate something practical using the Get-Eventlog cmdlet.

Here's the expression and a sample of the output. Normally the expression would all be on one line; I've broken it up for formatting purposes (a trailing pipe lets PowerShell continue the command on the next line):

PS C:\> get-eventlog -logname system |
>> where {$_.eventid -eq 6005} |
>> select -property message,timegenerated

Message                            TimeGenerated
-------                            -------------
The Event log service was started. 11/17/2006 10:08:33 AM
The Event log service was started. 11/17/2006 8:11:03 AM
The Event log service was started. 11/15/2006 10:49:24 AM
The Event log service was started. 11/14/2006 1:49:55 PM
The Event log service was started. 11/10/2006 3:54:37 PM

The expression asks the Get-Eventlog cmdlet to get all records of the system event log. The output is then filtered by the Where-Object cmdlet so that it returns only records where the event ID is 6005. Finally, since I'm primarily interested in the time each record was written, I pipe the result through the Select-Object cmdlet to display only the message and time generated properties. The resulting table gives an approximate history of when this server was started. I'm sure you can think of many ways to enhance or modify this expression to pull out other information from the event logs using PowerShell. I'll be visiting this topic again in the future.
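As an added example that is not part of the column, here is the same idea wrapped in a reusable function. It goes a little beyond the one-liner above: besides 6005 (Event log service started) it also pulls 6006 (Event log service stopped, a clean shutdown) and 6008 (the previous shutdown was unexpected), so the output shows not just when a server came up but whether the shutdown before each boot was clean. The function name, the -ComputerName/-Newest/-After parameters and the Kind labels are my own assumptions; Get-EventLog itself is Windows PowerShell only.

```powershell
# Added example, not the column's own code. Assumes Windows PowerShell with
# read access to the System log (local or remote via -ComputerName).
function Get-BootHistory {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,  # assumption: local by default
        [int]$Newest = 500,                         # cap how far back we read
        [datetime]$After                            # optional lower bound
    )

    # Build the Get-EventLog arguments once; only add -After when supplied.
    $params = @{ LogName = 'System'; ComputerName = $ComputerName; Newest = $Newest }
    if ($PSBoundParameters.ContainsKey('After')) { $params['After'] = $After }

    # Event IDs of interest (constructed label set, not from the column):
    #   6005 - Event log service started   -> system came up
    #   6006 - Event log service stopped   -> clean shutdown
    #   6008 - previous shutdown unexpected -> crash, power loss, etc.
    $ids = 6005, 6006, 6008

    Get-EventLog @params |
        Where-Object { $ids -contains $_.EventID } |
        Sort-Object TimeGenerated |
        ForEach-Object {
            $kind = switch ($_.EventID) {
                6005 { 'Startup' }
                6006 { 'CleanShutdown' }
                6008 { 'UnexpectedShutdown' }
            }
            [pscustomobject]@{
                ComputerName  = $ComputerName
                TimeGenerated = $_.TimeGenerated
                EventID       = $_.EventID
                Kind          = $kind
                Message       = $_.Message
            }
        }
}

# Usage: last 30 days of boot/shutdown events on the local machine.
Get-BootHistory -After (Get-Date).AddDays(-30) | Format-Table -AutoSize
```

A 6008 immediately followed by a 6005 is the pattern to look for when checking whether a server rebooted on its own rather than being shut down by an administrator.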

About the Author

Jeffery Hicks is an IT veteran with over 25 years of experience, much of it spent as an IT infrastructure consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He is a multi-year recipient of the Microsoft MVP Award in Windows PowerShell. He works today as an independent author, trainer and consultant. Jeff has written for numerous online sites and print publications, is a contributing editor at, and a frequent speaker at technology conferences and user groups.
