Get-WinEvent

Get-WinEvent is the PowerShell cmdlet for reading Windows event logs: it returns the same events Event Viewer (the GUI app) shows, but filterable, faster and scriptable, which is what you want for triage, hunting and detection tuning.

It supersedes the older Get-EventLog cmdlet, which only reads the classic logs (Application, System, Security and other legacy logs) through the old Event Log API, cannot see the Applications and Services channels, and is no longer available in PowerShell 6 and later.

Get-WinEvent reads live channels of both kinds (classic logs and the modern Applications and Services / ETW channels such as Microsoft-Windows-PowerShell/Operational), and it also reads saved .evt, .evtx and .etl files.


Core parameters

-ListLog <pattern>

Lists the available event logs (their configuration, not their events) whose name matches the pattern. Example:

Get-WinEvent -ListLog *
  • Get-WinEvent: the cmdlet that queries Windows event logs.
  • -ListLog: list logs instead of retrieving events.
  • *: wildcard, meaning every log.

In plain English: show me every event log on this computer. Each result is an EventLogConfiguration object with properties such as LogName, RecordCount, IsEnabled, LogMode and MaximumSizeInBytes, so this is also the quickest way to check that a channel you depend on for detection is enabled and actually holds records. Some Analytic/Debug channels cannot be read without elevation and produce errors in the listing.
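Two ways -ListLog is used in practice, as an added example (not from the original page): first, find the logs that actually contain records; second, verify that a set of detection-relevant channels exists and is enabled. The channel names in the second part are assumed to be the ones you care about; substitute your own.

```powershell
# Added example: -ListLog returns EventLogConfiguration objects, not events.
# Channels the current account cannot read raise errors; suppress them so the listing completes.
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordCount -gt 0 } |
    Sort-Object RecordCount -Descending |
    Select-Object LogName, RecordCount, IsEnabled, LogMode, LastWriteTime -First 15 |
    Format-Table -AutoSize

# Health check for channels a detection engineer relies on (assumed list; adjust to your telemetry).
# A missing channel simply produces no output here; a present-but-disabled one shows IsEnabled = False.
$wanted = @(
    'Security',
    'Microsoft-Windows-PowerShell/Operational',
    'Microsoft-Windows-Sysmon/Operational',
    'Microsoft-Windows-TaskScheduler/Operational'
)
$wanted |
    ForEach-Object { Get-WinEvent -ListLog $_ -ErrorAction SilentlyContinue } |
    Select-Object LogName, IsEnabled, RecordCount,
        @{ n = 'MaxSizeMB'; e = { [math]::Round($_.MaximumSizeInBytes / 1MB) } } |
    Format-Table -AutoSize
```

Run the second part in an elevated prompt; a channel that is enabled but has a tiny MaximumSizeInBytes will roll over quickly, which is a finding in its own right.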


-LogName <logname>

Queries events from one log channel. Examples: Security, System, Application, Microsoft-Windows-PowerShell/Operational. Reading Security requires an elevated prompt (or membership in the Event Log Readers group). Without further filtering this returns every event in the channel, newest first, so combine it with -MaxEvents or a filter in practice.

Get-WinEvent -LogName Security

-FilterHashtable <hashtable>

Filters events in the Event Log service before they are handed to PowerShell, which is far faster than retrieving everything and piping it to Where-Object. Keys include:

  • LogName
  • Path (saved log files instead of a live channel)
  • ProviderName
  • Id (event ID; accepts an array)
  • Level, Keywords
  • StartTime / EndTime
  • Data (matches a value anywhere in the event's data fields)

Example:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}

This example shows only failed logon events (Event ID 4625 in the Security log). Note that when nothing matches, Get-WinEvent raises an error ("No events were found that match the specified selection criteria") rather than returning an empty result, so scripts should use -ErrorAction SilentlyContinue and test for an empty result.
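A worked triage of the 4625 query above, as an added example (not from the original page): restrict the query to the last 24 hours with StartTime/EndTime, pull the named fields (account, logon type, source address, failure sub-status) out of each event's XML, and group by source address so that password spraying (one source, many accounts) and brute force (one source, one account, many attempts) both stand out. The 24-hour window and the sub-status codes in the comments are the only assumptions.

```powershell
# Added example: failed-logon triage over a time window. Run elevated; the Security log is not
# readable by standard users.
$filter = @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-24)   # assumed window
    EndTime   = Get-Date
}

# Get-WinEvent raises an error, not an empty result, when nothing matches.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) { Write-Warning 'No 4625 events in the window'; return }

# Parse the EventData block by field name instead of relying on positional Properties[] indices,
# which differ between event IDs and Windows versions.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType = $data['LogonType']      # 3 = network, 10 = RDP, 2 = interactive
        Source    = $data['IpAddress']
        SubStatus = $data['SubStatus']      # 0xC000006A bad password, 0xC0000064 unknown user,
                                            # 0xC0000234 locked out, 0xC0000072 disabled
    }
}

# One source hitting many distinct accounts is the spraying signature; one source hammering
# one account is brute force. Sort by volume first, then read the DistinctAccounts column.
$rows | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Source'; e = { $_.Name } },
        @{ n = 'DistinctAccounts'; e = { @($_.Group.Account | Sort-Object -Unique).Count } },
        @{ n = 'UnknownUsers';     e = { @($_.Group | Where-Object SubStatus -eq '0xc0000064').Count } } |
    Format-Table -AutoSize
```

A high UnknownUsers count from a single source usually means a wordlist of usernames rather than a misconfigured service account, which changes the response.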


-FilterXPath <XPath query>

Filters events using XPath, the XML query language. The expression is evaluated against each event's XML, so it can match fields inside EventData (for example a specific LogonType) that the hashtable filter cannot express. Windows supports only a subset of XPath 1.0 here, but element tests, attribute tests and simple boolean operators all work.

Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4625]]"

-FilterXml <XML content>

Takes a complete XML query (a QueryList containing one or more Query elements, each with Select and optional Suppress elements). This is exactly the XML that Event Viewer shows on the XML tab of its filter dialog, so a complex query can be built in the GUI, copied out, stored in version control and reused across systems, and it can target several channels in a single pass.
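An added example (not from the original page) of the XML form: the same kind of QueryList that Event Viewer emits, selecting successful RDP logons (4624 with LogonType 10) and all failed logons (4625) from the last 24 hours in one query. The LogonType condition is the part a hashtable filter cannot express; the 24-hour window is an assumption.

```powershell
# Added example: a QueryList query passed to -FilterXml. Inside XML the '<' of '<=' must be
# written as '&lt;'. timediff(@SystemTime) is in milliseconds; 86400000 ms = 24 h (assumed window).
[xml]$query = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]
        and EventData[Data[@Name='LogonType']='10']]
    </Select>
    <Select Path="Security">
      *[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
  </Query>
</QueryList>
'@

# Properties[5] is TargetUserName in both 4624 and 4625; other positional indices differ
# between the two IDs, so parse by name (ToXml) if you need more fields.
Get-WinEvent -FilterXml $query -MaxEvents 200 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, MachineName,
        @{ n = 'Account'; e = { $_.Properties[5].Value } } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```

To reuse the query elsewhere, save the here-string to a file and load it with Get-WinEvent -FilterXml (Get-Content .\rdp-logons.xml -Raw); the same XML pastes straight into Event Viewer's XML tab for a visual check.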


-Path <filepath>

Reads saved log files (.evtx, .evt or .etl) instead of live logs, which is how exported logs from an incident or sample sets such as the one below are analysed. Several paths or a wildcard pattern can be given, and -Path combines with -FilterXPath or the Path key of -FilterHashtable. Classic .evt files and .etl trace files must be read with -Oldest.

Get-WinEvent -Path "C:\Tools\chainsaw\EVTX-ATTACK-SAMPLES\*.evtx"
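An added example (not from the original page) of offline triage over a directory of .evtx exports, using the sample path from the page: first an inventory of which providers and event IDs each file contains, then a hunt for process-creation events (4688) whose command line looks like an encoded or download cradle. The directory path and the command-line pattern are assumptions; the pattern is deliberately loose and will need tuning.

```powershell
# Added example: offline .evtx triage. Adjust $root to wherever the exports live (assumed path).
$root  = 'C:\Tools\chainsaw\EVTX-ATTACK-SAMPLES'
$files = @(Get-ChildItem -Path $root -Recurse -Filter *.evtx)
if ($files.Count -eq 0) { Write-Warning "No .evtx files under $root"; return }

# Pass 1: inventory. Files with zero matching events raise an error rather than returning nothing.
$inventory = foreach ($f in $files) {
    Get-WinEvent -Path $f.FullName -ErrorAction SilentlyContinue |
        Group-Object ProviderName, Id |
        ForEach-Object {
            [pscustomobject]@{ File = $f.Name; ProviderAndId = $_.Name; Count = $_.Count }
        }
}
$inventory | Sort-Object Count -Descending | Select-Object -First 20 | Format-Table -AutoSize

# Pass 2: 4688 process creation across every file. CommandLine is only populated when the
# source host had "Include command line in process creation events" enabled.
Get-WinEvent -Path $files.FullName -FilterXPath "*[System[EventID=4688]]" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Host        = $x.Event.System.Computer
            Parent      = $d['ParentProcessName']
            Process     = $d['NewProcessName']
            CommandLine = $d['CommandLine']
        }
    } |
    Where-Object { $_.CommandLine -match '-enc|-e |downloadstring|frombase64|iex' } |   # assumed pattern
    Sort-Object Time |
    Format-Table -AutoSize -Wrap
```

Keep the inventory pass: it tells you immediately whether the export set even contains the channel you are about to hunt in, which saves chasing an empty result.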

-ComputerName <hostname>

Queries logs on a remote computer. This uses the Event Log service's own RPC remoting (TCP 135 plus a dynamic port), not WinRM, so the remote Windows Event Log service must be reachable (the "Remote Event Log Management" firewall rule group) and the caller needs local administrator rights or Event Log Readers membership on the target; use -Credential to supply a different account. If only WinRM is open, run the same Get-WinEvent call inside Invoke-Command instead.

Get-WinEvent -ComputerName SERVER01 -LogName Security
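An added example (not from the original page) of the remote query in both forms: directly over RPC with -ComputerName and -Credential, and through WinRM with Invoke-Command when RPC is blocked. It pulls a week of account-management events (4720 user created, 4728/4732 member added to a group) from the Security log; the host name SERVER01 is the page's placeholder, and the event set and window are assumptions.

```powershell
# Added example: remote account-management events. Both branches need an account that is a local
# admin or Event Log Reader on the target.
$target = 'SERVER01'   # placeholder from the page
$cred   = Get-Credential -Message "Account with Event Log Readers or admin rights on $target"
$filter = @{
    LogName   = 'Security'
    Id        = 4720, 4728, 4732          # user created; member added to global / local group
    StartTime = (Get-Date).AddDays(-7)    # assumed window
}

# Properties[0] is TargetUserName for 4720 and MemberName for 4728/4732.
$select = @(
    'MachineName', 'TimeCreated', 'Id',
    @{ n = 'Account'; e = { $_.Properties[0].Value } }
)

# Form 1: Event Log RPC remoting (TCP 135 + dynamic port; "Remote Event Log Management" rule).
$events = Get-WinEvent -ComputerName $target -Credential $cred -FilterHashtable $filter -ErrorAction SilentlyContinue

# Form 2: fall back to WinRM when RPC is blocked. The filtering still happens on the remote host;
# only the (deserialized) results cross the wire.
if (-not $events) {
    $events = Invoke-Command -ComputerName $target -Credential $cred -ScriptBlock {
        param($f)
        Get-WinEvent -FilterHashtable $f -MaxEvents 500 -ErrorAction SilentlyContinue
    } -ArgumentList $filter
}

$events | Select-Object $select | Sort-Object TimeCreated | Format-Table -AutoSize
```

Objects returned through Invoke-Command are deserialized copies: Properties and TimeCreated survive, but methods such as ToXml() do not, so do any XML parsing inside the remote script block if you need named fields.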