Using Powershell to Access Event-Log Details

  • Question

  • Morning! I have been searching across the web for an answer but have yet to find one that solves my question. Is it possible to use Powershell (or some other means) to check a certain value in an Event Log's details? Obviously, this can be done manually by going through Event Viewer, but in this scenario, I won't have the ability to.

    Specifically, EventID:12. I want to check to see whether BootMode's value is a 0 or a 1. In total, I was hoping there would be some sort of script I could write to check the value of BootMode under every EventID:12 as they come in. Kind of an odd question -- I know. I'd appreciate any assistance or resources given. Thank you.

    • Moved by Bill_Stewart Monday, September 11, 2017 2:04 PM Abandoned
    Friday, June 30, 2017 2:41 PM

All replies

  • You can certainly use the Get-WinEvent cmdlet to query the System EventLog although I can't advise on your specific requirement to get the BootMode from Event ID 12.

    Something like this might help you get started:

    Get-WinEvent -LogName System | Where {$_.ID -Eq "12"}

    • Edited by Dai Webb Friday, June 30, 2017 2:57 PM
    Friday, June 30, 2017 2:55 PM
  • Give this a try; you might need to change it around to suit your circumstances and the exact event and log you want to check. The command below checks the application log for anything with an ID of 12 where the message contains the phrase "BootMode: 0".

    You could also use the "-newest" parameter to search fewer results.

    Get-EventLog application -InstanceId 12 | ?{$_.message -like "*BootMode: 0*"}

    If you find that my post has answered your question, please mark it as the answer. If you find my post to be helpful in any way, please click vote as helpful.

    Friday, June 30, 2017 2:57 PM
  • Thank you, I'll try this out. It's nearing Friday's end so I'll have time over the weekend to read up on the Get-WinEvent to then try it out Monday.
    Friday, June 30, 2017 3:07 PM
  • Save time and space.  Use Get-WinEvent correctly:

    Get-WinEvent -FilterHashtable @{Logname='Application';ID=12}

    help Get-WinEvent -Full

    You can also use "FilterXML" to query for exact values in the data.  Again, start with help then search for examples and blogs on how to use FilterXML.


    Friday, June 30, 2017 8:37 PM
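
The FilterXML approach mentioned in the last reply, as an added example that is not code from any poster in this thread: it reads BootMode from the event's XML instead of matching on message text. Assumptions: the ID 12 events of interest are in the System log and carry a named `BootMode` data field; `Get-BootModeFromXml` and the sample event are constructed for illustration.

```powershell
# Pull the BootMode value out of one event's XML (the output of $event.ToXml()).
function Get-BootModeFromXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $doc  = [xml]$EventXml
    $node = $doc.Event.EventData.Data | Where-Object { $_.Name -eq 'BootMode' }
    if ($null -eq $node) { return $null }   # this ID 12 event has no BootMode field
    [int]$node.'#text'
}

# Constructed sample event, so the parser can be tried without a live log.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>12</EventID><Channel>System</Channel></System>
  <EventData>
    <Data Name="BootMode">0</Data>
  </EventData>
</Event>
'@
Get-BootModeFromXml -EventXml $sample

# Live query 1: list recent ID 12 events with their BootMode value.
# ProviderName is shown because several providers can log an event ID 12.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12 } -MaxEvents 20 |
    Select-Object TimeCreated, ProviderName,
        @{ Name = 'BootMode'; Expression = { Get-BootModeFromXml -EventXml $_.ToXml() } }

# Live query 2: let the event log service do the filtering with FilterXml,
# returning only ID 12 events whose BootMode data field equals 1.
$query = @'
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">
      *[System[(EventID=12)]] and *[EventData[Data[@Name='BootMode']='1']]
    </Select>
  </Query>
</QueryList>
'@
# Get-WinEvent raises an error when nothing matches; suppress it for an empty result.
Get-WinEvent -FilterXml $query -MaxEvents 20 -ErrorAction SilentlyContinue
```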