0

I am trying to use PowerShell to get the results from the TaskScheduler events since yesterday. This is my code:

Get-WinEvent -LogName Microsoft-Windows-TaskScheduler/Operational  -MaxEvents 5 |
    Where-Object ($_.TimeCreated -gt [DateTime]::Today.AddDays(-1))
Format-List *

Notes:

  1. The -MaxEvents 5 is to limit output while I am developing.

  2. When I remove the Where-object the cmdlet returns a full list. This is expected since no filtering is applied. So the error must be in the way the filtering is being done.

Ansgar Wiechers
  • 193,178
  • 25
  • 254
  • 328
Patient 0
  • 1
  • 1
  • 3
  • Your filter expression works, but your syntax is wrong. The filter expression must be in curly brackets, not parentheses: `... | Where-Object { ... } | ...` – Ansgar Wiechers Jan 26 '17 at 14:45

1 Answers1

1

You can use the FilterHashTable property of Get-WinEvent to filter, it will be faster than retrieving all the events and then filtering only those you want.

This retrieves all events in the last day from the System log as I don't have any logging for TaskScheduler.

$date = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashTable @{ LogName = "System"; StartTime = $date;}
$events | Format-List

You can filter on pretty much any field in the event log - further info on this

henrycarteruk
  • 12,708
  • 2
  • 36
  • 40