Get-WinEvent is the modern, fast event-log cmdlet. Filter server-side with
-FilterHashtable — never pipe a whole log into Where-Object.
Last 50 System events
Get-WinEvent -LogName System -MaxEvents 50
Errors (level 2) in the last 24 hours
Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Level     = 2
    StartTime = (Get-Date).AddDays(-1)
} | Select-Object TimeCreated, Id, ProviderName, Message
A specific event ID
Get-WinEvent -FilterHashtable @{ LogName='System'; Id=6008 } -MaxEvents 20 # unexpected shutdowns
From a specific source/provider
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='MSSQLSERVER' } -MaxEvents 50
Read a saved .evtx file
Get-WinEvent -Path C:\exports\System.evtx -MaxEvents 100
Why FilterHashtable: it filters inside the event-log service, so it’s dramatically faster than
Get-WinEvent -LogName System | Where-Object {...}, which pulls every record out of the log and into
the PowerShell session before any filtering happens.
Level values: 1=Critical, 2=Error, 3=Warning, 4=Information. Reading the Security log needs an
elevated prompt.
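The server-side filter combined into one triage helper, as an added example that is not part of the original page: it builds the FilterHashtable for either a live log or a saved .evtx, handles the error Get-WinEvent raises when nothing matches, and summarises what is noisiest. The function name Get-EventSummary, its parameters and the defaults are assumptions made for illustration.

```powershell
# Added example. Get-EventSummary and its parameters are hypothetical names.
function Get-EventSummary {
    [CmdletBinding()]
    param(
        [string] $LogName   = 'System',
        [string] $Path,                   # optional saved .evtx; used instead of LogName
        [int[]]  $Level     = @(1, 2, 3), # Critical, Error, Warning
        [int]    $Hours     = 24,
        [int]    $MaxEvents = 5000        # cap so a noisy log cannot flood the session
    )

    # Every key here is evaluated by the event-log service, not by PowerShell.
    $filter = @{
        Level     = $Level
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    if ($Path) { $filter.Path = $Path } else { $filter.LogName = $LogName }

    try {
        $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop
    }
    catch {
        # An empty result is reported as an error; treat it as "nothing to show".
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw   # access denied, bad path, unknown log: let the caller see it
    }

    # One row per provider/event ID pair, most frequent first.
    $events |
        Group-Object ProviderName, Id |
        Sort-Object Count -Descending |
        ForEach-Object {
            $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            [pscustomobject]@{
                Count    = $_.Count
                Provider = $latest.ProviderName
                Id       = $latest.Id
                Level    = $latest.LevelDisplayName
                LastSeen = $latest.TimeCreated
            }
        }
}

# Live log, last 24 hours
Get-EventSummary -LogName System | Format-Table -AutoSize

# Saved export, last 7 days (path taken from the example above)
Get-EventSummary -Path C:\exports\System.evtx -Hours 168 | Format-Table -AutoSize
```

Because the catch block rethrows anything other than the no-match case, running it against the Security log from a non-elevated prompt still surfaces the access error instead of returning an empty summary.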