Time range with Get-WinEvent

user1010 · Jan 2, 2024

Anyone know if it's possible to use a time range when using Get-WinEvent in powershell? It works with StartTime but not if I set EndTime.

Works:

Powershell:

Get-WinEvent -FilterHashTable @{'LogName' = 'Application'; 'StartTime' = Get-Date "November 26, 2023 14:00:00"; }

Error:

Powershell:

Get-WinEvent -FilterHashTable @{'LogName' = 'Application'; 'StartTime' = Get-Date "November 26, 2023 14:00:00"; 'EndTime' = Get-Date "November 26, 2023 14:01:00"

}

Get-WinEvent : No events were found that match the specified selection criteria.
At line:1 char:1
+ Get-WinEvent -FilterHashTable @{LogName='Application';StartTime='01/0 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:) [Get-WinEvent], Exception
+ FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand

das10 · Jan 2, 2024

This is one way to get Events in a particular Log between two particular dateTimes:

eg:

Powershell:

Get-WinEvent -ListLog Application | % {Get-WinEvent -FilterHashTable @{LogName=$_.LogName;StartTime="26-11-2023 14:00:00";EndTime="26-11-2023 14:00:01"} -ea 0}

ref: PS One-Liner: #2 Query all Events from all Event Logs between a specific time frame! - Blog: Ruud Borst

For further assistance, maybe @garlin or one of the other powershell experts can help.

garlin · Jan 2, 2024

Get-WinEvent's error reason was provided: No events were found that match the specified selection criteria.

Code:

Get-WinEvent -FilterHashTable @{'LogName' = 'Application'; 'StartTime' = Get-Date "November 26, 2023 14:00:00"; 'EndTime' = Get-Date "November 26, 2023 14:01:00" } | measure
Get-WinEvent : No events were found that match the specified selection criteria.
At line:1 char:1
+ Get-WinEvent -FilterHashTable @{'LogName' = 'Application'; 'StartTime ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:) [Get-WinEvent], Exception
    + FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand
 
Count    : 0
Average  : 
Sum      : 
Maximum  : 
Minimum  : 
Property : 
Get-WinEvent -FilterHashTable @{'LogName' = 'Application'; 'StartTime' = Get-Date "November 26, 2023 14:00:00"; 'EndTime' = Get-Date "January 02, 2024 14:01:00" } | measure

Count    : 866
Average  : 
Sum      : 
Maximum  : 
Minimum  : 
Property :

@das10 is correct. This query requires -ErrorAction to make it safe from empty results.

Code:

Get-WinEvent -FilterHashTable @{'LogName' = 'Application'; 'StartTime' = Get-Date "November 26, 2023 14:00:00"; 'EndTime' = Get-Date "November 26, 2023 14:01:00" } -ErrorAction Ignore

user1010 · Jan 5, 2024

das10 said:
This is one way to get Events in a particular Log between two particular dateTimes:

eg:

Powershell:

Get-WinEvent -ListLog Application | % {Get-WinEvent -FilterHashTable @{LogName=$_.LogName;StartTime="26-11-2023 14:00:00";EndTime="26-11-2023 14:00:01"} -ea 0}

ref: PS One-Liner: #2 Query all Events from all Event Logs between a specific time frame! - Blog: Ruud Borst

For further assistance, maybe @garlin or one of the other powershell experts can help.

Works fine. Not sure what the "%" do in this case and why you need to use Get-WinEvent two times. Thank you.

garlin · Jan 5, 2024

"%" is a shortcut for Foreach-Object

What @das10 is trying to accomplish, is a bit of query optimization. Due to their internal data structure, Event logs are notoriously slow for query times, especially if there are many previous events in the log.

The first Get-WinEvent narrows the search results by the Application. Since we're not searching for all three criteria (Application + begin + end), this pass goes quickly. With the first pass results, we can apply the more time consuming search of comparing two date ranges. While the Application is a simple integer, math with datetime values is more expensive.

Get-WinEvent -ListLog Application | Foreach-Object {
[previous results] filtered again by date range
}

user1010 · Jan 6, 2024

If I try a more newer date, I just got no output. Can you test as well to see if you got the same result.

Powershell:

Get-WinEvent -ListLog Application | % {Get-WinEvent -FilterHashTable @{LogName=$_.LogName;StartTime="06-01-2024 05:00:00";EndTime="06-01-2024 08:00:00"} -ea 0}

This one seems to work better when changing dates and time.

Powershell:

$startDate = Get-Date "January 4, 2024 09:00:00"
$enddate = Get-Date "January 6, 2024 09:00:00"
Get-WinEvent -LogName System -MaxEvents 1000 | Where-Object {($_.TimeCreated.Date -le $endDate) -and ($_.TimeCreated.Date -ge $startDate)}

Filtering data on date in PowerShell

When working with large data sets, being able to effectively filter the data is essential. A common exercise where you might need filtering on date is when reading logs, and in this blog post I wil…

communary.net

das10 · Jan 6, 2024

Could you please confirm that when using a more newer date (script 1 in post #6), that in fact there are Application events between those times, but that they don't show in the script result?

Also, could you please confirm that the second script which seems to work better, does in fact filter the results between the "exact" times you have specified ?

This is what I have for the most recent results in the Application Log (between "06/01/2024 13:30:00" and "06/01/2024 13:40:00") using script 1 & a slightly modified version of your newer script 2.

Powershell:

# Script 1
Get-WinEvent -ListLog Application | % {Get-WinEvent -FilterHashTable @{LogName=$_.LogName;StartTime="06-01-2024 13:30:00";EndTime="06-01-2024 13:40:00" } -ea 0} | Out-GridView

Powershell:

# Script 2
$startDate = Get-Date "January 6, 2024 13:30:00"
$enddate   = Get-Date "January 6, 2024 13:40:00"
Get-WinEvent -LogName Application -MaxEvents 1000 | Where-Object {($_.TimeCreated -le $endDate) -and ($_.TimeCreated -ge $startDate)} -ErrorAction Ignore | Out-GridView

user1010 · Jan 6, 2024

I hope I follow.
If I try script 1 in post #6 there is no output in powershell but I can find events via the event viewer.

It seems that the second script actually post between those dates and times.

das10 · Jan 6, 2024

Yes, I see. It seems to have to do with the Date format used in the 1st script which is following a different Locale (UK) setting (ie. how the Date format is set in Windows Country/Date settings - so my Event Viewer shows dates in '06/01/2024 13:30:00' format whist yours is showing as '2024-01-06 13:30:00').

Hopefully, @garlin may be able to clarify matters further & whether you may be able to use your own date format
Year Month Day Time
instead of
Day Month Year Time

eg:

Powershell:

# Script 1
Get-WinEvent -ListLog Application | % {Get-WinEvent -FilterHashTable @{LogName=$_.LogName;StartTime="2024-01-06 13:30:00";EndTime="2024-01-06 13:40:00" } -ea 0} | Out-GridView

In the meantime, we'll wait for Garlin

garlin · Jan 6, 2024

2024-01-06 and "January 6, 2024" are unambiguous to Get-Date (or any implicit conversion to datetime format). Whereas 01-06-2024 depends on your regional date format.

das10 · Jan 6, 2024

Thanks Garlin. So, in the end it would be better to use the Get-Date method, then nobody would need to make adjustments to a posted script for their own Regional settings.

garlin · Jan 6, 2024

Switching to YYYY-MM-DD format makes it region-free.

This is the flip side of internationalization. While supporting regional choices is more friendly, it wreaks havoc on programming examples.
For example: takeown /r /d y (yes) doesn't work outside of English.
You can't specify "RemoteDesktop" in French when changing Defender Firewall rule groups ("Bureau à distance").

The problem is Windows doesn't allow multiple regional choices to work at the same time. So your poor readers are confused.

user1010 · Jan 6, 2024

I suspect it was something with the date. Thanks for clarify this.

This works as well.

Powershell:

$startDate = Get-Date "January 4, 2024 09:00:00"
$enddate = Get-Date "January 6, 2024 09:00:00"
Get-WinEvent -ListLog Application | % {Get-WinEvent -FilterHashTable @{LogName=$_.LogName;StartTime="$startdate";EndTime="$enddate"} -ea 0}

garlin · Jan 6, 2024

btw your use of Get-Date is redundant.
FilterHashTable defines the StartTime or EndTime keys as data type DateTime.

Key name	Value data type	Accepts wildcard characters?
LogName	<String[]>	Yes
ProviderName	<String[]>	Yes
Path	<String[]>	No
Keywords	<Long[]>	No
ID	<Int32[]>	No
Level	<Int32[]>	No
StartTime	<DateTime>	No
EndTime	<DateTime>	No
UserID	<SID>	No
Data	<String[]>	No
<named-data>	<String[]>	No

When you pass an expression to StartTime/EndTime, PS will implicitly cast it as a DateTime value (or fail, if the expression is not recognized).

Here's an example:

Code:

$startDate = Get-Date "January 4, 2024 09:00:00"
$endDate = [datetime] "January 4, 2024 09:00:00"

if ($startDate -eq $endDate) { "Same value" }

PS C:\Users\GARLIN\Downloads> .\Untitled6.ps1
Same value

This code would pass for improved readability.

Code:

$startDate = "January 4, 2024 09:00:00"
$enddate = "January 6, 2024 09:00:00"
Get-WinEvent -ListLog Application | % {Get-WinEvent -FilterHashTable @{LogName=$_.LogName;StartTime=$startdate;EndTime=$enddate} -ea 0}