Time range with Get-WinEvent


user1010

Anyone know if it's possible to use a time range when using Get-WinEvent in PowerShell? It works with StartTime but not if I set EndTime.

Works:
Powershell:
Get-WinEvent -FilterHashTable @{'LogName' = 'Application'; 'StartTime' = Get-Date "November 26, 2023 14:00:00"; }

Error:
Powershell:
Get-WinEvent -FilterHashTable @{'LogName' = 'Application'; 'StartTime' = Get-Date "November 26, 2023 14:00:00"; 'EndTime' = Get-Date "November 26, 2023 14:01:00"
}

Get-WinEvent : No events were found that match the specified selection criteria.
At line:1 char:1
+ Get-WinEvent -FilterHashTable @{LogName='Application';StartTime='01/0 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:) [Get-WinEvent], Exception
+ FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand
 

Get-WinEvent's error reason was provided: No events were found that match the specified selection criteria.

Code:
Get-WinEvent -FilterHashTable @{'LogName' = 'Application'; 'StartTime' = Get-Date "November 26, 2023 14:00:00"; 'EndTime' = Get-Date "November 26, 2023 14:01:00" } | measure
Get-WinEvent : No events were found that match the specified selection criteria.
At line:1 char:1
+ Get-WinEvent -FilterHashTable @{'LogName' = 'Application'; 'StartTime ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:) [Get-WinEvent], Exception
    + FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand
 
Count    : 0
Average  : 
Sum      : 
Maximum  : 
Minimum  : 
Property :

Get-WinEvent -FilterHashTable @{'LogName' = 'Application'; 'StartTime' = Get-Date "November 26, 2023 14:00:00"; 'EndTime' = Get-Date "January 02, 2024 14:01:00" } | measure

Count    : 866
Average  : 
Sum      : 
Maximum  : 
Minimum  : 
Property :

@das10 is correct. This query requires -ErrorAction to make it safe from empty results.
Code:
Get-WinEvent -FilterHashTable @{'LogName' = 'Application'; 'StartTime' = Get-Date "November 26, 2023 14:00:00"; 'EndTime' = Get-Date "November 26, 2023 14:01:00" } -ErrorAction Ignore
 

This is one way to get Events in a particular Log between two particular dateTimes:

eg:
Powershell:
Get-WinEvent -ListLog Application | % {Get-WinEvent -FilterHashTable @{LogName=$_.LogName;StartTime="26-11-2023 14:00:00";EndTime="26-11-2023 14:00:01"} -ea 0}

ref: PS One-Liner: #2 Query all Events from all Event Logs between a specific time frame! - Blog: Ruud Borst

For further assistance, maybe @garlin or one of the other powershell experts can help.
Works fine. Not sure what the "%" does in this case and why you need to use Get-WinEvent two times. Thank you.
 

"%" is a shortcut for ForEach-Object.

What @das10 is trying to accomplish, is a bit of query optimization. Due to their internal data structure, Event logs are notoriously slow for query times, especially if there are many previous events in the log.

The first Get-WinEvent narrows the search results by the Application. Since we're not searching for all three criteria (Application + begin + end), this pass goes quickly. With the first pass results, we can apply the more time consuming search of comparing two date ranges. While the Application is a simple integer, math with datetime values is more expensive.

Get-WinEvent -ListLog Application | Foreach-Object {
    # [previous results] filtered again by date range
}
 

If I try a newer date, I just get no output. Can you test as well to see if you get the same result?

Powershell:
Get-WinEvent -ListLog Application | % {Get-WinEvent -FilterHashTable @{LogName=$_.LogName;StartTime="06-01-2024 05:00:00";EndTime="06-01-2024 08:00:00"} -ea 0}

This one seems to work better when changing dates and time.

Powershell:
$startDate = Get-Date "January 4, 2024 09:00:00"
$enddate = Get-Date "January 6, 2024 09:00:00"
Get-WinEvent -LogName System -MaxEvents 1000 | Where-Object {($_.TimeCreated.Date -le $endDate) -and ($_.TimeCreated.Date -ge $startDate)}

 
Could you please confirm that when using a newer date (script 1 in post #6), there are in fact Application events between those times, but that they don't show in the script result?

Also, could you please confirm that the second script, which seems to work better, does in fact filter the results between the "exact" times you have specified?

This is what I have for the most recent results in the Application Log (between "06/01/2024 13:30:00" and "06/01/2024 13:40:00") using script 1 & a slightly modified version of your newer script 2.

Powershell:
# Script 1
Get-WinEvent -ListLog Application | % {Get-WinEvent -FilterHashTable @{LogName=$_.LogName;StartTime="06-01-2024 13:30:00";EndTime="06-01-2024 13:40:00" } -ea 0} | Out-GridView

Powershell:
# Script 2
$startDate = Get-Date "January 6, 2024 13:30:00"
$enddate   = Get-Date "January 6, 2024 13:40:00"
Get-WinEvent -LogName Application -MaxEvents 1000 | Where-Object {($_.TimeCreated -le $endDate) -and ($_.TimeCreated -ge $startDate)} -ErrorAction Ignore | Out-GridView

Evt-A.png
 

I hope I follow.
If I try script 1 in post #6 there is no output in PowerShell but I can find events via the event viewer.

application-logs.png

It seems that the second script actually posts between those dates and times.
ps-event2.png

ps-event1.png
 

Yes, I see. It seems to have to do with the Date format used in the 1st script, which is following a different Locale (UK) setting (i.e. how the Date format is set in Windows Country/Date settings - so my Event Viewer shows dates in '06/01/2024 13:30:00' format whilst yours is showing as '2024-01-06 13:30:00').

Hopefully, @garlin may be able to clarify matters further & whether you may be able to use your own date format
Year Month Day Time
instead of
Day Month Year Time

eg:
Powershell:
# Script 1
Get-WinEvent -ListLog Application | % {Get-WinEvent -FilterHashTable @{LogName=$_.LogName;StartTime="2024-01-06 13:30:00";EndTime="2024-01-06 13:40:00" } -ea 0} | Out-GridView

In the meantime, we'll wait for Garlin
 

2024-01-06 and "January 6, 2024" are unambiguous to Get-Date (or any implicit conversion to datetime format). Whereas 01-06-2024 depends on your regional date format.
 

Thanks Garlin. So, in the end it would be better to use the Get-Date method, then nobody would need to make adjustments to a posted script for their own Regional settings.
 

Switching to YYYY-MM-DD format makes it region-free.

This is the flip side of internationalization. While supporting regional choices is more friendly, it wreaks havoc on programming examples.
For example: takeown /r /d y (yes) doesn't work outside of English.
You can't specify "RemoteDesktop" in French when changing Defender Firewall rule groups ("Bureau à distance").

The problem is Windows doesn't allow multiple regional choices to work at the same time. So your poor readers are confused.
 
I suspect it was something with the date. Thanks for clarifying this.

This works as well.
Powershell:
$startDate = Get-Date "January 4, 2024 09:00:00"
$enddate = Get-Date "January 6, 2024 09:00:00"
Get-WinEvent -ListLog Application | % {Get-WinEvent -FilterHashTable @{LogName=$_.LogName;StartTime="$startdate";EndTime="$enddate"} -ea 0}
 

btw your use of Get-Date is redundant.
FilterHashTable defines the StartTime or EndTime keys as data type DateTime.

Key name       Value data type   Accepts wildcard characters?
LogName        <String[]>        Yes
ProviderName   <String[]>        Yes
Path           <String[]>        No
Keywords       <Long[]>          No
ID             <Int32[]>         No
Level          <Int32[]>         No
StartTime      <DateTime>        No
EndTime        <DateTime>        No
UserID         <SID>             No
Data           <String[]>        No
<named-data>   <String[]>        No

When you pass an expression to StartTime/EndTime, PS will implicitly cast it as a DateTime value (or fail, if the expression is not recognized).

Here's an example:
Code:
$startDate = Get-Date "January 4, 2024 09:00:00"
$endDate = [datetime] "January 4, 2024 09:00:00"

if ($startDate -eq $endDate) { "Same value" }

PS C:\Users\GARLIN\Downloads> .\Untitled6.ps1
Same value

This code would pass for improved readability.
Code:
$startDate = "January 4, 2024 09:00:00"
$enddate = "January 6, 2024 09:00:00"
Get-WinEvent -ListLog Application | % {Get-WinEvent -FilterHashTable @{LogName=$_.LogName;StartTime=$startdate;EndTime=$enddate} -ea 0}
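
An added example, not part of any post in this thread: it combines the two points discussed above, that an empty time window raises NoMatchingEventsFound and that day-month strings depend on regional settings, into one helper that parses the window region-free and suppresses only the "no events" error. `Get-EventWindow` is a hypothetical name, and the dates are sample values taken from the thread's scripts.

```powershell
# Added example, not from the thread. Get-EventWindow is a hypothetical helper name.
function Get-EventWindow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $LogName,
        [Parameter(Mandatory)] [string] $Start,   # 'yyyy-MM-dd HH:mm:ss', local time
        [Parameter(Mandatory)] [string] $End
    )
    $fmt = 'yyyy-MM-dd HH:mm:ss'
    $inv = [System.Globalization.CultureInfo]::InvariantCulture
    # ParseExact rejects anything that is not exactly $fmt, so a day/month swap
    # cannot pass silently on a machine with different regional settings.
    $startTime = [datetime]::ParseExact($Start, $fmt, $inv)
    $endTime   = [datetime]::ParseExact($End,   $fmt, $inv)
    if ($endTime -lt $startTime) { throw "End '$End' is earlier than Start '$Start'" }

    try {
        Get-WinEvent -FilterHashtable @{
            LogName   = $LogName
            StartTime = $startTime
            EndTime   = $endTime
        } -ErrorAction Stop
    }
    catch {
        # An empty window is a valid result. Any other failure (access denied,
        # unknown log name, malformed filter) is rethrown so it stays visible.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }
}

# How one day-month string reads under two regional settings (constructed sample).
$ambiguous = '06-01-2024 13:30:00'
foreach ($name in 'en-US', 'en-GB') {
    $culture = [System.Globalization.CultureInfo]::GetCultureInfo($name)
    '{0}: {1:yyyy-MM-dd HH:mm}' -f $name, [datetime]::Parse($ambiguous, $culture)
}

# Same window as the thread's later scripts, written region-free.
$events = @(Get-EventWindow -LogName Application -Start '2024-01-06 13:30:00' -End '2024-01-06 13:40:00')
'{0} event(s) in the window' -f $events.Count
```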
 
