Tips: Make Get-WinEvent cmdlet perform quicker

Posted on by

Although September was a busy month, I’d like to share a nice tips that makes Get-WinEvent cmdlet perform quicker.

First, start with the FilterHashTable parameter. It’s easier to write.

$HT = @{
 LogName = 'System';
 ProviderName = 'Service Control Manager' ;
 Id = 7040 ;
 Data = 'Windows Modules Installer' ;
 StartTime = (Get-Date).AddDays(-365) ;
}
Get-WinEvent -FilterHashtable $HT -MaxEvents 1

Now, capture the XML query from the Verbose stream.
To achieve that, I just add the Verbose switch to the previous command

Get-WinEvent -FilterHashtable $HT -Verbose -MaxEvents 1

get-winevent-perf-02

I copy/paste the XML query into a here-string and use it as input for the FilterXml parameter like this:

Get-WinEvent -FilterXml @'
<QueryList>
 <Query Id="0" Path="system">
  <Select Path="system">*
  [System/Provider[@Name='service control manager'] and
  (System/TimeCreated[@SystemTime&gt;='2014-09-06T10:20:22.000Z']) and 
  (EventData/Data='Windows Modules Installer') and
  (System/EventID=7040)]
  </Select>
 </Query>
</QueryList>
'@ -Verbose -MaxEvents 1

As you can see, when you use the FilterXml parameter, there isn’t any overhead where the hashtable is first converted to a XML query.
get-winevent-perf-04

The result is that the FilterXml will perform faster than the FilterHashTable parameter
get-winevent-perf-01

get-winevent-perf-03

… and you don’t have to figure out how to write the XML query 😀

1 thought on “Tips: Make Get-WinEvent cmdlet perform quicker

  1. Pingback: Dew Drop – September 30, 2015 (#2101) | Morning Dew

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.