Cyberithub

How to find error from Event Log in Windows using Powershell


In this article, we will see how to find errors from the Event Log in Windows using PowerShell. When it comes to troubleshooting in Windows, it can be cumbersome and time consuming to dig through a sea of event log entries in the GUI window to find the exact root cause of a problem. In those cases it is more practical to use Windows PowerShell cmdlets and modules to filter the logs and find the root cause. To check for errors in the event logs, you can use a powerful PowerShell cmdlet called Get-EventLog. Here we will see how you can use this cmdlet to find different errors in the Event Log in a simple way.


What is Get-EventLog

Get-EventLog is a PowerShell cmdlet for retrieving and displaying entries from the Windows event logs. It is part of PowerShell's ability to interact with the Windows event logging system, a key tool for system administrators doing diagnostics and troubleshooting. It can access the classic event logs on a Windows system, such as the Application, System, or Security logs, and lets you filter entries by criteria such as log name, event ID, entry type (Error, Warning, Information, etc.), and time frame. More on the official website.


Common Parameters

  • List: Lists the event logs available on the computer.
  • LogName: Specifies the log to read, such as 'System', 'Application', or 'Security'.
  • EntryType: Filters entries by type, such as Error, Warning, or Information.
  • After and Before: Filter entries by the date and time they were written.
  • EventID: Filters entries by event ID.
  • Newest: Limits the number of entries returned to the most recent ones.


How to find error from Event Log in Windows using Powershell


Before checking for errors, first list the logs available on your system with the Get-EventLog -List command. The output should look something like the one below.

PS C:\> Get-EventLog -List

Max(K) Retain OverflowAction        Entries Log
------ ------ --------------        ------- ---
20,480      0 OverwriteAsNeeded     39,076  Application
20,480      0 OverwriteAsNeeded          0  HardwareEvents
512         7 OverwriteOlder             0  IntelAudioServiceLog
512         7 OverwriteOlder             0  Internet Explorer
512         7 OverwriteOlder            42  Kaspersky Event Log
20,480      0 OverwriteAsNeeded          0  Key Management Service
128         0 OverwriteAsNeeded      3,500  OAlerts
512         7 OverwriteOlder         3,405  OneApp_IGCC
20,480      0 OverwriteAsNeeded     31,824  Security
20,480      0 OverwriteAsNeeded     41,191  System
15,360      0 OverwriteAsNeeded      3,976  Windows PowerShell


From the above output, you can see the list of logs available to check, depending on the error you are facing. For example, if you are facing a system error, you would probably check the System log using the Get-EventLog -LogName System -EntryType Error command as shown below.

PS C:\> Get-EventLog -LogName System -EntryType Error

 Index Time          EntryType  Source                 InstanceID Message
 ----- ----          ---------  ------                 ---------- -------
179639 Dec 30 18:19  Error      Microsoft-Windows...           98 The description for Event ID '98' in Source 'Microsoft-Windows-Ntfs' cannot be found. The local computer may not ha...
179583 Dec 30 13:29  Error      Microsoft-Windows...           98 The description for Event ID '98' in Source 'Microsoft-Windows-Ntfs' cannot be found. The local computer may not ha...
179573 Dec 30 13:15  Error      Microsoft-Windows...           98 The description for Event ID '98' in Source 'Microsoft-Windows-Ntfs' cannot be found. The local computer may not ha...
179532 Dec 30 09:40  Error      Microsoft-Windows...        10317 Miniport Qualcomm QCA9377 802.11ac Wireless Adapter, {e90ba5b7-5926-4d9f-b09a-3ef5d7357b09}, had event 71
179531 Dec 30 09:40  Error      Qcamain10x64           3221230474 Qualcomm QCA9377 802.11ac Wireless Adapter : Has determined that the network adapter is not functioning properly.
179143 Dec 26 21:10  Error      Microsoft-Windows...           98 The description for Event ID '98' in Source 'Microsoft-Windows-Ntfs' cannot be found. The local computer may not ha...
179093 Dec 26 12:04  Error      Microsoft-Windows...           98 The description for Event ID '98' in Source 'Microsoft-Windows-Ntfs' cannot be found. The local computer may not ha...
178516 Dec 22 10:14  Error      MTConfig               3221553153 An attempt to configure the input mode of a multitouch device failed.
178515 Dec 22 10:14  Error      MTConfig               3221553153 An attempt to configure the input mode of a multitouch device failed.
178514 Dec 22 10:14  Error      MTConfig               3221553153 An attempt to configure the input mode of a multitouch device failed.
178513 Dec 22 10:14  Error      MTConfig               3221553153 An attempt to configure the input mode of a multitouch device failed.
178512 Dec 22 10:14  Error      MTConfig               3221553153 An attempt to configure the input mode of a multitouch device failed.
178511 Dec 22 10:14  Error      MTConfig               3221553153 An attempt to configure the input mode of a multitouch device failed.
178404 Dec 21 16:08  Error      MTConfig               3221553153 An attempt to configure the input mode of a multitouch device failed.
....................................................


Similarly, you can check the other logs. You can also refine the results by querying for specific known information. For example, if you are checking the System log and you know the instance ID or event ID of the error, you can query the log for that instance ID. Let's say you would like to see all errors with Instance ID 10317. In that case, you can query them using the Get-EventLog -LogName System -EntryType Error -InstanceID 10317 command as shown below.

PS C:\> Get-EventLog -LogName System -EntryType Error -InstanceID 10317

 Index Time            EntryType  Source                InstanceID Message
 ----- ----            ---------  ------                ---------- -------
179532 Dec 30 09:40    Error      Microsoft-Windows...       10317 Miniport Qualcomm QCA9377 802.11ac Wireless Adapter, {e90ba5b7-5926-4d9f-b09a-3ef5d7357b09}, had event 71
169394 Oct 17 20:33    Error      Microsoft-Windows...       10317 Miniport Kaspersky VPN, {57f23036-bb5b-4477-aae2-29de0bec0a74}, had event 76
147457 May 31 22:00    Error      Microsoft-Windows...       10317 Miniport Kaspersky VPN, {10485d20-ffd5-43e7-9f0e-608a432ab774}, had event 76
145477 May 17 21:42    Error      Microsoft-Windows...       10317 Miniport Kaspersky VPN, {5002438d-5fac-4ac8-b879-c0cefab151a9}, had event 76
..............................................................


From the above output, you may also notice that the Source values are not completely visible and appear truncated. You will often observe the same with the Message property. When the output is too wide for the console, Windows truncates the text, so you cannot see the complete line you need to troubleshoot the error. In that case, you can select just that property with the Select-Object cmdlet. For example, in our case the Source column is cut off, so to see the complete value we select the Source property using the Get-EventLog -LogName System -EntryType Error -InstanceID 10317 | Select-object Source command as shown below.

PS C:\> Get-EventLog -LogName System -EntryType Error -InstanceID 10317 | Select-object Source

Source
------
Microsoft-Windows-NDIS
Microsoft-Windows-NDIS
Microsoft-Windows-NDIS
Microsoft-Windows-NDIS


Coming back to our topic of checking logs, it is still possible that even after providing an instance ID or event ID the output is quite long, and you want to narrow the result down further. In that case, you can also provide a start and end date to search the event logs.

For example, here we set the start date and time to 30th December 2023 at 06:40 and the end date to 30th December 2023 at 09:50. Then we search for errors with Instance ID 10317 between the given start and end dates using the Get-EventLog -LogName System -EntryType Error -InstanceID 10317 -After $startDate -Before $endDate command. You can see in the output below that we got exactly the log entry we were looking for.

PS C:\> $startDate = Get-Date "30/12/2023 06:40"
PS C:\> $endDate = Get-Date "30/12/2023 09:50"
PS C:\> Get-EventLog -LogName System -EntryType Error -InstanceID 10317 -After $startDate -Before $endDate

  Index Time            EntryType  Source                 InstanceID Message
  ----- ----            ---------  ------                 ---------- -------
 179532 Dec 30 09:40    Error      Microsoft-Windows...        10317 Miniport Qualcomm QCA9377 802.11ac Wireless Adapter, {e90ba5b7-5926-4d9f-b09a-3ef5d7357b09}, had event 71

Sometimes you may not know the instance ID or event ID of the error, only the time window in which it occurred. In that case, you can search for all errors that occurred between 30th December 2023 at 06:40 and 30th December 2023 at 09:50 using the Get-EventLog -LogName System -EntryType Error -After $startDate -Before $endDate command, as shown below, after setting $startDate and $endDate.

PS C:\> $startDate = Get-Date "30/12/2023 06:40" 
PS C:\> $endDate = Get-Date "30/12/2023 09:50"
PS C:\> Get-EventLog -LogName System -EntryType Error -After $startDate -Before $endDate

Index Time             EntryType Source                   InstanceID Message
----- ----             --------- ------                   ---------- -------
179532 Dec 30 09:40    Error     Microsoft-Windows...          10317 Miniport Qualcomm QCA9377 802.11ac Wireless Adapter, {e90ba5b7-5926-4d9f-b09a-3ef5d7357b09}, had event 71
179531 Dec 30 09:40    Error     Qcamain10x64             3221230474 Qualcomm QCA9377 802.11ac Wireless Adapter : Has determined that the network adapter is not functioning properly.
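The steps above combined into one script, as an added example that is not part of the original article: it applies the same LogName, EntryType, After/Before and InstanceID filters, summarises the matches by Source and InstanceID so the noisiest errors stand out, and prints the newest entries with Format-List so Source and Message are not truncated. It assumes Windows PowerShell 5.1 (Get-EventLog reads only the classic logs and is not available in PowerShell 7) and an elevated session if you point it at the Security log; the time window is built with Get-Date arithmetic rather than the culture-dependent "30/12/2023 06:40" string, which only parses on systems whose short date format is day/month/year.

```powershell
# Added example (not from the original article). Assumes Windows PowerShell 5.1.
param(
    [string]$LogName       = 'System',
    [int]$LookBackHours    = 24,
    [long]$InstanceId      = 0      # e.g. 10317 to narrow to one known error
)

# Build the window from the current time so it does not depend on the
# machine's date format the way Get-Date "30/12/2023 06:40" does.
$endDate   = Get-Date
$startDate = $endDate.AddHours(-$LookBackHours)

# The same filters the article walks through, combined via splatting;
# -InstanceId is only added when the caller supplied one.
$params = @{
    LogName   = $LogName
    EntryType = 'Error'
    After     = $startDate
    Before    = $endDate
}
if ($InstanceId -ne 0) { $params['InstanceId'] = $InstanceId }

$entries = Get-EventLog @params

if (-not $entries) {
    Write-Host "No Error entries in '$LogName' between $startDate and $endDate."
    return
}

# Triage view: which Source / InstanceId pairs fire most often in the window.
$entries |
    Group-Object -Property Source, InstanceId |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count,
        @{ Name = 'Source';     Expression = { $_.Group[0].Source } },
        @{ Name = 'InstanceId'; Expression = { $_.Group[0].InstanceId } },
        @{ Name = 'LastSeen';   Expression = { ($_.Group | Sort-Object TimeGenerated)[-1].TimeGenerated } } |
    Format-Table -AutoSize

# Full text of the five newest entries. Format-List wraps long values instead
# of cutting off Source and Message the way the default table view does.
$entries |
    Sort-Object -Property TimeGenerated -Descending |
    Select-Object -First 5 -Property TimeGenerated, Source, InstanceId, EventID, Message |
    Format-List
```

Save it as a .ps1 and run it as, for example, .\Find-ErrorEvents.ps1 -LogName System -LookBackHours 48 -InstanceId 10317 (script name is a placeholder of your choosing).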
