PowerShell WinEvent FilterHashtable wildcard

In PowerShell, you can use the FilterHashtable parameter of the Get-WinEvent cmdlet to filter events based on specific properties, including using wildcards. Here's an example of how you can use a wildcard in the FilterHashtable parameter:

powershell
# 'Message' is not a key that -FilterHashtable accepts (the supported keys are
# LogName, ProviderName, Path, Keywords, ID, Level, StartTime, EndTime, UserID
# and Data), so the wildcard on the message text is applied with Where-Object
# after the hashtable filter has narrowed the result set.
$Filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Winlogon'
    Id           = 7001
}

$Events = Get-WinEvent -FilterHashtable $Filter |
    Where-Object { $_.Message -like '*service failed*' }

In the example above, we are retrieving events from the "System" log that have a provider name of "Microsoft-Windows-Winlogon", an event ID of 7001, and a message that contains the phrase "service failed". The * character is used as a wildcard to match any text before or after the specified phrase in the message.

You can modify the properties and values in the $Filter hashtable to suit your specific filtering requirements.
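As an added example (not part of the answer above), the following function wraps the same pattern for log review: it builds the hashtable only from keys that -FilterHashtable actually honours, lets the event log do the cheap filtering (log, provider, ID, level, time window), and applies the wildcard on the rendered Message text afterwards. The function name, parameter names, the 7-day default window and the sample call at the end are assumptions chosen for this example.

```powershell
# Added example; not from the original answer. Function and parameter names are
# invented for illustration.
function Find-WinEventByMessage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $LogName,
        [string]   $ProviderName,
        [int[]]    $Id,
        [int[]]    $Level,                 # 1=Critical 2=Error 3=Warning 4=Information
        [datetime] $StartTime = (Get-Date).AddDays(-7),   # assumed default window
        [string]   $MessagePattern = '*',  # -like wildcard applied to Message
        [int]      $MaxEvents = 1000
    )

    # Only supported hashtable keys go in here; an unknown key (e.g. Message)
    # makes Get-WinEvent throw before any event is read.
    $filter = @{ LogName = $LogName; StartTime = $StartTime }
    if ($ProviderName) { $filter.ProviderName = $ProviderName }
    if ($Id)           { $filter.Id           = $Id }
    if ($Level)        { $filter.Level        = $Level }

    # Server-side filter first, then the client-side wildcard on the rendered
    # message text. -ErrorAction SilentlyContinue hides the "No events were
    # found" error so an empty result is simply an empty pipeline.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like $MessagePattern } |
        Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, Message
}

# Constructed usage: the query from the answer above, limited to the last week.
Find-WinEventByMessage -LogName 'System' -ProviderName 'Microsoft-Windows-Winlogon' `
    -Id 7001 -MessagePattern '*service failed*'
```

Because Message is rendered on the client, the wildcard step runs only over the events the hashtable filter returned, so keep the hashtable keys as specific as possible (ID, Level, StartTime) before matching on text.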