
WEVTUtil Filter from a source


I have been trying to filter the Application log from WEVTUtil in order to view a specific log. However, in filtering for event id 1036, there are two separate publishers. I want to be able to just get the events from MsiInstaller, but cannot for the life of me figure out how to, and I can't seem to find anything on this.

wevtutil qe Application "/q:*[System [(EventID=1036)]]" /f:text

This is working for me, but it is not showing me the events from MsiInstaller alone. How should I go about this?


Solution

  • Found an answer to my own question after enough head scratching! This filters out all the queries that have conflicting sources (i.e. not the one I wanted).

    wevtutil qe Application "/q:*[System [(EventID=1036)][Provider[@Name='MsiInstaller']]]" /f:text
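
The same provider-plus-event-ID filter can be run from PowerShell, where the results come back as objects instead of text. This is an added example, not part of the original post: the function names `New-EventXPath` and `Get-ProviderEvent` are hypothetical, and the XPath joins the two conditions with `and` inside a single predicate rather than chaining predicates as above.

```powershell
# Added example: helper names (New-EventXPath, Get-ProviderEvent) are hypothetical.
function New-EventXPath {
    param(
        [Parameter(Mandatory)][string]$ProviderName,
        [Parameter(Mandatory)][int[]]$EventId
    )
    # XPath 1.0 has no escape for quotes inside a string literal, so refuse them
    # instead of letting a provider name alter the query.
    if ($ProviderName -match "['""]") {
        throw "Provider name must not contain quote characters."
    }
    # One or more event IDs become (EventID=a or EventID=b ...)
    $ids = ($EventId | ForEach-Object { "EventID=$_" }) -join ' or '
    "*[System[Provider[@Name='$ProviderName'] and ($ids)]]"
}

function Get-ProviderEvent {
    param(
        [string]$LogName = 'Application',
        [Parameter(Mandatory)][string]$ProviderName,
        [Parameter(Mandatory)][int[]]$EventId,
        [int]$MaxEvents = 50
    )
    $xpath = New-EventXPath -ProviderName $ProviderName -EventId $EventId
    try {
        Get-WinEvent -LogName $LogName -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction Stop |
            Select-Object TimeCreated, Id, ProviderName, Message
    }
    catch {
        # Get-WinEvent reports an error when nothing matches; return an empty result instead.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return @() }
        throw
    }
}

# Build the filter once, show the equivalent wevtutil command line, then run the query.
$xpath = New-EventXPath -ProviderName 'MsiInstaller' -EventId 1036
"wevtutil qe Application `"/q:$xpath`" /f:text"
Get-ProviderEvent -ProviderName 'MsiInstaller' -EventId 1036 | Format-List
```

Passing several IDs, for example `-EventId 1033,1036`, widens the filter to any of those IDs from the same provider.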