WEVTUtil Filter from a source

Question

I have been trying to filter the Application log from WEVTUtil in order to view specific log. However, in filtering for event id 1036, there are two separate publishers. I want to be able to just get the events from MsiInstaller, but cannot for the life of me figure out how to and I can't seem to find anything on this.

wevtutil qe Application "/q:*[System [(EventID=1036)]] /f:text

This is working for me, but it is not showing me the events from MsiInstaller alone. How should I go about this.

score 1 · Answer 1 · answered May 30 '20 at 18:48

1

A PowerShell alternative is Get-WinEvent.

Example:

Get-WinEvent -FilterHashtable @{LogName="Application";ID=1033;ProviderName='MsiInstaller'}

You can set the log name and Event ID as necessary.

answered May 30 '20 at 18:48

Ash

3,030
3
15
33

score 1 · Accepted Answer · answered Jul 11 '20 at 01:23

Found an answer to my own question after enough head scratching! This filters out all the queries that have conflicting sources (ie. not the one I wanted).

wevtutil qe Application "/q:*[System [(EventID=1036)][Provider[@Name='MsiInstaller']]]" /f:text

WEVTUtil Filter from a source

2 Answers2