MicrosoftDocs · sdwheeler · Jan 6, 2026 · Jan 6, 2026 · Jan 6, 2026
@@ -556,23 +556,25 @@ $xmlQuery = @'
 <QueryList>
   <Query Id="0" Path="Windows PowerShell">
     <Select Path="System">*[System[(Level=3) and
-        TimeCreated[timediff(@SystemTime) &amp;lt;= 86400000]]]</Select>
+        TimeCreated[timediff(@SystemTime) >= 86400000]]]</Select>
   </Query>
 </QueryList>
 '@
 Get-WinEvent -FilterXML $xmlQuery
 
 # Using the FilterXPath parameter:
-$XPath = '*[System[Level=3 and TimeCreated[timediff(@SystemTime) &amp;lt;= 86400000]]]'
+$XPath = '*[System[Level=3 and TimeCreated[timediff(@SystemTime) >= 86400000]]]'
 Get-WinEvent -LogName 'Windows PowerShell' -FilterXPath $XPath
 ```
 
 ### Example 17: Use FilterHashtable to get events from the Application log
 
 This example uses the **FilterHashtable** parameter to get events from the **Application** log. The
 hash table uses **key/value** pairs. For more information about the **FilterHashtable** parameter,
-see [Creating Get-WinEvent queries with FilterHashtable](/powershell/scripting/samples/Creating-Get-WinEvent-queries-with-FilterHashtable).
-For more information about hash tables, see [about_Hash_Tables](../Microsoft.PowerShell.Core/about/about_hash_tables.md).
+see
+[Creating Get-WinEvent queries with FilterHashtable](/powershell/scripting/samples/Creating-Get-WinEvent-queries-with-FilterHashtable).
+For more information about hash tables, see
+[about_Hash_Tables](../Microsoft.PowerShell.Core/about/about_hash_tables.md).
 
 ```powershell
 $Date = (Get-Date).AddDays(-2)
@@ -715,8 +717,9 @@ Help.
 
 Use an XML query to create a complex query that contains several XPath statements. The XML format
 also allows you to use a **Suppress XML** element that excludes events from the query. For more
-information about the XML schema for event log queries, see [Query Schema](/windows/win32/wes/queryschema-schema)
-and the XML Event Queries section of [Event Selection](/previous-versions/aa385231(v=vs.85)).
+information about the XML schema for event log queries, see
+[Query Schema](/windows/win32/wes/queryschema-schema) and the XML Event Queries section of
+[Event Selection](/previous-versions/aa385231(v=vs.85)).
 
 ```yaml
 Type: System.Xml.XmlDocument
@@ -734,8 +737,9 @@ Accept wildcard characters: False
 
 Specifies an XPath query that this cmdlet select events from one or more logs.
 
-For more information about the XPath language, see [XPath Reference](/previous-versions/dotnet/netframework-4.0/ms256115(v=vs.100))
-and the Selection Filters section of [Event Selection](/previous-versions/aa385231(v=vs.85)).
+For more information about the XPath language, see
+[XPath Reference](/previous-versions/dotnet/netframework-4.0/ms256115(v=vs.100)) and the
+_Selection Filters_ section of [Event Selection](/previous-versions/aa385231(v=vs.85)).
 
 ```yaml
 Type: System.String
@@ -815,8 +819,8 @@ cmdlet.
 > [!NOTE]
 > PowerShell does not limit the amount of logs you can request. However, the `Get-WinEvent` cmdlet
 > queries the Windows API which has a limit of 256. This can make it difficult to filter through all
-> of your logs at one time. You can work around this by using a `foreach` loop to iterate through each
-> log like this: `Get-WinEvent -ListLog * | ForEach-Object{ Get-WinEvent -LogName $_.LogName }`
+> of your logs at one time. You can work around this by using a `foreach` loop to iterate through
+> each log like this: `Get-WinEvent -ListLog * | ForEach-Object{ Get-WinEvent -LogName $_.LogName }`
 
 ```yaml
 Type: System.String[]
@@ -913,7 +917,8 @@ Accept wildcard characters: True
 
 This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable,
 -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose,
--WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+-WarningAction, and -WarningVariable. For more information, see
+[about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
 
 ## INPUTS
 

@@ -558,23 +558,25 @@ $xmlQuery = @'
 <QueryList>
   <Query Id="0" Path="Windows PowerShell">
     <Select Path="System">*[System[(Level=3) and
-        TimeCreated[timediff(@SystemTime) &amp;lt;= 86400000]]]</Select>
+        TimeCreated[timediff(@SystemTime) >= 86400000]]]</Select>
   </Query>
 </QueryList>
 '@
 Get-WinEvent -FilterXML $xmlQuery
 
 # Using the FilterXPath parameter:
-$XPath = '*[System[Level=3 and TimeCreated[timediff(@SystemTime) &amp;lt;= 86400000]]]'
+$XPath = '*[System[Level=3 and TimeCreated[timediff(@SystemTime) >= 86400000]]]'
 Get-WinEvent -LogName 'Windows PowerShell' -FilterXPath $XPath
 ```
 
 ### Example 17: Use FilterHashtable to get events from the Application log
 
 This example uses the **FilterHashtable** parameter to get events from the **Application** log. The
 hash table uses **key/value** pairs. For more information about the **FilterHashtable** parameter,
-see [Creating Get-WinEvent queries with FilterHashtable](/powershell/scripting/samples/Creating-Get-WinEvent-queries-with-FilterHashtable).
-For more information about hash tables, see [about_Hash_Tables](../Microsoft.PowerShell.Core/about/about_hash_tables.md).
+see
+[Creating Get-WinEvent queries with FilterHashtable](/powershell/scripting/samples/Creating-Get-WinEvent-queries-with-FilterHashtable).
+For more information about hash tables, see
+[about_Hash_Tables](../Microsoft.PowerShell.Core/about/about_hash_tables.md).
 
 ```powershell
 $Date = (Get-Date).AddDays(-2)
@@ -739,8 +741,9 @@ Help.
 
 Use an XML query to create a complex query that contains several XPath statements. The XML format
 also allows you to use a **Suppress XML** element that excludes events from the query. For more
-information about the XML schema for event log queries, see [Query Schema](/windows/win32/wes/queryschema-schema)
-and the XML Event Queries section of [Event Selection](/previous-versions/aa385231(v=vs.85)).
+information about the XML schema for event log queries, see
+[Query Schema](/windows/win32/wes/queryschema-schema) and the XML Event Queries section of
+[Event Selection](/previous-versions/aa385231(v=vs.85)).
 
 You may also create a **Suppress** element using the **FilterHashtable** parameter.
 
@@ -760,8 +763,9 @@ Accept wildcard characters: False
 
 Specifies an XPath query that this cmdlet select events from one or more logs.
 
-For more information about the XPath language, see [XPath Reference](/previous-versions/dotnet/netframework-4.0/ms256115(v=vs.100))
-and the Selection Filters section of [Event Selection](/previous-versions/aa385231(v=vs.85)).
+For more information about the XPath language, see
+[XPath Reference](/previous-versions/dotnet/netframework-4.0/ms256115(v=vs.100)) and the
+_Selection Filters_ section of [Event Selection](/previous-versions/aa385231(v=vs.85)).
 
 ```yaml
 Type: System.String
@@ -841,8 +845,8 @@ cmdlet.
 > [!NOTE]
 > PowerShell does not limit the amount of logs you can request. However, the `Get-WinEvent` cmdlet
 > queries the Windows API which has a limit of 256. This can make it difficult to filter through all
-> of your logs at one time. You can work around this by using a `foreach` loop to iterate through each
-> log like this: `Get-WinEvent -ListLog * | ForEach-Object{ Get-WinEvent -LogName $_.LogName }`
+> of your logs at one time. You can work around this by using a `foreach` loop to iterate through
+> each log like this: `Get-WinEvent -ListLog * | ForEach-Object{ Get-WinEvent -LogName $_.LogName }`
 
 ```yaml
 Type: System.String[]
@@ -939,7 +943,8 @@ Accept wildcard characters: True
 
 This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable,
 -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose,
--WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+-WarningAction, and -WarningVariable. For more information, see
+[about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
 
 ## INPUTS
 

@@ -151,9 +151,9 @@ with the asterisk (`*`) wildcard to display each property.
 
 ### Example 3: Configure the classic Security log
 
-This command gets an **EventLogConfiguration** object that represents the classic **Security** log.
-The object is then used to configure settings for the log, such as max file size, file path, and
-whether the log is enabled.
+This command gets an **EventLogConfiguration** object that represents the classic **Security** log. The
+object is then used to configure settings for the log, such as max file size, file path, and whether the
+log is enabled.
 
 ```powershell
 $log = Get-WinEvent -ListLog Security
@@ -196,18 +196,17 @@ ProviderLatency                : 1000
 ProviderControlGuid            :
 ```
 
-The `Get-WinEvent` cmdlet uses the **ListLog** parameter to specify the **Security** log. The object
-is saved to a variable. The **MaximumSizeInBytes** property is set to 1 gigabyte on the object. The
+The `Get-WinEvent` cmdlet uses the **ListLog** parameter to specify the **Security** log. The object is
+saved to a variable. The **MaximumSizeInBytes** property is set to 1 gigabyte on the object. The
 **SaveChanges** method is called to push the change to the system inside of a try block to handle
-access violations. The `Get-WinEvent` cmdlet is called again on the **Security** log and piped to
-the `Format-List` cmdlet to verify that the **MaximumSizeInBytes** property has been saved on the
-machine.
+access violations. The `Get-WinEvent` cmdlet is called again on the **Security** log and piped to the
+`Format-List` cmdlet to verify that the **MaximumSizeInBytes** property has been saved on the machine.
 
 ### Example 4: Get event logs from a server
 
 This command only gets event logs on the local computer that contain events. It's possible for a
 log's **RecordCount** to be null or zero. The example uses the `$_` variable. For more information,
-see [about_Automatic_Variables](../Microsoft.PowerShell.Core/About/about_Automatic_Variables.md).
+see [about_Automatic_Variables](../Microsoft.PowerShell.Core/about/about_automatic_variables.md).
 
 ```powershell
 Get-WinEvent -ListLog * -ComputerName localhost | Where-Object { $_.RecordCount }
@@ -234,8 +233,7 @@ is a property of the object with a non-null value.
 
 This example gets objects that represent the **Application** event logs on three computers:
 Server01, Server02, and Server03. The `foreach` keyword is used because the **ComputerName**
-parameter accepts only one value. For more information, see
-[about_Foreach](../Microsoft.PowerShell.Core/About/about_Foreach.md).
+parameter accepts only one value. For more information, see [about_Foreach](../Microsoft.PowerShell.Core/about/about_Foreach.md).
 
 ```powershell
 $S = 'Server01', 'Server02', 'Server03'
@@ -347,8 +345,7 @@ This command lists the Event Ids that the **Microsoft-Windows-GroupPolicy** even
 along with the event description.
 
 ```powershell
-(Get-WinEvent -ListProvider Microsoft-Windows-GroupPolicy).Events |
-    Format-Table Id, Description
+(Get-WinEvent -ListProvider Microsoft-Windows-GroupPolicy).Events | Format-Table Id, Description
 ```
 
 ```Output
@@ -508,7 +505,7 @@ is required.
 
 ```powershell
 Get-WinEvent -Path 'C:\Tracing\TraceLog.etl' -Oldest |
-    Sort-Object -Property TimeCreated -Descending |
+  Sort-Object -Property TimeCreated -Descending |
     Select-Object -First 100
 ```
 
@@ -529,7 +526,7 @@ reading from an `.etl` file, but the **Oldest** parameter applies to each file.
 
 ```powershell
 Get-WinEvent -Path 'C:\Tracing\TraceLog.etl', 'C:\Test\Windows PowerShell.evtx' -Oldest |
-    Where-Object { $_.Id -eq '403' }
+  Where-Object { $_.Id -eq '403' }
 ```
 
 The `Get-WinEvent` cmdlet gets log information from the archived files. The **Path** parameter uses
@@ -561,24 +558,25 @@ $xmlQuery = @'
 <QueryList>
   <Query Id="0" Path="Windows PowerShell">
     <Select Path="System">*[System[(Level=3) and
-        TimeCreated[timediff(@SystemTime) &amp;lt;= 86400000]]]</Select>
+        TimeCreated[timediff(@SystemTime) >= 86400000]]]</Select>
   </Query>
 </QueryList>
 '@
 Get-WinEvent -FilterXML $xmlQuery
 
 # Using the FilterXPath parameter:
-$XPath = '*[System[Level=3 and TimeCreated[timediff(@SystemTime) &amp;lt;= 86400000]]]'
+$XPath = '*[System[Level=3 and TimeCreated[timediff(@SystemTime) >= 86400000]]]'
 Get-WinEvent -LogName 'Windows PowerShell' -FilterXPath $XPath
 ```
 
 ### Example 17: Use FilterHashtable to get events from the Application log
 
 This example uses the **FilterHashtable** parameter to get events from the **Application** log. The
 hash table uses **key/value** pairs. For more information about the **FilterHashtable** parameter,
-see [Creating Get-WinEvent queries with FilterHashtable](/powershell/scripting/samples/creating-get-winevent-queries-with-filterhashtable).
+see
+[Creating Get-WinEvent queries with FilterHashtable](/powershell/scripting/samples/Creating-Get-WinEvent-queries-with-FilterHashtable).
 For more information about hash tables, see
-[about_Hash_Tables](../Microsoft.PowerShell.Core/About/about_Hash_Tables.md).
+[about_Hash_Tables](../Microsoft.PowerShell.Core/about/about_hash_tables.md).
 
 ```powershell
 $Date = (Get-Date).AddDays(-2)
@@ -600,7 +598,7 @@ that occurred within the last week.
 ```powershell
 $StartTime = (Get-Date).AddDays(-7)
 Get-WinEvent -FilterHashtable @{
-  LogName='Application'
+  Logname='Application'
   ProviderName='Application Error'
   Data='iexplore.exe'
   StartTime=$StartTime
@@ -766,8 +764,8 @@ Accept wildcard characters: False
 Specifies an XPath query that this cmdlet select events from one or more logs.
 
 For more information about the XPath language, see
-[XPath Reference](/previous-versions/dotnet/netframework-4.0/ms256115(v=vs.100))
-and the Selection Filters section of [Event Selection](/previous-versions/aa385231(v=vs.85)).
+[XPath Reference](/previous-versions/dotnet/netframework-4.0/ms256115(v=vs.100)) and the
+_Selection Filters_ section of [Event Selection](/previous-versions/aa385231(v=vs.85)).
 
 ```yaml
 Type: System.String
@@ -987,13 +985,13 @@ Environment (Windows PE).
 
 ## RELATED LINKS
 
-[about_Automatic_Variables](../Microsoft.PowerShell.Core/About/about_Automatic_Variables.md)
+[about_Automatic_Variables](../Microsoft.PowerShell.Core/about/about_automatic_variables.md)
 
-[about_Foreach](../Microsoft.PowerShell.Core/About/about_Foreach.md)
+[about_Foreach](../Microsoft.PowerShell.Core/about/about_Foreach.md)
 
-[about_Hash_Tables](../Microsoft.PowerShell.Core/About/about_Hash_Tables.md)
+[about_Hash_Tables](../Microsoft.PowerShell.Core/about/about_hash_tables.md)
 
-[Creating Get-WinEvent queries with FilterHashtable](/powershell/scripting/samples/creating-get-winevent-queries-with-filterhashtable)
+[Creating Get-WinEvent queries with FilterHashtable](/powershell/scripting/samples/Creating-Get-WinEvent-queries-with-FilterHashtable)
 
 [Format-Table](../Microsoft.PowerShell.Utility/Format-Table.md)
 

@@ -558,23 +558,25 @@ $xmlQuery = @'
 <QueryList>
   <Query Id="0" Path="Windows PowerShell">
     <Select Path="System">*[System[(Level=3) and
-        TimeCreated[timediff(@SystemTime) &amp;lt;= 86400000]]]</Select>
+        TimeCreated[timediff(@SystemTime) >= 86400000]]]</Select>
   </Query>
 </QueryList>
 '@
 Get-WinEvent -FilterXML $xmlQuery
 
 # Using the FilterXPath parameter:
-$XPath = '*[System[Level=3 and TimeCreated[timediff(@SystemTime) &amp;lt;= 86400000]]]'
+$XPath = '*[System[Level=3 and TimeCreated[timediff(@SystemTime) >= 86400000]]]'
 Get-WinEvent -LogName 'Windows PowerShell' -FilterXPath $XPath
 ```
 
 ### Example 17: Use FilterHashtable to get events from the Application log
 
 This example uses the **FilterHashtable** parameter to get events from the **Application** log. The
 hash table uses **key/value** pairs. For more information about the **FilterHashtable** parameter,
-see [Creating Get-WinEvent queries with FilterHashtable](/powershell/scripting/samples/Creating-Get-WinEvent-queries-with-FilterHashtable).
-For more information about hash tables, see [about_Hash_Tables](../Microsoft.PowerShell.Core/about/about_hash_tables.md).
+see
+[Creating Get-WinEvent queries with FilterHashtable](/powershell/scripting/samples/Creating-Get-WinEvent-queries-with-FilterHashtable).
+For more information about hash tables, see
+[about_Hash_Tables](../Microsoft.PowerShell.Core/about/about_hash_tables.md).
 
 ```powershell
 $Date = (Get-Date).AddDays(-2)
@@ -596,7 +598,7 @@ that occurred within the last week.
 ```powershell
 $StartTime = (Get-Date).AddDays(-7)
 Get-WinEvent -FilterHashtable @{
-  LogName='Application'
+  Logname='Application'
   ProviderName='Application Error'
   Data='iexplore.exe'
   StartTime=$StartTime
@@ -739,8 +741,9 @@ Help.
 
 Use an XML query to create a complex query that contains several XPath statements. The XML format
 also allows you to use a **Suppress XML** element that excludes events from the query. For more
-information about the XML schema for event log queries, see [Query Schema](/windows/win32/wes/queryschema-schema)
-and the XML Event Queries section of [Event Selection](/previous-versions/aa385231(v=vs.85)).
+information about the XML schema for event log queries, see
+[Query Schema](/windows/win32/wes/queryschema-schema) and the XML Event Queries section of
+[Event Selection](/previous-versions/aa385231(v=vs.85)).
 
 You may also create a **Suppress** element using the **FilterHashtable** parameter.
 
@@ -760,8 +763,9 @@ Accept wildcard characters: False
 
 Specifies an XPath query that this cmdlet select events from one or more logs.
 
-For more information about the XPath language, see [XPath Reference](/previous-versions/dotnet/netframework-4.0/ms256115(v=vs.100))
-and the Selection Filters section of [Event Selection](/previous-versions/aa385231(v=vs.85)).
+For more information about the XPath language, see
+[XPath Reference](/previous-versions/dotnet/netframework-4.0/ms256115(v=vs.100)) and the
+_Selection Filters_ section of [Event Selection](/previous-versions/aa385231(v=vs.85)).
 
 ```yaml
 Type: System.String
@@ -841,8 +845,8 @@ cmdlet.
 > [!NOTE]
 > PowerShell does not limit the amount of logs you can request. However, the `Get-WinEvent` cmdlet
 > queries the Windows API which has a limit of 256. This can make it difficult to filter through all
-> of your logs at one time. You can work around this by using a `foreach` loop to iterate through each
-> log like this: `Get-WinEvent -ListLog * | ForEach-Object{ Get-WinEvent -LogName $_.LogName }`
+> of your logs at one time. You can work around this by using a `foreach` loop to iterate through
+> each log like this: `Get-WinEvent -ListLog * | ForEach-Object{ Get-WinEvent -LogName $_.LogName }`
 
 ```yaml
 Type: System.String[]
@@ -939,7 +943,8 @@ Accept wildcard characters: True
 
 This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable,
 -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose,
--WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+-WarningAction, and -WarningVariable. For more information, see
+[about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
 
 ## INPUTS