As an alternative to writing text log files from scripts, you can write event information directly to the Event Viewer logs. In this article, we'll look at how to write logs to the Windows Event Viewer from a PowerShell script or the command prompt.
To write information to the Windows event logs, use the Write-EventLog cmdlet. For example, to write an information event to the Application log:
Write-EventLog -LogName Application -Source "Application" -EntryType Information -EventID 1 -Message "PS1 Script started"
You can add a separate event source to an existing log:
New-EventLog -LogName Application -Source "MyScripts"
Now, you can write events with a custom source:
Write-EventLog -LogName Application -Source "MyScripts" -EntryType Warning -EventID 1 -Message "PS1 Script started"
Open the Event Viewer console (eventvwr.msc), expand the Application log, and check that a new event with your description has been added to the log.
The -EntryType value can be Error, Information, FailureAudit, SuccessAudit, or Warning.
To add an event to the log from a BAT/CMD script, use the eventcreate.exe command:
eventcreate /t information /l application /id 1 /d "BAT script started"
You can create a custom classic event log in Event Viewer using the New-EventLog command.
New-EventLog -LogName CustomPSLog -source 'MyScripts','PSScript','PSLogonScript','PSSchedScript'
If you are writing events to a custom log, you should first check in the script to see if the log already exists.
If ([System.Diagnostics.EventLog]::SourceExists('CustomPSLog') -eq $False) {
    New-EventLog -LogName CustomPSLog -Source ...
}
For a new classic event log to appear in the Event Viewer graphical console, you must send at least one event to it.
Write-EventLog -LogName CustomPSLog -Source MyScripts -EntryType Information -EventID 1 -Message "Test"
A new log will appear in the root of the Applications and Services Logs section. A new EVTX file will be created for the log in the %SystemRoot%\System32\Winevt\Logs folder.
Use the Get-WinEvent cmdlet to find and filter events in Event Viewer logs:
Get-WinEvent -FilterHashtable @{logname='CustomPSLog';id=1} -MaxEvents 5 | ft TimeCreated,Id,Message
In the latest versions of PowerShell Core, the Write-EventLog cmdlet is not supported. If you try to run a command that contains it, you will get an error:
Write-EventLog: The term 'Write-EventLog' is not recognized as a name of a cmdlet, function, script file, or executable program.
In PowerShell Core 7.x, you should use New-WinEvent instead. However, to use it, you need to register a separate event provider, which can be complicated. In PowerShell Core scripts, it is much easier to first import the Microsoft.PowerShell.Management module with the -UseWindowsPowerShell option. Then, you can use the Write-EventLog cmdlet in your PowerShell Core scripts:
Import-Module Microsoft.PowerShell.Management -UseWindowsPowerShell
Write-EventLog -LogName CustomPSLog -Source MyScripts -EntryType Information -EventID 1 -Message "Test2"
To add events to the Event Viewer with the Write-EventLog cmdlet, run it under an account that is a member of the local Administrators group. A non-admin user can only send events to custom Event Viewer logs created by an administrator.
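The following wrapper is an added example, not code from the original article. It combines the source check, the New-EventLog registration and the Write-EventLog call described above, and handles the non-admin case. The function name Write-ScriptEvent and the sample messages are assumptions made for illustration; the log and source names reuse the article's examples, and the code targets Windows PowerShell 5.1.

```powershell
# Added example: Write-ScriptEvent is a hypothetical helper name, not a built-in cmdlet.
function Write-ScriptEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Message,
        [string]$LogName = 'CustomPSLog',
        [string]$Source  = 'MyScripts',
        [ValidateSet('Error','Information','FailureAudit','SuccessAudit','Warning')]
        [string]$EntryType = 'Information',
        [ValidateRange(0,65535)][int]$EventId = 1
    )

    # For a non-admin caller, SourceExists throws a SecurityException when the
    # source is not found, because the Security log cannot be searched.
    try {
        $registered = [System.Diagnostics.EventLog]::SourceExists($Source)
    } catch [System.Security.SecurityException] {
        $registered = $false
    }

    if (-not $registered) {
        $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
        $principal = [Security.Principal.WindowsPrincipal]$identity
        $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        if (-not $isAdmin) {
            # Fail with a clear message instead of a registry access error.
            throw "Event source '$Source' is not registered. Run New-EventLog from an elevated session first."
        }
        # Registers the source and creates the log if it does not exist yet.
        New-EventLog -LogName $LogName -Source $Source
    }

    Write-EventLog -LogName $LogName -Source $Source -EntryType $EntryType `
        -EventId $EventId -Message $Message
}

# Constructed sample calls.
Write-ScriptEvent -Message 'PS1 Script started'
Write-ScriptEvent -Message 'Backup share unreachable' -EntryType Warning -EventId 2

# Read back the newest events written by this source.
Get-WinEvent -FilterHashtable @{ LogName = 'CustomPSLog'; ProviderName = 'MyScripts' } -MaxEvents 5 |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize
```

Run it once from an elevated session so the source is registered; later calls can then be made from a standard user account.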