Connect with experts and redefine what’s possible at work – join us at the Microsoft 365 Community Conference May 6-8. Learn more >

Forum Discussion

Copper Contributor

Mar 14, 2025

Solved

Get-EventLog bad instanceid

Hello all,

I have one problem with Get-EventLog. Filter -InstanceID not working.

In EventLog is InstanceID 7036 in Results form Het-EventLog is InstanceID 1073748860

It is a bug?

LainRobertson
Mar 20, 2025
Hi Feofan69,

It's not actually a bad id.

Behind the scenes, the value is actually a 32-bit integer, but Event Viewer only shows 16-bit integers for the "Event ID" column.

If you switch to the XML view within the event, you will see the high-order 16-bit word as the "Qualifier" attribute value.

Here's an example for "Event ID = 7040", which in Get-EventLog shows as InstanceId = 1073748864.

We can readily reconstruct the real 32-bit value from the two 16-bit values (qualifier and the element value):

Not every event has a "Qualifier" attribute, hence some InstanceID values look like the usual "smaller" values (since they only contain the lower-order 16-bit value).

Cheers,
Lain

Feofan69
Copper Contributor
Mar 20, 2025
Thank you. I need to use always for powershell queries only 32bit value?
- LainRobertson
  Silver Contributor
  Mar 22, 2025
  Hi Feofan69,
  
  If you use Get-EventLog then yes, you have to use the full value when using the -InstanceId parameter.
  
  However, there's a more powerful Event Log commandlet named Get-WinEvent, which despite being more complex to use, does allow you to specify just the 16-bit value you're accustomed to seeing in Event Viewer.
  
  Get-WinEvent (Microsoft.PowerShell.Diagnostics) - PowerShell | Microsoft Learn
  
  Example
  Get-WinEvent -LogName System -FilterXPath "*/*[EventID=7040]";
  
  Cheers,
  Lain
LainRobertson
Silver Contributor
Mar 20, 2025
Hi Feofan69,

It's not actually a bad id.

Behind the scenes, the value is actually a 32-bit integer, but Event Viewer only shows 16-bit integers for the "Event ID" column.

If you switch to the XML view within the event, you will see the high-order 16-bit word as the "Qualifier" attribute value.

Here's an example for "Event ID = 7040", which in Get-EventLog shows as InstanceId = 1073748864.

We can readily reconstruct the real 32-bit value from the two 16-bit values (qualifier and the element value):

Not every event has a "Qualifier" attribute, hence some InstanceID values look like the usual "smaller" values (since they only contain the lower-order 16-bit value).

Cheers,
Lain

Resources