PowerShell Script – Get Group Policy events by CorrelationID

Update: 22. August 2014: I have posted an updated version of the script here.

During his Group Policy: Notes from the Field – Tips, Tricks, and Troubleshooting session at TechEd Group Policy MVP Jeremy Moskowitz demonstrates how to filter the event log using the correlation ID. Now because I love using PowerShell I thought I create a function for that using Jeremy’s XMLquery.

function Get-GPEventByCorrelationID
   Get Group Policy Eventlog entries by Correlation ID
   This function retrieves Group Policy event log entries filtered by Correlation ID
   Get-GPEventByCorrelationID -CorrelationID A2A621EC-44B4-4C56-9BA3-169B88032EFD

   TimeCreated                     Id LevelDisplayName Message
   -----------                     -- ---------------- -------
   7/17/2014 3:00:27 PM          5117 Information      Group policy session completed successfully.

        # CorrelationID

        $Query = '*[System/Correlation/@ActivityID="{CorrelationID}"]'
        $FilterXML = $Query.Replace("CorrelationID",$CorrelationID)
        Get-WinEvent -FilterXml $FilterXML


Greetings form the sunny beaches at Sardinia.

3 Replies to “PowerShell Script – Get Group Policy events by CorrelationID”

  1. Didn’t work for me, was bombing out with the error
    Get-WinEvent : Cannot bind parameter ‘FilterXml’. Cannot convert value
    “*[System/Correlation/@ActivityID='{360003F2-5989-4938-986E-6F290508F803}’]” to type “System.Xml.XmlDocument”.

    So I’ve replaced the line #28 in the code above with:

    $Query = “*[System/Correlation/@ActivityID='{CorrelationID}’]”

    and it’s working Ok now.
    I’ve checked afterwards & it’s exactly the approach you do use in your Get-GPEventByCorrelationID function.

    Cheers, Michael.

  2. Sorry, the correct line #28 is:

    $Query = “*[System/Correlation/@ActivityID='{CorrelationID}’]”

  3. $Query = ” *[System/Correlation/@ActivityID='{CorrelationID}’] ”

    Ok, the comment publishing engine is removing the parts of the published code.

Leave a Reply