Skip navigation
PowerShell screenshot shows Where-Object cmdlet

How to Use the PowerShell Where-Object Cmdlet

The Where-Object cmdlet can greatly simplify your search for information on PowerShell. Here’s how to use the cmdlet.

Those new to PowerShell often find that PowerShell can display lots of useful information about the Windows operating system – so much information, in fact, that it can become overwhelming. The sheer amount of information can make it difficult to locate the data you are really interested in.

When that happens, you can use the Where-Object cmdlet to narrow down the results, making the information more easily digestible.

As an example, imagine that you have a problem with the Windows operating system. You suspect that a failed system service might relate to the issue. To find out, you could open an elevated PowerShell session, then use the Get-Service cmdlet to retrieve a list of the various system services (see Figure 1).

Brien PoseyPowerShell screens shows a long list of system services, retrieved via Get-Service cmdlet

Figure 1. The Get-Service cmdlet retrieves a list of system services.

As you can see, the Get-Service cmdlet returns information about all the system services. There are hundreds of services to sort through. Presumably, most of the services are working correctly, so it probably doesn’t make sense to manually examine every single service on the list.

In a situation like this, you could use the Where-Object cmdlet to narrow down list of systems services.

How to Use the Where-Object Cmdlet

To use the Where-Object cmdlet, we need to determine the best way to filter the information. If we suspected that a problem with Windows was tied to a service, we would most likely be interested in stopped services (since running services do not usually pose a problem).

You can filter the list of results to look for stopped services by entering this command:

Get-Service | Where-Object {$_.Status -eq ‘Stopped’}

This command examines the Status column for the list of services and only returns results with a status of Stopped. The $_.Status portion of the Where-Object cmdlet tells Windows we want to look at the Status column for the list of services (which is piped in by way of the Get-Service cmdlet). The -eq portion of the command is an operator. It tells PowerShell that we are looking for an equal condition. The specific condition that we are looking for is a state of stopped. So, we are literally looking for services with a status equal to Stopped. See the results in Figure 2.

Brien PoseyPowerShell screenshot shows list of system services that have stopped

Figure 2. The results list now includes only services that are stopped.

The results list contains a lot of stopped services. It’s completely normal for some system services to be stopped. Not every service must be running. As such, we need a way to further narrow down the list, zeroing in on services that might have a problem.

To do so, we can create a compound filter. A compound filter (at least in this case) is a Where-Object statement that looks at multiple criteria. For example, a service is most likely to be the source of a problem if it has a startup type of “Automatic” but a status of Stopped. It is normal for a small number of services to be stopped even if they are configured to start automatically. However, we can at least use these criteria to narrow down the list.

Here is what such a command might look like:

Get-Service | Where-Object{$_.StartType -eq ‘Automatic’ -and $_.Status -eq ‘Stopped’}

In other words, we are looking for services with a start type of Automatic and a status of Stopped. Incidentally, -eq and -and are not the only operators that can be used. Other options include -GT (greater than), -LT (less than), and -OR, just to name a few. See the results in Figure 3.

Brien PoseyPowerShell screenshot shows a shortened list of system services

Figure 3. The list of results is much shorter than before.

Conclusion

So, just how much did the Where-Object cmdlet help to narrow down the search results? See Figure 4 below. The full list of services included 309 results. Of those 309 services, 179 were stopped. However, only eight of the stopped services had a startup type of Automatic.

Brien PoseyPowerShell screenshot shows the list of system services has been reduced to eight items

Figure 4. The Where-Object cmdlet significantly reduced the number of search results.

In other words, by using the Where-Object cmdlet to filter the search results, we reduced the number of results from 309 to just eight.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish