How to Use the PowerShell Where-Object Cmdlet

The Where-Object cmdlet can greatly simplify your search for information on PowerShell. Here’s how to use the cmdlet.

Brien Posey

August 4, 2022

4 Min Read
PowerShell screenshot shows Where-Object cmdlet

Those new to PowerShell often find that PowerShell can display lots of useful information about the Windows operating system – so much information, in fact, that it can become overwhelming. The sheer amount of information can make it difficult to locate the data you are really interested in.

When that happens, you can use the Where-Object cmdlet to narrow down the results, making the information more easily digestible.

As an example, imagine that you have a problem with the Windows operating system. You suspect that a failed system service might relate to the issue. To find out, you could open an elevated PowerShell session, then use the Get-Service cmdlet to retrieve a list of the various system services (see Figure 1).

PowerShell screens shows a long list of system services, retrieved via Get-Service cmdlet

Where-Object 1

Figure 1. The Get-Service cmdlet retrieves a list of system services.

As you can see, the Get-Service cmdlet returns information about all the system services. There are hundreds of services to sort through. Presumably, most of the services are working correctly, so it probably doesn’t make sense to manually examine every single service on the list.

In a situation like this, you could use the Where-Object cmdlet to narrow down list of systems services.

How to Use the Where-Object Cmdlet

To use the Where-Object cmdlet, we need to determine the best way to filter the information. If we suspected that a problem with Windows was tied to a service, we would most likely be interested in stopped services (since running services do not usually pose a problem).

Related:3 Ways to Download a File in PowerShell

You can filter the list of results to look for stopped services by entering this command:

Get-Service | Where-Object {$_.Status -eq ‘Stopped’}

This command examines the Status column for the list of services and only returns results with a status of Stopped. The $_.Status portion of the Where-Object cmdlet tells Windows we want to look at the Status column for the list of services (which is piped in by way of the Get-Service cmdlet). The -eq portion of the command is an operator. It tells PowerShell that we are looking for an equal condition. The specific condition that we are looking for is a state of stopped. So, we are literally looking for services with a status equal to Stopped. See the results in Figure 2.

PowerShell screenshot shows list of system services that have stopped

Where-Object 2

Figure 2. The results list now includes only services that are stopped.

The results list contains a lot of stopped services. It’s completely normal for some system services to be stopped. Not every service must be running. As such, we need a way to further narrow down the list, zeroing in on services that might have a problem.

To do so, we can create a compound filter. A compound filter (at least in this case) is a Where-Object statement that looks at multiple criteria. For example, a service is most likely to be the source of a problem if it has a startup type of “Automatic” but a status of Stopped. It is normal for a small number of services to be stopped even if they are configured to start automatically. However, we can at least use these criteria to narrow down the list.

Here is what such a command might look like:

Get-Service | Where-Object{$_.StartType -eq ‘Automatic’ -and $_.Status -eq ‘Stopped’}

In other words, we are looking for services with a start type of Automatic and a status of Stopped. Incidentally, -eq and -and are not the only operators that can be used. Other options include -GT (greater than), -LT (less than), and -OR, just to name a few. See the results in Figure 3.

PowerShell screenshot shows a shortened list of system services

Where-Object 3_0

Figure 3. The list of results is much shorter than before.

Conclusion

So, just how much did the Where-Object cmdlet help to narrow down the search results? See Figure 4 below. The full list of services included 309 results. Of those 309 services, 179 were stopped. However, only eight of the stopped services had a startup type of Automatic.

PowerShell screenshot shows the list of system services has been reduced to eight items

Where-Object 4

Figure 4. The Where-Object cmdlet significantly reduced the number of search results.

In other words, by using the Where-Object cmdlet to filter the search results, we reduced the number of results from 309 to just eight.

About the Author(s)

Brien Posey

Brien Posey

Brien Posey is a bestselling technology author, a speaker, and a 20X Microsoft MVP. In addition to his ongoing work in IT, Posey has spent the last several years training as a commercial astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space.

http://brienposey.com/

See more from Brien Posey
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up

You May Also Like

Editor's Choice

cybersecurity operator or hacker works with data in dark room
IT Security
Master AI Cybersecurity: Protect and Enhance Your NetworkMaster AI Cybersecurity: Protect and Enhance Your Network
byBrien Posey
May 21, 2024
5 Min Read
business person stamping a document
IT Operations
How to Get Executive Buy-In for IT ProjectsHow to Get Executive Buy-In for IT Projects
byChristopher Tozzi
May 28, 2024
6 Min Read
yellow block stuck in between blue cog wheels
PowerShell
Using ChatGPT as a PowerShell Debugging ToolUsing ChatGPT as a PowerShell Debugging Tool
byBrien Posey
Jun 4, 2024
4 Min Read