Share via

Why does this PowerShell command give me so few for a count?

Falanga, Rod, DOH 1,020 Reputation points
2026-06-16T19:27:29.2433333+00:00

My PC has been experiencing BSODs for months. I've been wondering how many BSODs I get, so I searched for a PowerShell script which would count them for me. It does work, but I'm certain that its count is way low. I modified it slightly so that it would list the more recent 25 (it originally listed only the most recent 5). However, the total it reports is 139, which I think it consistent over today. It is almost 1:30 PM my time and according to the PowerShell script I have had 16 BSODs today. (My day isn't over, I'm sure I'll have more.) Given that this has been occurring for months, I would expect the number to be in the thousands, not the low hundreds. Does Windows Event viewer purge entries in the event log on some regular basis? What could be the cause of so few entries in the event log? Here is the PowerShell script:



<#
.SYNOPSIS
    Counts the number of BSOD (Blue Screen) events on a Windows system.
#>

try {
    # Define the event filter
    $filter = @{
        LogName   = 'System'
        Id        = 1001          # BugCheck event ID
        ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
    }

    # Get all matching events
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop

    # Count the events
    $count = $events.Count

    Write-Host "Total BSOD events found: $count" -ForegroundColor Cyan

    # Optional: Show the last 25 BSOD events with date and bugcheck code
    if ($count -gt 0) {
        Write-Host "`nLast 25 BSOD events:" -ForegroundColor Yellow
        $events |
            Sort-Object TimeCreated -Descending |
            Select-Object -First 25 TimeCreated, Id, Message |
            Format-Table -AutoSize
    }
}
catch {
    Write-Host "Error retrieving BSOD events: $($_.Exception.Message)" -ForegroundColor Red
}
Windows for business | Windows Client for IT Pros | User experience | Other
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. HLBui 7,000 Reputation points Independent Advisor
    2026-06-16T23:01:51.3766667+00:00

    Hi Falanga, Rod, DOH

    Those BSODs piling up can feel endless, and the script’s numbers don’t always match reality. The short answer is yes, Windows Event Viewer does purge logs over time. By default, the System log has a max size, and once it hits that, older entries get overwritten. That’s why you’re seeing a few hundred instead of thousands the log just doesn’t keep everything forever. If you want a longer history, you can bump up the log size in Event Viewer settings or set it to archive instead of overwrite. Another thing to note: not every crash gets logged if the system doesn’t fully write out the event before reboot, so the count can be off. Your PowerShell script is fine, but it’s only as good as the data available in the log. If you’re really trying to track BSOD frequency, you might want to use Reliability Monitor or even set up a scheduled export of the event logs so you don’t lose older entries.

    If everything is okay, don't forget to share your experience with the issue by "Accept answer". If you need more information, feel free to leave a message. We are happy to help!

    Was this answer helpful?

    0 comments

  2. AI answer

    2026-06-16T19:27:58.99+00:00

    The script counts only specific events in the System log, so the total can be much lower than the number of BSODs actually experienced. Several factors can explain the low count:

    1. Filter is very narrow
      The script uses: 
         $filter = @{
       LogName      = 'System'
       Id           = 1001
       ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
   }
      This returns only System log events with:
      • Event ID 1001, and
      • Provider Microsoft-Windows-WER-SystemErrorReporting.
      However, Windows can log BSOD-related information in different ways:
      • BugCheck / crash events may be logged by other providers or with other IDs.
      • Some crashes may not generate a WER SystemErrorReporting event at all (for example, if logging or WER is disabled or misconfigured).
      To see more events, the filter can be relaxed. For example, to get all ID 1001 events in the System log regardless of provider: 
         $filter = @{ LogName = 'System'; Id = 1001 }
   $events = Get-WinEvent -FilterHashtable $filter
    2. Event log size and retention
      The System log has a finite size and a retention policy. When it fills up, older entries are overwritten. Over months of frequent BSODs, older events will be purged, so only recent crashes remain. This is expected behavior when the log reaches its maximum size.
    3. Different event sources for reboots vs. bug checks
      Some reboots may be reflected only by other System events (for example, Kernel-General or EventLog events) rather than WER BugCheck events. For reboot history, other IDs are commonly used, such as 12, 13, 6005, and 6009 in the System log. For example, to review reboot-related events: 
         $filter = @{ LogName = 'System'; Id = 12,13,6005,6009 }
   Get-WinEvent -FilterHashtable $filter | Sort-Object TimeCreated
      These events show OS start/shutdown and Event Log service start, which can help correlate how often the system is restarting, even if a BugCheck event is missing.
    4. WER event availability depends on upgrade / configuration
      Some WER-related events (including certain 1001 events) are only present under specific conditions (for example, after upgrades or when WER is enabled and able to write to the Application/System logs). If WER is disabled, misconfigured, or fails, some BSODs will not produce the 1001 events the script is counting.
    5. Get-WinEvent returns only what is currently in the log
      Get-WinEvent reads the current contents of the specified log. If entries have already been overwritten or if the log was cleared at some point, those older BSOD events cannot be counted anymore.

    To get a more complete picture going forward:

    • Increase the System log size and ensure it is not being cleared.
    • Broaden the filters (for example, remove ProviderName, or include additional IDs/providers known to log bug checks on the system).
    • Optionally export logs periodically so older events are preserved before they are overwritten.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.