Using the Where-Object Cmdlet

Filtering Returned Data

The Where-Object cmdlet provides a way for you to filter data returned by other cmdlets. For example, by default the Get-Process cmdlet returns information about all the processes currently running on your computer. However, suppose you’re interested in only those processes using more than 200 handles. (We’re not sure why you’d be interested in that, but ….) To get back only that subset of processes, call Get-Process and then pipe the results through Where-Object:

Get-Process | Where-Object {$_.handles -gt 200}

Take careful note of the syntax. To begin, the where clause is enclosed within curly braces; in addition, the $_ notation is used to represent the default object (that is, the object being transferred across the pipeline). Last, but surely not least, notice the comparison operator being used to indicate greater than: it’s -gt as opposed to >. Windows PowerShell does not use the standard arithmetic comparison operators; instead, it uses operators such as these:

  • -lt -- Less than

  • -le -- Less than or equal to

  • -gt -- Greater than

  • -ge -- Greater than or equal to

  • -eq -- Equal to

  • -ne -- Not equal to

  • -like - Like; uses wildcards for pattern matching

In other words, if we were looking for processes where handles were greater than or equal to 200 we’d use this command:

Get-Process | Where-Object {$_.handles -ge 200}

You can also use the -and and -or parameters to create even-more finitely targeted datasets. For example, suppose you’d like to return all the instances of the svchost process that are using more than 200 handles. All you have to do is include both criterion in your where clause, separating the two by using -and:

Get-Process | Where-Object {$_.handles -gt 200 -and $_.name -eq "svchost"}

Likewise, suppose you wanted a list of all the process that are using more than 200 handles or that have the name svchost (in other words, all processes using more than 200 handles as well as all the svchost processes, regardless of the number of handles they might be using). In that case, use the -or parameter to join the two parts of your where clause:

Get-Process | Where-Object {$_.handles -gt 200 -or $_.name -eq "svchost"}

Here’s another example; this one (using the Get-ChildItem cmdlet) shows you only the files in the folder C:\Scripts that are larger than 100,000 bytes:

Get-ChildItem c:\scripts | Where-Object {$_.length -gt 100000}

And let’s not forget the -like operator. This command returns all of the files in C:\Scripts that include the string test in the file name. Note the use of the two asterisks as wildcard characters:

Get-ChildItem c:\scripts | Where-Object {$_.name -like "*test*"}

Here’s the kind of data you can expect to get back:

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---          5/6/2006  10:24 PM      34198 test.csv
-a---         5/19/2006   9:11 AM       5918 test.htm
-a---         5/19/2006   8:16 AM      34226 test.log
-a---         5/19/2006   1:20 PM         65 test.ps1
-a---         5/20/2006   9:52 AM        150 test.psc1
-a---         5/20/2006   9:52 AM        150 test.psc1e.psc1
-a---         5/19/2006   1:27 PM        565 test.txt
-a---         4/17/2006   6:41 PM      24064 test.txt.doc
-a---         5/19/2006   1:45 PM       1971 test.vbs
-a---         5/17/2006   1:41 PM       9248 test.xls
-a---         5/19/2006   1:20 PM     628234 Test.xml
-a---          4/6/2006  10:26 PM        205 test_NODUPL.txt
Where-Object Aliases
  • where