Question:
I’m pulling and filtering System Event Log data using get-eventlog. What I’m finding is that get-event log is not able to correctly return the message associated with some entries. These entries appear normally in the event log viewer. E.g.
|
1 2 |
get-eventlog -logname system | ? { $_.source -eq "Microsoft-Windows-Kernel-General" } |
returns 8 entries, all of which have a message of the following form:
|
1 2 3 4 |
The description for Event ID '12' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them. The following information is part of the event:'6', '1', '7601', '18798', '1', '0', '2015-06-13T08:33:32.359599800Z' |
If I filter the system event log for the same source, I can clearly see the fully formed message. e.g
|
1 2 |
The operating system started at system time 2015-06-13T08:33:32.359599800Z. |
I ran the following to see if any other providers were unable to return valid event messages:
|
1 2 3 4 5 6 7 8 9 |
get-eventlog -LogName system | ? { $_.Message -like "The description for Event ID*" } | Group-Object -Property Source | Select-Object -Property Name Name ---- Microsoft-Windows-Kernel-General DCOM WinRM Microsoft-Windows-Iphlpsvc |
I checked in the event log viewer to find the corresponding entries for the DCOM, WinRM and Iphlpsvc sources and confirmed that the correct message was visible.
I’ve run the test scripts in a admin-level PowerShell console.
Any ideas?
EDIT: Further research has revealed that PsLogList also appears to suffer from the same problem, whereas WEVTUTIL does not.
EDIT: Following suggestion by Windos, I tried get-winevent. I had tried this previously and found that it would return no Message data at all. I tried again and found the same result. I then tried
|
1 2 |
Get-WinEvent -ProviderName "Microsoft-Windows-Kernel-General" |
which produced the following error
|
1 2 |
Could not retrieve information about the Microsoft-Windows-Kernel-General provider. Error: The locale specific resource for the desired message is not present. |
A little googling led me to ‘https://p0w3rsh3ll.wordpress.com/2013/12/13/why-does-my-get-winevent-command-fail/‘ who had also experienced the same error message. He suggested this was due to regional settings. I’m in Australia, so my ‘format’ setting in Control Panel was ‘English (Australia)’. I changed this to ‘English (United States)’, launched a new PS console, confirmed with get-culture that I was now in the US and re-ran the get-winevent commands.
|
1 2 |
Get-WinEvent -ProviderName "Microsoft-Windows-Kernel-General" | select-object -property Message |
lo and behold …
|
1 2 3 4 5 6 7 8 9 10 11 |
Message ------- The system time has changed to ?2015?-?07?-?12T01:06:52.405000000Z from ?2015?-?07?-?12T01:05:51.764208900Z. The system time has changed to ?2015?-?07?-?12T01:05:09.671000000Z from ?2015?-?07?-?12T01:04:09.226010500Z. The system time has changed to ?2015?-?07?-?12T01:03:49.119000000Z from ?2015?-?07?-?12T01:02:48.060593100Z. The system time has changed to ?2015?-?07?-?12T01:02:32.128000000Z from ?2015?-?07?-?12T01:01:29.610105600Z. The system time has changed to ?2015?-?06?-?13T08:41:12.267000000Z from ?2015?-?06?-?13T08:41:12.404273100Z. The operating system started at system time ?2015?-?06?-?13T08:33:32.359599800Z. The operating system is shutting down at system time ?2015?-?06?-?13T08:33:05.091743100Z. The system time has changed to ?2015?-?06?-?13T08:32:58.947000000Z from ?2015?-?06?-?13T08:32:58.947959900Z. |
Sadly though – no change got get-eventlog
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
get-eventlog -logname system | ? { $_.Source -eq "microsoft-windows-kernel-general" } | select-object -property Message Message ------- The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m... The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m... The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m... The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m... The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m... The description for Event ID '12' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer ... The description for Event ID '13' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer ... The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m... |
Answer:
Not sure on the how or why, but it looks like if you opt for Get-WinEvent rather than Get-EventLog you’ll get the info you’re after.
It should be noted that when changing commands the ‘Source’ parameter is known as ‘ProviderName’ so your command becomes:
|
1 2 |
Get-WinEvent -LogName System | Where { $_.ProviderName -eq 'Microsoft-Windows-Kernel-General' } |