Forum Discussion

jaogden (Microsoft)
Jun 10, 2021

Differing Get-WinEvent behavior

Given a single .etl, I'm encountering differing Get-WinEvent behavior depending on the machine/PS version I'm using for a single event.


I actually don't know much about this particular event, other than its ProviderId GUID 68fdd900-4a3e-11d1-84f4-0000f80464e3, which led me to find: EventTraceEvent class - Win32 apps | Microsoft Docs.


The command used in the following examples, each run on a separate machine:

Get-WinEvent -Path F:\example.etl -oldest -MaxEvents 1


Here's the assumed/expected behavior, as shown running the Get-WinEvent command on an older version:

Here's the PowerShell versioning information for this machine:


Here's the behavior when running the same Get-WinEvent command on a newer version (I'll attach this photo as I don't think this is quite visible):

Here's the PowerShell versioning information for this machine:


The closest instance I've found to this seems to be: Get-WinEvent fails to retrieve an event description with EventLogException · Issue #7664 · PowerShell/PowerShell · GitHub.


I'm not quite sure yet if this is truly a PowerShell problem. Let me know if I can provide any further details.

1 Reply

  • Applying an exception handler to the Get-WinEvent call:

    Exception: System.Diagnostics.Eventing.Reader.EventLogException: The system cannot find message text for message number 0x%1 in the message file for %2
       at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
       at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtFormatMessageRenderName(EventLogHandle pmHandle, EventLogHandle eventHandle, EvtFormatMessageFlags flag)
       at System.Diagnostics.Eventing.Reader.ProviderMetadataCachedInformation.GetFormatDescription(String ProviderName, EventLogHandle eventHandle)
       at Microsoft.PowerShell.Commands.GetWinEventCommand.ReadEvents(EventLogReader readerObj)
    
    HResult: -2146233088
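The stack trace above shows where the newer build fails: Get-WinEvent's ReadEvents calls GetFormatDescription, which asks the provider's message file for the event text and throws EventLogException when it is not there. The following is an added example, not code from the post or the reply. It reads the same file with the System.Diagnostics.Eventing.Reader classes that Get-WinEvent wraps and isolates FormatDescription() in its own try/catch, so a missing message file yields a placeholder Message while the timestamp, provider GUID, payload properties and rendered XML are still returned. The function name Read-EtlRecord is an assumption made here; the path F:\example.etl is the placeholder from the post and is assumed to exist on the machine.

```powershell
# Added example (not from the original thread): read the first records of an
# .etl without letting a missing provider message file abort the whole read.
function Read-EtlRecord {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $MaxEvents = 1
    )

    # PathType.FilePath opens a saved log file (.evtx/.evt/.etl) rather than a
    # live channel. EventLogQuery reads oldest-first unless ReverseDirection is
    # set, which matches Get-WinEvent -Oldest, the order required for .etl files.
    $query  = [System.Diagnostics.Eventing.Reader.EventLogQuery]::new(
        $Path, [System.Diagnostics.Eventing.Reader.PathType]::FilePath)
    $reader = [System.Diagnostics.Eventing.Reader.EventLogReader]::new($query)

    try {
        $count = 0
        # ReadEvent() returns $null once the file is exhausted.
        while ($count -lt $MaxEvents -and ($record = $reader.ReadEvent())) {
            $count++
            try {
                # This is the call that needs the provider's message file; it is
                # the same code path as GetFormatDescription in the stack trace.
                $message = $record.FormatDescription()
                if ($null -eq $message) { $message = '<no description returned>' }
            }
            catch [System.Diagnostics.Eventing.Reader.EventLogException] {
                # Keep the record; record why the text could not be rendered.
                $message = "<description unavailable: $($_.Exception.Message.Trim())>"
            }

            [pscustomobject]@{
                TimeCreated = $record.TimeCreated
                ProviderId  = $record.ProviderId
                Id          = $record.Id
                Message     = $message
                # Payload values and the rendered XML do not depend on a message
                # file, so they are readable even when Message is not.
                Properties  = @($record.Properties | ForEach-Object { $_.Value })
                Xml         = $record.ToXml()
            }
            $record.Dispose()
        }
    }
    finally {
        $reader.Dispose()
    }
}

# Same file and record count as the Get-WinEvent call in the post.
Read-EtlRecord -Path 'F:\example.etl' -MaxEvents 1 | Format-List
```

The ProviderId field lets you confirm the record is the one the post describes (68fdd900-4a3e-11d1-84f4-0000f80464e3), and the Xml field carries the raw event data whether or not a message file is registered on the machine, which is what you usually need when comparing a single .etl across hosts.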
