cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Differing Get-WinEvent behavior

jaogden
Microsoft

‎Jun 10 2021 04:21 PM

‎Jun 10 2021 04:21 PM

Differing Get-WinEvent behavior

Given a single .etl, I'm encountering differing Get-WinEvent behavior depending on the machine/PS version I'm using for a single event.

 

I actually don't know much about this particular event, other than its ProviderID guid 68fdd900-4a3e-11d1-84f4-0000f80464e3, which led me to find: EventTraceEvent class - Win32 apps | Microsoft Docs.

 

The command used in the following examples, each ran on a separate machine:

Get-WinEvent -Path F:\example.etl -oldest -MaxEvents 1

 

Here's the assumed/expected behavior, as shown running the Get-WinEvent command on an older version:

jaogden_1-1623365970049.png

Here's the PowerShell versioning information for this machine:

jaogden_2-1623366026799.png

 

 

Here's the behavior when running the same Get-WinEvent command on a newer version (I'll attach this photo as I don't think this is quite visible):

jaogden_3-1623366125821.png

Here's the PowerShell versioning information for this machine:

jaogden_4-1623366174507.png

 

The closest instance I've found to this seems to be: Get-WinEvent fails to retrieve an event description with EventLogException · Issue #7664 · PowerShel...

 

I'm not quite sure yet if this is truly a PowerShell problem. Let me know if I can provide any further details.

Preview file
84 KB
714 Views
0 Likes
1 Reply
Reply
1 Reply
jaogden

‎Jun 10 2021 04:44 PM

‎Jun 10 2021 04:44 PM

Re: Differing Get-WinEvent behavior

Applying an exception handler to the Get-WinEvent call:

Exception: System.Diagnostics.Eventing.Reader.EventLogException: The system cannot find message text for message number 0x%1 in the message file for %2
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtFormatMessageRenderName(EventLogHandle pmHandle, EventLogHandle eventHandle, EvtFormatMessageFlags flag)
   at System.Diagnostics.Eventing.Reader.ProviderMetadataCachedInformation.GetFormatDescription(String ProviderName, EventLogHandle eventHandle)
   at Microsoft.PowerShell.Commands.GetWinEventCommand.ReadEvents(EventLogReader readerObj)

HResult: -2146233088
0 Likes
Reply