Windows Events Command Line Utility (wevtutil) producing NUL values in text output.


I've noticed that on Windows Server 2022, wevtutil is adding NULs after some entries in the text output; running the same utility from an instance of Server 2019 doesn't.

 

Server 2022:

wevtutil qe Application "/q:*[System [(EventID=865)]]" /f:text /rd:true /c:1
Event[0]
  Log Name: Application
  Source: Microsoft-Windows-SoftwareRestrictionPolicies
  Date: 2022-02-21T08:12:27.5490000Z
  Event ID: 865
  Task: N/A
  Level: Warning ਍  Opcode: Info  ਍  Keyword: N/A
  User: S-1-5-21-1860657127-41187656-1928362250-12396
  User Name: <redacted>
  Computer: <redacted>
  Description:
Access to c:\Users\<redacted>\Desktop\calc.exe has been restricted by your Administrator by the default software restriction policy level. ਍

 

Server 2019:

 

wevtutil qe Application "/q:*[System [(EventID=865)]]" /f:text /rd:true /c:1
Event[0]:
  Log Name: Application
  Source: Microsoft-Windows-SoftwareRestrictionPolicies
  Date: 2022-02-21T08:12:27.549
  Event ID: 865
  Task: N/A
  Level: Warning
  Opcode: Info
  Keyword: N/A
  User: S-1-5-21-1860657127-41187656-1928362250-12396
  User Name: <redacted>
  Computer: <redacted>
  Description:
Access to c:\Users\<redacted>\Desktop\calc.exe has been restricted by your Administrator by the default software restriction policy level.

 

Any ideas other than just using the utility from a 2019 machine?

 

Thanks.

 

2 Replies
Any update to this or workaround? I am seeing this same problem on Server 2022 on both machines with a fresh OS install and an upgrade from 2019 to Server 2022. Seems like this is still happening in September of 2023.

I'm surprised this hasn't been reported more or fixed in the last year and a half since it is so easily reproducible.
Update: I was able to work around this by using the wevtutil.exe and the wevtutil.exe.mui in an en-US subfolder from a Server 2019 machine and putting these on my Server 2022 that was having the issue. The older version of wevtutil works without inserting the NUL character into the text file.
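
An added example, not from any poster in this thread: Python for a log pipeline that has to consume the Server 2022 text output as-is. It strips NULs and treats the ਍ character (U+0A0D) as a line break, an assumption drawn from comparing the two pastes above, then parses the fields. The function names and the abridged sample strings (including where the NUL sits) are constructed for illustration.

```python
import re

NUL = "\x00"
STRAY = "\u0a0d"  # character in the Server 2022 paste where 2019 shows a line break

EVENT_HDR = re.compile(r"^Event\[\d+\]:?$")  # the 2022 paste lacks the colon
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z ]*?):\s?(.*)$")


def normalize(raw: str) -> str:
    """Drop NULs, treat U+0A0D as a line break, trim trailing whitespace."""
    text = raw.replace(NUL, "").replace(STRAY, "\n").replace("\r\n", "\n")
    return "\n".join(line.rstrip() for line in text.split("\n"))


def parse_events(raw: str) -> list:
    """Parse /f:text output into one dict per event."""
    events, current, in_desc = [], None, False
    for line in normalize(raw).split("\n"):
        if EVENT_HDR.match(line):
            current, in_desc = {"Description": ""}, False
            events.append(current)
        elif current is None or not line:
            continue  # preamble (e.g. the echoed command) or blank line
        elif in_desc:
            sep = "\n" if current["Description"] else ""
            current["Description"] += sep + line
        else:
            m = FIELD.match(line)
            if m and m.group(1) == "Description":
                in_desc = True  # everything after this is message text
            elif m:
                current[m.group(1)] = m.group(2)
    return events


# Constructed samples, abridged from the two pastes above.
BODY = "Access to c:\\Users\\<redacted>\\Desktop\\calc.exe has been restricted."
SAMPLE_2022 = (
    "Event[0]\n  Log Name: Application\n  Event ID: 865\n"
    f"  Level: Warning {STRAY}  Opcode: Info  {STRAY}  Keyword: N/A\n"
    f"  Description:\n{BODY} {STRAY}{NUL}\n"
)
SAMPLE_2019 = (
    "Event[0]:\n  Log Name: Application\n  Event ID: 865\n"
    "  Level: Warning\n  Opcode: Info\n  Keyword: N/A\n"
    f"  Description:\n{BODY}\n"
)

if __name__ == "__main__":
    print(parse_events(SAMPLE_2022))
```

After normalization both samples parse to the same record, so downstream matching on fields such as Event ID or Opcode behaves the same regardless of which server produced the file.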