Windows Events Command Line Utility (wevtutil) producing NUL values in text output.


I've noticed that on Windows Server 2022, wevtutil is adding NULs after some entries in the text output; running the same utility from an instance of Server 2019 doesn't.

Server 2022:

wevtutil qe Application "/q:*[System [(EventID=865)]]" /f:text /rd:true /c:1
Event[0]
  Log Name: Application
  Source: Microsoft-Windows-SoftwareRestrictionPolicies
  Date: 2022-02-21T08:12:27.5490000Z
  Event ID: 865
  Task: N/A
  Level: Warning ਍  Opcode: Info  ਍  Keyword: N/A
  User: S-1-5-21-1860657127-41187656-1928362250-12396
  User Name: <redacted>
  Computer: <redacted>
  Description:
Access to c:\Users\<redacted>\Desktop\calc.exe has been restricted by your Administrator by the default software restriction policy level. ਍

 

Server 2019:

wevtutil qe Application "/q:*[System [(EventID=865)]]" /f:text /rd:true /c:1
Event[0]:
  Log Name: Application
  Source: Microsoft-Windows-SoftwareRestrictionPolicies
  Date: 2022-02-21T08:12:27.549
  Event ID: 865
  Task: N/A
  Level: Warning
  Opcode: Info
  Keyword: N/A
  User: S-1-5-21-1860657127-41187656-1928362250-12396
  User Name: <redacted>
  Computer: <redacted>
  Description:
Access to c:\Users\<redacted>\Desktop\calc.exe has been restricted by your Administrator by the default software restriction policy level.

 

Any ideas other than just using the utility from a 2019 machine?

Thanks.


0 Replies
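
One way to keep the Server 2022 text output usable for log collection, as an added example that is not part of the original post: a Python parser that treats the stray characters (NUL, and the U+0A0D character visible in the pasted output) as line breaks before splitting fields. The function name and the sample input are constructed for illustration.

```python
import re

# Stray characters: U+0000 (NUL) and U+0A0D, the code unit whose
# UTF-16LE bytes are 0D 0A (the same two bytes as CR LF).
STRAY = re.compile(r"[\x00\u0a0d]")
EVENT = re.compile(r"^Event\[\d+\]:?\s*$")  # "Event[0]" and "Event[0]:"
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def parse_wevtutil_text(raw):
    """Parse `wevtutil qe ... /f:text` output into a list of dicts."""
    # Turn each stray character into a line break so fused fields separate.
    text = STRAY.sub("\n", raw).replace("\r\n", "\n")
    events, current, in_desc = [], None, False
    for line in text.split("\n"):
        if EVENT.match(line):
            current = {"Description": ""}
            events.append(current)
            in_desc = False
        elif current is None or not line.strip():
            continue  # preamble before the first event, or a blank line
        elif in_desc:
            # Everything after "Description:" is free text, not Key: Value.
            joined = current["Description"] + " " + line.strip()
            current["Description"] = joined.strip()
        else:
            m = FIELD.match(line)
            if m and m.group(1) == "Description":
                in_desc = True
            elif m:
                current[m.group(1)] = m.group(2).strip()
    return events


# Constructed sample modelled on the Server 2022 output in the post,
# with one NUL appended to cover that case as well.
SAMPLE_2022 = (
    "Event[0]\n"
    "  Log Name: Application\n"
    "  Event ID: 865\n"
    "  Level: Warning \u0a0d  Opcode: Info  \u0a0d  Keyword: N/A\n"
    "  Computer: <redacted>\n"
    "  Description:\n"
    "Access to c:\\Users\\<redacted>\\Desktop\\calc.exe has been restricted. \u0a0d\x00\n"
)

if __name__ == "__main__":
    for event in parse_wevtutil_text(SAMPLE_2022):
        print(event)
```
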