
Get-EventLog - Missing DLL


I am trying to create a basic script for our helpdesk agents which will allow them to view specific log files without having to open Event Viewer to save them time whilst on the phone.

However, I am having an issue with PowerShell where certain event IDs are not showing the actual event log message.

If I run the following:

Get-EventLog -ComputerName $env:COMPUTERNAME `
             -LogName System `
             -InstanceId 12 `
             -Source Microsoft-Windows-Kernel-General | 
    Select-Object -Property Message

I would expect to receive the message shown in the actual event log:

[screenshot: Event Log]

Instead I get something along the lines of:

The description for Event ID '12' in Source
'Microsoft-Windows-Kernel-General' cannot be found.  The local
computer may not have the necessary registry information or message
DLL files to display the message, or you may not have permission to
access them.  The following information is part of the event:'10',
'0', '15063', '726', '0', '0',
'2018-03-18T16:59:34.495252300Z'

I have seen another thread about using Get-WinEvent; unfortunately, this is not possible in the environment I work in.


Solution

  • Read and follow documentation:

    Get-WinEvent

    Module: Microsoft.PowerShell.Diagnostics

    Gets events from event logs and event tracing log files on local and remote computers.

    Notes

    • This cmdlet is designed to replace the Get-EventLog cmdlet on computers running Windows Vista and later versions of Windows. Get-EventLog gets events only in classic event logs. Get-EventLog is retained in Windows PowerShell for backward compatibility.

    The Get-WinEvent cmdlet allows you to filter events by using XPath queries, structured XML queries, and simplified hash-table queries (the latter is used in the following example):

    PS D:\PShell> Get-WinEvent -ComputerName $env:COMPUTERNAME `
            -FilterHashtable @{
                ProviderName = 'Microsoft-Windows-Kernel-General';
                Id           = '12';
                LogName      = 'System' } `
            -MaxEvents 3 | 
        Format-Table -Property  RecordId, Message
    
    
    RecordId Message                                                               
    -------- -------                                                               
       14103 The operating system started at system time 2018-04-25T06:13:0...
       13957 The operating system started at system time 2018-04-24T05:34:3...
       13826 The operating system started at system time 2018-04-22T07:49:0...
    

    See also related output from (obsolete) Get-EventLog:

    PS D:\PShell> Get-EventLog -ComputerName $env:COMPUTERNAME `
            -LogName System `
            -InstanceId 12 `
            -Source Microsoft-Windows-Kernel-General `
            -Newest 3 | 
        Select-Object -Property Index, Message
    
    
    Index Message                                                                  
    ----- -------                                                                  
    14103 The description for Event ID '12' in Source 'Microsoft-Windows-Kernel-...
    13957 The description for Event ID '12' in Source 'Microsoft-Windows-Kernel-...
    13826 The description for Event ID '12' in Source 'Microsoft-Windows-Kernel-...
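An added example (my own code, not from the question or the answer above) of the helpdesk script the asker describes: it wraps Get-WinEvent with the same hash-table filter the answer uses and, where the message text still cannot be rendered (for instance when the provider's message resources are not registered on the machine running the query), falls back to the event's raw EventData fields from ToXml() so the agent still sees the recorded values instead of only the "description cannot be found" text. The function and parameter names are assumptions of this example.

```powershell
function Get-HelpdeskEvent {
    # Hypothetical helper name; parameters map onto Get-WinEvent's hash-table filter keys.
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$LogName      = 'System',
        [string]$ProviderName = 'Microsoft-Windows-Kernel-General',
        [int[]]$Id            = 12,
        [int]$MaxEvents       = 10
    )

    # Get-WinEvent (unlike the classic-log-only Get-EventLog) reads the modern
    # channels and renders messages through the provider's registered metadata.
    $filter = @{ LogName = $LogName; ProviderName = $ProviderName; Id = $Id }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $text = $_.Message
            if ([string]::IsNullOrWhiteSpace($text)) {
                # No rendered message: read the raw EventData fields from the event XML instead,
                # so the values (version, boot mode, start time, ...) are still visible.
                $xml  = [xml]$_.ToXml()
                $data = $xml.Event.EventData.Data | ForEach-Object { '{0}={1}' -f $_.Name, $_.'#text' }
                $text = '[unrendered] ' + ($data -join '; ')
            }
            [pscustomobject]@{
                RecordId    = $_.RecordId
                TimeCreated = $_.TimeCreated
                Provider    = $_.ProviderName
                Id          = $_.Id
                Message     = $text
            }
        }
}

# Example call: the same query the question asks about, three newest events.
Get-HelpdeskEvent -Id 12 -MaxEvents 3 | Format-Table -AutoSize -Wrap
```

Querying a remote -ComputerName requires the Windows Event Log service to be reachable on that host and the caller to have read access to the channel; -ErrorAction Stop makes a failed lookup surface as a terminating error rather than an empty table.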