
January 1, 2012 at 12:00 am

by surveyor at 2013-05-05 02:56:43

Hi,
when I try to get the messages from an event log with Get-WinEvent, I always get nothing:
PS E:\> get-winevent -LogName 'Microsoft-Windows-TaskScheduler/Operational' | Select-Object -First 10

ProviderName: Microsoft-Windows-TaskScheduler

TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
05.05.2013 11:45:00 318
05.05.2013 11:45:00 318
05.05.2013 11:45:00 301
05.05.2013 11:40:00 314
05.05.2013 11:40:00 102
05.05.2013 11:40:00 201
05.05.2013 11:39:59 200
05.05.2013 11:39:59 129
05.05.2013 11:39:59 100
05.05.2013 11:39:59 319

Is there a possible way to get these messages from Get-WinEvent?

Filtering on messages works! But I can't get the messages:

PS E:\> get-winevent -LogName 'Microsoft-Windows-TaskScheduler/Operational' | Where-Object { $_.Message -notlike '*instance of the "\Microsoft\*' } | Select-Object -First 10

ProviderName: Microsoft-Windows-TaskScheduler

TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
05.05.2013 11:50:00 314
05.05.2013 11:50:00 102
05.05.2013 11:50:00 201
05.05.2013 11:49:59 200
05.05.2013 11:49:59 129
05.05.2013 11:49:59 100
05.05.2013 11:49:59 319
05.05.2013 11:49:59 317
05.05.2013 11:49:59 310
05.05.2013 11:49:59 311

by surveyor at 2013-05-05 04:28:00

Google helps. It's an error in .NET for languages other than "en-US", and has been for two years or longer.

Here you can find a workaround:
Get-WinEvent does not return the content of the Event Message in V3 CTP2

$GetFilteredLogs = {
    # Remember the current culture, then switch the thread to en-US so Message is populated
    $orgCulture = Get-Culture
    [System.Threading.Thread]::CurrentThread.CurrentCulture = New-Object "System.Globalization.CultureInfo" "en-US"
    try {
        Get-WinEvent -LogName 'Microsoft-Windows-TaskScheduler/Operational' |
            Where-Object { (@(100,102) -contains $_.Id) -and ($_.Message -notlike '*instance of the "\Microsoft\*') } |
            Select-Object -First 10
    }
    finally {
        # Restore the original culture even if Get-WinEvent fails
        [System.Threading.Thread]::CurrentThread.CurrentCulture = $orgCulture
    }
}

$FilteredLog = . $GetFilteredLogs
$FilteredLog

PS E:\> $GetFilteredLogs = {
>> $orgCulture = Get-Culture
>> [System.Threading.Thread]::CurrentThread.CurrentCulture = New-Object "System.Globalization.CultureInfo" "en-US"
>> get-winevent -LogName 'Microsoft-Windows-TaskScheduler/Operational' |
>> Where-Object { (@(100,102) -contains $_.Id) -and ($_.Message -notlike '*instance of the "\Microsoft\*') } |
>> Select-Object -First 10
>> [System.Threading.Thread]::CurrentThread.CurrentCulture = $orgCulture
>> }
>>
PS E:\> $FilteredLog = . $GetFilteredLogs
PS E:\> $FilteredLog

ProviderName: Microsoft-Windows-TaskScheduler

TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
05.05.2013 13:20:00 102 Task Scheduler successfully finished "{E4CA7878-17CC-4315-B237-9...
05.05.2013 13:19:59 100 Task Scheduler started "{E4CA7878-17CC-4315-B237-98CB8934B180}" ...
05.05.2013 13:10:00 102 Task Scheduler successfully finished "{9B06BD1F-32C1-443F-B561-9...
05.05.2013 13:09:59 100 Task Scheduler started "{9B06BD1F-32C1-443F-B561-9906C60F3B88}" ...
05.05.2013 13:00:00 102 Task Scheduler successfully finished "{AA768489-C634-48F6-8A87-9...
05.05.2013 13:00:00 100 Task Scheduler started "{AA768489-C634-48F6-8A87-9757D8B6BB07}" ...
05.05.2013 12:50:00 102 Task Scheduler successfully finished "{4F90C801-2F85-4E60-8FCD-6...
05.05.2013 12:49:59 100 Task Scheduler started "{4F90C801-2F85-4E60-8FCD-6A6E8BBAD602}" ...
05.05.2013 12:40:00 102 Task Scheduler successfully finished "{A5A9BCF9-7536-488A-8D68-4...
05.05.2013 12:39:59 100 Task Scheduler started "{A5A9BCF9-7536-488A-8D68-4983BB755423}" ...

PS E:\>
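
An alternative that does not depend on the thread culture, as an added example that is not part of the original posts: select events by ID with -FilterHashtable and read the task name from each record's EventData XML instead of the rendered Message, so a task-monitoring filter behaves the same on every locale. ConvertTo-EventDataObject and Get-NonMicrosoftTaskRun are hypothetical helper names, the sample XML is constructed, and the field name TaskName is an assumption about what the Task Scheduler provider emits for events 100 and 102.

```powershell
# Added example: use structured EventData rather than the localized Message string.
function ConvertTo-EventDataObject {          # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$EventXml)

    $xml = [xml]$EventXml
    $out = [ordered]@{
        Id          = [int]$xml.Event.System['EventID'].InnerText
        TimeCreated = $xml.Event.System.TimeCreated.SystemTime   # kept as the raw UTC string
    }
    # Copy every named <Data> element; these values are not culture-dependent.
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $out[$d.Name] = $d.'#text' }
    }
    [pscustomobject]$out
}

function Get-NonMicrosoftTaskRun {            # hypothetical helper name
    param([int]$First = 10)

    $filter = @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 100, 102 }
    Get-WinEvent -FilterHashtable $filter |
        ForEach-Object { ConvertTo-EventDataObject -EventXml $_.ToXml() } |
        # TaskName is assumed to be the provider's field name for the task path.
        Where-Object { $_.TaskName -notlike '\Microsoft\*' } |
        Select-Object -First $First
}

# Constructed sample record, so the parser can be checked without a live log.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>100</EventID>
    <TimeCreated SystemTime="2013-05-05T11:19:59Z" />
  </System>
  <EventData Name="TaskStartEvent">
    <Data Name="TaskName">\Example\ConstructedTask</Data>
    <Data Name="UserName">EXAMPLE\user</Data>
  </EventData>
</Event>
'@

ConvertTo-EventDataObject -EventXml $sample | Format-List

# On a Windows host with the operational log enabled:
# Get-NonMicrosoftTaskRun -First 10 | Format-Table Id, TimeCreated, TaskName
```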