Get-EventLog - Missing DLL

Question

I am trying to create a basic script for our helpdesk agents which will allow them to view specific log files without having to open Event Viewer to save them time whilst on the phone.

However, I am having an issue with PowerShell where certain event ID's are not showing the actual event log message.

If I run the following:

Get-EventLog -ComputerName $env:COMPUTERNAME `
             -LogName System `
             -InstanceId 12 `
             -Source Microsoft-Windows-Kernel-General | 
    Select-Object -Property Message

I would expect to receive the message shown in the actual event log:

Instead I get something along the lines of:

The description for Event ID '12' in Source
'Microsoft-Windows-Kernel-General' cannot be found.  The local
computer may not have the necessary registry information or message
DLL    files to display the message, or you may not have permission to
access them.  The following information is part of the event:'10',
'0', '15063', '726', '0', '0',                    
'2018-03-18T16:59:34.495252300Z'

I seen another thread about using Get-WinEvent unfortunately this is not possible in the environment I work in.

Are you looking at events from the same computer both times? — EBGreen, Apr 25 '18 at 13:44
I assume you want to pull the system startup time from the message. In which case, that data is still in the 'error' you get back. It is the last string in the message: `'2018-03-18T16:59:34.495252300Z'`. Not ideal, but you could just parse this string as you would the 'real' message. — boxdog, Apr 25 '18 at 13:57
What does 'this is not possible in the environment I work in' mean? Why is it not possible? — Bill_Stewart, Apr 25 '18 at 15:12

score 2 · Accepted Answer · answered Apr 25 '18 at 19:20

Read and follow documentation:

Get-WinEvent

Module: Microsoft.PowerShell.Diagnostics

Gets events from event logs and event tracing log files on local and remote computers.
…
Notes

This cmdlet is designed to replace the Get-EventLog cmdlet on computers running Windows Vista and later versions of Windows. Get-EventLog gets events only in classic event logs. Get-EventLog is retained in Windows PowerShell for backward compatibility.

Get-WinEvent cmdlet allows you to filter events by using XPath queries, structured XML queries, and simplified hash-table queries (the latter is used the following example):

PS D:\PShell> Get-WinEvent -ComputerName $env:COMPUTERNAME `
        -FilterHashtable @{
            ProviderName = 'Microsoft-Windows-Kernel-General';
            Id           = '12';
            LogName      = 'System' } `
        -MaxEvents 3 | 
    Format-Table -Property  RecordId, Message


RecordId Message                                                               
-------- -------                                                               
   14103 The operating system started at system time ‎2018‎-‎04‎-‎25T06:13:0...
   13957 The operating system started at system time ‎2018‎-‎04‎-‎24T05:34:3...
   13826 The operating system started at system time ‎2018‎-‎04‎-‎22T07:49:0...

See also related output from (obsolete) Get-EventLog:

PS D:\PShell> Get-EventLog -ComputerName $env:COMPUTERNAME `
        -LogName System `
        -InstanceId 12 `
        -Source Microsoft-Windows-Kernel-General `
        -Newest 3 | 
    Select-Object -Property Index, Message


Index Message                                                                  
----- -------                                                                  
14103 The description for Event ID '12' in Source 'Microsoft-Windows-Kernel-...
13957 The description for Event ID '12' in Source 'Microsoft-Windows-Kernel-...
13826 The description for Event ID '12' in Source 'Microsoft-Windows-Kernel-...

Thanks. For some reason when testing this yesterday I was getting an RPC error when trying on the localhost and I believed this was just the environment I am working in. Got it working today with a bit of tweaking from your code above. — ryanmaddock, Apr 26 '18 at 14:22

Get-EventLog - Missing DLL

1 Answers1

Get-WinEvent