
I believe Get-WinEvent has a bug when it runs within a PSSession

As an example, the code below fails to return any results:

$evt = Invoke-command -ComputerName computerX -ScriptBlock {
    Get-WinEvent -FilterHashtable @{ logname = 'System'; id = (41,6005,6008,6009)  } -MaxEvents 100 -Verbose    
}

VERBOSE: Constructed structured query:
<QueryList><Query Id="0" Path="system"><Select Path="system">*[(System/EventID=41 6005 6008 6009)]</Select></Query></QueryList>.
No events were found that match the specified selection criteria.
    + CategoryInfo          : ObjectNotFound: (:) [Get-WinEvent], Exception
    + FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand
    + PSComputerName        : odc-sql-db-c01

However, the following code works as expected:

$evt2 = Invoke-command -ComputerName computerX -ScriptBlock {
    $id = (41,6005,6008,6009)
    Get-WinEvent -FilterHashtable @{ logname = 'System'; id = $id  } -MaxEvents 100 -Verbose    
}

VERBOSE: Constructed structured query:
<QueryList><Query Id="0" Path="system"><Select Path="system">*[((System/EventID=41) or (System/EventID=6005) or (System/EventID=6008) or (System/EventID
=6009))]</Select></Query></QueryList>.

When you compare both queries, you will notice that the first one is wrong, i.e.

[(System/EventID=41 6005 6008 6009)] 

should be

[((System/EventID=41) or (System/EventID=6005) or (System/EventID=6008) or (System/EventID=6009))]
  • 2
    Bug confirmed. Happens for me too, connecting to localhost at an elevated prompt. Also with start-job, but start-threadjob and foreach-object -parallel work ok. – js2010 Jun 01 '20 at 02:33
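
For log collection that has to run through Invoke-Command, one way to keep the query text independent of how -FilterHashtable expands the ID list is to write the XPath yourself and pass it with -FilterXPath. This is an added example, not code from the question or the comment; the helper name New-EventIdXPath is hypothetical, and computerX and the event IDs are taken from the question.

```powershell
# Added example: build the event-ID filter as an explicit XPath string, so the
# query sent to the event log is exactly the text written here.
function New-EventIdXPath {
    param(
        [Parameter(Mandatory)]
        [int[]] $Id   # typed as int[] so only numeric IDs can end up in the query text
    )
    $clauses = $Id | ForEach-Object { "EventID=$_" }
    # Produces e.g. *[System[(EventID=41 or EventID=6005)]]
    '*[System[(' + ($clauses -join ' or ') + ')]]'
}

$xpath = New-EventIdXPath -Id 41, 6005, 6008, 6009

$evt = Invoke-Command -ComputerName computerX -ScriptBlock {
    try {
        # $using: carries the locally built string into the remote session
        Get-WinEvent -LogName System -FilterXPath $using:xpath -MaxEvents 100 -ErrorAction Stop
    }
    catch {
        # Get-WinEvent reports an empty result as an error; treat that one case
        # as "no events" and rethrow anything else (access denied, bad query, ...).
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') { throw }
    }
}
```

Keeping the empty-result case separate from other errors matters when the output feeds a detection or uptime report, because a malformed query like the first one in the question otherwise looks the same as a host with no matching events.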
