Event Descriptions Missing From Get-EventLog but present in Get-WinEvent and Event Viewer
Many of the event descriptions for event log events are missing when I query them in PowerShell with Get-EventLog, but they are present when I query them in PowerShell with Get-WinEvent or view them in the regular event viewer, eventvwr.msc.
Here's the output of Get-EventLog:
    PS U:\> Get-EventLog -LogName System -Source Microsoft-Windows-Kernel-Power

    Index Time         EntryType   Source               InstanceID Message
    ----- ----         ---------   ------               ---------- -------
    11985 Apr 02 13:42 Information Microsoft-Windows...        172 The description for Event ID '172' in Source 'Microsoft-Windo...
    11968 Apr 02 13:41 Information Microsoft-Windows...        109 The description for Event ID '109' in Source 'Microsoft-Windo...
    11732 Apr 02 09:41 Information Microsoft-Windows...        172 The description for Event ID '172' in Source 'Microsoft-Windo...
    11714 Apr 02 09:40 Information Microsoft-Windows...        109 The description for Event ID '109' in Source 'Microsoft-Windo...
    10363 Mar 29 14:28 Information Microsoft-Windows...        172 The description for Event ID '172' in Source 'Microsoft-Windo...
    10346 Mar 29 14:28 Information Microsoft-Windows...        109 The description for Event ID '109' in Source 'Microsoft-Windo...
Here's a full event:
    PS U:\> Get-EventLog -LogName System -Source Microsoft-Windows-Kernel-Power | select -first 1 | fl

    Index              : 11985
    EntryType          : Information
    InstanceId         : 172
    Message            : The description for Event ID '172' in Source 'Microsoft-Windows-Kernel-Power' cannot be found. The local
                         computer may not have the necessary registry information or message DLL files to display the message, or you
                         may not have permission to access them. The following information is part of the event:'2', '6'
    Category           : (203)
    CategoryNumber     : 203
    ReplacementStrings : 2, 6
    Source             : Microsoft-Windows-Kernel-Power
    TimeGenerated      : 2019-04-02 13:42:01
    TimeWritten        : 2019-04-02 13:42:01
    UserName           : NT AUTHORITY\SYSTEM
Here's the output from Get-WinEvent:
    PS C:\WINDOWS\system32> Get-WinEvent -LogName System -FilterXPath "<QueryList>
    >>   <Query Id='0' Path='System'>
    >>     <Select Path='System'>*[System[Provider[@Name='Microsoft-Windows-Kernel-Power']]]</Select>
    >>   </Query>
    >> </QueryList>"

       ProviderName: Microsoft-Windows-Kernel-Power

    TimeCreated          Id  LevelDisplayName Message
    -----------          --  ---------------- -------
    2019-04-02 13:42:01  172 Information      Connectivity state in standby: Disconnected, Reason: NIC compliance
    2019-04-02 13:41:44  109 Information      The kernel power manager has initiated a shutdown transition....
    2019-04-02 09:41:08  172 Information      Connectivity state in standby: Disconnected, Reason: NIC compliance
    2019-04-02 09:40:51  109 Information      The kernel power manager has initiated a shutdown transition....
    2019-03-29 14:28:26  172 Information      Connectivity state in standby: Disconnected, Reason: NIC compliance
    2019-03-29 14:28:09  109 Information      The kernel power manager has initiated a shutdown transition....
Get-WinEvent is able to render the message "Connectivity state in standby: Disconnected, Reason: NIC compliance" with no problems.
Here's the first event in event viewer with the message displayed properly as well:
The message suggests that the registry or event message dll file might be a problem but I've checked and they aren't:
    PS U:\> Get-ItemPropertyValue HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\System\Microsoft-Windows-Kernel-Power -name EventMessageFile
    C:\WINDOWS\system32\microsoft-windows-kernel-power-events.dll
    PS U:\> test-path C:\WINDOWS\system32\microsoft-windows-kernel-power-events.dll
    True
    PS U:\> $handle = [System.IO.File]::OpenRead("C:\WINDOWS\system32\microsoft-windows-kernel-power-events.dll")
    PS U:\> $handle.CanRead
    True
This shows that
- The source is configured in the registry
- The file exists
- I can read the file
This is not isolated to the Microsoft-Windows-Kernel-Power source. The same happens for lots of other event sources. But not all event sources. For example Get-EventLog renders the Microsoft-Windows-Winlogon source messages properly:
    PS U:\> Get-EventLog -LogName System -Source Microsoft-Windows-Winlogon | select -first 1 | ft

    Index Time         EntryType   Source               InstanceID Message
    ----- ----         ---------   ------               ---------- -------
    12100 Apr 02 13:58 Information Microsoft-Windows...       7001 User Logon Notification for Customer Experience Improvement P...
I've already restarted my machine multiple times and I ran the System File Checker and it reported no problems.
Version details:
    PS U:\> $PSVersionTable

    Name                           Value
    ----                           -----
    PSVersion                      5.1.17763.316
    PSEdition                      Desktop
    PSCompatibleVersions           1.0, 2.0, 3.0, 4.0...
    BuildVersion                   10.0.17763.316
    CLRVersion                     4.0.30319.42000
    WSManStackVersion              3.0
    PSRemotingProtocolVersion      2.3
    SerializationVersion           1.1.0.1
powershell windows-event-log
asked Apr 3 at 1:21
benrifkah
1 Answer
I believe you are running into a limitation with the Get-EventLog cmdlet which has been superseded by the Get-WinEvent cmdlet. According to the official documentation:
PowerShell cmdlets that contain the EventLog noun work only on Windows classic event logs such as Application, System, or Security. To get logs that use the Windows Event Log technology in Windows Vista and later Windows versions, use Get-WinEvent.
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1
Although you are querying the System event log, which should technically not be affected by this since it is a classic event log, those types of event log entries (that start with Microsoft-Windows-) only started appearing in Vista and later, so I'm pretty sure this is "by design".
I'm honestly not sure why you're not just using the Get-WinEvent cmdlet instead, since that one does work.
answered yesterday
Lucky Luke
I did switch to using Get-WinEvent to get work done. Posted here because the Get-EventLog output didn't seem right since I was querying the "classic" System log. Their documentation is missing an explanation that the *EventLog cmdlets only work on "classic sources" in "classic" logs. And an explanation to expect missing descriptions for modern logs or sources.
– benrifkah
yesterday
Well, just another issue with Microsoft's documentation. If you have a GitHub account then you can send them feedback.
– Lucky Luke
yesterday
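An added example, not part of the original thread: a Windows PowerShell 5.1 script that lists which sources in a classic log Get-EventLog returns with the placeholder message from the question, then reads the same provider through Get-WinEvent and extracts the named data fields from each event's XML, so collection does not depend on message rendering. The function names `Get-UnrenderedSource` and `Get-ProviderEvent` are hypothetical helpers, and the placeholder pattern assumes an English-language system.

```powershell
# Added example, not from the thread. Targets Windows PowerShell 5.1 (the version
# shown in the question); Get-EventLog does not exist in PowerShell 7.
# Function names below are hypothetical helpers.

# Placeholder text Get-EventLog returns when it cannot render a message.
# Wording taken from the question's output; assumes an English system.
$PlaceholderPattern = "^The description for Event ID '.+?' in Source '.+?' cannot be found"

function Get-UnrenderedSource {
    # Counts, per source, the entries Get-EventLog returned without a rendered
    # description, and checks whether Get-WinEvent knows the source as a provider.
    param(
        [string]$LogName = 'System',
        [int]$Newest = 2000
    )
    Get-EventLog -LogName $LogName -Newest $Newest |
        Where-Object { $_.Message -match $PlaceholderPattern } |
        Group-Object -Property Source |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            $group = $_
            try {
                $meta = Get-WinEvent -ListProvider $group.Name -ErrorAction Stop
            } catch {
                $meta = $null   # source has no provider registration visible to Get-WinEvent
            }
            [pscustomobject]@{
                Source             = $group.Name
                UnrenderedEvents   = $group.Count
                ProviderRegistered = [bool]$meta
                MessageFilePath    = if ($meta) { $meta.MessageFilePath } else { $null }
            }
        }
}

function Get-ProviderEvent {
    # Reads a provider's events with Get-WinEvent and returns the rendered message
    # plus the <EventData> fields parsed from the event XML.
    param(
        [Parameter(Mandatory)][string]$ProviderName,
        [string]$LogName = 'System',
        [int]$MaxEvents = 50
    )
    $filter = @{ LogName = $LogName; ProviderName = $ProviderName }
    # Get-WinEvent writes an error when nothing matches; treat that as "no events".
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($evt in $events) {
        $xml = [xml]$evt.ToXml()
        $ns  = New-Object System.Xml.XmlNamespaceManager -ArgumentList $xml.NameTable
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

        $data = [ordered]@{}
        $i = 0
        foreach ($node in $xml.SelectNodes('//e:EventData/e:Data', $ns)) {
            # Some providers emit unnamed <Data> elements; give those positional names.
            $name = $node.GetAttribute('Name')
            if (-not $name) { $name = "Data$i" }
            $data[$name] = $node.InnerText
            $i++
        }

        [pscustomobject]@{
            TimeCreated = $evt.TimeCreated
            RecordId    = $evt.RecordId
            Id          = $evt.Id
            Level       = $evt.LevelDisplayName
            Message     = $evt.Message
            EventData   = $data
        }
    }
}

# Which sources in the System log come back from Get-EventLog without descriptions?
Get-UnrenderedSource -LogName System | Format-Table -AutoSize

# The provider from the question, read through Get-WinEvent instead.
Get-ProviderEvent -ProviderName 'Microsoft-Windows-Kernel-Power' -MaxEvents 5 |
    Format-List TimeCreated, Id, Message, EventData
```

For log collection or triage scripts, keying on `Id` and the `EventData` fields rather than on `Message` text keeps the output stable regardless of which cmdlet or host renders the description.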