Get-WinEvent cmdlet caveats

I had a KMS host server break last week after its underlying hardware was changed. I quickly fixed it, but I ran into weird things when I wanted to filter the event logs on client machines (Windows 7 with Office 2010).

First I looked at Office 2010. I fired up eventvwr to discover the provider name and ran the following, which worked perfectly fine:

Get-WinEvent -FilterHashtable @{logname="Application"; providername="Office Software Protection Platform Service"}

Then I wanted to have a look at Windows 7 activation. I did the same thing and fired up eventvwr to figure out the provider name:

Get-WinEvent -FilterHashtable @{logname="Application"; providername="Security-SPP"}

Note that I'm running PowerShell V2, and I got not 1 error but 3 errors 🙂

At this point I couldn't figure out which of the errors was the relevant one. So I used Get-Help and noticed that you can list provider names pretty easily, so I did:

(get-winevent -listlog Application).providernames | Select-String -Pattern "SPP"

I got two results, which proved that I shouldn't have copied the "Security-SPP" name I found in eventvwr.
Then I double checked with the following command:

Get-WinEvent -ListProvider * | Where { $_.Name -match "SPP" }

And it got better, as I could at least differentiate between the errors:

I then flipped back to eventvwr's XML view to get the exact provider names (the Source column shows the display name; the Provider Name attribute in the XML is the one the cmdlet expects).

To really make sure I was getting it right, I tested the following (see the inline comments):

# Using a simple provider name such as the Office one works well
Get-WinEvent -ProviderName "Office Software Protection Platform Service" -MaxEvents 5

# However a partial provider name (no wildcard) matches nothing and returns an error
Get-WinEvent -ProviderName "SPP"

# Security-SPP is definitely the wrong provider name. Now I get only 1 error
Get-WinEvent -ProviderName "Security-SPP"

# No error returned, but no events either, strange...
Get-WinEvent -ProviderName Microsoft-Windows-Security-SPP

# Whereas the following returns something: the event definitions from the
# provider's manifest (metadata about the events it can write), not logged events
(Get-WinEvent -ListProvider Microsoft-Windows-Security-SPP).Events


Example 14 in the help of the Get-WinEvent cmdlet shows the various ways to filter events.
Filtering on the right (piping everything into Where-Object) is not an option, as it performs too slowly: every event in the log is retrieved before the filter runs. And the FilterHashtable attempts above fail when they are fed the name shown in eventvwr's Source column, which for this provider is not the real provider name.
So let's use the XML way, with the provider name taken from the XML view…


$xml = @"
<QueryList>
    <Query Id="0" Path="Application">
        <Select Path="Application">
            *[System[Provider[@Name ='Microsoft-Windows-Security-SPP']]]
        </Select>
    </Query>
</QueryList>
"@

Get-WinEvent -FilterXml $xml -MaxEvents 5
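To tie the steps above together, here is an added example that is not part of the original post. It resolves the display name seen in eventvwr's Source column to the real provider name using the same Get-WinEvent -ListLog lookup, refuses to guess when the match is ambiguous, and then runs both the FilterHashtable form and the FilterXml form with the resolved name so the two result sets can be compared. The function names, the default of the Application log, and the assumption that a local box is being queried are mine; the code sticks to PowerShell V2 syntax.

```powershell
# Added example (not from the original post). Assumes the local Application log
# and PowerShell V2-compatible syntax. Function names are hypothetical.

function Resolve-EventProviderName {
    param(
        [Parameter(Mandatory=$true)][string]$DisplayName,
        [string]$LogName = 'Application'
    )
    # All providers registered for this log, as reported by the log metadata
    $names = (Get-WinEvent -ListLog $LogName).ProviderNames

    # 1) The name copied from eventvwr is already the real provider name
    $exact = @($names | Where-Object { $_ -eq $DisplayName })
    if ($exact.Count -gt 0) { return $exact }

    # 2) Display name is a suffix of the real name, e.g.
    #    "Security-SPP" -> "Microsoft-Windows-Security-SPP"
    $suffix = @($names | Where-Object { $_ -like "*$DisplayName" })
    if ($suffix.Count -gt 0) { return $suffix }

    # 3) Last resort: any provider whose name contains the string
    return @($names | Where-Object { $_ -match [regex]::Escape($DisplayName) })
}

function Get-ProviderEvents {
    param(
        [Parameter(Mandatory=$true)][string]$DisplayName,
        [string]$LogName = 'Application',
        [int]$MaxEvents = 5,
        [switch]$UseXml
    )
    $provider = @(Resolve-EventProviderName -DisplayName $DisplayName -LogName $LogName)
    # Never query with a guessed name: ambiguity means the lookup needs a human
    if ($provider.Count -ne 1) {
        throw "Expected exactly one provider for '$DisplayName', got: $($provider -join ', ')"
    }
    $name = $provider[0]

    if ($UseXml) {
        # Structured XPath query, the same shape as eventvwr's XML filter tab
        $xml = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">*[System[Provider[@Name='$name']]]</Select>
  </Query>
</QueryList>
"@
        Get-WinEvent -FilterXml $xml -MaxEvents $MaxEvents
    } else {
        # Hashtable form with the resolved (real) provider name
        Get-WinEvent -FilterHashtable @{ LogName = $LogName; ProviderName = $name } -MaxEvents $MaxEvents
    }
}

# Usage: what eventvwr calls "Security-SPP" resolves to the real provider name...
Resolve-EventProviderName -DisplayName 'Security-SPP'

# ...and the last 5 events from it, fetched both ways for comparison
Get-ProviderEvents -DisplayName 'Security-SPP' -MaxEvents 5
Get-ProviderEvents -DisplayName 'Security-SPP' -MaxEvents 5 -UseXml

# For contrast, the slow "filter on the right" approach: every event in the
# log is retrieved and deserialized before Where-Object sees it
Measure-Command {
    Get-WinEvent -LogName Application |
        Where-Object { $_.ProviderName -eq 'Microsoft-Windows-Security-SPP' } |
        Select-Object -First 5
}
```

The suffix match in step 2 is the one that fires for Security-SPP; the throw in Get-ProviderEvents is there because a display name such as "SPP" would match more than one provider, and silently picking the first would reproduce exactly the confusion described above.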

… which proves how to handle such caveats…to finally get it right… 😉
