Why does my Get-WinEvent command fail?

This morning I wanted to audit computers to assess whether the certificate revocation list has been updated or not as Microsoft published the following advisory: Security Advisory (2916652) Improperly Issued Digital Certificates Could Allow Spoofing

As stated in the FAQ, I just needed to check the Application log for event ID 4112.

So, I quickly ran:

Get-WinEvent -FilterHashtable @{ LogName = 'Application' ; ProviderName = "Microsoft-Windows-CAPI2" ; Id = 4112 } -MaxEvents 1 | Select -ExpandProperty Message

(same code as above, but with splatting for better readability)

$HT = @{
 FilterHashtable = @{
    LogName = 'Application';
    ProviderName = "Microsoft-Windows-CAPI2";
    Id = 4112
 }
}
Get-WinEvent @HT -MaxEvents 1 |
Select -ExpandProperty Message

The above worked perfectly well on computers whose current culture ($host.CurrentCulture) was set to English-US or French.

But when I tried on computers that had another culture, it failed with the following message:
Get-WinEvent : Could not retrieve information about the Microsoft-Windows-CAPI2 provider. Error: The locale specific resource for the desired message is not present.


I got the same error with the following command:

Get-WinEvent -ProviderName "Microsoft-Windows-CAPI2"

But it partially worked with the following command. Notice that the Message property is empty:

(Get-WinEvent -FilterHashtable @{ LogName = 'Application' ; Id = 4112 } -MaxEvents 1)

My two workarounds in this case were:

$a = (Get-WinEvent -FilterHashtable @{ LogName = 'Application' ; Id = 4112 } -MaxEvents 1)
'Successful auto update of disallowed certificate list with effective date: {0}' -f @(([xml]$a.ToXml()).Event.EventData.Data)[0]
'Successful auto update of disallowed certificate list with effective date: {0}' -f $a.Properties[0].Value


Having workarounds without understanding what’s going on under the hood was quite frustrating 😦

I tried to list the MetaData associated with the provider with the following command (I used a tip I saw on this page):

(Get-WinEvent -ListProvider "Microsoft-Windows-CAPI2").Events

It worked under the English-US and French cultures but failed silently under en-GB.

This time, I used the following MSDN page to create the System.Diagnostics.Eventing.Reader.ProviderMetadata object.

# Provider metadata resolved for the en-GB culture
$ar = @(
 "Microsoft-Windows-CAPI2",
 $null,
 ([System.Globalization.CultureInfo]'en-GB')
)
(New-Object System.Diagnostics.Eventing.Reader.ProviderMetadata -ArgumentList $ar).get_Events()

# Same provider metadata resolved for the en-US culture
$ar = @(
 "Microsoft-Windows-CAPI2",
 $null,
 ([System.Globalization.CultureInfo]'en-US')
)
(New-Object System.Diagnostics.Eventing.Reader.ProviderMetadata -ArgumentList $ar).get_Events() |
ft Id,Description -AutoSize

My Get-WinEvent command failed because my user locale name ($host.CurrentCulture) is set to en-GB.
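As an added example (not code from the original post), the function below combines the two findings above, dropping ProviderName from the filter and loading the provider metadata for an explicit culture, into one culture-independent audit of event 4112. The function and parameter names are my own, and it assumes the message template can be resolved from the CAPI2 provider registered on the local machine.

```powershell
# Added example (not part of the original post): audit the last successful
# disallowed-certificate-list update (Microsoft-Windows-CAPI2 event 4112)
# without depending on the session culture. Names are my own.
function Get-DisallowedCertListUpdate {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        # Culture used to load the provider's message template when the
        # session culture (e.g. en-GB) has no resources for it
        [System.Globalization.CultureInfo]$MessageCulture = 'en-US'
    )
    foreach ($c in $ComputerName) {
        # Filter on LogName + Id only: ProviderName in the hashtable triggers
        # the provider metadata lookup that fails on unsupported cultures
        $ev = Get-WinEvent -ComputerName $c -ErrorAction SilentlyContinue `
                -FilterHashtable @{ LogName = 'Application'; Id = 4112 } |
              Where-Object { $_.ProviderName -eq 'Microsoft-Windows-CAPI2' } |
              Select-Object -First 1
        if (-not $ev) {
            [pscustomobject]@{ ComputerName = $c; Updated = $false
                               EffectiveDate = $null; Message = $null }
            continue
        }
        $msg = $ev.Message
        if (-not $msg) {
            # Empty Message: resolve the template for an explicit culture
            # and fill its %1..%n insertion strings from the event Properties
            $meta = New-Object System.Diagnostics.Eventing.Reader.ProviderMetadata `
                        -ArgumentList 'Microsoft-Windows-CAPI2', $null, $MessageCulture
            try {
                $msg = ($meta.Events | Where-Object { $_.Id -eq 4112 } |
                        Select-Object -First 1).Description
                for ($i = 0; $i -lt $ev.Properties.Count; $i++) {
                    $msg = $msg -replace ('%' + ($i + 1) + '\b'), [string]$ev.Properties[$i].Value
                }
            } finally { $meta.Dispose() }
        }
        [pscustomobject]@{
            ComputerName  = $c
            Updated       = $true
            # Same value the post extracts with $a.Properties[0].Value
            EffectiveDate = $ev.Properties[0].Value
            Message       = $msg
        }
    }
}
# Local check; pass -ComputerName for the machines being audited
Get-DisallowedCertListUpdate | Format-List
```

A computer that reports Updated = $false has never logged a successful auto update of the disallowed certificate list, so it is the one to follow up on.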
