This morning I wanted to audit computers to assess whether the certificate revocation list has been updated or not as Microsoft published the following advisory: Security Advisory (2916652) Improperly Issued Digital Certificates Could Allow Spoofing
As stated in the FAQ, I just needed to check the Application log for event ID 4112
So, I quickly did
```powershell
Get-WinEvent -FilterHashtable @{ LogName = 'Application' ; ProviderName = "Microsoft-Windows-CAPI2" ; Id = 4112 } -MaxEvents 1 | Select -ExpandProperty Message
```
(the same code as above, using splatting for better readability)
```powershell
$HT = @{ FilterHashtable = @{ LogName = 'Application'; ProviderName = "Microsoft-Windows-CAPI2"; Id = 4112 } }
Get-WinEvent @HT -MaxEvents 1 | Select -ExpandProperty Message
```
The above worked perfectly well on computers whose $host.CurrentCulture was set to English-US or French.
But when I tried on computers that had another culture, it failed with the following message:
```
Get-WinEvent : Could not retrieve information about the Microsoft-Windows-CAPI2 provider. Error: The locale specific resource for the desired message is not present.
```
I got the same error with the following command:
```powershell
Get-WinEvent -ProviderName "Microsoft-Windows-CAPI2"
```
But it partially worked with the following command; notice that the Message property is empty:
```powershell
(Get-WinEvent -FilterHashtable @{ LogName = 'Application' ; Id = 4112 } -MaxEvents 1)
```
My two workarounds in this case were:
```powershell
$a = (Get-WinEvent -FilterHashtable @{ LogName = 'Application' ; Id = 4112 } -MaxEvents 1)
'Successful auto update of disallowed certificate list with effective date: {0}' -f @(([xml]$a.ToXml()).Event.EventData.Data)[0]
'Successful auto update of disallowed certificate list with effective date: {0}' -f $a.Properties[0].Value
```
Having workarounds without understanding what's going on under the hood was quite frustrating.
I tried to list the metadata associated with the provider with the following command (I used a tip I saw on this page):
```powershell
(Get-WinEvent -ListProvider "Microsoft-Windows-CAPI2").Events
```
It worked on the English-US or French culture but failed silently on en-GB.
This time, I used the following MSDN page to create a System.Diagnostics.Eventing.Reader.ProviderMetadata object directly, passing the target culture as the third constructor argument:
```powershell
$ar = @( "Microsoft-Windows-CAPI2", $null, ([System.Globalization.CultureInfo]'en-GB') )
(New-Object System.Diagnostics.Eventing.Reader.ProviderMetadata -ArgumentList $ar).get_Events()
$ar = @( "Microsoft-Windows-CAPI2", $null, ([System.Globalization.CultureInfo]'en-US') )
(New-Object System.Diagnostics.Eventing.Reader.ProviderMetadata -ArgumentList $ar).get_Events() | ft Id,Description -AutoSize
```
My Get-WinEvent command failed because my user locale name ($host.CurrentCulture) is set to en-GB.
This is a known "bug"; see
http://social.technet.microsoft.com/Forums/windowsserver/en-US/9deceae3-a631-464b-af86-13d50cf14ccf/getwinevent-not-returning-message-windows-8?forum=winserverpowershell
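As an added example (my own code, not from the original post), here are the two workarounds above combined into one culture-independent check: it reads event 4112 by log and ID only, takes the effective date from the typed Properties collection, and, when Message comes back empty, renders the description template from ProviderMetadata under an assumed fallback culture of en-US. The function name and the substitution of %1-style insertion strings are my assumptions.

```powershell
# Added example (not from the original post): locate the latest CAPI2 event
# 4112 without depending on the current user locale's provider resources.
function Get-DisallowedCertListUpdate {
    [CmdletBinding()]
    param(
        # Culture used to render the description when the current locale
        # (en-GB in the post) has no resources for Microsoft-Windows-CAPI2.
        [System.Globalization.CultureInfo]$FallbackCulture = 'en-US'
    )

    # Filter by log and ID only: adding ProviderName makes Get-WinEvent load
    # provider metadata under the current culture and fail on e.g. en-GB.
    $filter = @{ LogName = 'Application'; Id = 4112 }
    $evt = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $evt) {
        return [pscustomobject]@{ Found = $false; TimeCreated = $null; EffectiveDate = $null; Message = $null }
    }

    # The first EventData element is the effective date of the disallowed
    # certificate list; read it from the typed Properties collection.
    $effectiveDate = $evt.Properties[0].Value

    $message = $evt.Message
    if ([string]::IsNullOrEmpty($message)) {
        # Message is empty when the locale-specific resource is missing, so
        # fetch the template from the provider metadata under the fallback
        # culture and substitute the %1, %2 ... insertion strings ourselves.
        $meta = New-Object System.Diagnostics.Eventing.Reader.ProviderMetadata -ArgumentList 'Microsoft-Windows-CAPI2', $null, $FallbackCulture
        $template = ($meta.Events | Where-Object { $_.Id -eq 4112 } | Select-Object -First 1).Description
        $meta.Dispose()
        if ($template) {
            $message = $template
            for ($i = $evt.Properties.Count - 1; $i -ge 0; $i--) {
                # Replace higher indexes first so %10 is not clobbered by %1.
                $message = $message.Replace('%' + ($i + 1), [string]$evt.Properties[$i].Value)
            }
        } else {
            # Last resort: the known message text from the original post.
            $message = 'Successful auto update of disallowed certificate list with effective date: {0}' -f $effectiveDate
        }
    }
    [pscustomobject]@{
        Found         = $true
        TimeCreated   = $evt.TimeCreated
        EffectiveDate = $effectiveDate
        Message       = $message
    }
}
Get-DisallowedCertListUpdate | Format-List
```

Found = $false on a machine means no 4112 event has been logged yet, which is the condition the advisory asks you to audit for.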