Don’t use Get-Eventlog anymore

  • Problem

When you type the following

Get-EventLog -Source Microsoft-Windows-Kernel-General -Newest 20 -LogName System -InstanceId 1 | Select -ExpandProperty Message 

You get

Possible detection of CVE: 2023-01-09T09:08:23.5000000Z
Additional Information: 2023-01-08T19:56:29.1492612Z
This Event is generated when an attempt to exploit a known vulnerability (2023-01-09T09:08:23.5000000Z) is detected.
This Event is raised by a User mode process.

This raises questions, and you may worry that you have a security incident on your hands 😦

  • Solution

False alarm!

 Get-Help Get-EventLog -Online

The help of the cmdlet clearly states the following:

Get-EventLog uses a Win32 API that is deprecated. The results may not be accurate. 

Source: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1

To view the real message template that the Kernel-General provider registers for event Id 1 (the one a modern event reader renders with the event's own parameters), you can run

(Get-WinEvent -ListProvider 'Microsoft-Windows-Kernel-General').Events | ? Id -eq 1

To get the correct message, you need to use the Get-WinEvent cmdlet 🙂

Get-WinEvent -ProviderName 'Microsoft-Windows-Kernel-General' -MaxEvents 20 | ? Id -eq 1
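The following script is an added example, not code from the original post: it puts the deprecated and the correct rendering side by side for the same log records, so you can see the mismatch the post describes rather than take it on faith. It assumes Windows PowerShell 5.1 (Get-EventLog no longer exists in PowerShell 7), read access to the System log, and the provider name and event Id used above; the function name and the CVE keyword check are my own.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 5.1,
# read access to the System log, and the provider/Id discussed in the post.
function Compare-EventRendering {
    param(
        [string]$Provider = 'Microsoft-Windows-Kernel-General',
        [int]$EventId     = 1,
        [int]$MaxEvents   = 5
    )

    # 1. The message template the provider really registers for this Id.
    #    Get-WinEvent fills this template with the event's own parameters.
    $template = (Get-WinEvent -ListProvider $Provider).Events |
        Where-Object Id -eq $EventId |
        Select-Object -First 1 -ExpandProperty Description
    Write-Host "Template registered by $Provider for Id ${EventId}:`n$template`n"

    # 2. Correct rendering. A filter hashtable is evaluated by the event log
    #    service itself, which is cheaper than pulling everything and piping
    #    to Where-Object as in the one-liner above.
    $real = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = $Provider
        Id           = $EventId
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    # 3. Deprecated rendering of the same records. Get-EventLog exposes the
    #    record number as Index, Get-WinEvent as RecordId, so join on that.
    $legacy = Get-EventLog -LogName System -Source $Provider `
        -InstanceId $EventId -Newest 200 -ErrorAction SilentlyContinue

    foreach ($ev in $real) {
        $old = $legacy | Where-Object Index -eq $ev.RecordId
        $oldFirstLine = '<no matching legacy record>'
        if ($old) { $oldFirstLine = ($old.Message -split "`n")[0] }

        [pscustomobject]@{
            RecordId    = $ev.RecordId
            TimeCreated = $ev.TimeCreated
            GetWinEvent = ($ev.Message -split "`n")[0]   # first line of the correct text
            GetEventLog = $oldFirstLine                   # first line of the legacy text
            # Flags the false alarm from the post: legacy text mentions a CVE
            # while the real template for this Id does not.
            FalseAlarm  = [bool]($old.Message -match 'CVE' -and $template -notmatch 'CVE')
        }
    }
}

Compare-EventRendering | Format-Table -AutoSize -Wrap
```

The FalseAlarm column is true only when the legacy text mentions a CVE and the provider's registered template for that Id does not, which is exactly the situation the post shows. For triage scripts and scheduled checks, the practical rule is the same as the post's: build on Get-WinEvent (or its -FilterHashtable/-FilterXml forms) and treat any alert that originates from Get-EventLog output as unverified until the record is re-read with the modern cmdlet.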

2 thoughts on “Don’t use Get-Eventlog anymore”

  1. Pingback: Dew Drop – January 24, 2023 (#3864) – Morning Dew by Alvin Ashcraft

  2. Pingback: What to Use Instead of Get-EventLog – Curated SQL
