Discrepancy between Event Log taken from Powershell and with Event Log Viewer

  • Saturday, February 16, 2013 8:18 AM
     
     

    Hi,

    Domain Controller OS - Windows Server 2008 R2

    Please see the first print screen attached (Powershell.png). With the help of a PowerShell command I am trying to check the event log of my DC. Please note the red rectangle box: "Failure Reason: %%2313".

    But if I check the same log from Event Viewer (second print screen attached, EventViewer.png), for the same event ID it clearly shows "Failure Reason: Unknown user name or bad password".

    Why does PowerShell show the failure reason for the same event ID with some syntax, while the Event Viewer log of Windows displays it correctly?


    Thanks & Regards,
    Param
    www.paramgupta.blogspot.com

All Replies

  • Saturday, February 16, 2013 9:33 AM
     
     

    I believe that PowerShell does not decode errors but the event viewer does.

    The %% indicates that this is a string in the provider helper DLL.  See the Event Logging documentation for more details on how this works.

    This is by design.


    ¯\_(ツ)_/¯


  • Saturday, February 16, 2013 9:41 AM
     
     Answered

    Your IIS tried to log on a user and the name or password was incorrect.  The audit message is explicit without the error message.

    On Windows Vista and later you should use Get-WinEvent as it can read the extended event data more of the time.  Be sure .NET 3.5/4.0 are installed and fully patched.


    ¯\_(ツ)_/¯
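
The following is an added example, not code posted by anyone in the thread: it reads the named fields of a failed-logon audit event from its XML and replaces a raw `%%NNNN` placeholder with readable text, so triage scripts do not depend on the viewer's message rendering. It assumes the event in the screenshots is Security event 4625 (the thread does not state the ID); the helper names, the sample event, and every table row other than `%%2313` are constructed or assumed here.

```powershell
# Placeholder-to-text table for the failure reason field of Security event 4625.
# %%2313 is the pair shown in the thread; the other rows are added here from
# the commonly documented list for this event (assumption, not from the page).
$FailureReason = @{
    '%%2305' = 'The specified user account has expired.'
    '%%2307' = 'Account locked out.'
    '%%2309' = "The specified account's password has expired."
    '%%2310' = 'Account currently disabled.'
    '%%2313' = 'Unknown user name or bad password.'
}

function Resolve-AuditToken {
    param([Parameter(Mandatory = $true)][AllowEmptyString()][string]$Text)
    $lookup = [System.Text.RegularExpressions.MatchEvaluator]{
        param($m)
        # Leave unknown tokens visible instead of guessing at their meaning.
        if ($FailureReason.ContainsKey($m.Value)) { $FailureReason[$m.Value] } else { $m.Value }
    }
    [regex]::Replace($Text, '%%\d+', $lookup)
}

function ConvertFrom-LogonFailureXml {
    param([Parameter(Mandatory = $true)][xml]$EventXml)
    # Index the named <Data> elements so fields are read by name, not position.
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    New-Object psobject -Property @{
        TimeCreated   = $EventXml.Event.System.TimeCreated.SystemTime
        TargetUser    = $data['TargetUserName']
        RawReason     = $data['FailureReason']
        FailureReason = Resolve-AuditToken ([string]$data['FailureReason'])
    }
}

# Constructed sample event (not taken from the thread's screenshots).
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2013-02-16T08:00:00.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">testuser</Data>
    <Data Name="FailureReason">%%2313</Data>
  </EventData>
</Event>
'@
ConvertFrom-LogonFailureXml $sample

# Against the live Security log (run from an elevated session):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 20 |
#     ForEach-Object { ConvertFrom-LogonFailureXml ([xml]$_.ToXml()) }
```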