The maximum number of replacements has been reached,Microsoft.PowerShell.Commands.GetWinEventCommand

    Question

  • Any clues? I am changing how my script pulls events at the moment, but this just recently started happening. The following two lines of code generate this error.

    $Event307 = Get-WinEvent -LogName $LogName |Where-Object {$_.id -eq 307}
    $Event307 = Get-WinEvent -FilterHashtable @{LogName=$LogName; ID=307}


    Jeffrey S. Patton Assistant Director of IT School of Engineering Computing Services University of Kansas 1520 West 15th Street Lawrence, KS. 66045-7621 | http://patton-tech.com

    Wednesday, April 11, 2012 5:08 PM

Answers

All replies

  • For clarity I started logging this event for the first time this morning at 10:11

    Jeffrey S. Patton Assistant Director of IT School of Engineering Computing Services University of Kansas 1520 West 15th Street Lawrence, KS. 66045-7621 | http://patton-tech.com

    Wednesday, April 11, 2012 5:24 PM
  • Your query doesn't look like it would cause the WMI "too costly" error but looking up the actual verbiage, the only thing I can find is an error code named:

    ERROR_EVT_MAX_INSERTS_REACHED

    http://msdn.microsoft.com/en-us/library/windows/desktop/ms681384(v=vs.85).aspx

    You're not writing to this file, are you? And if so, is it configured to overwrite as needed? I see the snippet you posted isn't, but the error doesn't seem to be thrown by the two lines there. Btw, why are you running the same query in two different ways and assigning it to the same variable?

    Thursday, April 12, 2012 12:53 AM
  • You have an event defined that is recursive.

    You are eventing and inserting on an event.  You need to tell us the rest of what you have done to create this infinite loop.


    ¯\_(ツ)_/¯

    Thursday, April 12, 2012 4:49 AM
  • @thepip3r I am writing back to this log, but that's not where the error is thrown. The two different queries were just testing to see if there was too much coming in and maybe it was choking on that. They do exactly the same thing.

    @jvr These were run directly at the command-line outside of a script, I'm not entirely sure how it would be an infinite loop. Those were two separate runs that returned the same result.

    I think I'd like to give you a bit of background, this is part of a print logging script. It monitors the operational print-service log for event 307. It pulls the relevant bits of data from that entry and writes it out to a csv daily. If an error is encountered it's written to the log, and that is actually working as that was how I found out about this problem.

    The original code looked something like this

            Try
            {
                $Event307 = Get-WinEvent -LogName $LogName |Where-Object {$_.id -eq 307}
                }
            Catch
            {
                $Message = $Error[0]
                Write-Warning $Message
                Write-EventLog -LogName $LogName -Source $ScriptName -EventID "101" -EntryType "Error" -Message $Message
                Break
                }

    The $Event307 variable was then parsed and tossed into a custom object and piped through out-csv to a file. It's not terribly complex, but its flaw was that it pulled all of the events from the log. I think that is somehow the problem, I don't see how that's an infinite loop, but if it is I would please like clarification. This script was originally written almost a year ago, and since then I've changed how I pull log data. As a stop-gap before I just tacked on -ErrorAction SilentlyContinue to the end of the get-winevent and it started working again.

    The updated version gets the record id from the entry that triggered the script and the updated block looks like this.

            Try
            {
                $Event307 = Get-WinEvent -LogName $eventChannel -FilterXPath "<QueryList><Query Id='0' Path='$eventChannel'><Select Path='$eventChannel'>*[System[(EventRecordID=$eventRecordID)]]</Select></Query></QueryList>"
                $Event307XML = ([xml]$Event307.ToXml())
                }
            Catch
            {
                $Message = $Error[0]
                Write-Warning $Message
                Write-EventLog -LogName $LogName -Source $ScriptName -EventID "101" -EntryType "Error" -Message $Message 
                Break
                }
    

    The benefit of this is I'm pulling just one event, and querying for it specifically via the record id. The updated script went into testing yesterday and as of this morning there were no errors.

    I'm open to thoughts, or criticisms, or whatever. The full script can be found here http://gallery.technet.microsoft.com/New-PrintJob-2f43062f


    Jeffrey S. Patton Assistant Director of IT School of Engineering Computing Services University of Kansas 1520 West 15th Street Lawrence, KS. 66045-7621 | http://patton-tech.com

    Thursday, April 12, 2012 3:16 PM
  • The event as described means that the number of arguments received in the event exceeds the number defined in the message file.

    Inspect the replacement strings.  Check to see if there are more strings than there are % variables in the message text.

    This can happen if you have a corrupt message file.


    ¯\_(ツ)_/¯

    Thursday, April 12, 2012 4:43 PM
  • Yeah the only thing I've been able to find on ERROR_EVT_MAX_INSERTS_REACHED is what jrv was talking about:  malformed arguments querying the event log.  If I had to choose between the three methods you described, I'd use the hashtable:

    $Event307 = Get-WinEvent -FilterHashtable @{LogName=$LogName; ID=307}
    Btw... your Catch block will never fire as the code is written unless you're flipping the erroraction globally.  If you don't flip the erroraction globally, you need to insert an "-ErrorAction Stop" into your Win-Event.
    Thursday, April 12, 2012 5:24 PM
  • In general it is bad practice to set the global error. It is like using On Error Resume Next at the beginning of every VBScript.  Every CmdLet has an ErrorAction parameter that will affect only that CmdLet.  This is the recommended method.

    -Ea is the alias -ea 0,1,2,3,4

    -ev $myerror  is the variable.

    The hashtable cannot set all values.  If you need items in the data you will have to use -FilterXML.


    ¯\_(ツ)_/¯

    Thursday, April 12, 2012 5:32 PM
  • I'm not sure that there is a corrupt message file, as the current script is working fine with no issue. Also, I think I've seen something like that before, doesn't EventViewer display messages that have no file, with a header stating this thing can't be displayed because software isn't installed, and then dumps the raw message?

    Jeffrey S. Patton Assistant Director of IT School of Engineering Computing Services University of Kansas 1520 West 15th Street Lawrence, KS. 66045-7621 | http://patton-tech.com

    Thursday, April 12, 2012 6:29 PM
  • @thepip3r good call, I should set that and see if that message pops back up, but I rather doubt it will. Like I said, when I ran the get-winevent with the where filter I received the above error in that stream.

    @jvr I use filterxpath and am able to return all the items I need. I usually don't set $ErrorActionPreference, not saying I've never done that, I just don't do it that often. ;-)


    Jeffrey S. Patton Assistant Director of IT School of Engineering Computing Services University of Kansas 1520 West 15th Street Lawrence, KS. 66045-7621 | http://patton-tech.com

    Thursday, April 12, 2012 6:33 PM
  • Your description of what you are trying to do and the error you are getting are a bit vague and ambiguous.

    The WinEvent command will not replace text but can be coaxed to do so.  What you see in Event Viewer has nothing to do with the eventlog API as you are using it in PowerShell.  Don't mix apples and housepaint.


    ¯\_(ツ)_/¯

    Thursday, April 12, 2012 7:02 PM
  • Funny, not trying to mix apples and housepaint...I'll have to remember that one ;-)

    I'm not replacing text with get-winevent...I'm literally pulling in event id 307 and from that grabbing the properties related to user/print job/size/pages and so on. I'm not sure I ever said I was replacing values. I did say that when an error occurs I write an event to the log and thepip3r noted that my catch wouldn't run since I forgot to add erroraction stop to the get-winevent cmdlet.


    Jeffrey S. Patton Assistant Director of IT School of Engineering Computing Services University of Kansas 1520 West 15th Street Lawrence, KS. 66045-7621 | http://patton-tech.com

    Thursday, April 12, 2012 7:06 PM
  • I am not saying you are replacing text.  I am saying that WinEvent or the Eventlog API are doing it for you.  The calls can be coaxed to replace or not replace as required and you can request the raw event.

    The issue I was referring to is that the event entry has more strings than the message defines.  That will cause this error.  This can be caused by a damaged message file, or an out-of-date message file (happens when doing remote retrieval and can be fixed by copying the message file from the remote system).

    This can also happen when someone spoofs the provider, which I have seen some people try to do thinking this was a convenient way to get a free message file; then they use the wrong number of strings.

    I suspect you have an out-of-date message file or a corrupt message file.


    ¯\_(ツ)_/¯

    Thursday, April 12, 2012 7:11 PM
  • I was not aware of that. That makes me wonder then if perhaps a single event could potentially get corrupted in some fashion, as that seems the only way to explain the following output from the following command:

    Get-WinEvent -LogName 'Microsoft-Windows-PrintService/Operational' |Where-Object {$_.id -eq307}
    
    4/11/2012 11:19:19 AM                                    Microsoft-Windows-PrintService                                                                                307 Document 230, RISA-3D Demonstration Report Data owne...
    4/11/2012 11:19:12 AM                                    Microsoft-Windows-PrintService                                                                                307 Document 229, RISA-3D Demonstration Graphic owned by...
    4/11/2012 11:19:12 AM                                    Microsoft-Windows-PrintService                                                                                307 Document 228, RISA-3D Demonstration Graphic owned by...
    4/11/2012 11:18:28 AM                                    Microsoft-Windows-PrintService                                                                                307 Document 227, Microsoft Word - HW14 owned by mdub12 ...
    Get-WinEvent : The maximum number of replacements has been reached
    At line:1 char:13
    + Get-WinEvent <<<<  -LogName 'Microsoft-Windows-PrintService/Operational' |Where-Object {$_.id -eq307}
        + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
        + FullyQualifiedErrorId : The maximum number of replacements has been reached,Microsoft.PowerShell.Commands.GetWinEventCommand
     
    4/11/2012 11:17:43 AM                                    Microsoft-Windows-PrintService                                                                                307 Cannot retrieve event message text.                    
    4/11/2012 11:17:33 AM                                    Microsoft-Windows-PrintService                                                                                307 Document 224, Microsoft Word - HW #29 owned by izzy2...
    4/11/2012 11:17:29 AM                                    Microsoft-Windows-PrintService                                                                                307 Document 225, RISA-3D Demonstration Report Data owne...
    4/11/2012 11:17:05 AM                                    Microsoft-Windows-PrintService                                                                                307 Document 223, C:\Users\a673a701\AppData\Local\Micros...
    

    Note that the error falls right in between events. I'm just showing a handful of events before and after the error. What could cause that to happen for a single instance of an event? As you can see there were several before and after, if something got corrupt I would tend to think events subsequent to the original would also be broken.


    Jeffrey S. Patton Assistant Director of IT School of Engineering Computing Services University of Kansas 1520 West 15th Street Lawrence, KS. 66045-7621 | http://patton-tech.com

    Thursday, April 12, 2012 7:26 PM
  • It could be a corrupt event log.  Start by finding the event and looking at it with the event viewer.  Capture the XML if possible.  Inspect message template and count replacement strings.

    Purge event log and see if issue goes away.  If it doesn't, suspect a bad print driver.

    Read the following as it may be the cause of your error.

    http://qa.social.technet.microsoft.com/Forums/en/ITCG/thread/a63039e9-9dd1-40c0-9ef6-3dcb8763743c

    Here is a full explanation and a tool that may fix the problem.  I would NOT run the tool.  It is not signed or protected and may be a target for trojans.

    http://www.pcmmc.com/error_evt_max_inserts_reached.php


    ¯\_(ツ)_/¯

    Thursday, April 12, 2012 7:55 PM
  • Interesting one thing I noted is the event listed above at 11:17:43 has a normal looking XML

    Log Name:      Microsoft-Windows-PrintService/Operational
    Source:        Microsoft-Windows-PrintService
    Date:          4/11/2012 11:17:43 AM
    Event ID:      307
    Task Category: Printing a document
    Level:         Information
    Keywords:      Classic Spooler Event,Document Print Job
    User:          HOME\a673a701
    Computer:      labps.soecs.ku.edu
    Description:
    Å
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-PrintService" Guid="{747EF6FD-E535-4D16-B510-42C90F6873A1}" />
        <EventID>307</EventID>
        <Version>0</Version>
        <Level>4</Level>
        <Task>26</Task>
        <Opcode>11</Opcode>
        <Keywords>0x4000000000000840</Keywords>
        <TimeCreated SystemTime="2012-04-11T16:17:43.633929400Z" />
        <EventRecordID>1370017</EventRecordID>
        <Correlation />
        <Execution ProcessID="380" ThreadID="2292" />
        <Channel>Microsoft-Windows-PrintService/Operational</Channel>
        <Computer>labps.soecs.ku.edu</Computer>
        <Security UserID="S-1-5-21-57989841-1078081533-682003330-221424" />
      </System>
      <UserData>
        <DocumentPrinted xmlns:auto-ns3="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events">
          <Param1>226</Param1>
          <Param2>http://word-view.officeapps.live.com/wv/wordviewerframe.aspx?Fi=MemsYwiSfOUlRrzrv6u5RhKSqwNswgN1vUw4oQKn7BymC4EEFJ95HdRVJeWgOKVblzFKCe8H%2bIRhjcI4OKp4gRdmpbmDOlqme8%2fcgsUd43LU3jII%2fOPo%2ffJz9MVX5DeipYMBbxGhXm%2bc8%2fhrXwRpSwAmUSjLlDPWDNKetQHor1YNHAK9snA9ppMbER7ltfqYdokC9eLsZ7bDvg3908SqvjXKb6Wa%2fvPFue61Dk8MnTFE5HK0YvAPchWoVW8k2biueELK1JJG%2fT1U0%2f4i0JqJ0SUpxCZktb3QHR3wpvLNhzp5ud2ZXIGzdtVH9L9p1KnQZ69o1AYHzs%2fCSQWYDDOd7bHSq4lEQfkFswnI65n%2fdn8kxdFPVmPYRmSoRs36ox8h&amp;C=4__hm-bl153w-wshi&amp;ui=en-sa&amp;rs=en-sa&amp;su=01_3324e12c629219209edd3e7ab7d07a480ba64b59299a1f03e7db9375295c4ab6</Param2>
          <Param3>a673a701</Param3>
          <Param4>E1005-PC15</Param4>
          <Param5>e1005-laser</Param5>
          <Param6>e1005-p2.soecs.ku.edu</Param6>
          <Param7>257943</Param7>
          <Param8>1</Param8>
        </DocumentPrinted>
      </UserData>
    </Event>

    But viewing the event in the viewer not so much.

    Odd text in the description

    Also, thanks for the additional info, I liked the additional details in the second link, however I think I will refrain from downloading the 'fix'


    Jeffrey S. Patton Assistant Director of IT School of Engineering Computing Services University of Kansas 1520 West 15th Street Lawrence, KS. 66045-7621 | http://patton-tech.com

    Thursday, April 12, 2012 9:38 PM
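
An added example (not part of the thread, and not the poster's script) that ties together two points from the replies: per-cmdlet error handling with -ErrorAction and -ErrorVariable, and taking the job fields from the event XML rather than from the rendered message. The output property names and the CSV path are assumptions; the Param1..Param8 mapping is inferred from the XML posted above.

```powershell
# Added example, not code from the thread. Property names are assumptions
# inferred from the Param1..Param8 values in the event XML posted above.
$LogName = 'Microsoft-Windows-PrintService/Operational'
$CsvPath = Join-Path $env:TEMP 'PrintJobs.csv'   # hypothetical output path

# -ErrorVariable keeps every non-terminating error the cmdlet writes, while
# -ErrorAction SilentlyContinue lets the remaining records keep flowing.
$Records = Get-WinEvent -FilterHashtable @{LogName = $LogName; ID = 307} `
    -ErrorAction SilentlyContinue -ErrorVariable QueryErrors

$Jobs = foreach ($Record in $Records) {
    # Read the insertion strings from the event XML; this loop never reads
    # the formatted Message property.
    $Data = ([xml]$Record.ToXml()).Event.UserData.DocumentPrinted
    if ($null -eq $Data) {
        Write-Warning "Record $($Record.RecordId) has no DocumentPrinted data"
        continue
    }
    New-Object PSObject -Property @{
        RecordId     = $Record.RecordId      # lets a bad record be found again
        TimeCreated  = $Record.TimeCreated
        JobId        = $Data.Param1
        DocumentName = $Data.Param2
        UserName     = $Data.Param3
        ClientPC     = $Data.Param4
        PrinterName  = $Data.Param5
        PortName     = $Data.Param6
        SizeBytes    = [long]$Data.Param7
        Pages        = [int]$Data.Param8
    }
}

# Surface what the query complained about instead of discarding it.
foreach ($Err in $QueryErrors) {
    Write-Warning "Get-WinEvent reported: $Err"
}

if ($Jobs) {
    # Select-Object fixes the column order, which a hashtable does not preserve.
    $Jobs |
        Select-Object RecordId, TimeCreated, JobId, DocumentName, UserName,
            ClientPC, PrinterName, PortName, SizeBytes, Pages |
        Export-Csv -Path $CsvPath -NoTypeInformation
}
```

With -ErrorAction Stop the same query would end at the first record that raises an error, so the Catch block would fire but the records after it would not be exported.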
  • In the Technet article that you linked, the user was experiencing duplicate Params, I don't see that in my snippet. I will point out that the printer e1005-laser is a print pool, both printers are HP 9050's and use the HP LaserJet 9050 PCL 5e driver, version 61.74.561.43. They also output a literal ton of print jobs on a regular basis.

    Jeffrey S. Patton Assistant Director of IT School of Engineering Computing Services University of Kansas 1520 West 15th Street Lawrence, KS. 66045-7621 | http://patton-tech.com

    Thursday, April 12, 2012 9:41 PM
  • If the same HP printers are always doing this then I would contact HP support.  They are usually very good at this.  I am pretty sure that the driver dispatches its events directly for these events.  The XML looks good but be sure that the messages can handle 8 strings.  If it only takes 7 then it will throw an error.

    You will need to extract the message from the message file.  There is a utility for this.  Call HP, they will know how to do this.  If you don't have an enterprise contract then you may have to pay for the assistance.


    ¯\_(ツ)_/¯

    Thursday, April 12, 2012 9:55 PM
  • Where are these message files located?


    Jeffrey S. Patton Assistant Director of IT School of Engineering Computing Services University of Kansas 1520 West 15th Street Lawrence, KS. 66045-7621 | http://patton-tech.com

    Thursday, April 12, 2012 9:59 PM
  • Pointed at in the registry.  They can be anywhere.


    ¯\_(ツ)_/¯

    Thursday, April 12, 2012 10:02 PM
  • Ok, so after some searching this is what i have found, since I started this thread I have had 10 occurrences of this problem. The bulk of them are on the print server assigned to staff and faculty, and all of them on that print server attributed to one user and one printer. The printer is a konica-minolta 423 multifunction device. The other thing I note is that this user can print to the same device and not receive the error. The one thing that appears to be common between both instances is that in the example above, and what I found on my other server, is the documents were web-based documents, printed from users who may have enabled a different language pack on Windows.

    It's difficult for me to check that for sure and not entirely certain that aspect of it matters, I think it may be something with the document that they printed? is that possible? or perhaps encoding in the URL? When the driver attempts to render it as part of the message there are special characters or something that causes this issue, does that sound likely?

    I think I'd have to monitor this for an extended period of time before I'm able to see if it's more widespread than what it is. At the moment I see this on 2 user accounts out of ~3600. The printer ratio is a little better, it occurs on 2 printers out of ~40.


    Jeffrey S. Patton Assistant Director of IT School of Engineering Computing Services University of Kansas 1520 West 15th Street Lawrence, KS. 66045-7621 | http://patton-tech.com

    Friday, April 13, 2012 3:08 PM
  • You are grabbing at straws.  That is not how printing and eventing work.

    Where are you getting this error?  You are only getting it when you query the eventlog with PowerShell.  It is caused by a mismatch between the event log record and the message file on the machine where you are running the query.

    You will need to contact Microsoft support for further assistance with this. This is not a scripting issue.

    I am sorry but this forum is not designed to support this kind of issue.  It does not have the resources and it is not part of the stated missions of the forum.  Microsoft support will help you fix this with one incident fee.  They are very good at sticking with the issue until it is resolved.



    ¯\_(ツ)_/¯


    • Edited by jrv Friday, April 13, 2012 4:11 PM
    Friday, April 13, 2012 4:06 PM