Get-CimInstance not finding all Event Logs in Win32_NTLogEvent

  • Question

  • Afternoon. I have set up my event log to have this (Microsoft-Windows-PrintService/Operational) enabled. I'm using Windows 8.1. The event is triggered in Event Viewer (EventID 821) when I print.

    When I run

    Get-CimInstance -ClassName Win32_NTLogEvent -Filter "(LogFile like 'Microsoft-Windows-PrintService/Operational')"

    I get nothing back.

    I have also tried Get-WmiObject -Class Win32_NTLogEvent -Filter "LogFile like 'Microsoft-Windows-PrintService/Operational'" and get nothing back.

    Get-WinEvent -LogName Microsoft-Windows-PrintService/Operational returns successfully.
    Is Get-CimInstance not able to see this part of the Event Log?

    Any guidance/help appreciated.

    Thanks, Tim.

     
    Thursday, October 27, 2016 6:06 AM

Answers

All replies

  • The following command will get all event log file names available to WMI:

    Get-CimInstance Win32_NTEventLogFile


    \_(ツ)_/

    Thursday, October 27, 2016 6:31 AM
  • You must modify the registry to allow WMI access to extended logs:

    https://kc.mcafee.com/corporate/index?page=content&id=KB81367

    After you modify the registry you can do this:

    Get-CimInstance Win32_NTLogEvent -Filter 'LogFile="Microsoft-Windows-PrintService/Operational"'


    \_(ツ)_/

    • Marked as answer by Tim Haintz Thursday, October 27, 2016 9:15 AM
    Thursday, October 27, 2016 6:49 AM
  • THANK YOU jrv. I really appreciate your help. Worked exactly as mentioned.

    Regards, Tim.

    Thursday, October 27, 2016 9:15 AM
  • You really shouldn't use WMI for this.  It does not manage the data as well as Get-WinEvent.

    \_(ツ)_/

    Thursday, October 27, 2016 9:16 AM
  • Yeah, I need to set up an action when a print job occurs. I went down the path of:

    $print = new-object system.drawing.printing.printdocument
    register-objectevent -inputobject $print -eventname beginprint -sourceidentifier print.beginprint -Action { write-output "Event triggered" }

    But couldn't get the print event to trigger. Started down the path of using WMI to check the event log and found I couldn't see the event logs I needed. I will now try and get this event to trigger the action I'm looking for.

    Thanks again for your help.

    Thursday, October 27, 2016 9:36 AM
  • You have to do the complete print rendering to use the events in PowerShell.


    \_(ツ)_/

    Thursday, October 27, 2016 9:39 AM
  • Thanks for the replies jrv. Sorry, I'm not sure I understand. I googled 'complete print rendering PowerShell' and it didn't come back with anything that related to what I was looking for.

    Do you have a link that might point me in the right direction? 

    Thanks again.
    Thursday, October 27, 2016 9:44 AM
  • Here is a partial example showing how to hook up events.

    https://1drv.ms/u/s!AjiiPtIUqzK_hIwbtDP9qgIhgnoASw


    \_(ツ)_/

    • Proposed as answer by Rash Iglesias Thursday, October 27, 2016 9:50 AM
    Thursday, October 27, 2016 9:48 AM
  • Wow, thank you jrv. You have gone above and beyond. Will digest.

    Thank you again! Have a nice night/day.
    Thursday, October 27, 2016 9:50 AM
  • You should be marked as Professional Solution expert. I always follow the posts you answer and mostly they get the right answer they came for. Good job, JRV.



    Thursday, October 27, 2016 9:52 AM
  • You should be marked as Professional Solution expert.

    Sorry - I just have done too much coding for too long.

    The example works partly.  I couldn't find the one that was delivered.  This was just a test case that I used to learn the print API under PowerShell.  It mostly works but needs to be fixed as somehow I left it in a broken state.

    Maybe tomorrow I will fix it.


    \_(ツ)_/

    Thursday, October 27, 2016 9:55 AM
  • Good head

    I'm currently studying System Integration and young enough to study more sometimes learning some codings from your blog as well.

    Best of luck.

    Thursday, October 27, 2016 9:59 AM
  • Thank you.  Good luck with your studies.


    \_(ツ)_/

    Thursday, October 27, 2016 10:00 AM
  • I have modified my eventing now to trigger when an event log is generated. The code below is looking in 'Microsoft-Windows-PrintService/Operational' for Event ID 800 to be created. This is generated when a print job is kicked off in 2012R2 and Windows 10.

    $querystring = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.Logfile = 'Microsoft-Windows-PrintService/Operational' AND TargetInstance.Eventcode = '800'"
    
    Register-WmiEvent -Query $QueryString -SourceIdentifier "PrintLog"

    I haven't tried Register-CimIndicationEvent as yet.

    Thanks again jrv.

    Regards, Tim.


    • Edited by Tim Haintz Sunday, November 6, 2016 7:16 AM
    Sunday, November 6, 2016 7:14 AM
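
Added example, not part of the thread or any poster's code: the same Event ID 800 trigger built on the Windows Event Log API (`EventLogWatcher`), which reads the channel that `Get-WinEvent` already sees, so the WMI registry change is not involved. The source identifier `PrintLog.Watcher` and the output line are assumptions made for this illustration.

```powershell
# Added example: subscribe to new Event ID 800 records in the PrintService
# Operational channel through System.Diagnostics.Eventing.Reader.
# 'PrintLog.Watcher' and the output format are illustrative assumptions.
$channel = 'Microsoft-Windows-PrintService/Operational'
$xpath   = '*[System[(EventID=800)]]'

# Fail early if the channel is missing or disabled; a disabled channel never fires.
$log = Get-WinEvent -ListLog $channel -ErrorAction Stop
if (-not $log.IsEnabled) {
    throw "Channel '$channel' is disabled; enable it in Event Viewer first."
}

$pathType = [System.Diagnostics.Eventing.Reader.PathType]::LogName
$query = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogQuery `
    -ArgumentList $channel, $pathType, $xpath
$watcher = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogWatcher `
    -ArgumentList $query

$null = Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten `
    -SourceIdentifier 'PrintLog.Watcher' -Action {
        $record = $EventArgs.EventRecord
        if ($null -eq $record) {
            # Delivery failures arrive with EventException set instead of a record.
            Write-Warning "Watcher error: $($EventArgs.EventException.Message)"
            return
        }
        # Replace this line with the action to run for each print job.
        Write-Host ("{0:s} event {1} record {2}: {3}" -f $record.TimeCreated,
            $record.Id, $record.RecordId, $record.FormatDescription())
    }

$watcher.Enabled = $true   # start delivering events to the action block

# To stop the subscription later:
# $watcher.Enabled = $false
# Unregister-Event -SourceIdentifier 'PrintLog.Watcher'
# $watcher.Dispose()
```
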
  • jrv - Can you post the regkey to modify? Not all have access to McAfee KB
    Monday, February 25, 2019 10:43 PM
  • The key and instructions are posted on McAfee site and do not require special access. 

    \_(ツ)_/

    Monday, February 25, 2019 10:58 PM
  • jrv - I've tried the link provided and searched on the McAfee site for the kb "KB81367". I have gone through all of the search results that link back to that kb and it still appears to be walled by the McAfee logon portal :[
    • Edited by Sub_Zerox Tuesday, February 26, 2019 3:55 AM typo
    • Proposed as answer by Sub_Zerox Tuesday, February 26, 2019 4:40 AM
    • Unproposed as answer by Sub_Zerox Tuesday, February 26, 2019 4:40 AM
    Tuesday, February 26, 2019 3:54 AM
  • "

    I know this is an old question, but to anyone stumbling across this, it IS actually possible, you just need to add a registry key to the below location for the log you want to query i.e. Microsoft-Windows-PrintService/Admin, or Microsoft-Windows-TaskScheduler/Operational in my case (both parts, with the slash) to the below location.

    Not great, but at least it's something.

    Credit to McAfee (a few results below on Google, but hopefully may stop some people giving up prematurely!)

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\

    "

    Credit to "user112437" on stack

    You may also have to add these keys as follows (providing my examples for my use case you will have to tune for your own and these may not be applicable to you):

    NAME | TYPE | DATA <- This is just the template for below

    DisplayNameFile | REG_EXPAND_SZ | %SystemRoot%\system32\wevtapi.dll

    File | REG_SZ | %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-SMBServer%4Audit.evtx

    Primary Module | REG_SZ | Microsoft-Windows-SMBServer/Audit

    • Proposed as answer by Sub_Zerox Tuesday, February 26, 2019 4:51 AM
    Tuesday, February 26, 2019 4:51 AM
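
Added example, not code from the thread or from McAfee: creating the subkey described above for the original poster's channel and then re-running the WMI query from the accepted answer. It assumes an elevated session and that the empty subkey alone is enough; the key is created through .NET because the PowerShell registry provider treats the `/` in the channel name as a path separator.

```powershell
#requires -RunAsAdministrator
# Added example. Assumption: an empty subkey named after the channel is enough;
# the extra values listed in the post above are not written here.
$channel = 'Microsoft-Windows-PrintService/Operational'
$base    = 'SYSTEM\CurrentControlSet\Services\EventLog'

# Confirm the channel exists for the Windows Event Log API before touching WMI.
$log = Get-WinEvent -ListLog $channel -ErrorAction Stop
"Get-WinEvent sees '{0}': enabled={1}, records={2}" -f `
    $log.LogName, $log.IsEnabled, $log.RecordCount

# Logs WMI currently exposes (those registered under the EventLog key).
$wmiLogs = Get-CimInstance Win32_NTEventLogFile |
    Select-Object -ExpandProperty LogfileName
"WMI lists it before the change: {0}" -f ($wmiLogs -contains $channel)

# New-Item 'HKLM:\...\Microsoft-Windows-PrintService/Operational' would split
# the name at '/', so use the .NET registry API, which only splits on '\'.
$root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($base, $true)
try {
    $existed = $root.GetSubKeyNames() -contains $channel
    if (-not $existed) {
        $root.CreateSubKey($channel).Close()
    }
    "Subkey already present: {0}" -f $existed
}
finally {
    $root.Close()
}

# Same query as in the accepted answer; -Filter takes WQL, so quote the name.
$events = Get-CimInstance Win32_NTLogEvent -Filter "LogFile='$channel'" |
    Select-Object -First 5 RecordNumber, EventCode, TimeGenerated
if ($events) { $events | Format-Table -AutoSize }
else { 'No events returned through WMI for this log yet.' }

# To undo: call DeleteSubKey($channel) on a writable handle to the same base key.
```
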
  • jrv - I've tried the link provided and searched on the McAfee site for the kb "KB81367". I have gone through all of the search results that link back to that kb and it still appears to be walled by the McAfee logon portal :[

    Sorry.  I no longer use McAfee so I can't help you.  Any McAfee support customer can use the link I posted to access this KB.

    The article and issue are very old and likely no longer an issue.

    If you are having issues with McAfee please post in a McAfee forum or contact McAfee support.


    \_(ツ)_/

    Tuesday, February 26, 2019 5:16 AM