Get-WinEvent remote successfully retrieves large number of events, then throws "The remote procedure call failed", then throws "The handle is invalid"

  • Question

  • Trying to read Windows Event logs via PowerShell 5.1 on Windows 10 (7GB memory) to Windows 2016 Server (4GB memory).

    This pulls a couple of hundred event messages, then fails. When running locally, runs through until the end without error.

    Does anyone know of any logs errors would be written to? (ironically enough...)

    Thanks,

    Chris

    ps> Get-WinEvent -Credential $mySecureCreds -ComputerName WinFS-Chris -LogName Microsoft-Windows-SMBClient* -FilterXpath @"
    >> *[System[TimeCreated[@SystemTime>'2019-04-01T02:30:00'] and (Level=4)]]
    >> "@


       ProviderName: Microsoft-Windows-SMBClient

    TimeCreated                     Id LevelDisplayName Message
    -----------                     -- ---------------- -------
    4/1/2019 9:46:19 PM          30810 Information      Added a TCP/IP transport interface....
    4/1/2019 9:46:19 PM          30810 Information      Added a TCP/IP transport interface....

    ...

    4/1/2019 4:53:45 PM          30810 Information      Added a TCP/IP transport interface....
    Get-WinEvent : The remote procedure call failed
    At line:1 char:1
    + Get-WinEvent -Credential $mySecureCreds -ComputerName WinFS-Chris -Lo ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
        + FullyQualifiedErrorId : The remote procedure call failed,Microsoft.PowerShell.Commands.GetWinEventCommand

    4/1/2019 4:53:45 PM          30810 Information      Cannot retrieve event message text.
    Get-WinEvent : The handle is invalid
    At line:1 char:1
    + Get-WinEvent -Credential $mySecureCreds -ComputerName WinFS-Chris -Lo ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
        + FullyQualifiedErrorId : The handle is invalid,Microsoft.PowerShell.Commands.GetWinEventCommand

    4/1/2019 4:53:45 PM          30810 Information      Cannot retrieve event message text.

    Tuesday, April 2, 2019 3:17 AM

All replies

  • Hi,

    Thanks for your question.

    Have you used the administrator credential of your target server to run the command? Get-WinEvent can only be run remotely by an administrator on the target server. Also, to get events and event logs from remote computers, the firewall port for the event log service must be configured to allow remote access. Please check it.

    Best regards,

    Lee


    Just do it.

    Tuesday, April 2, 2019 6:48 AM
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Lee


    Just do it.

    Monday, April 8, 2019 8:47 AM
  • There is also a log limit to go through; not sure if this is your issue:

    http://www.powershellish.com/blog/2015-01-19-get-winevent-max-logs

    Monday, April 8, 2019 10:34 PM
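
The checks suggested in the replies above (firewall access for the event log service, and the number of logs the wildcard matches) can be gathered in one pass. This is an added example, not code from any poster in this thread; `Test-RemoteEventLogAccess` is a hypothetical helper name, and the firewall step assumes WinRM is enabled on the target so a CIM session can be opened.

```powershell
# Added example: pre-flight checks before running a remote Get-WinEvent query.
# Test-RemoteEventLogAccess is a hypothetical name; WinFS-Chris is the server
# named in the question.
function Test-RemoteEventLogAccess {
    param(
        [Parameter(Mandatory)] [string]       $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [string] $LogName = 'Microsoft-Windows-SMBClient*'
    )

    # 1. Remote event log access starts at the RPC endpoint mapper (TCP 135).
    $rpc = Test-NetConnection -ComputerName $ComputerName -Port 135 -WarningAction SilentlyContinue

    # 2. State of the built-in firewall rule group on the target.
    #    Assumption: WinRM is enabled there, otherwise this step only warns.
    $rules = @()
    $cim   = $null
    try {
        $cim   = New-CimSession -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop
        $rules = @(Get-NetFirewallRule -CimSession $cim -DisplayGroup 'Remote Event Log Management' -ErrorAction Stop |
                   Select-Object DisplayName, Enabled, Action)
    } catch {
        Write-Warning "Could not read firewall rules on ${ComputerName}: $($_.Exception.Message)"
    } finally {
        if ($cim) { Remove-CimSession $cim }
    }

    # 3. How many logs the wildcard expands to. A single Get-WinEvent query
    #    cannot span more than 256 logs (Windows Event Log API limit).
    $logs = @(Get-WinEvent -ListLog $LogName -ComputerName $ComputerName `
                           -Credential $Credential -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName    = $ComputerName
        RpcPort135Open  = $rpc.TcpTestSucceeded
        FirewallRules   = $rules
        MatchedLogs     = $logs.LogName
        MatchedLogCount = $logs.Count
    }
}

# Prompts for credentials, then reports on the server from the question.
Test-RemoteEventLogAccess -ComputerName 'WinFS-Chris' -Credential (Get-Credential)
```

A result with `RpcPort135Open` true, all three rules enabled and a small `MatchedLogCount` rules out the firewall and log-limit explanations.
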
  • Everybody is guessing and ignoring the obvious clues. The command is working UNTIL it gets an RPC error.

    First look up RPC and try to understand what it is.  After you fully understand then take another guess.  My bet is that you will get closer to the right answer.


    \_(ツ)_/

    Monday, April 8, 2019 11:09 PM