EventID different from Event Viewer GUI vs command line

  • Question

  • PS D:\test> Get-EventLog -LogName "Application"|Where-Object{$_.EventID -eq 16384}|sort -uniq

       Index Time          EntryType   Source                 InstanceID Message
       ----- ----          ---------   ------                 ---------- -------
        1082 May 25 03:19  Information Software Protecti...   1073758208 Successfully scheduled Software Protection service for re-start at 2117-04-30T17:19:52Z. Reason: Rul...

    then

    PS D:\test> Get-EventLog -LogName "Application" -InstanceId 16384|sort -uniq
    Get-EventLog : No matches found

    In Event Viewer GUI there is an entry with event ID 16384 in Log Application. But when I do where-object it gives an entry with event ID 1073758208. Furthermore, if I search for instanceID 16484 there is no match. What's going on here? THX


    • Edited by gunitinug Saturday, June 17, 2017 5:00 AM
    Saturday, June 17, 2017 5:00 AM

All replies

  • A little study of event log is required. 

    In modern Windows we prefer Get-WinEvent.  "Get-EventLog is used for older versions of Windows like XP."

    An EventID and an InstanceID are not the same thing.

    help Get-WinEvent -full

    Get-WinEvent -FilterHashtable @{Logname='Application';ID=16384}

    There is no equivalent with Get-Eventlog.


    \_(ツ)_/

    Saturday, June 17, 2017 6:01 AM
  • PS D:\test> Get-WinEvent -FilterHashtable @{Logname='Application';ID=16384}|Where-Object{$_.providername -eq "security-spp"}|sort -uniq
    PS D:\test> Get-WinEvent -FilterHashtable @{Logname='Application';ID=16384}|Where-Object{$_.providername -eq "microsoft-windows-security-spp"}|sort -uniq


       ProviderName: Microsoft-Windows-Security-SPP

    TimeCreated                     Id LevelDisplayName Message
    -----------                     -- ---------------- -------
    25/05/2017 3:19:52 AM        16384 Information      Successfully scheduled Software Protection service for re-start at 2117-04-30T17:19:52Z. Reason: RulesEngine.

    In Event Viewer GUI, source for ID 16384 is Security-SPP. Is the source Security-SPP or Microsoft-Windows-Security-SPP?

    Saturday, June 17, 2017 8:23 AM
  • You need to spend some time learning how the event log works.  It cannot be guessed:

    Get-WinEvent -FilterHashtable @{Logname='Application';ID=16384} -max 1 | select *

    The "Source" is the "ProviderName" property.  The source in the EventVwr is derived from the application or service that logs the events.

    Here is a full SPP record:

    Log Name:      Application
    Source:        Microsoft-Windows-Security-SPP
    Date:          6/17/2017 4:23:05 AM
    Event ID:      16384
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      ALPHA
    Description:
    Successfully scheduled Software Protection service for re-start at 2117-05-24T08:23:05Z. Reason: RulesEngine.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-SPP" Guid="{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}" EventSourceName="Software Protection Platform Service" />
        <EventID Qualifiers="16384">16384</EventID>
        <Version>0</Version>
        <Level>4</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2017-06-17T08:23:05.574349500Z" />
        <EventRecordID>252768</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>ALPHA</Computer>
        <Security />
      </System>
      <EventData>
        <Data>2117-05-24T08:23:05Z</Data>
        <Data>RulesEngine</Data>
      </EventData>
    </Event>

    The name visible in EV is chosen and set by the app when it registers.  It may or may not match any record data.  The current SPP is only available in the "Classic" logs but all new Security-SPP are in the new log format and listed in the new Windows logs.  This provider cannot be queried as a FilterHashTable.  They can be queried using "FilterXml" or "FilterXPath".


    \_(ツ)_/

    Saturday, June 17, 2017 8:43 AM
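An added example (not posted by anyone in this thread) that shows why Get-EventLog reported InstanceID 1073758208 for the event the GUI lists as 16384, and which filters actually match that SPP record; the helper function name is an assumption:

```powershell
# Added example, not from the thread. Decodes a classic (pre-ETW) event's
# InstanceId into the Qualifiers/EventID pair that Event Viewer displays,
# then shows the filters that match the Security-SPP event discussed above.

function ConvertFrom-InstanceId {   # hypothetical helper name
    param([Parameter(Mandatory)][long]$InstanceId)
    # Classic events keep the 16-bit Qualifiers in the high word and the
    # 16-bit EventID in the low word; Event Viewer shows only the low word.
    [pscustomobject]@{
        InstanceId = $InstanceId
        Qualifiers = ($InstanceId -shr 16) -band 0xFFFF
        EventId    = $InstanceId -band 0xFFFF
    }
}

# 1073758208 (0x40004000) is the value Get-EventLog returned in the question.
ConvertFrom-InstanceId 1073758208
# Qualifiers = 16384 (0x4000), EventId = 16384, i.e. the record's
# <EventID Qualifiers="16384">16384</EventID>

# Get-EventLog -InstanceId expects the full 32-bit value, which is why
# -InstanceId 16384 matched nothing. Its EventID property is the low word.
Get-EventLog -LogName Application -InstanceId 1073758208 -Newest 1

# Get-WinEvent's ID key matches the 16-bit EventID, so 16384 works here.
Get-WinEvent -FilterHashtable @{LogName='Application'; ID=16384} -MaxEvents 1

# Restricting to the provider: the ProviderName hashtable key fails for this
# classic provider (the LogsAndProvidersDontOverlap error seen in the thread),
# so match the Provider Name attribute from the event XML with FilterXPath.
$xpath = "*[System[Provider[@Name='Microsoft-Windows-Security-SPP'] and EventID=16384]]"
Get-WinEvent -LogName Application -FilterXPath $xpath -MaxEvents 1 |
    Select-Object TimeCreated, Id, ProviderName, Message
```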
  • Sorry but you missed my question. Here I applied a filter to the log to list all entries whose source equals security-spp. But it displays two different sources. At the top it says Microsoft-Windows-Security-SPP and in the list it shows Security-SPP. THX

    Saturday, June 17, 2017 9:24 AM
  • PS D:\test> Get-WinEvent -LogName 'Application' | Where-Object {$_.ProviderName -eq 'microsoft-windows-security-spp'} | sort -uniq


       ProviderName: Microsoft-Windows-Security-SPP

    TimeCreated                     Id LevelDisplayName Message
    -----------                     -- ---------------- -------
    19/05/2017 7:10:56 PM         1004 Information      The Software Protection service has successfully installed the license....


    PS D:\test> Get-WinEvent -FilterHashtable @{Logname="Application"; ProviderName="microsoft-windows-security-spp"}
    Get-WinEvent : The specified providers do not write events to any of the specified logs.
    At line:1 char:1
    + Get-WinEvent -FilterHashtable @{Logname="Application"; ProviderName=" ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (:) [Get-WinEvent], Exception
        + FullyQualifiedErrorId : LogsAndProvidersDontOverlap,Microsoft.PowerShell.Commands.GetWinEventCommand

    Get-WinEvent : The parameter is incorrect
    At line:1 char:1
    + Get-WinEvent -FilterHashtable @{Logname="Application"; ProviderName=" ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
        + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWinEventCommand

    The second command doesn't work...

    Sunday, June 18, 2017 12:14 AM
  • The ProviderName for the EL does not work as you expect.  This Provider writes only "classic" entries.

    Level:         Information
    Keywords:      Classic

    XML:
     <Keywords>0x80000000000000</Keywords>

    To reference this you must use FilterXml or FilterXPath.


    \_(ツ)_/

    Sunday, June 18, 2017 12:19 AM
  • The ProviderName is the name that appears in the Source field in the Event Viewer. This is shown here:

    https://blogs.technet.microsoft.com/heyscriptingguy/2014/06/03/use-filterhashtable-to-filter-event-log-with-powershell/

    Best regards,

    Andy



    Monday, June 19, 2017 8:57 AM
  • PS C:\Users\CMY> get-winevent -logname 'application' | where-object {$_.providername -eq 'microsoft-windows-security-spp'} | %{$_.id} | sort -uniq
    900
    902
    903
    1003
    1004
    1033
    1034
    1066
    8230
    16384

    This is what I wanted to do... list all event IDs for security-spp. 

    NOTE: %{} is foreach-object and ?{} is where-object
    • Edited by gunitinug Thursday, June 22, 2017 1:11 AM
    • Proposed as answer by Hello_2018 Thursday, June 22, 2017 2:51 AM
    Thursday, June 22, 2017 12:12 AM
  • This is much faster and more complete:

    (Get-WinEvent -ListProvider 'microsoft-windows-security-spp').Events|select id


    \_(ツ)_/

    • Proposed as answer by Hello_2018 Thursday, June 22, 2017 2:51 AM
    Thursday, June 22, 2017 12:49 AM
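An added example (not from either poster) that combines the two approaches above: it takes the IDs the provider registers via -ListProvider and compares them with the IDs actually present in the Application log, so a defender can see which declared events have never fired and whether any logged ID is undeclared; the function name is an assumption:

```powershell
# Added example, not from the thread. Compares the event IDs a provider
# declares (Get-WinEvent -ListProvider) with the IDs observed in a log.

function Get-ProviderIdCoverage {   # hypothetical helper name
    param(
        [string]$ProviderName = 'Microsoft-Windows-Security-SPP',
        [string]$LogName      = 'Application'
    )
    # IDs declared in the provider's manifest or message resources.
    # EventMetadata.Id is a long; cast to int so it compares with record Ids.
    $declared = @((Get-WinEvent -ListProvider $ProviderName -ErrorAction Stop).Events |
        ForEach-Object { [int]$_.Id } | Sort-Object -Unique)

    # IDs observed in the log, with counts. -eq on strings is case-insensitive,
    # which is why 'microsoft-windows-security-spp' matched in the thread.
    $seen = @{}
    Get-WinEvent -LogName $LogName -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -eq $ProviderName } |
        ForEach-Object { $seen[[int]$_.Id] = 1 + [int]$seen[[int]$_.Id] }

    foreach ($id in ($declared + @($seen.Keys) | Sort-Object -Unique)) {
        [pscustomobject]@{
            Id       = $id
            Declared = $declared -contains $id   # $false: logged but not in manifest
            Count    = [int]$seen[$id]           # 0: declared but never logged
        }
    }
}

Get-ProviderIdCoverage | Format-Table -AutoSize
```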