2
votes
$FilterXML = '<QueryList>
                <Query Id="0" Path="System">
                    <Select Path="System">*[System[Provider[@Name="Service Control Manager"] and (Level=2)]]</Select>
                </Query>
             </QueryList>'
$Errors = Get-WinEvent -FilterXml $FilterXML
$Errors = $Errors | ?{ $_.ToXml().Contains("SomeService") }

The problem is that for every object, the Message property is null. I can get some info using the .ToXml() method, but I can't get the message that you can see in the Windows Event Viewer under the General tab.

If I use the Get-EventLog cmdlet, the Message property returns a string about some error.

The description for Event ID '-1073734793' in Source 'Service Control Manager' cannot be found. The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them. The following information is part of the event:'SomeService', '2', '0', '3', 'Run the configured recovery program'

2 Answers

3
votes

Try something like this, which I believe is equivalent to what you were trying.

get-winevent -FilterHashtable  @{LogName="System";ProviderName="Service Control Manager";Level=2} | ?{$_.message -match "someservice"}

I suppose Get-WinEvent is able to read those that come as "error message":

I tried two equivalent commands. Got the expected message with Get-WinEvent and the "error" message that you got with Get-EventLog:

get-eventlog -LogName System | ?{$_.eventid -eq 10016} | select message

get-winevent -LogName System  | ?{$_.id -eq 10016} | select message

1
votes

Can you get the message with WMI?

Get-WmiObject Win32_NTLogEvent -Filter "Logfile='system' AND SourceName='Service Control Manager' AND Message LIKE '%SomeService%'" | select Message
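
An added example, not part of any of the posts above: when Message comes back null, the event's structured EventData can be filtered and read directly instead of the rendered text. It assumes Service Control Manager events carry the service name in the `param1` data field; `SomeService` is the placeholder from the question.

```powershell
# Added example: filter on and read EventData rather than the rendered Message.
# Assumption: Service Control Manager events store the service name in
# <Data Name="param1">. 'SomeService' is the placeholder used in the question.
$ServiceName = 'SomeService'

# The second predicate matches on the event payload, so no Message text and
# no message DLL lookup is needed to find the events.
$FilterXML = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">
      *[System[Provider[@Name='Service Control Manager'] and (Level=2)]]
      and
      *[EventData[Data[@Name='param1']='$ServiceName']]
    </Select>
  </Query>
</QueryList>
"@

# Get-WinEvent raises an error when nothing matches; suppress it and return nothing.
$Errors = Get-WinEvent -FilterXml $FilterXML -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()

        # Collect every <Data> element as name/value pairs, in document order.
        $data = [ordered]@{}
        $i = 0
        foreach ($d in $xml.GetElementsByTagName('Data')) {
            $i++
            $name = $d.GetAttribute('Name')
            if (-not $name) { $name = "data$i" }   # unnamed fields get a positional key
            $data[$name] = $d.InnerText
        }

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            # Get-EventLog reported -1073734793, which is 0xC0001B77: the low
            # 16 bits are the event ID (7031) that Get-WinEvent exposes as Id.
            Id          = $_.Id
            Service     = $data['param1']
            EventData   = ($data.GetEnumerator() |
                               ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
        }
    }

$Errors | Format-List
```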