Get-EventLog - 某些事件日志源缺少有效消息

我正在使用 get-eventlog 提取和过滤系统事件日志数据。我发现 get-event log 无法正确返回与某些条目关联的消息。这些条目通常显示在事件日志查看器中。例如。

get-eventlog -logname system | ? { $_.source -eq "Microsoft-Windows-Kernel-General" }

返回 8 个条目，所有条目都有以下形式的消息：

The description for Event ID '12' in Source 'Microsoft-Windows-Kernel-General' cannot be found.  
The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them.  
The following information is part of the event:'6', '1', '7601', '18798', '1', '0', '2015-06-13T08:33:32.359599800Z'

如果我过滤系统事件日志以查找相同的源，我可以清楚地看到完整的消息。例如

The operating system started at system time ‎2015‎-‎06‎-‎13T08:33:32.359599800Z.

我运行以下命令来查看是否有任何其他提供程序无法返回有效的事件消息：

get-eventlog -LogName system | ? { $_.Message -like "The description for Event ID*" }  | Group-Object -Property Source | Select-Object -Property Name

Name
----
Microsoft-Windows-Kernel-General
DCOM
WinRM
Microsoft-Windows-Iphlpsvc

我在事件日志查看器中检查了 DCOM、WinRM 和 Iphlpsvc 源的相应条目，并确认可以看到正确的消息。

我已在管理员级 PowerShell 控制台中运行测试脚本。

有任何想法吗？

编辑：进一步的研究表明 PsLogList 似乎也遇到同样的问题，而 WEVTUTIL 则没有。

编辑：根据Windos的建议，我尝试了get-winevent。我之前尝试过这个，发现它根本不会返回任何 Message 数据。我又试了一次，发现了同样的结果。然后我尝试了

Get-WinEvent -ProviderName "Microsoft-Windows-Kernel-General"

这产生了以下错误

Could not retrieve information about the Microsoft-Windows-Kernel-General provider. Error: The locale specific resource for the desired message is not present.

一点谷歌搜索让我发现'https://p0w3rsh3ll.wordpress.com/2013/12/13/why-does-my-get-winevent-command-fail/ https://p0w3rsh3ll.wordpress.com/2013/12/13/why-does-my-get-winevent-command-fail/'谁也经历过同样的错误消息。他认为这是由于地区环境造成的。我在澳大利亚，因此控制面板中的“格式”设置为“英语（澳大利亚）”。我将其更改为“英语（美国）”，推出了新的 PS 控制台，并通过get-culture我现在在美国并重新运行了get-winevent命令。

Get-WinEvent -ProviderName "Microsoft-Windows-Kernel-General" | select-object -property Message

你瞧……

Message
-------
The system time has changed to ?2015?-?07?-?12T01:06:52.405000000Z from ?2015?-?07?-?12T01:05:51.764208900Z.
The system time has changed to ?2015?-?07?-?12T01:05:09.671000000Z from ?2015?-?07?-?12T01:04:09.226010500Z.
The system time has changed to ?2015?-?07?-?12T01:03:49.119000000Z from ?2015?-?07?-?12T01:02:48.060593100Z.
The system time has changed to ?2015?-?07?-?12T01:02:32.128000000Z from ?2015?-?07?-?12T01:01:29.610105600Z.
The system time has changed to ?2015?-?06?-?13T08:41:12.267000000Z from ?2015?-?06?-?13T08:41:12.404273100Z.
The operating system started at system time ?2015?-?06?-?13T08:33:32.359599800Z.
The operating system is shutting down at system time ?2015?-?06?-?13T08:33:05.091743100Z.
The system time has changed to ?2015?-?06?-?13T08:32:58.947000000Z from ?2015?-?06?-?13T08:32:58.947959900Z.

可悲的是 - 没有改变get-eventlog

get-eventlog -logname system | ? { $_.Source -eq "microsoft-windows-kernel-general" } | select-object -property Message

Message
-------
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found.  The local computer m...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found.  The local computer m...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found.  The local computer m...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found.  The local computer m...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found.  The local computer m...
The description for Event ID '12' in Source 'Microsoft-Windows-Kernel-General' cannot be found.  The local computer ...
The description for Event ID '13' in Source 'Microsoft-Windows-Kernel-General' cannot be found.  The local computer ...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found.  The local computer m...

不确定如何或为什么，但看起来如果你选择Get-WinEvent而不是Get-EventLog你会得到你想要的信息。

应该注意的是，当更改命令时，“Source”参数被称为“ProviderName”，因此您的命令将变为：

Get-WinEvent -LogName System | Where { $_.ProviderName -eq 'Microsoft-Windows-Kernel-General' }