Solved

How do I troubleshoot the Set-Strictmode Powershell command?

Posted on 2015-02-06
8
195 Views
Last Modified: 2015-02-06
Hi Expert,

Why does line 4, Get-WinEvent, fail when I add the 'Set-StrictMode -Version Latest' entry?
What is the best way to troubleshoot results from this setting?

Thank you. CuriousMAUser

Set-StrictMode -Version Latest
 $cred = Get-Credential Domain\admin
# Grab the events from a DC
 $Events = Get-WinEvent -ComputerName DC01 -Credential $cred -FilterHashTable @{Logname='Security';ID=4729}  

# Parse out the event message data
 ForEach ($Event in $Events) {
  # Convert the event to XML
  $eventXML= [xml]$Event.ToXml()
 
  # Iterate through each one of the XML message properties
  For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) {
 
  # Append these as object properties
  Add-Member -InputObject $Event -MemberType NoteProperty -Force `
    -Name $eventXML.Event.EventData.Data[$i].name `
    -Value $eventXML.event.eventData.Data[$i].'#text'
 
  # View the results with your favorite output method
  $Events | Select-Object -property MemberName, ID, TargetUserName, TargetDomainName, TimeCreated, Message | export-csv C:\Scripts\WinEventID4729.csv

   }
}
0
Comment
Question by:CuriousMAUser
  • 4
  • 3
8 Comments
 
LVL 68

Expert Comment

by:Qlemo
Comment Utility
First step with PowerShell is always to read the error message. PS is verbose on failure.
Which PS release are you running?
0
 

Author Comment

by:CuriousMAUser
Comment Utility
Thank you, Qlemo.

Of course, I tried to repeat the process and was unable to repeat the error.

I started with
Set-StrictMode -Version 4 - ran the script successfully
Set-StrictMode -Version Latest - ran the script successfully

Hmmmm. The error did appear once, maybe I had a fat figure error and the syntax was incorrect. I'll keep testing and see what I find. If I can't repeat the error I'll close the ticket. Thank you for the quick response.
0
 
LVL 68

Expert Comment

by:Qlemo
Comment Utility
Just has been some kind of typo or other failure probably.
0
 

Author Comment

by:CuriousMAUser
Comment Utility
Hi Qlem,

A different script did create an error message:
System.Management.Automation.RuntimeException
The variable '$UserName' cannot be retrieved because it has not been set.
System.Management.Automation.RuntimeException
The variable '$UserName' cannot be retrieved because it has not been set.

The variable $UserName needs to be defined. Does that belong before the 'try' statement? Can you supply an example?
*********************************************************
Set-ExecutionPolicy remotesigned -Force
Import-module activedirectory

Set-StrictMode -Version Latest

try{
 $SearchID='4728'
 get-childitem "C:\EventLog\SecurityEvents.evtx" | select FullName | forEach{
  %{get-winevent  -filterHashTable @{path=$psitem.Fullname;ID=$SearchID } -ErrorAction Stop   |                
     ? {$psitem.Properties[5].Value -match $UserName}   |  
     Select-Object -Property TimeCreated, `
                             @{Name='SecurityId';Expression={$psitem.Properties[4].Value}}, `
                             @{Name='AccountName';Expression={$psitem.Properties[5].Value}}, `
                             @{Name='AccountDomain';Expression={$psitem.Properties[6].Value}}, `
                             @{Name='LogonId';Expression={$psitem.Properties[7].Value}}, `
                             @{Name='LogonType';Expression={$psitem.Properties[8].Value}}, `
                             @{Name='Description';Expression={$psitem.Message}}, `
     Format-Table
 }  }
 }
 Catch{
 $psitem.Exception.GetType().FullName
 $psitem.Exception.Message
 }
#
# Event Code 4729
#
try{
 $SearchID='4729'
 get-childitem "C:\EventLog\SecurityEvents.evtx" | select FullName | forEach{
  %{get-winevent  -filterHashTable @{path=$psitem.Fullname;ID=$SearchID } -ErrorAction Stop   |                
     ? {$psitem.Properties[5].Value -match $UserName}   |  
     Select-Object -Property TimeCreated, `
                             @{Name='SecurityId';Expression={$psitem.Properties[4].Value}}, `
                             @{Name='AccountName';Expression={$psitem.Properties[5].Value}}, `
                             @{Name='AccountDomain';Expression={$psitem.Properties[6].Value}}, `
                             @{Name='LogonId';Expression={$psitem.Properties[7].Value}}, `
                             @{Name='LogonType';Expression={$psitem.Properties[8].Value}}, `
                             @{Name='Description';Expression={$psitem.Message}},
     Format-Table
 }  }
 }
 Catch{
 $psitem.Exception.GetType().FullName
 $psitem.Exception.Message
 }
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 

Author Comment

by:CuriousMAUser
Comment Utility
I've requested that this question be closed as follows:

Accepted answer: 0 points for CuriousMAUser's comment #a40594680

for the following reason:

Hi Qlem,

Thank you for your response to the first question. Sorry I tried to slip in another. :-)

Enjoy the weekend. I'll work on the variable question myself. That was a lazy response.

Thank you. You've opened my eyes to what to ask.
0
 
LVL 68

Accepted Solution

by:
Qlemo earned 500 total points
Comment Utility
Doesn't matter if you put it inside or outside of the block.
I'm not certain I understand the meaning of $psitem, though.
And off course it is bad style to repeat the same code just changing the event ID.
0
 

Author Closing Comment

by:CuriousMAUser
Comment Utility
Good point, thx
0
 
LVL 39

Expert Comment

by:footech
Comment Utility
$psitem is the same as $_
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Join & Write a Comment

Set OWA language and time zone in Exchange for individuals, all users or per database.
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now