llarava
asked on
Get-WinEvent -FilterHashtable: Message returns blank, but a message/description is part of the event.
Trying to use Get-WinEvent to query for Event ID 1116 and find the message/description. The Event IDs are being collected via a GPO subscription on a Microsoft Event Collector.
When I run Get-WinEvent to query for Event ID 1116, the Message/description is blank, but when I check the XML of the event I can see a message/description. I need to be able to output the Message as part of the command.
Get-WinEvent -FilterHashtable @{LogName="ForwardedEvents";Id=1116} -MaxEvents 1 | Select TimeCreated, Message
TimeCreated Message
----------- -------
12/17/2016 2:06:51 PM
but the XML of the event shows a message:
<Message>Microsoft Antimalware has detected malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003&enterprise=1 Name: Virus:DOS/EICAR_Test_File ID: 2147519003 Severity: Severe Category: Virus Path: file:_icrosoft\Windows\Temporary Internet Files\Content.IE5\HZANLCTP\eicar[1].com Detection Origin: Internet Detection Type: Concrete Detection Source: Real-Time Protection User: s Name: C:\Program Files (x86)\Internet Explorer\iexplore.exe Signature Version: AV: 1.233.2750.0, AS: 1.233.2750.0, NIS: 116.72.0.0 Engine Version: AM: 1.1.13303.0, NIS: 2.1.12706.0</Message>
ASKER CERTIFIED SOLUTION
The only way for me to investigate would be if you supplied a sample .evtx file that included the events to examine.
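An added example, not part of the thread above and not posted by either participant. Get-WinEvent fills the Message property by rendering the event with the provider's message resources on the machine running the cmdlet; when the provider is not registered on the collector, Message comes back empty even though the forwarded record still carries the text rendered on the source machine in its <RenderingInfo><Message> element (present when the subscription's content format is RenderedText, which is assumed here). The script below checks whether the provider is registered locally, then pulls the Message from the event XML when the local rendering is blank. The provider name 'Microsoft Antimalware' is an assumption taken from the message text in the question, and the EventData field names are whatever the provider emitted.

```powershell
# Added example (not from the thread). Assumed: records in the collector's
# ForwardedEvents log were forwarded with ContentFormat = RenderedText, so each
# carries <RenderingInfo><Message> rendered on the source host; the provider
# name 'Microsoft Antimalware' is an assumption based on the message text.

function Test-ProviderRegistered {
    # Get-WinEvent resolves .Message from the provider's message resources on
    # the machine running the cmdlet. If the provider is not registered there,
    # .Message is empty even though the forwarded XML still carries the text.
    param([Parameter(Mandatory)][string]$ProviderName)
    try {
        $null = Get-WinEvent -ListProvider $ProviderName -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

function Get-ForwardedEventMessage {
    param(
        [string]$LogName   = 'ForwardedEvents',
        [int]   $Id        = 1116,
        [int]   $MaxEvents = 10
    )

    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Id } -MaxEvents $MaxEvents |
        ForEach-Object {
            [xml]$x = $_.ToXml()

            # EventData is present regardless of rendering; collect it as
            # Name = Value pairs (field names are whatever the provider emitted).
            $fields = [ordered]@{}
            foreach ($d in @($x.Event.EventData.Data)) {
                if ($d.Name) { $fields[$d.Name] = $d.'#text' }
            }

            # Prefer the locally rendered Message; fall back to the text rendered
            # at the source (RenderingInfo). Collapse whitespace for one-line output.
            $msg = $_.Message
            if (-not $msg) { $msg = $x.Event.RenderingInfo.Message }
            if ($msg) { $msg = ($msg -replace '\s+', ' ').Trim() }

            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Computer    = $x.Event.System.Computer
                Provider    = $x.Event.System.Provider.Name
                Message     = $msg
                EventData   = $fields
            }
        }
}

# Usage on the collector
if (-not (Test-ProviderRegistered -ProviderName 'Microsoft Antimalware')) {
    Write-Warning 'Provider not registered on this host; .Message will be empty, using RenderingInfo instead.'
}
Get-ForwardedEventMessage -Id 1116 -MaxEvents 1 | Format-List TimeCreated, Computer, Message, EventData
```

If RenderingInfo is absent as well (subscription content format set to Events rather than RenderedText), Message stays empty and only EventData is available; in that case either switch the subscription to RenderedText or build the description from the EventData fields.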