I have a very odd problem I can't seem to get figured out.
Here is a very simple script:
$XPath = "Event[System[EventID=4740]]"
Get-WinEvent -LogName 'Security' -FilterXPath $XPath
If I execute this line by line from an Admin PowerShell, I have no issues.
As soon as I save this to a .PS1 and execute, I get the following error:
unable to perform an unauthorized operation
Any ideas on where I might look? I have checked all the registry and event log permissions and they seem to be normal. I also checked:
And it is set to FullLanguage. I am stumped. Thanks in advance for any help/suggestions.
Have you tried turning it off and on again?
Haha j/k. How are you executing your script?
Thanks Rob and Doug for the suggestions.
I won't have access to the systems until Monday.
Rob, I have already validated everything in the post you referred to EXCEPT for the -computerName parameter. I will check that Monday.
I was thinking maybe AppLocker or Device Guard might be the cause and somehow blocking PS1 access to the logs as that simple script fails as a PS1, but not direct from the command line.
Doug, I (far end user actually) was executing the script as such from both a command prompt and PowerShell, and it failed in both:
PowerShell -ExecutionPolicy Bypass .\test.PS1
Again, thanks for the suggestions. I will post what I find on Monday. The system(s) are air gapped so I don't have direct access. There are actually two systems with the same behavior.
OK, I did find out the user is using -ComputerName. So, when you add that, it does fail. We checked just about every network setting I can think of, and also a reboot, and still no joy.
Using -ComputerName, we tried the FQDN, $ENV:ComputerName, the NetBIOS name and the IP address; all failed in the same way.
Any ideas on what to check next?
IIRC each cmdlet that offered -Computername was implemented in their own remoting (many using DCOM) except of course Remoting commands. This is why the *-Service cmdlets no longer have -ComputerName in core. So my guess would be you can’t connect to event viewer remotely either?
Doug, we are going to try the remote connection tomorrow. BTW, I should have mentioned this earlier, the PowerShell version is 5.1.
Basically, the end user is running a very large Script that audits the systems, and it does support remote systems (using the ComputerName argument). The only Cmdlet that uses this argument is Get-WinEvent. Everything else is done via a CimSession.
I was hoping to solve this issue via remote, so I am hoping you are wrong on that.
Is there any way to get Event Log data (easily) via a CimSession?
I had a look at the PowerShell source and the issue seems to be related to creating an EventLogSession. One thing I noticed in the source is they fall back to setting the computername to “localhost” if the ComputerName argument is not present. I did NOT try that in my testing with the user. I will try that tomorrow using:
And see if this works.
I did have them ping localhost and that worked.
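An added example (not code from any of the posts above) covering the question of reading event log data over a CimSession instead of Get-WinEvent -ComputerName: it queries the classic Security log for the same EventID 4740 (account lockout) through the Win32_NTLogEvent class. The function name, the parameters and the example host name are assumptions; reading the Security log this way still needs the same rights as Get-WinEvent (local admin / SeSecurityPrivilege on the target).

```powershell
# Added example, not from the thread: fetch EventID 4740 from a remote Security log
# via CIM, as a substitute for Get-WinEvent -ComputerName in an audit script.
function Get-LockoutEventsViaCim {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # assumed: target host (FQDN, NetBIOS or IP)
        [int]$EventId = 4740,                          # same ID as the XPath filter in the post
        [int]$Newest  = 50
    )

    # WSMan transport (WinRM, TCP 5985/5986). If the audit script already relies on DCOM,
    # use New-CimSessionOption -Protocol Dcom instead.
    $opt     = New-CimSessionOption -Protocol Wsman
    $session = New-CimSession -ComputerName $ComputerName -SessionOption $opt -ErrorAction Stop
    try {
        # Win32_NTLogEvent only exposes the classic logs (Application, System, Security, ...),
        # which is enough here. Logfile and EventCode correspond to -LogName and EventID.
        $wql = "SELECT * FROM Win32_NTLogEvent WHERE Logfile='Security' AND EventCode=$EventId"

        # For 4740 the first two insertion strings are TargetUserName (the locked-out account)
        # and TargetDomainName, which Windows fills with the caller computer name.
        $props = @(
            'ComputerName', 'TimeGenerated', 'EventCode',
            @{ n = 'TargetAccount';  e = { $_.InsertionStrings[0] } },
            @{ n = 'CallerComputer'; e = { $_.InsertionStrings[1] } }
        )

        Get-CimInstance -CimSession $session -Query $wql -ErrorAction Stop |
            Sort-Object TimeGenerated -Descending |
            Select-Object -First $Newest -Property $props
    }
    finally {
        # Always tear the session down, even when the query throws.
        Remove-CimSession -CimSession $session
    }
}

# Example call (host name is a placeholder):
# Get-LockoutEventsViaCim -ComputerName 'server01.example.internal' -Newest 10 | Format-Table -AutoSize
```

If WinRM is already open to the target, running the original Get-WinEvent line inside Invoke-Command -ComputerName also avoids the local EventLogSession path that the -ComputerName parameter goes through.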