PS1 blocked for reading event log?

I have a very odd problem I cant seem to get figured.

Here is a very simple script:

$XPath = "Event[System[EventID=4740]]"
Get-WinEvent -LogName 'Security' -FilterXPAth $XPath

If I execute this line by line from an Admin PowerShell, I have no issues.

As soon as I save this to a .PS1 and execute, I get the following error:

unable to perform an unauthorized operation

Any ideas on where I might look? I have checked all the registry and event log permissions and they seem to be normal. I also checked:

$ExecutionContext.SessionState.LanguageMode

And it is set to FullLanguage. I am stumped. Thanks in advance for any help/suggestions.

Have you tried turning it off and on again?

Haha j/k. How are you executing your script?

Google fu led me here:

user accounts - Why am I getting unauthorized errors with Powershell get-winevent? - Server Fault

Thanks Rob and Doug for the suggestions.

I wont have access to the systems until Monday.
Rob, I have already validated everything in the post you referred to EXCEPT for the -computerName parameter. I will check that Monday.

I was thinking maybe AppLocker or Device Guard might be the cause and somehow blocking PS1 access to the logs as that simple script fails as a PS1, but not direct from the command line.

Doug, I (far end user actually) was executing the script as such from a Command and PowerShell, failed in both:

PowerShell -ExecutionPolicy Bypass .\test.PS1

Again, thanks for the suggestions. I will post what I find on Monday. The system(s) are air gapped so I dont have direct access. There are actually two systems with the same behavior.

OK, I did find out the user is using -ComputerName. So, when you add that, it does fail. We checked just about every network setting I can think of, and also a reboot, and still no joy.

Using -ComputerName ,we tried the FQDN, $ENV:ComputerName, the Netbios name and the ip address, All failed in the same way.

Any ideas on what to check next?

IIRC each cmdlet that offered -Computername was implemented in their own remoting (many using DCOM) except of course Remoting commands. This is why the *-Service cmdlets no longer have -ComputerName in core. So my guess would be you can’t connect to event viewer remotely either?

Doug, we are going to try the remote connection tomorrow. BTW, I should have mentioned this earlier, the PowerShell version is 5.1.

Basically, the end user is running a very large Script that audits the systems, and it does support remote systems (using the ComputerName argument). The only Cmdlet that uses this argument is Get-WinEvent. Everything else is done via a CimSession.

I was hoping to solve this issue via remote, so I am hoping you are wrong on that :frowning:
Is there any way to get Event Log data (easily) via a CimSession?

I had a look at the PowerShell source and the issue seems to be related to creating an EventLogSession. One thing I noticed in the source is they fall back to setting the computername to “localhost” if the ComputerName argument is not present. I did NOT try that in my testing with the user. I will try that tomorrow using:

-ComputerName 'localhost'

And see if this works.

I did have them ping localhost and that worked.