I have a list of hostnames from which I'd like to extract all AppLocker-related event logs, especially the ones with level Warning and/or Error. I crafted this script:

$ComputersToCheck = Get-Content 'X:\ListWithTheNames.txt'
foreach ($OneHost in $ComputersToCheck)
{
    try
    {
        $EventCollection = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -ComputerName $OneHost -Credential $CredentialFromUser
        foreach ($SingelEvent in $EventCollection)
        {
            if ($SingelEvent.LevelDisplayName -ne "Information")
            {
                $pathtosaveto = 'SomeFileName.txt'
                # Export-Csv writes straight to the file and returns nothing, so there is no output to collect in a variable
                $SingelEvent | Select-Object Message, MachineName, UserId | Export-Csv -Path $pathtosaveto -Append
            }
        }
    }
    catch
    {
        # handling exceptions
    }
}

This works for a while, but after a certain amount of time I got an error:

Get-WinEvent : The remote procedure call failed
At X:\FileName.ps1:22 char:28
+         $EventCollection = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EX ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
+ FullyQualifiedErrorId : The remote procedure call failed,Microsoft.PowerShell.Commands.GetWinEventCommand

And right after that, the script starts giving errors like this:

Get-WinEvent : The handle is invalid
At X:\FileName.ps1:22 char:28
+         $EventCollection = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EX ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
+ FullyQualifiedErrorId : The handle is invalid,Microsoft.PowerShell.Commands.GetWinEventCommand

My first thought was that it is related to the host the script tries to reach, but the next one in the list is the same type (OS, even the same model) as the previous.

I ran the script 3 times, and every time the output size was different (probably because not the same hosts were online with the same amount of logs). The script should run against more than 700 hosts, for which a special account is needed, which I prompt for with Get-Credential, store in a variable and pass to Get-WinEvent as a parameter.

To be honest I'm stuck with this issue, not really sure what causes this and why.

If anyone has an idea please share with me :)

SecThor

1 Answer

Give this a try to attempt catching references to failed hosts and empty objects. You could write the exception received but I didn't include that in this to make the failedhosts file simple to read. Hope I got it right as I winged it and don't have a true case to test against.

$ComputersToCheck = Get-Content 'X:\ListWithTheNames.txt'
foreach ($OneHost in $ComputersToCheck) {
    try {
        $EventCollection = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -ComputerName $OneHost -Credential $CredentialFromUser -ErrorAction Stop

        if ($EventCollection) {
            foreach ($SingelEvent in $EventCollection) {
                if ($SingelEvent.LevelDisplayName -ne "Information") {
                    $pathtosaveto = 'SomeFileName.txt'
                    # Export-Csv writes to the file and returns nothing, so no variable is needed to collect output
                    $SingelEvent | Select-Object Message, MachineName, UserId | Export-Csv -Path $pathtosaveto -Append
                }
            }
        } else {
            Out-File -InputObject $($OneHost + " Empty Event Collection") -FilePath "C:\FailedHosts.txt" -Append -Encoding ascii
        }
    }
    catch {
        Out-File -InputObject $($OneHost + " Failed Connection") -FilePath "C:\FailedHosts.txt" -Append -Encoding ascii
    }
}
ATek
  • Hi, unfortunately, it did not work. However, now I have a pretty list of offline hosts. That's something :) Nevertheless the issue still occurs. It seems to me pretty random; every time a different amount of logs is generated, but maybe it isn't related. At the moment I'm blind and have no more ideas. – SecThor Mar 04 '16 at 13:44
  • Did it throw an error or in what way did it not work? I presume when you say a pretty list of offline hosts that FailedHosts.txt file populated? I can only assume it was not an inclusive list of machines you ran against on the ListWithTheNames.txt file. I would try the `Get-WinEvent` query manually on some of the machines in the FailedList to see what the response is and we can wrap some logic around the variations of the results. – ATek Mar 04 '16 at 17:15
  • The first few ones are: `Get-WinEvent : The interface is unknown At A:\AppLocker_ExtractBlockedExes (2).ps1:9 char:28 + $EventCollection = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EX ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Get-WinEvent], EventLogException + FullyQualifiedErrorId : The interface is unknown,Microsoft.PowerShell.Commands.GetWinEventCommand` – SecThor Mar 23 '16 at 08:24
  • Then 99% of the rest are: `Get-WinEvent : The handle is invalid At A:\AppLocker_ExtractBlockedExes (2).ps1:9 char:28 + $EventCollection = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EX ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Get-WinEvent], EventLogException + FullyQualifiedErrorId : The handle is invalid,Microsoft.PowerShell.Commands.GetWinEventCommand` – SecThor Mar 23 '16 at 08:25
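As an added example that is neither SecThor's script nor ATek's answer, here is how a collector for this job can be written so that one bad RPC session cannot take down the rest of the 700-host run: every host is queried in its own background job (a fresh process), the Warning/Error filter is applied on the remote side with -FilterHashtable instead of pulling every Information event and discarding it, a hung call is cut off by a timeout, and each failure is logged together with the exception message so the two error families above ("The remote procedure call failed" versus "The handle is invalid") can be told apart afterwards. The list path, credential prompt, output paths, the 120 second timeout and the per-host job isolation are assumptions of this example, as is the check on the "No events were found" message text, which Get-WinEvent emits as an error for a host that simply has no matching events.

```powershell
# Added example: per-host AppLocker Warning/Error collector.
# Not the original poster's or answerer's script; the host list path, credential
# prompt, output paths and the 120 s timeout are assumptions of this example.
$ComputersToCheck = Get-Content 'X:\ListWithTheNames.txt'
$Credential       = Get-Credential -Message 'Account allowed to read remote event logs'
$OutputCsv        = 'X:\AppLocker_WarningsAndErrors.csv'
$FailedHostsLog   = 'X:\FailedHosts.txt'
$TimeoutSeconds   = 120

# Filter on the remote side: Level 2 = Error, 3 = Warning. Only the events of
# interest cross the wire instead of the whole log being filtered client-side.
$Filter = @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Level   = 2, 3
}

function Write-FailedHost {
    param([string]$Target, [string]$Reason)
    # One tab-separated line per failure, including the reason, so the list can be triaged later.
    "$Target`t$Reason" | Out-File -FilePath $FailedHostsLog -Append -Encoding ascii
}

foreach ($OneHost in $ComputersToCheck) {
    # Cheap reachability check before an RPC session is opened at all
    # (assumes ICMP is allowed to the target hosts).
    if (-not (Test-Connection -ComputerName $OneHost -Count 1 -Quiet)) {
        Write-FailedHost -Target $OneHost -Reason 'Unreachable (ping failed)'
        continue
    }

    # Each query runs in its own background job, i.e. its own process, so a broken
    # RPC session ("The remote procedure call failed" / "The handle is invalid")
    # from one host cannot live on in the process that queries the next host.
    $Job = Start-Job -ScriptBlock {
        param($Target, $Cred, $FilterHashtable)
        try {
            Get-WinEvent -ComputerName $Target -Credential $Cred -FilterHashtable $FilterHashtable -ErrorAction Stop |
                Select-Object MachineName, TimeCreated, Id, LevelDisplayName, UserId, Message
        }
        catch {
            # A host with no matching events is a success, not a failure, but Get-WinEvent
            # reports it as an error. Matching on the message text is an assumption.
            if ($_.Exception.Message -notlike 'No events were found*') { throw }
        }
    } -ArgumentList $OneHost, $Credential, $Filter

    if (-not (Wait-Job -Job $Job -Timeout $TimeoutSeconds)) {
        # A hung RPC call must not stall the whole run: kill the job and record it.
        Stop-Job -Job $Job
        Remove-Job -Job $Job -Force
        Write-FailedHost -Target $OneHost -Reason "Timeout after $TimeoutSeconds s"
        continue
    }

    try {
        # Errors raised inside the job surface here as terminating errors.
        $Events = @(Receive-Job -Job $Job -ErrorAction Stop)
        if ($Events.Count -gt 0) {
            $Events | Export-Csv -Path $OutputCsv -Append -NoTypeInformation
        }
        else {
            Write-FailedHost -Target $OneHost -Reason 'No Warning/Error AppLocker events'
        }
    }
    catch {
        # Access denied, RPC failure, unknown interface: all logged with the actual message.
        Write-FailedHost -Target $OneHost -Reason $_.Exception.Message
    }
    finally {
        Remove-Job -Job $Job -Force
    }
}
```

This runs as written on Windows PowerShell 3.0 or later (Export-Csv -Append needs 3.0). The remote hosts need the Remote Event Log Management firewall rules open and the collecting account needs read access to the log, for example through membership of the local Event Log Readers group; a host where that is missing shows up in FailedHosts.txt with an access-denied message rather than silently producing an empty CSV. The job-per-host design costs a process start per machine, which is acceptable for a few hundred hosts and is what isolates the failed-handle state that otherwise poisons every later Get-WinEvent call in the same session.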