
I have defined some Windows events which I register with Event Viewer using an event manifest file. But when I get the events from my provider by invoking the PowerShell command

(Get-WinEvent -ListProvider MyProvider).Events

I noticed that the task values (System.Diagnostics.Eventing.Reader.EventTask) were parsed into a wrong data type. For example, the task value of an event is defined as 65534 in the event manifest file, but PowerShell parsed it to -2. Consequently, I cannot publish this Windows event in PowerShell, i.e. when I invoke

New-WinEvent -ProviderName MyProvider -Id MyEventId -Payload MyPayload

I get the following exception:

New-WinEvent : Non negative number is required. Parameter name: task + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [New-WinEvent], ArgumentOutOfRangeException + FullyQualifiedErrorId : System.ArgumentOutOfRangeException,Microsoft.PowerShell.Commands.NewWinEventCommand

Because the task associated with MyEventId is parsed to a negative number. Yet I have seen this Windows event successfully logged in Event Viewer with the correct task value.

Is this a bug in PowerShell? Does anyone have a suggestion to get around this problem so that I can publish this Windows event from PowerShell?

Edit:

According to EventLogRecord.Task, a task value can be anything between 0 and 65519, so 65534 is not a valid task value anyway. But I have another task with value 65493, which apparently lies in the range, but it is still parsed to -43. The same exception mentioned above is thrown when I try to publish a Windows event associated with this task.

Shuting
  • Can you show us how you register the events? – Theo Nov 20 '19 at 15:42
  • The registration is done by calling `wevtutil install-manifest` with manifest file constructed based on [EventManifest Schema](https://learn.microsoft.com/en-us/windows/win32/wes/eventmanifestschema-schema) as input – Shuting Nov 20 '19 at 15:59
  • What if you try the old-fashioned `Get-WinEvent -ListProvider MyProvider | Select-Object -Expand Events` rather than using property enumeration? – iRon Nov 20 '19 at 21:22
  • The result is exactly the same. Well, the biggest problem is rather not being able to publish the event than visualising the value. – Shuting Nov 21 '19 at 07:55
  • The point is that you will choke the pipeline if you assign your stream or use parentheses. You will need to create a stream from the start till the very end, using `Select-Object` or `Get-WinEvent -ListProvider MyProvider | ForEach-Object Events | ...`. If you elaborate more on what you try to do at the "publishing" part (please, add to the question), I might be able to help you further (please, notify me @iRon in the comments otherwise I might miss any updates). – iRon Nov 21 '19 at 09:58
  • Btw. the **task value** issue is unlikely related to **overflow** errors (in your title) but happens because the datatype is a `[Int16]`. `[BitConverter]::ToInt16([BitConverter]::GetBytes(654434), 0)` → `-2`. I think both issues can be resolved. I recommend you to update this question and create a new question. Then clearly separate the questions (title and the contents) between an **overflow issue** and a **data type issue**. Also see: https://stackoverflow.com/help/how-to-ask. – iRon Nov 21 '19 at 10:20
  • @iRon thanks for the feedback. I have updated the question. – Shuting Nov 21 '19 at 15:40
  • What happens when you try: `-Id (MyEventId -bAnd 0xFFFF)`? FYI: this will translate it to a positive number again, e.g.: `-43 -bAnd 0xFFFF` → `65493` – iRon Nov 21 '19 at 19:04
  • @iRon MyEvent ID is valid and has no problem. Each Windows event is associated with a task defined in the manifest file. The task value is what got parsed wrong and it cannot be used as input to `New-Event`. – Shuting Nov 22 '19 at 09:04
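The signed/unsigned reinterpretation discussed in the comments, as an added PowerShell example that is not part of the question or any comment. It reproduces the 65534 → -2 and 65493 → -43 results, recovers the manifest value with the `-band 0xFFFF` mask, checks the 0..65519 range from EventLogRecord.Task, and wraps a provider listing; the function names are illustrative and `MyProvider` is the question's placeholder provider name.

```powershell
# Added example (not from the question or comments). Shows why a manifest task
# value such as 65493 is reported as -43: the value is read back through a
# signed [Int16], so anything above 32767 wraps negative.

function ConvertTo-SignedTask {
    # Reinterpret an unsigned 16-bit manifest value the way a signed [Int16] sees it.
    param([Parameter(Mandatory)][uint16]$ManifestValue)
    [BitConverter]::ToInt16([BitConverter]::GetBytes($ManifestValue), 0)
}

function ConvertTo-ManifestTask {
    # Recover the unsigned manifest value from the signed value PowerShell reports.
    # Masking with 0xFFFF maps -43 back to 65493 and -2 back to 65534.
    param([Parameter(Mandatory)][int]$SignedValue)
    [uint16]($SignedValue -band 0xFFFF)
}

function Test-ManifestTaskRange {
    # EventLogRecord.Task documents 0..65519 as the valid range for a task value.
    param([Parameter(Mandatory)][uint16]$ManifestValue)
    $ManifestValue -le 65519
}

# Constructed values taken from the question: both read back negative,
# but only 65493 is inside the documented range.
foreach ($task in 65534, 65493) {
    $signed   = ConvertTo-SignedTask $task
    $restored = ConvertTo-ManifestTask $signed
    [pscustomobject]@{
        ManifestValue = $task
        ParsedAsInt16 = $signed
        Restored      = $restored
        InRange       = Test-ManifestTaskRange $task
    }
}

# Against a registered provider (the manifest must already be installed):
# list each event whose task came back negative, with the recovered manifest value.
# Streams through ForEach-Object as suggested in the comments rather than
# enumerating the property on a parenthesised result.
function Get-NegativeTaskEvent {
    param([Parameter(Mandatory)][string]$ProviderName)
    Get-WinEvent -ListProvider $ProviderName | ForEach-Object Events |
        Where-Object { $_.Task.Value -lt 0 } |
        Select-Object Id,
            @{ n = 'ParsedTask';   e = { $_.Task.Value } },
            @{ n = 'ManifestTask'; e = { ConvertTo-ManifestTask $_.Task.Value } }
}
# Get-NegativeTaskEvent -ProviderName 'MyProvider'
```

Recovering the unsigned value only explains what the provider metadata reports; as the question notes, `New-WinEvent` still rejects a negative task, so this is a diagnostic rather than a publishing fix.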
