# Look up the Security log through WMI
$EventLog = Get-WmiObject Win32_NTEventlogFile -Filter "LogFileName = 'Security'"
$Date = Get-Date -Format yyyyMMdd

$Path = "C:\Users\aamouss\Desktop\SecurityLogs"

# Back the log up as <computer>_Security_<date>.evt; the backtick ends the
# variable name so that "_Security" is not read as part of $env:COMPUTERNAME
$EventLog.BackupEventlog("$Path\$env:COMPUTERNAME`_Security_$Date.evt")

# Clear the live log once the backup has been written
Clear-EventLog -LogName Security

I'm running the above script but getting the below error.

You cannot call a method on a null-valued expression.
At line:6 char:1
+ $EventLog.BackupEventlog("$Path\$env:COMPUTERNAME`_Security_$Date.evt ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

Lance U. Matthews
Moose

1 Answer


$EventLog is the only thing that could be $null in the line indicated by the error. If I try executing the command that initializes $EventLog, I see it doesn't return anything...

PS> Get-WmiObject Win32_NTEventlogFile -Filter "LogFileName = 'Security'"
PS>

If I remove the -Filter from that Get-WmiObject command, here are the logs I see on my Windows 10 system as a standard user...

PS> Get-WmiObject Win32_NTEventlogFile

FileSize LogfileName            Name                                                        NumberOfRecords
-------- -----------            ----                                                        ---------------
15798272 Application            C:\WINDOWS\System32\Winevt\Logs\Application.evtx                      27698
   69632 HardwareEvents         C:\WINDOWS\System32\Winevt\Logs\HardwareEvents.evtx                       0
   69632 Internet Explorer      C:\WINDOWS\System32\Winevt\Logs\Internet Explorer.evtx                    0
   69632 Key Management Service C:\WINDOWS\System32\Winevt\Logs\Key Management Service.evtx               0
   69632 Parameters             C:\WINDOWS\System32\Winevt\Logs\Parameters.evtx                           0
   69632 State                  C:\WINDOWS\System32\Winevt\Logs\State.evtx                                0
14749696 System                 C:\WINDOWS\System32\Winevt\Logs\System.evtx                           24168
15732736 Windows PowerShell     C:\WINDOWS\System32\Winevt\Logs\Windows PowerShell.evtx               10470

...and as an elevated user...

PS> Get-WmiObject Win32_NTEventlogFile

FileSize LogfileName            Name                                                        NumberOfRecords
-------- -----------            ----                                                        ---------------
15798272 Application            C:\WINDOWS\System32\Winevt\Logs\Application.evtx                      27698
   69632 HardwareEvents         C:\WINDOWS\System32\Winevt\Logs\HardwareEvents.evtx                       0
   69632 Internet Explorer      C:\WINDOWS\System32\Winevt\Logs\Internet Explorer.evtx                    0
   69632 Key Management Service C:\WINDOWS\System32\Winevt\Logs\Key Management Service.evtx               0
   69632 Parameters             C:\WINDOWS\System32\Winevt\Logs\Parameters.evtx                           0
20975616 Security               C:\WINDOWS\System32\Winevt\Logs\Security.evtx                         29714
   69632 State                  C:\WINDOWS\System32\Winevt\Logs\State.evtx                                0
14749696 System                 C:\WINDOWS\System32\Winevt\Logs\System.evtx                           24170
15732736 Windows PowerShell     C:\WINDOWS\System32\Winevt\Logs\Windows PowerShell.evtx               10477

Notice that the Security log is only available when the cmdlet is run elevated. Therefore, if I run the original command as an elevated user, it is able to access the Security log...

PS> Get-WmiObject Win32_NTEventlogFile -Filter "LogFileName = 'Security'"

FileSize LogfileName Name                                          NumberOfRecords
-------- ----------- ----                                          ---------------
20975616 Security    C:\WINDOWS\System32\Winevt\Logs\Security.evtx           29723

From Event Logging Security...

The Security log is designed for use by the system. However, users can read and clear the Security log if they have been granted the SE_SECURITY_NAME privilege (the "manage auditing and security log" user right).

Lance U. Matthews
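A version of the asker's script that fails early instead of dereferencing $null, added here as an example (it is not part of the question or of the answer above). It checks that the session is elevated, that the WMI query actually returned a log object, and that BackupEventlog succeeded before the live log is cleared. $LogName and the destination in $Path are constructed placeholders; the elevation check via WindowsPrincipal is a standard .NET idiom, not something the answer uses.

```powershell
# Added example, not the asker's original script. $LogName and $Path are
# constructed placeholders; adjust them for your environment.
$LogName = 'Security'
$Path    = 'C:\Temp\SecurityLogs'

# The Security log is not returned by Win32_NTEventlogFile for a standard
# user (see the answer above), so refuse to continue unless elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw "Run this from an elevated PowerShell session; reading and clearing the $LogName log requires the 'Manage auditing and security log' right."
}

# Never call a method on the query result without confirming it is non-null.
$EventLog = Get-WmiObject Win32_NTEventlogFile -Filter "LogFileName = '$LogName'"
if ($null -eq $EventLog) {
    throw "Win32_NTEventlogFile returned nothing for '$LogName'; nothing to back up."
}

if (-not (Test-Path -LiteralPath $Path)) {
    New-Item -ItemType Directory -Path $Path | Out-Null
}

$Date   = Get-Date -Format yyyyMMdd
$Backup = Join-Path $Path ("{0}_{1}_{2}.evtx" -f $env:COMPUTERNAME, $LogName, $Date)

# BackupEventlog returns a WMI result object; ReturnValue 0 means success,
# anything else (for example, the archive file already existing) is a failure.
$result = $EventLog.BackupEventlog($Backup)
if ($result.ReturnValue -ne 0) {
    throw "BackupEventlog failed with return value $($result.ReturnValue); the live log was not cleared."
}

# Clear the live log only once the archive is confirmed on disk and non-empty.
if ((Get-Item -LiteralPath $Backup).Length -gt 0) {
    Clear-EventLog -LogName $LogName
    Write-Host "Archived $LogName to $Backup and cleared the live log."
}
```

Two things worth knowing when running this: clearing the Security log is itself audited, so the freshly cleared log will start with event ID 1102 ("The audit log was cleared") recording who did it, which is the expected trace of a scheduled rotation like this one. Also, Get-WmiObject exists only in Windows PowerShell 5.1 and earlier; on PowerShell 7 the equivalent query is Get-CimInstance Win32_NTEventlogFile with the method invoked through Invoke-CimMethod.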