Get-EventLog is a highly popular cmdlet in Windows PowerShell. With just a few simple parameters, it reads events from the primary Windows event logs. However, the techniques this cmdlet uses are not just slow but also increasingly dangerous.
Get-EventLog has difficulty finding the correct event messages, so in the past, you often got back no meaningful message. Increasingly often, though, Get-EventLog returns completely unrelated wrong messages that have the potential for triggering false alarms. Like this one:
PS> Get-EventLog -Source Microsoft-Windows-Kernel-General -Newest 2 -LogName System -InstanceId 1

 Index Time         EntryType   Source                           InstanceID Message
 ----- ----         ---------   ------                           ---------- -------
551590 Jun 01 17:57 Information Microsoft-Windows-Kernel-General          1 Possible detection of CVE: 2023-06-01T15:57:15.025483...
551505 Mai 31 17:57 Information Microsoft-Windows-Kernel-General          1 Possible detection of CVE: 2023-05-31T15:57:13.842816...
A CVE detection is an indicator of a security problem or breach. You don't want to be the person who wreaks havoc when, in the end, it all turns out to be a false alarm. Any other tool returns the appropriate event message, and so does the official replacement for Get-EventLog, Get-WinEvent:
PS> Get-WinEvent -FilterHashtable @{
      ProviderName = 'Microsoft-Windows-Kernel-General'
      LogName      = 'System'
      Id           = 1
    } -MaxEvents 2

   ProviderName: Microsoft-Windows-Kernel-General

TimeCreated         Id LevelDisplayName Message
-----------         -- ---------------- -------
01.06.2023 17:57:15  1 Information      The system time has changed to 2023-06-01T15:57:15.025483100Z from 2023-06-01T1...
31.05.2023 17:57:13  1 Information      The system time has changed to 2023-05-31T15:57:13.842816200Z from 2023-05-31T1...
So instead of a CVE detection and a security problem, what really happened is that the system time was adjusted.
Never use Get-EventLog in your scripts anymore (unless you are 100% certain that the events you care about are not affected by these shortcomings), and instead get familiar with Get-WinEvent: it is much faster, much more versatile, and can also read exported event files.
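The following is an added example, not code from the original post. It wraps the Get-WinEvent query shown above in a reusable function that can read either the live System log or an exported .evtx file (the file path in the usage lines is an assumed placeholder), and adds a second function that, on Windows PowerShell 5.1 where Get-EventLog still exists, lists both cmdlets' Message text side by side so you can verify on your own machine that the "CVE" text is an artifact of Get-EventLog rather than a real detection before escalating anything.

```powershell
# Added example (not from the original post). Queries Kernel-General event ID 1
# with Get-WinEvent, optionally from an exported .evtx file, and compares the
# message text with what Get-EventLog returns for the same events.

function Get-KernelTimeChangeEvent {
    [CmdletBinding()]
    param(
        [int]$MaxEvents = 2,
        # Optional path to an exported .evtx file; when given, the file is read
        # instead of the live System log.
        [string]$Path
    )

    $filter = @{
        ProviderName = 'Microsoft-Windows-Kernel-General'
        Id           = 1
    }
    if ($Path) {
        $filter['Path'] = $Path        # read the exported event file
    } else {
        $filter['LogName'] = 'System'  # read the live System log
    }

    # -ErrorAction SilentlyContinue suppresses the "No events were found" error
    # so the function simply returns nothing when there are no matching events.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message
}

function Compare-EventLogMessage {
    [CmdletBinding()]
    param([int]$Newest = 2)

    # Get-EventLog only exists in Windows PowerShell; PowerShell 7 dropped it.
    if (-not (Get-Command Get-EventLog -ErrorAction SilentlyContinue)) {
        Write-Warning 'Get-EventLog is not available in this PowerShell edition; nothing to compare.'
        return
    }

    # Both cmdlets return the newest events first, so index i refers to the same event.
    $legacy = @(Get-EventLog -LogName System -Source 'Microsoft-Windows-Kernel-General' -InstanceId 1 -Newest $Newest)
    $modern = @(Get-KernelTimeChangeEvent -MaxEvents $Newest)

    $count = [Math]::Min($legacy.Count, $modern.Count)
    for ($i = 0; $i -lt $count; $i++) {
        [pscustomobject]@{
            TimeCreated     = $modern[$i].TimeCreated
            GetEventLogText = $legacy[$i].Message
            GetWinEventText = $modern[$i].Message
        }
    }
}

# Usage:
# Get-KernelTimeChangeEvent -MaxEvents 2
# Get-KernelTimeChangeEvent -Path 'C:\exports\System.evtx'   # placeholder path
# Compare-EventLogMessage -Newest 2 | Format-List
```

Passing Path inside the filter hashtable is what lets the same query run unchanged against an exported file, which is the workflow you want when someone hands you an .evtx from another machine to check: the message text comes from the event's own provider metadata, not from a guess about which message table applies.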