Why am I getting unauthorized errors with PowerShell Get-WinEvent?

I'm a domain admin equivalent, I've tried running in an elevated console (right-click > Run as administrator), and I'm consistently getting errors when executing:

get-winevent -logname application | where {$_.message -match "Faulting application"} | `
                                    select TimeCreated,message

I'll get three lines of result, then

Get-WinEvent : Attempted to perform an unauthorized operation.
At line:1 char:13
 + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], UnauthorizedAccessException
 + FullyQualifiedErrorId : Attempted to perform an unauthorized operation.,Microsoft.PowerShell.Commands.GetWinEventCommand

This seems to be a new development; I haven't gotten those errors before.

It's consistent - if I run it with -computername from another server, the pattern still goes 3 OK lines, then X errors, then 5 OK lines, etc.


Does it happen with other event logs? For instance, what if you run the following to view login events with specific event IDs?

Get-WinEvent -FilterHashtable @{logname='security'; id=@(4624,4634,4672,4648)}

If that works there may be some items in the application event log that you don't have access to. In that case you would have to use something like Process Monitor to find out why your access is being denied.

You may get better results using the FilterHashtable parameter to pass the filter criteria to the Get-WinEvent cmdlet. See http://ss64.com/ps/get-winevent.html for examples.


I can run this with a non-administrative user on a locked-down system. Check your permissions and audit policies for event logs in GPO. You may have it set so ONLY auditors can see the logs. Good luck troubleshooting if that is the case.
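
The two suggestions in the answers above (filter with -FilterHashtable, and check who is allowed to read the log) combined into one script. This is an added example, not code posted by anyone in the thread; it assumes the "Faulting application" records are event ID 1000 from the 'Application Error' provider, and $Computer is a placeholder for the machine being queried.

```powershell
# Added example, not code from the thread. Assumptions: the "Faulting application"
# records are written by the 'Application Error' provider as event ID 1000, and
# $Computer is a placeholder for the machine being queried.
$Computer = $env:COMPUTERNAME

# 1. Filter inside the event log service rather than piping every record through
#    Where-Object, and collect read errors instead of letting them scroll past.
$query = @{
    ComputerName    = $Computer
    FilterHashtable = @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000 }
    ErrorAction     = 'SilentlyContinue'
    ErrorVariable   = 'readErrors'
}
Get-WinEvent @query | Select-Object TimeCreated, Message | Format-List

# 2. Summarise whatever still failed (for example UnauthorizedAccessException).
$readErrors |
    Group-Object { $_.Exception.GetType().Name } |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 3. Decode the log's access control list to see who may read it.
#    Event log access mask bits: 0x1 = read, 0x2 = write, 0x4 = clear.
$log = Get-WinEvent -ListLog Application -ComputerName $Computer
if ($log.SecurityDescriptor) {
    $sd = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor `
                     -ArgumentList $false, $false, $log.SecurityDescriptor
    $acl = foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # SID with no resolvable account name
        [pscustomobject]@{
            Account = $who
            Type    = $ace.AceType
            Read    = [bool]($ace.AccessMask -band 0x1)
            Write   = [bool]($ace.AccessMask -band 0x2)
            Clear   = [bool]($ace.AccessMask -band 0x4)
        }
    }
    $acl | Format-Table -AutoSize
}
```

If step 3 shows no allow entry with Read for a group your account belongs to, the log's access control list is the place to look; if it does, the error counts from step 2 show whether the failures are tied to individual records.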