Using Get-WinEvent without admin rights - getting error "Get-WinEvent : Attempted to perform an unauthorized operation." if FilterHashTable uses Providername RRS feed

  • Question

  • Hi 

    I've been trying to get Get-WinEvent to work without local admin permissions on remote servers.  I can get this to work with the non-admin user in the local "Event Log Readers" group on the remote server, mostly.  The problem I get is when using FilterHastTables with the Providername filter. This results in an error "Get-WinEvent : Attempted to perform an unauthorized operation."

    For example I can run:

    Get-WinEvent -ComputerName RemoteServer1 -FilterHashTable @{LogName = "Application"} | Where-Object -Property Message -Like "*SMS_WSUS_SYNC_MANAGER*" | Select -First 10

    And get the expected events returned and no errors. 

    But if I run this:

    Get-WinEvent -ComputerName RemoteServer1 -FilterHashTable @{LogName = "Application"; Providername='SMS Server'} | Where-Object -Property Message -Like "*SMS_WSUS_SYNC_MANAGER*" | Select -First 10

    I get no events returned and the error "Get-WinEvent : Attempted to perform an unauthorized operation." 

    Both work just find if I have local admin rights on the remote server. While the first one works the second one is much faster. 

    Is anybody able to explain to me why this happens and how it might be fixed for non-admin users?  

    • Moved by Bill_Stewart Wednesday, September 4, 2019 9:45 PM Abandoned
    Tuesday, May 7, 2019 10:30 AM

All replies

  • First use this method to limit the results:

    Get-WinEvent-MaxEvents 10 -ComputerName RemoteServer1 -FilterHashTable @{LogName = "Application"; Providername='SMS Server'}

    You likely need to be an admin on the SMS Server.


    • Edited by jrv Tuesday, May 7, 2019 11:22 AM
    Tuesday, May 7, 2019 11:22 AM
  • Thank you for reading my post. However, I don't think filtering results on the left would help me in this case. Although I agree filtering to the left is great for speed.  Wouldn't restricting the events returned by the filterhashtable cause a problem if it was the 11th event which included the description text to match the where-object filter on the message content?  Please ignore the  '| Select -First 10' as that's only there to help keep down the number of results on screen during testing.

    What I want to know is why do I need Admin rights to use the Providername in the hashtable filter? And how can I fix that for non-admin users.  I can read the event logs fine without admin rights if I don't do the secondary hashtablefilter using the Providername.  

    Also I've found you can run this with admin rights but not without:

    Get-WinEvent -ListProvider * -ComputerName RemoteServer1

    • Edited by Daflibble Tuesday, May 7, 2019 11:50 AM
    Tuesday, May 7, 2019 11:48 AM
  • The point I am making is that restricting the number of events at the end is not the same as using MaxEvents.  It can cause issues.

    Also you can do this:

    $filter = @{ 
        LogName = 'Application'
        Providername = 'SMS Server' 
        Data = 'SMS_WSUS_SYNC_MANAGER'
    Get-WinEvent -ComputerName RemoteServer1 -FilterHashTable $filter -MaxEvents 10 

    Which would be easier to manage and much faster. It also avoids tripping over bad records.

    If you still get an "unauthorized operation" error then you have issues with the remote server or a corrupt event log.


    Tuesday, May 7, 2019 11:56 AM
  • Thanks jrv

    Hhmmmmm well that helps, but creates new limitations for my real intended use due to lack of wildcard support in the FilterHashTable for the DATA values.  The example query I posted was just a quick example of the sort of thing I was doing which created the error.  But its good now I know  as I kinda glossed over the use of DATA in the filterhashtable  when reading the MS Doc on Get-WinEvent.  

    The ability to use wild cards with a second where-object filter makes it great for ad-hoc searching of event logs when you don't exactly know what you are looking for.   

    Really would love to know how to get round this permission issue with using the Providernames in the FilterHashTable.  

    Tuesday, May 7, 2019 2:38 PM
  • The filter will  match without a wildcard.

    To do this even better use an XPath query.  You can build it in the GUI and add it to the script.


    Tuesday, May 7, 2019 3:06 PM