Share via

Get-WinEvent - Cannot query provider Microsoft-Windows-Kerberos-Key-Distribution-Center

David Trevor 321 Reputation points
2022-11-30T11:54:26.117+00:00

In the screenshot below you can see the System event log. Evidently there is events that got written by the provider "Microsoft-Windows-Kerberos-Key-Distribution-Center"
265626-greenshot000424.png

When trying to query the System event log via Powershell for events written by that provider, I get an error message saying that this provider does not write to this log. Can someone explain this behavior to me and what query could I use instead to query those events? 

Get-WinEvent -FilterHashtable @{Logname='System'; ProviderName='Microsoft-Windows-Kerberos-Key-Distribution-Center'}  
  
Get-WinEvent : The specified providers do not write events to any of the specified logs.  
At line:1 char:1  
+ Get-WinEvent -FilterHashtable @{Logname='System'; ProviderName='Micro ...  
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
    + CategoryInfo          : InvalidArgument: (:) [Get-WinEvent], Exception  
    + FullyQualifiedErrorId : LogsAndProvidersDontOverlap,Microsoft.PowerShell.Commands.GetWinEventCommand  
  
Get-WinEvent : The parameter is incorrect  
At line:1 char:1  
+ Get-WinEvent -FilterHashtable @{Logname='System'; ProviderName='Micro ...  
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException  
    + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWinEventCommand
Windows for business | Windows Server | User experience | Other
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Dave Stambaugh 5 Reputation points
    2023-04-13T13:14:51.6333333+00:00

    I had the same issue. Here's a workaround using the Where-Object:

    Get-WinEvent -FilterHashtable @{LogName='System'; Id=43,44} | Where-Object {$_.ProviderName -eq "Microsoft-Windows-Kerberos-Key-Distribution-Center"}
    1 person found this answer helpful.
  2. Limitless Technology 44,781 Reputation points
    2022-12-02T09:12:29.877+00:00

    Hi,

    Thank you for posting your query.

    Kindly follow the steps provided below to resolve your issue.

    This article is an excerpt of the original blog post and explains how to use the Get-WinEvent cmdlet's FilterHashtable parameter to filter event logs. PowerShell's Get-WinEvent cmdlet is a powerful method to filter Windows event and diagnostic logs. Performance improves when a Get-WinEvent query uses the FilterHashtable parameter.

    https://learn.microsoft.com/en-us/powershell/scripting/samples/creating-get-winevent-queries-with-filterhashtable

    ------------------------------------------------------------------------------------------------------------------------------

    If the answer is helpful kindly click "Accept as Answer" and up vote it.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.