Powershell – getting unauthorized errors with Powershell get-winevent

powershell, user-accounts

I'm a domain admin equivalent, I've tried running in an elevated console (right-click > Run as administrator), and I'm consistently getting errors when executing:

get-winevent -logname application | where {$_.message -match "Faulting application"} | `
                                    select TimeCreated,message

I'll get three lines of result, then

Get-WinEvent : Attempted to perform an unauthorized operation.
At line:1 char:13 Get-WinEvent : Attempted to perform an unauthorized operation.
 + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], UnauthorizedAccessException
 + FullyQualifiedErrorId : Attempted to perform an unauthorized operation.,Microsoft.PowerShell.Commands.GetWinEventCommand

This seems to be a new development; I haven't gotten those errors before.

It's consistent – if I run it with -computername from another server, the pattern still goes 3 OK lines, then X errors, then 5 OK lines, etc.

Best Answer

Does it happen with other Event Logs? For instance, what if you run the following to view login events with specific event IDs?

Get-WinEvent -FilterHashtable @{logname='security'; id=@(4624,4634,4672,4648)}

If that works, there may be some items in the application event log that you don't have access to. In that case you would have to use something like Process Monitor to find out why your access is being denied.

You may get better results using the FilterHashtable parameter to pass the filter criteria to the Get-WinEvent cmdlet. See http://ss64.com/ps/get-winevent.html for examples.
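
The FilterHashtable suggestion applied to the question's query, as an added example that is not part of the original answer. It assumes the "Faulting application" entries come from the Application Error provider with event ID 1000; the function name, the seven-day window and the variable names are hypothetical.

```powershell
# Added example (not from the original post). Filters in the event log service
# instead of piping every Application event through Where-Object, and collects
# read errors separately so they can be counted and inspected.
function Get-AppCrashEvent {
    [CmdletBinding()]
    param(
        [string]$ComputerName,   # optional remote host, as in the question
        [int]$Days = 7           # hypothetical look-back window
    )

    $params = @{
        FilterHashtable = @{
            LogName      = 'Application'
            ProviderName = 'Application Error'  # assumption: source of "Faulting application"
            Id           = 1000                 # assumption: crash event ID
            StartTime    = (Get-Date).AddDays(-$Days)
        }
        ErrorAction   = 'SilentlyContinue'      # keep errors out of the output stream
        ErrorVariable = 'readErrors'            # ...but keep them for review
    }
    if ($ComputerName) { $params.ComputerName = $ComputerName }

    $events = @(Get-WinEvent @params)

    # Return both halves so the caller can see what was read and what failed.
    [pscustomobject]@{
        Events = $events | Select-Object TimeCreated, RecordId, Message
        Errors = $readErrors |
            Group-Object { $_.Exception.GetType().FullName } |
            Select-Object Count, Name
    }
}

$result = Get-AppCrashEvent
$result.Events | Format-List
$result.Errors | Format-Table -AutoSize   # e.g. how many UnauthorizedAccessException
```

If no events match the filter, Get-WinEvent reports that as an error too, so it will show up in the `Errors` summary alongside any access failures.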