powershell - 从 Invoke-Command 运行时，PowerShell Get-WinEvent 无法返回结果

问题描述

我相信 Get-WinEvent 在 PSSession 中运行时存在错误

例如，下面的代码无法返回任何结果

$evt = Invoke-command -ComputerName computerX -ScriptBlock {
    Get-WinEvent -FilterHashtable @{ logname = 'System'; id = (41,6005,6008,6009)  } -MaxEvents 100 -Verbose    
}

VERBOSE: Constructed structured query:
<QueryList><Query Id="0" Path="system"><Select Path="system">*[(System/EventID=41 6005 6008 6009)]</Select></Query></QueryList>.
No events were found that match the specified selection criteria.
    + CategoryInfo          : ObjectNotFound: (:) [Get-WinEvent], Exception
    + FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand
    + PSComputerName        : odc-sql-db-c01

但是，以下代码按预期工作

$evt2 = Invoke-command -ComputerName computerX -ScriptBlock {
    $id = (41,6005,6008,6009)
    Get-WinEvent -FilterHashtable @{ logname = 'System'; id = $id  } -MaxEvents 100 -Verbose    
}

VERBOSE: Constructed structured query:
<QueryList><Query Id="0" Path="system"><Select Path="system">*[((System/EventID=41) or (System/EventID=6005) or (System/EventID=6008) or (System/EventID
=6009))]</Select></Query></QueryList>.

当您比较两个查询时，您会注意到第一个是错误的，即

[(System/EventID=41 6005 6008 6009)] 

应该

[((System/EventID=41) or (System/EventID=6005) or (System/EventID=6008) or (System/EventID=6009))]

标签： powershellget-winevent