Troubleshooting “Unauthorized Operation” Errors in PowerShell Get-WinEvent for Application Log Access


5 views

Many Windows administrators report encountering intermittent "Unauthorized operation" errors when attempting to query Windows Event Logs using PowerShell's Get-WinEvent cmdlet, despite having Domain Admin privileges and running in an elevated session. The error pattern typically shows partial success before failing:

# Example of the failing command
Get-WinEvent -LogName Application | Where {$_.Message -match "Faulting application"} | 
    Select TimeCreated,Message

# Error output:
# Get-WinEvent : Attempted to perform an unauthorized operation.
# At line:1 char:13
# + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], UnauthorizedAccessException
# + FullyQualifiedErrorId : Attempted to perform an unauthorized operation.,Microsoft.PowerShell.Commands.GetWinEventCommand

This behavior typically stems from one or more of these underlying issues:

  • Event log corruption in specific event records
  • Permission inheritance problems with certain event log entries
  • Security descriptor corruption in the Windows Event Log service
  • Group Policy restrictions on event log access
  • Antivirus software interfering with event log operations

Here are several approaches that have resolved this issue for administrators:

Method 1: Using Alternative Credentials

# Create credential object
$cred = Get-Credential
Get-WinEvent -LogName Application -Credential $cred | 
    Where {$_.Message -match "Faulting application"} |
    Select TimeCreated,Message

Method 2: Clearing Event Log Cache

# Stop the Windows Event Log service
Stop-Service EventLog -Force

# Delete the cached log files (backup first!)
Remove-Item "$env:windir\System32\winevt\Logs\Archive-*.evtx" -Force

# Restart the service
Start-Service EventLog

Method 3: Using Wevtutil to Repair Logs

# Export and re-import the problematic log
wevtutil epl Application application_backup.evtx
wevtutil cl Application
wevtutil al application_backup.evtx

Method 4: Alternative Filtering Approach

# Use XML filtering which sometimes bypasses the permission issue
$filter = @'
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]</Select>
    <Suppress Path="Application">*[System[(EventID=1000)]]</Suppress>
  </Query>
</QueryList>
'@

Get-WinEvent -FilterXml $filter | Where {$_.Message -match "Faulting application"}

For persistent cases, enable detailed logging:

# Enable PowerShell module logging
$logParams = @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Value = 'Enabled'
}
Set-LocalPolicySetting -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging' @logParams

# Check security descriptor for the Application log
$log = Get-WinEvent -ListLog Application
$log.SecurityDescriptor
  • Regularly archive and clear large event logs
  • Implement proper log rotation policies
  • Verify Group Policy isn't restricting event log access
  • Keep Windows and PowerShell updated to latest versions

As a domain admin, you'd expect seamless access to event logs across your infrastructure. Yet PowerShell's Get-WinEvent cmdlet throws intermittent UnauthorizedAccessException errors even in elevated sessions. This pattern - a few successful entries followed by access denials - suggests something deeper than simple permission issues.

The Windows Event Log service implements strict security checks through SDDL (Security Descriptor Definition Language) on individual event channels. Even domain admins need explicit permissions for certain logs. The application log contains events from various sources with different security requirements:

# View log security descriptors
wevtutil gl security | findstr "channelAccess"
  • Protected Event Logging (PEL) configurations
  • Event Tracing for Windows (ETW) session conflicts
  • Channel-specific SDDL restrictions
  • Credential Guard blocking token access
  • Log corruption or service state issues

Option 1: Use alternative credential binding

$cred = Get-Credential
Invoke-Command -ComputerName targetServer -Credential $cred -ScriptBlock {
    Get-WinEvent -LogName Application -MaxEvents 50 | 
        Where-Object {$_.Message -match "Faulting application"}
}

Option 2: Adjust log security descriptors

# Temporary solution (reboot required)
wevtutil sl Application /ca:"O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)"

This advanced script identifies exactly which events trigger access violations:

function Test-EventLogAccess {
    param(
        [string]$LogName = 'Application',
        [int]$SampleSize = 100
    )
    
    $events = Get-WinEvent -LogName $LogName -MaxEvents $SampleSize -ErrorAction SilentlyContinue
    $results = @()
    
    foreach ($event in $events) {
        try {
            $null = $event.ToXml()
            $access = $true
        } catch [System.UnauthorizedAccessException] {
            $access = $false
        }
        
        $results += [PSCustomObject]@{
            RecordId = $event.RecordId
            Provider = $event.ProviderName
            TimeCreated = $event.TimeCreated
            Accessible = $access
        }
    }
    
    $results | Format-Table -AutoSize
}

For large environments, consider these architectural approaches:

  • Deploy centralized event log collection (Azure Sentinel/Splunk)
  • Implement Just Enough Administration (JEA) endpoints
  • Configure Windows Event Forwarding (WEF)
  • Use Managed Service Accounts for automation