powershell: get-winevent has no message data?

Question

When I run the script below to retrieve log files, the get-winevent "message" field is blank, but has data if I run get-eventlog. Any ideas why?

#has message data 
Get-Eventlog -LogName application -Newest 10

 #date 10 days ago 
$EventStartDate = get-date("10 May 2012") 
$EventEndDate = get-date("11 May 2012") 
$EventLogNames = @("Application", "system")

#critea for winevent 
$EventCritea = @{logname = $EventLogNames; StartTime=$EventStartDate; EndTime=$EventEndDate}

#Retrieves the event log 
$RetreivedEvents = Get-WinEvent -computername localhost -FilterHashtable $EventCritea
$RetreivedEvents | fl id, logname, MachineName, Message, TimeCreated

Answer 1

What locale are you running under?

There is a .NET bug where the underlying .NET method (that Get-WinEvent uses) fails to populate localised fields (like Message) in some locales (like en-GB).

Fix is to switch to en-US for the command:

$orgCulture = Get-Culture
[System.Threading.Thread]::CurrentThread.CurrentCulture = New-Object "System.Globalization.CultureInfo" "en-US"
# Perform Get-WinEvent
[System.Threading.Thread]::CurrentThread.CurrentCulture = $orgCulture

Answer 2

I believe this is because the messages are hidden in a property value. To display all messages, pipe the get-winevent to the select statement with the following expressions:

@{Label='Messages';Expression={$_.properties.Value}}

If you wish to display a specific message, for instance Logon Process (In security logs), use the expression:

@{Label='Logon Process';Expression={$_.properties.Value[3]}}