This morning I wanted to audit computers to assess whether the certificate revocation list had been updated, as Microsoft published the following advisory: Security Advisory (2916652), Improperly Issued Digital Certificates Could Allow Spoofing.

As stated in the FAQ, I just needed to check the Application log for event ID 4112.



So, I quickly did:

Get-WinEvent -FilterHashtable @{ LogName = 'Application' ; ProviderName = "Microsoft-Windows-CAPI2" ; Id = 4112 } -MaxEvents 1 | Select -ExpandProperty Message

(Same code as above, but with splatting for better readability.)

$HT = @{ FilterHashtable = @{ LogName = 'Application' ; ProviderName = "Microsoft-Windows-CAPI2" ; Id = 4112 } }
Get-WinEvent @HT -MaxEvents 1 | Select -ExpandProperty Message

The above worked perfectly well on computers that had their $host current culture set to English-US or French.

But when I tried on computers that had another culture, it failed with the following message:

Get-WinEvent : Could not retrieve information about the Microsoft-Windows-CAPI2 provider. Error: The locale specific resource for the desired message is not present.


I got the same error with the following command:

Get-WinEvent -ProviderName "Microsoft-Windows-CAPI2"

But it partially worked with the following command. Notice that the Message property is empty.

( Get-WinEvent -FilterHashtable @{ LogName = 'Application' ; Id = 4112 } -MaxEvents 1 )

My two workarounds in this case were:

$a = (Get-WinEvent -FilterHashtable @{ LogName = 'Application' ; Id = 4112 } -MaxEvents 1)
# Workaround 1: read the value from the event XML
'Successful auto update of disallowed certificate list with effective date: {0}' -f @(([xml]$a.ToXml()).Event.EventData.Data)[0]
# Workaround 2: read the value from the Properties collection
'Successful auto update of disallowed certificate list with effective date: {0}' -f $a.Properties[0].Value
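The second workaround can be turned into a small audit that never depends on the rendered Message text, so it behaves the same under any culture. This is an added example, not code from the original post: the function name, its parameters and the 50-event window are hypothetical, and it assumes that comparing the ProviderName property of a returned record does not need the localized provider metadata.

```powershell
# Added example (not from the original post). The function name and its
# parameters are hypothetical.
function Get-DisallowedCertListUpdate {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)]
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 50   # how many recent 4112 events to inspect
    )
    process {
        foreach ($computer in $ComputerName) {
            $result = [pscustomobject]@{
                ComputerName  = $computer
                Updated       = $false
                EffectiveDate = $null
                LoggedAt      = $null
                Error         = $null
            }
            # No ProviderName key in the filter: that key is what raised the
            # "locale specific resource" error on the failing machines.
            $query = @{
                ComputerName    = $computer
                FilterHashtable = @{ LogName = 'Application'; Id = 4112 }
                MaxEvents       = $MaxEvents
                ErrorAction     = 'Stop'
            }
            try {
                # Assumption: ProviderName is read from the record itself,
                # so this comparison needs no localized provider metadata.
                $record = Get-WinEvent @query |
                    Where-Object { $_.ProviderName -eq 'Microsoft-Windows-CAPI2' } |
                    Select-Object -First 1
                if ($record -and $record.Properties.Count -gt 0) {
                    # Read the raw event data, never the rendered Message.
                    $result.Updated       = $true
                    $result.EffectiveDate = $record.Properties[0].Value
                    $result.LoggedAt      = $record.TimeCreated
                }
            }
            catch {
                # Includes "No events were found ..." when 4112 was never logged.
                $result.Error = $_.Exception.Message
            }
            $result
        }
    }
}

# Constructed usage: audit the local computer.
Get-DisallowedCertListUpdate | Format-Table -AutoSize
```

A list of computer names can be piped to the function; machines that return Updated = False with an Error value are the ones to follow up on.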



Having workarounds without understanding what’s going on under the hood was quite frustrating 😦

I tried to list the MetaData associated with the provider with the following command (I used a tip I saw on this page):

(Get-WinEvent -ListProvider "Microsoft-Windows-CAPI2").Events

It worked on the English-US or French culture but failed silently on en-GB.

This time, I used the following MSDN page to create the System.Diagnostics.Eventing.Reader.ProviderMetadata object.

$ar = @( "Microsoft-Windows-CAPI2" , $null , ( [System.Globalization.CultureInfo] 'en-GB' ) )
(New-Object System.Diagnostics.Eventing.Reader.ProviderMetadata -ArgumentList $ar).get_Events()
$ar = @( "Microsoft-Windows-CAPI2" , $null , ( [System.Globalization.CultureInfo] 'en-US' ) )
(New-Object System.Diagnostics.Eventing.Reader.ProviderMetadata -ArgumentList $ar).get_Events() | ft Id , Description -AutoSize

My Get-WinEvent command failed because my user locale name ($host.CurrentCulture) is set to en-GB.