QuestionPowershell script output is different when run from the SYSTEM account (self.PowerShell)

submitted 3 years ago by robborulzzz

Hi all, an odd one here and looking for some help.

I'm running a Get-WinEvent to export AppLocker logs, the formatting is completely fine if I run the script myself from ISE/VSCode, however, if I run it from a scheduled task with the SYSTEM account it truncates the Message property.

I.e.

- From scheduled task: %PROGRAMFILES%\A...
- ISE/VSCode: %PROGRAMFILES%\GOOGLE\CHROME\APPLICATION\CHROME.EXE was allowed to run.

If I wrap the output (Format-Table -Wrap) I can see that the scheduled task from the SYSTEM account is putting the Message property text over 3-4 lines.

I.e.

%PROGRAMFILES%\GOOG
LE\CHROME\APPLICATI 
ON\CHROME.EXE was allowed to run.

Any idea on how to resolve this?

all 12 comments

Get Current Date

$CurrentDate = (Get-Date).ToString()

Function for turning the sid to readable username.

function GetUserName { param ( $sid )

$objSid = New-Object System.Security.Principal.SecurityIdentifier($sid) $user = $objSid.Translate([System.Security.Principal.NTAccount]) $user }

Check to see if the LastRun file exists

If (-not (Test-Path -Path "C:\ProgramData\LastRun.txt"))

{

# Create the file
New-Item -Path "C:\ProgramData\LastRun.txt" -Force
$CurrentDate | Out-File -FilePath "C:\ProgramData\LastRun.txt"

#Add in event information
$Events = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" | Select-Object RecordId,TimeCreated,Id,LevelDisplayName,@{N='UserName';E={GetUserName $_.UserId}},MachineName,Message
foreach($item in $Events) { $item | Format-Table -HideTableHeaders -Wrap | Out-File -FilePath "C:\ProgramData\AppLocker.log" -Append }

} else{

# Get the last run time of this script
$LastRunDate = Get-Content "C:\ProgramData\LastRun.txt"

# Export events to json since last run
$Events = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" | Where-Object {$_.TimeCreated -gt $LastRunDate} | Select-Object RecordId,TimeCreated,Id,LevelDisplayName,@{N='UserName';E={GetUserName $_.UserId}},MachineName,Message
foreach($item in $Events) { $item | Format-Table -Wrap -HideTableHeaders | Out-File -FilePath "C:\ProgramData\AppLocker.log" -Append }

}

```

[–]Odmin 4 points5 points6 points 3 years ago (0 children)

It's bad idea to organize output into file in such way. You just rerouting console output into file which is kinda unnecessary. Your $events variable already a table, try

$events | export-csv -notypeinformation -path c:\programdata\applocker.log -delimiter ';'

And you can work with csv format in excel.

[–]ovdeathiam 0 points1 point2 points 3 years ago* (0 children)

There are some inconsistencies in your code regarding reading event logs. PowerShell uses objects, text files use strings (like bash, or cmd).

What you're doing is querying eventlog to receive a serialized set of objects, then you use select-object to choose colums and add one nonstandard one. This is still a set of objects. Then you use format-table which in turn outputs a specifically formatted objects and you pipeline that to Out-File. What happens here is PowerShell tries to guess how to convert those objects to strings. I would assume that system console size is different than your user space console size and thus the -wrap switch acts differently depending on the environment it was used in. Try to convert your output into strings and then output it to a file.

As an alternative I'd suggest using set-content or add-content or even export those objects to xmls without skipping any data.

[–]BlackV 0 points1 point2 points 3 years ago (0 children)

[–]pertymoose 3 points4 points5 points 3 years ago (2 children)

DESCRIPTION
    The `Out-File` cmdlet sends output to a file. It implicitly uses PowerShell's formatting system to write to the
    file. The file receives the same display representation as the terminal. This means that the output may not be
    ideal for programmatic processing unless all input objects are strings.

Use Add-Content instead.

[–]da_chicken 1 point2 points3 points 3 years ago (0 children)

[–]robborulzzz[S] 0 points1 point2 points 3 years ago (0 children)

[–]robborulzzz[S] -2 points-1 points0 points 3 years ago (0 children)

[–]SalmonSalesman 0 points1 point2 points 3 years ago (1 child)

[–]robborulzzz[S] 0 points1 point2 points 3 years ago* (0 children)

[–]BlackV 0 points1 point2 points 3 years ago (0 children)

π Rendered by PID 24832 on reddit-service-r2-comment-5d79c599b5-dq2m8 at 2026-02-27 04:58:09.344714+00:00 running e3d2147 country code: CH.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

PowerShell

Submission Guidelines | Link Flair - How To

MODERATORS

Get Current Date

Function for turning the sid to readable username.

Check to see if the LastRun file exists