Message is incorrectly blank when you query Win32_NTLogEvent WMI objects in Windows 10

Applies to: Windows 10


When you query Win32_NTLogEvent Windows Management Instrumentation (WMI) objects on a Windows 10-based computer, you notice the Message variable of the returned data is blank. However, the message in the associated event log entry is not blank when you view it in Event Viewer or by using the Get-EventLog cmdlet.

For example, to find the events objects that are affected by this issue, you run the following cmdlet in Windows PowerShell:

Get-WmiObject Win32_NTLogEvent -Filter "Logfile='Application'" | where {$_.Message -eq $null}

The object that has the issue may be displayed as the following:

Then, you run the following cmdlet to display the associated event:

Get-EventLog -LogName Application -Index 37386 | fl

This cmdlet shows the following results:


This behavior is by design. The WMI provider, NTEVT, decodes events differently than EventViewer or Get-EventLog do. Therefore, the messages that cannot be decoded are returned blank.