T0pCyber
Bug: Date format handling issue in Search-UnifiedAuditLog for non-US region settings
Your Question
Getting following error. Is this a bug or do I enter the date wrong? I am on a systm with Windows 10 22H2 $PSVersionTable.PSVersion Major Minor Build Revision
5 1 19041 5486
I am starting Hawk with: Start-HawkTenantInvestigation -StartDate '04/13/2025' -EndDate '04/28/2025' -FilePath 'C:\hawk'
The script runs through, but I get the following error about 5 times:
[2025-04-28 11:41:43Z] - [ACTION] - Running Unified Audit Log Search Write-ErrorMessage : Cannot process argument transformation on parameter 'EndDate'. Cannot convert value "04/28/2025" to type "Microsoft.Exchange.ExchangeSystem.ExDateTime". Error: "String '04/28/2025' was not recognized as a valid DateTime." In C:\Users\REDACTED\AppData\Local\Temp\tmpEXO_4n2p3r50.eqc\tmpEXO_4n2p3r50.eqc.psm1:1189 Zeichen:13
-
Write-ErrorMessage $ErrorObject -
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~- CategoryInfo : NotSpecified: (:) [Search-UnifiedAuditLog], ParameterTransformationException
- FullyQualifiedErrorId : [Server=GV0P278MB0115,RequestId=ddf22520-04b0-ab95-6e9a-7dfe0ba26288,TimeStamp=Mon, 28 A pr 2025 11:42:10 GMT],Write-ErrorMessage
[2025-04-28 11:41:43Z] - [INFO] - Unified Audit log returned no results.
I tried several ways to enter the date string. Either I have the error above if using US date string format, or the program does not start because I formated the date string wrongly.
We looked into your issue with Start-HawkTenantInvestigation, and the root cause appears to be the following: the Hawk module is trying to pass date strings to Exchange Online in a format it can't process, specifically on systems with non-US regional settings.
We will look to implement some additional flexibility into Hawk to ensure this doesn't happen to users in the future. In the mean time, try these possible fixes and let us know if any work:
Option 1: Use DateTime objects
$startDate = Get-Date "4/13/2025"
$endDate = Get-Date "4/28/2025"
Start-HawkTenantInvestigation -StartDate $startDate -EndDate $endDate -FilePath 'C:\hawk'
Option 2: Use year-month-day format
Start-HawkTenantInvestigation -StartDate '2025-04-13' -EndDate '2025-04-28' -FilePath 'C:\hawk'
Option 3: Set your PowerShell to use US regional settings temporarily
[System.Threading.Thread]::CurrentThread.CurrentCulture = [System.Globalization.CultureInfo]::GetCultureInfo('en-US')
Start-HawkTenantInvestigation -StartDate '04/13/2025' -EndDate '04/28/2025' -FilePath 'C:\hawk'
You could optionally add the line first line in option 3 to your PowerShell profile to ensure your settings remain as a US regional setting.
This is an initial assumption, so please let us know if any of those suggested fixes work for you and we will look to implement a more permanent solution.
Thanks for the quick response.
I tried all 3 options and unfortunately still get the same error.
I've tried the solution with the regional setting, but it does not seem to hold.. When executing on Powershell, I get this.. I would have assumed that after the last line, I would get en-US ?
PS C:\Users\REDACTED> [System.Threading.Thread]::CurrentThread.CurrentCulture
LCID Name DisplayName
---- ---- -----------
2055 de-CH Deutsch (Schweiz)
PS C:\Users\REDACTED> [System.Globalization.CultureInfo]::GetCultureInfo('en-US')
LCID Name DisplayName
---- ---- -----------
1033 en-US Englisch (USA)
PS C:\Users\REDACTED> [System.Threading.Thread]::CurrentThread.CurrentCulture = [System.Globalization.CultureInfo]::GetCultureInfo('en-US')
PS C:\Users\REDACTED> [System.Threading.Thread]::CurrentThread.CurrentCulture
LCID Name DisplayName
---- ---- -----------
2055 de-CH Deutsch (Schweiz)
Dan
Dan,
Hmm.. we will need to take deeper look into this. The only other thing I can immediatley offer trying is to run Hawk using PowerShell core (version 7+), as it has improved internationalization support. Thank you for bringing this to our attention. Please let us know if you try PowerShell core and how that works out for you.
hello @jonnybottles , Thanks for your advice.
I am testing now with PowerShell 7.5.0.
PS C:\> $psVersionTable.PSVersion
Major Minor Patch PreReleaseLabel BuildLabel
----- ----- ----- --------------- ----------
7 5 0
Running from here, still produces errors, although they look slightly different:
PS C:\> $endDate = Get-Date "28.4.2025"
PS C:\> $startDate = Get-Date "13.4.2025"
PS C:\> Start-HawkTenantInvestigation -StartDate $startDate -EndDate $endDate -FilePath 'C:\hawk'
[...]
[2025-04-29 09:12:08Z] - [ACTION] - Running Unified Audit Log Search
Search-UnifiedAuditLog: Cannot process argument transformation on parameter 'EndDate'. Cannot convert value "04/28/2025" to type
"Microsoft.Exchange.ExchangeSystem.ExDateTime". Error: "String '04/28/2025' was not recognized as a valid DateTime."
[2025-04-29 09:12:08Z] - [INFO] - Unified Audit log returned no results.
[2025-04-29 09:12:08Z] - [INFO] - Get-HawkTenantEDiscoveryLog completed successfully
[2025-04-29 09:12:08Z] - [ACTION] - No eDiscovery Logs found
[2025-04-29 09:12:08Z] - [INFO] - Completed collection of eDiscovery logs from Exchange Online.
[2025-04-29 09:12:08Z] - [ACTION] - Running Get-HawkTenantAdminInboxRuleCreation.
[2025-04-29 09:12:09Z] - [ACTION] - Initiating collection of admin inbox rule creation events from the UAL.
[2025-04-29 09:12:09Z] - [ACTION] - Running Unified Audit Log Search
Search-UnifiedAuditLog: Cannot process argument transformation on parameter 'EndDate'. Cannot convert value "04/28/2025" to type
"Microsoft.Exchange.ExchangeSystem.ExDateTime". Error: "String '04/28/2025' was not recognized as a valid DateTime."
[2025-04-29 09:12:09Z] - [INFO] - Unified Audit log returned no results.
Now running with the change of region:
PS C:\> [System.Threading.Thread]::CurrentThread.CurrentCulture = [System.Globalization.CultureInfo]::GetCultureInfo('en-US')
PS C:\> Start-HawkTenantInvestigation -StartDate '04/13/2025' -EndDate '04/28/2025' -FilePath 'C:\hawk'
[2025-04-29 09:16:56Z] - [INFO] - Valid Hawk Object already exists no actions will be taken.
[2025-04-29 09:16:56Z] - [ACTION] - Starting Tenant Investigation.
[...]
[2025-04-29 09:17:00Z] - [ACTION] - Running Unified Audit Log Search
Search-UnifiedAuditLog: Cannot process argument transformation on parameter 'EndDate'. Cannot convert value "04/28/2025" to type
"Microsoft.Exchange.ExchangeSystem.ExDateTime". Error: "String '04/28/2025' was not recognized as a valid DateTime."
[2025-04-29 09:17:00Z] - [INFO] - Unified Audit log returned no results.
[2025-04-29 09:17:00Z] - [INFO] - Get-HawkTenantEDiscoveryLog completed successfully
[2025-04-29 09:17:00Z] - [ACTION] - No eDiscovery Logs found
[2025-04-29 09:17:00Z] - [INFO] - Completed collection of eDiscovery logs from Exchange Online.
[2025-04-29 09:17:00Z] - [ACTION] - Running Get-HawkTenantAdminInboxRuleCreation.
[2025-04-29 09:17:00Z] - [ACTION] - Initiating collection of admin inbox rule creation events from the UAL.
[2025-04-29 09:17:00Z] - [ACTION] - Running Unified Audit Log Search
Search-UnifiedAuditLog: Cannot process argument transformation on parameter 'EndDate'. Cannot convert value "04/28/2025" to type
"Microsoft.Exchange.ExchangeSystem.ExDateTime". Error: "String '04/28/2025' was not recognized as a valid DateTime."
[2025-04-29 09:17:01Z] - [INFO] - Unified Audit log returned no results.
[...]
Dan
Dan,
Thank you for all of the detailed information logs. This is definitely an edge case we haven't seen befoe, but something we will definitely fix. If you end up finding a workaround, please let us know. We will keep this issue open and hopefully have a resolution in the near future.