I'm looking to get a list of users who have logged onto a machine and when, and am working with the following PowerShell example:
Get-EventLog security -source microsoft-windows-security-auditing |
where {($_.instanceID -eq 4624) -and ($_.replacementstrings[5] -eq 'username')} |
select -property timegenerated, replacementstrings
Which is returning:
TimeGenerated ReplacementStrings
------------- ------------------
14/08/2019 08:50:34 {S-1-5-18, TT01022$, DOMAIN, 0x3e7...}
14/08/2019 08:50:34 {S-1-5-18, TT01022$, DOMAIN, 0x3e7...}
14/08/2019 07:45:08 {S-1-5-18, TT01022$, DOMAIN, 0x3e7...}
replacementstrings[5] is the username, which I want to include instead of the whole array.
But the following does not work:
PS C:\> Get-EventLog security -source microsoft-windows-security-auditing |
where {($_.instanceID -eq 4624) -and ($_.replacementstrings[5] -eq 'user')} |
select -property timegenerated, replacementstrings[5]
TimeGenerated replacementstrings[5]
------------- ---------------------
14/08/2019 08:50:34
14/08/2019 08:50:34
14/08/2019 07:45:08
It comes out blank.
I've had a bit of a play with the -ExpandProperty, but the output here is not what I'm looking for, and I seem to lose access to the TimeGenerated property:
PS C:\> Get-EventLog security -source microsoft-windows-security-auditing |
where {($_.instanceID -eq 4624) -and ($_.replacementstrings[5] -eq 'gary-smith')} |
select -property timegenerated -ExpandProperty replacementstrings |
format-table
S-1-5-18
TT01022$
DOMAIN
0x3e7
S-1-5-21-2072319296-1284187727-59193277-2383
user
DOMAIN
0x1eef92935
2
User32
Negotiate
TT01022
{00000000-0000-0000-0000-000000000000}
-
-
0
0xbd4
C:\Windows\System32\svchost.exe
127.0.0.1
0
%%1833
-
-
-
%%1843
0x1eef927e1
%%1843
S-1-5-18
TT01022$
DOMAIN
0x3e7
...
I'm simply looking for the output to be:
TimeGenerated User
------------- ---------------------
14/08/2019 08:50:34 user
14/08/2019 08:50:34 user
14/08/2019 07:45:08 user
I will be changing the filter to find multiple users, so want the user to be displayed rather than taking it from the input/filter itself.
So, the code that eventually produced the output I was looking for was:
Get-EventLog Security -Source microsoft-windows-security-auditing |
Where {($_.instanceID -eq 4624) -AND ($_.replacementstrings[5] -LIKE "*user*")} |
Select-Object -Property TimeGenerated, @{ Name = 'User'; Expression = { $_.replacementstrings[5] }} |
Format-Table @{Name='Time Generated';Width=20;Expression={$_.TimeGenerated}},@{Name='User';Width=40;Expression={$_.User}}
This is using a calculated property (thanks @Lee_Dailey for helping with this) and is formatting the output.
:)
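Added example, not part of the original post: the same calculated-property idea wrapped in a reusable filter that accepts several usernames at once and also surfaces the domain, logon type and source address by their positions in the dump above. `Get-LogonSummary`, its `-User` parameter and `New-SampleRecord` are hypothetical names, and the sample records are constructed.

```powershell
# Added example. Indexes follow the 4624 dump above:
# 5 = user, 6 = domain, 8 = logon type, 18 = source address.
function Get-LogonSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Record,
        [Parameter(Mandatory)] [string[]] $User   # hypothetical parameter
    )
    process {
        if ($Record.InstanceId -ne 4624) { return }
        $r = $Record.ReplacementStrings
        if ($r.Count -le 18) { return }           # skip truncated records
        if ($r[5] -notin $User) { return }        # case-insensitive match
        [pscustomobject]@{
            TimeGenerated = $Record.TimeGenerated
            User          = $r[5]
            Domain        = $r[6]
            LogonType     = [int]$r[8]
            SourceAddress = $r[18]
        }
    }
}

# Constructed sample records so the block runs without reading the Security log.
function New-SampleRecord($Time, $Id, $User, $Type, $Address) {
    $r = @('-') * 27
    $r[5] = $User; $r[6] = 'DOMAIN'; $r[8] = $Type; $r[18] = $Address
    [pscustomobject]@{ TimeGenerated = [datetime]$Time; InstanceId = $Id; ReplacementStrings = $r }
}
$sample = @(
    New-SampleRecord '2019-08-14T08:50:34' 4624 'user'       '2'  '127.0.0.1'
    New-SampleRecord '2019-08-14T08:12:03' 4624 'gary-smith' '10' '10.0.0.25'
    New-SampleRecord '2019-08-14T07:58:41' 4624 'TT01022$'   '5'  '-'
    New-SampleRecord '2019-08-14T07:45:08' 4634 'user'       '2'  '-'
)

$sample | Get-LogonSummary -User 'user', 'gary-smith' | Format-Table -AutoSize

# Against the live log (Windows PowerShell, elevated):
# Get-EventLog Security -Source microsoft-windows-security-auditing -InstanceId 4624 |
#     Get-LogonSummary -User 'user', 'gary-smith'
```

Because the function emits objects rather than formatted text, the result can be piped to `Sort-Object`, `Group-Object` or `Export-Csv` before any `Format-Table` call.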