Tags: powershell, powershell-4.0

When a list of objects is returned from Get-EventLog that itself contains an array of strings, how do I access the array elements?


I'm looking to get a list of users who have logged onto a machine and when, and am working with the following PowerShell example:

Get-EventLog security -source microsoft-windows-security-auditing  |
    where {($_.instanceID -eq 4624) -and ($_.replacementstrings[5] -eq 'username')} |
    select -property timegenerated, replacementstrings

Which is returning:

TimeGenerated       ReplacementStrings                           
-------------       ------------------                           
14/08/2019 08:50:34 {S-1-5-18, TT01022$, DOMAIN, 0x3e7...}
14/08/2019 08:50:34 {S-1-5-18, TT01022$, DOMAIN, 0x3e7...}
14/08/2019 07:45:08 {S-1-5-18, TT01022$, DOMAIN, 0x3e7...}

replacementstrings[5] is the username, which I want to include instead of the whole array.

But the following does not work:

PS C:\> Get-EventLog security -source microsoft-windows-security-auditing  |
    where {($_.instanceID -eq 4624) -and ($_.replacementstrings[5] -eq 'user')} |
    select -property timegenerated, replacementstrings[5]

TimeGenerated       replacementstrings[5]
-------------       ---------------------
14/08/2019 08:50:34                      
14/08/2019 08:50:34                      
14/08/2019 07:45:08    

It comes out blank.

I've had a bit of a play with the -ExpandProperty, but the output here is not what I'm looking for, and I seem to lose access to the TimeGenerated property:

PS C:\> Get-EventLog security -source microsoft-windows-security-auditing  |
    where {($_.instanceID -eq 4624) -and ($_.replacementstrings[5] -eq 'gary-smith')} |
    select -property timegenerated -ExpandProperty replacementstrings |
    format-table

S-1-5-18
TT01022$
DOMAIN
0x3e7
S-1-5-21-2072319296-1284187727-59193277-2383
user
DOMAIN
0x1eef92935
2
User32 
Negotiate
TT01022
{00000000-0000-0000-0000-000000000000}
-
-
0
0xbd4
C:\Windows\System32\svchost.exe
127.0.0.1
0
%%1833
-
-
-
%%1843
0x1eef927e1
%%1843
S-1-5-18
TT01022$
DOMAIN
0x3e7
...

I'm simply looking for the output to be:

TimeGenerated       User
-------------       ---------------------
14/08/2019 08:50:34 user
14/08/2019 08:50:34 user
14/08/2019 07:45:08 user

I will be changing the filter to find multiple users, so want the user to be displayed rather than taking it from the input/filter itself.


Solution

  • So, the code that eventually produced the output I was looking for was:

    Get-EventLog Security -Source microsoft-windows-security-auditing  |
        Where {($_.instanceID -eq 4624) -AND ($_.replacementstrings[5] -LIKE "*user*")} |
        Select-Object -Property TimeGenerated, @{ Name = 'User'; Expression = {  $_.replacementstrings[5] }} |
        Format-Table @{Name='Time Generated';Width=20;Expression={$_.TimeGenerated}},@{Name='User';Width=40;Expression={$_.User}}
    

    This is using a calculated property (thanks @Lee_Dailey for helping with this) and is formatting the output.

    :)
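For context on why the first attempt came out blank: `Select-Object -Property` treats `replacementstrings[5]` as a property name pattern rather than an index expression, so no property matches and the column is empty; a calculated property runs the expression instead. The following is an added example (not code from the question or the answer above) that extends the same calculated-property approach to several users and a few more 4624 fields; the `$users` list is a constructed assumption, and the field indexes (5 = TargetUserName, 6 = TargetDomainName, 8 = LogonType, 18 = IpAddress) follow the documented layout of event 4624, which matches the expanded output shown in the question.

```powershell
# Added example (not the poster's code): logon report for several users from
# Security event 4624, using calculated properties instead of array indexing
# inside -Property. $users and the friendly logon-type names are demo values.

$users = @('alice', 'bob', 'gary-smith')   # constructed sample list of accounts

# Human-readable names for the LogonType field (ReplacementStrings[8]).
$logonTypes = @{
    2 = 'Interactive';  3 = 'Network';           4  = 'Batch'
    5 = 'Service';      7 = 'Unlock';            8  = 'NetworkCleartext'
    9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

Get-EventLog -LogName Security -Source 'Microsoft-Windows-Security-Auditing' -InstanceId 4624 |
    Where-Object {
        # Guard against a short ReplacementStrings array: indexing past the end
        # returns $null, which would make the comparison silently false.
        $_.ReplacementStrings.Count -gt 18 -and
        $users -contains $_.ReplacementStrings[5]        # case-insensitive match
    } |
    Select-Object -Property TimeGenerated,
        @{ Name = 'User';      Expression = { $_.ReplacementStrings[5] } },
        @{ Name = 'Domain';    Expression = { $_.ReplacementStrings[6] } },
        @{ Name = 'LogonType'; Expression = {
            # -as [int] yields $null instead of throwing if the field is not numeric
            $t = $_.ReplacementStrings[8] -as [int]
            if ($null -ne $t -and $logonTypes.ContainsKey($t)) { $logonTypes[$t] } else { $t }
        } },
        @{ Name = 'SourceIP';  Expression = { $_.ReplacementStrings[18] } } |
    Sort-Object TimeGenerated -Descending |
    Format-Table -AutoSize
```

Adding `-Newest 5000` to `Get-EventLog` keeps the query fast on a busy Security log; the filter and calculated properties are unchanged.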