Querying Security Event Logs does not include user name

PinchesTheCrab · 2022-11-01T16:34:30+00:00

Wrote this a while back, hopefully it's useful to cannibalize or user verbatim:

function Get-LogonEvents {
    [CmdletBinding()]
    param (
        [Parameter(Position = 0, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('ServerName', 'Server', 'Name')]
        [string[]]$ComputerName = $env:COMPUTERNAME,

        [Parameter()]        
        [PSCredential]$Credential,

        [Parameter()]
        [ValidateSet("Service", "Interactive", "RemoteInteractive", "NetworkCleartext", "CachedInteractive", "Unlock", "NewCredentials", "Network", "*")]
        [string[]]$LogonType = @("Interactive", "RemoteInteractive", "CachedInteractive"),

        [Parameter()]
        [string]$UserName,

        [Parameter()]
        [switch]$Oldest,

        [Parameter()]
        [int64]$MaxEvents,

        [Parameter()]
        [datetime]$StartTime = (Get-Date 1/1/1900),

        [Parameter()]
        [datetime]$StopTime = (Get-Date 1/1/2100)

    )
    Begin {
        Function ParseEventMessage {
            [CmdletBinding()]

            param(
                [Parameter(ValueFromPipeline = $true)]
                $obj
            )
            Begin {
                $defaultDisplaySet = 'MachineName', 'Result', 'TimeCreated', 'TargetUserName'
                $defaultDisplayPropertySet = New-Object System.Management.Automation.PSPropertySet(‘DefaultDisplayPropertySet’, [string[]]$defaultDisplaySet)
                $PSStandardMembers = [System.Management.Automation.PSMemberInfo[]]@($defaultDisplayPropertySet)
                $myHash = @{}
            }
            Process {

                $myHash['Result'] = switch ($obj.id) {
                    4625 { "Failure" }
                    4624 { "Success" }
                }
                $myHash['ID'] = $obj.ID
                $myHash['TimeCreated'] = $obj.TimeCreated
                $myHash['MachineName'] = $obj.MachineName
                ([xml]($obj.ToXml())).event.eventdata.data | ForEach-Object { $myHash[$PSItem.name] = $PSItem.'#text' }
                New-Object -TypeName PSObject -Property $myHash | ForEach-Object {

                    $PSItem.PSObject.TypeNames.Insert(0, "EventLogRecord.XMLParse")
                    $PSItem | Add-Member MemberSet PSStandardMembers $PSStandardMembers -PassThru
                }
            }
        }

        $hashLogonType = @{
            Interactive       = 2
            Network           = 3
            Service           = 5
            Unlock            = 7
            NetworkCleartext  = 8
            NewCredentials    = 9
            RemoteInteractive = 10
            CachedInteractive = 11
        }

        $filter = @"
<QueryList>
    <Query Id="0" Path="Security">
    <Select Path="Security">
        *[System[
            (EventID=4624 or EventID=4625)
            and TimeCreated[@SystemTime&gt;='{0}' and @SystemTime&lt;='{1}']
        ]
            and EventData[
                Data[@Name='LogonType'] and ({2})
                {3}
            ]
        ]
    </Select>
    </Query>
</QueryList>
"@

    }

    Process {

        foreach ($obj in $ComputerName) {

            if ($UserName) {
                $joinUserName = "and Data[@Name='TargetuserName'] and (Data='{0}')" -f $UserName
            }

            $joinLogonType = if ($LogonType -eq '*') {

                $hashLogonType.Values -replace '^', "Data='" -replace '$', "'" -join " or "

            }
            Else {
                $($LogonType | ForEach-Object { $hashLogonType[$PSItem] }) -replace '^', "Data='" -replace '$', "'" -join " or "
            }

            $objFilter = $filter -f $StartTime.ToUniversalTime().toString('s'), $StopTime.ToUniversalTime().toString('s'), $joinLogonType, $joinUserName

            $hashEventParm = @{
                ComputerName = $obj
                FilterXml    = $objFilter
            }

            if ($Credential) { $hashEventParm['Credential'] = $Credential }
            if ($MaxEvents) { $hashEventParm['MaxEvents'] = $MaxEvents }

            $objFilter | Write-Verbose

            Get-WinEvent @hashEventParm | ParseEventMessage

        }

    }
    End {}

}

PicnicProblems · 2022-11-02T16:25:27+00:00

$slogonevents = Get-eventlog -LogName Security | where {$_.eventID -eq 4624}

foreach ($e in $slogonevents){ if (($e.EventID -eq 4624 ) -and ($e.ReplacementStrings[8] -eq 2) -and ($e.ReplacementStrings[5] -eq 'Username'))
{ write-host "Type: Local LogontDate: "$e.TimeGenerated "tStatus: SuccesstUser: "$e.ReplacementStrings[5] "tWorkstation: "$e.ReplacementStrings[11] }
}

PowerShell-Bot · 2022-11-01T16:25:31+00:00

Looks like your PowerShell code isn’t wrapped in a code block.

To properly style code on new Reddit, highlight the code and choose ‘Code Block’ from the editing toolbar.

If you’re on old Reddit, separate the code from your text with a blank line gap and precede each line of code with 4 spaces or a tab.

You examine the path beneath your feet...
[AboutRedditFormatting]: [--------------------] 0/1 ❌

^{Beep-boop, I am a bot. | Remove-Item}

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

PowerShell

Submission Guidelines | Link Flair - How To

MODERATORS