Monday, May 12, 2014

Extracting Strings from Event Records #1

With event records in the old format obtained by using PowerShell's Get-EventLog, we can extract the strings as an array.

Example #1: 

PS C:\scripts> Get-EventLog -LogName Security -InstanceId 4634 -Newest 1|
>>Select -expand ReplacementStrings
S-1-5-7
ANONYMOUS LOGON
NT AUTHORITY
0xac30fba
3

Notice that there are 5 strings, returned as an array. We can reference them by index in a calculated property like this:

Example #2: 

PS C:\scripts> Get-EventLog -LogName Security -InstanceId 4634 -Newest 1|
>> Select @{N='AccountSID';E={$_.ReplacementStrings[0]}}
>>

AccountSID
----------
S-1-5-21-2768830276-2144858717-3390379511-1000

Or more:

Example #3: 

PS C:\scripts> Get-EventLog -LogName Security -InstanceId 4634 -Newest 1|
>>    Select @{N='AccountSID';E={$_.ReplacementStrings[0]}},
>>           @{N='Domain';E={$_.ReplacementStrings[1]}}
>>

AccountSID                                                  Domain
----------                                                  ------
S-1-5-7                                                     ANONYMOUS LOGON

It is really that simple.
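As an added example (not part of the original post), here is the same indexing wrapped in a reusable function that turns a 4634 record into an object with named fields. The index order is assumed from the strings shown in Example #1 (SID, account name, domain, logon ID, logon type); the function name, the constructed sample record and the logon-type lookup table are mine, not from the post.

```powershell
# Added example: map the 4634 (logoff) ReplacementStrings array to named fields.
# Index order assumed from Example #1 above:
#   [0] account SID  [1] account name  [2] domain  [3] logon ID  [4] logon type
$LogonTypeName = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'
    11 = 'CachedInteractive'
}

function ConvertFrom-LogoffEvent {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)] $Event
    )
    process {
        $s = $Event.ReplacementStrings
        # Guard against truncated or unexpected records before indexing
        if ($s.Count -lt 5) {
            Write-Warning "Record $($Event.Index) has only $($s.Count) strings; skipping"
            return
        }
        $type = [int]$s[4]
        [pscustomobject]@{
            TimeGenerated = $Event.TimeGenerated
            AccountSID    = $s[0]
            Account       = $s[1]
            Domain        = $s[2]
            LogonId       = $s[3]
            LogonType     = $type
            LogonTypeName = if ($LogonTypeName.ContainsKey($type)) { $LogonTypeName[$type] } else { 'Unknown' }
        }
    }
}

# Constructed sample record (mirrors Example #1) so the function runs without
# access to a live Security log.
$sample = [pscustomobject]@{
    Index              = 1
    TimeGenerated      = Get-Date '2014-05-12 09:00:00'
    ReplacementStrings = @('S-1-5-7', 'ANONYMOUS LOGON', 'NT AUTHORITY', '0xac30fba', '3')
}
$sample | ConvertFrom-LogoffEvent | Format-Table -AutoSize

# Against the live log (needs rights to read Security), e.g. to summarise
# network logoffs by domain and account:
# Get-EventLog -LogName Security -InstanceId 4634 -Newest 200 |
#     ConvertFrom-LogoffEvent |
#     Where-Object { $_.LogonType -eq 3 } |
#     Group-Object Domain, Account | Select-Object Count, Name
```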