With event records in the old (classic event log) format obtained via PowerShell's Get-EventLog, we can extract the replacement strings as an array.
Example #1:
PS C:\scripts> Get-EventLog -LogName Security -InstanceId 4634 -Newest 1|
>>Select -expand ReplacementStrings
S-1-5-7
ANONYMOUS LOGON
NT AUTHORITY
0xac30fba
3
Notice there are 5 strings. ReplacementStrings is an array, so we can index into it from a calculated property like this:
Example #2:
PS C:\scripts> Get-EventLog -LogName Security -InstanceId 4634 -Newest 1|
>> Select @{N='AccountSID';E={$_.ReplacementStrings[0]}}
>>
AccountSID
----------
S-1-5-21-2768830276-2144858717-3390379511-1000
Or several at once:
Example #3:
PS C:\scripts> Get-EventLog -LogName Security -InstanceId 4634 -Newest 1|
>>    Select @{N='AccountSID';E={$_.ReplacementStrings[0]}},
>>           @{N='AccountName';E={$_.ReplacementStrings[1]}}
>>
AccountSID                                                  AccountName
----------                                                  -----------
S-1-5-7                                                     ANONYMOUS LOGON
It is really that simple.
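The indexes above are positional, so the result is only as good as your knowledge of which string sits where for a given event ID. The following is an added example (not from the original post) that fixes the 4634 layout in one place: a function that converts the five replacement strings of a logoff record into an object with named fields, a pipeline wrapper over Get-EventLog output, and a tally of logoffs by account and logon type. The function names and the 200-record window are my own choices; the sample array is the one shown in Example #1.

```powershell
# Added example (not from the original post): give the positional ReplacementStrings
# of a Security event 4634 (logoff) record stable names. This index-to-field mapping is
# specific to 4634; other event IDs order their strings differently, so check the event
# template before reusing the indexes.
function ConvertFrom-LogoffStrings {
    param(
        [Parameter(Mandatory)][string[]]$Strings,
        [datetime]$TimeGenerated = (Get-Date)
    )
    if ($Strings.Count -lt 5) {
        throw "Expected 5 replacement strings for event 4634, got $($Strings.Count)"
    }
    [pscustomobject]@{
        TimeGenerated = $TimeGenerated
        AccountSID    = $Strings[0]   # Subject: Security ID
        AccountName   = $Strings[1]   # Subject: Account Name
        Domain        = $Strings[2]   # Subject: Account Domain
        LogonId       = $Strings[3]   # Subject: Logon ID (hex; matches the 4624 that opened the session)
        LogonType     = [int]$Strings[4]
    }
}

# Pipeline wrapper for Get-EventLog output; records that are not 4634 are skipped.
function ConvertFrom-LogoffEvent {
    param([Parameter(Mandatory, ValueFromPipeline)][System.Diagnostics.EventLogEntry]$Entry)
    process {
        if ($Entry.InstanceId -ne 4634) { return }
        ConvertFrom-LogoffStrings -Strings $Entry.ReplacementStrings -TimeGenerated $Entry.TimeGenerated
    }
}

# Offline check on the constructed array copied from Example #1 above.
$sample = @('S-1-5-7', 'ANONYMOUS LOGON', 'NT AUTHORITY', '0xac30fba', '3')
ConvertFrom-LogoffStrings -Strings $sample | Format-List

# Live use: tally the newest 200 logoffs by domain, account and logon type.
Get-EventLog -LogName Security -InstanceId 4634 -Newest 200 |
    ConvertFrom-LogoffEvent |
    Group-Object Domain, AccountName, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Reading the Security log needs an elevated session, and Get-EventLog exists only in Windows PowerShell (it was dropped from PowerShell 6+). On newer systems Get-WinEvent exposes the same fields by name through the event XML, which avoids relying on position altogether; the positional approach shown here is still useful when you are stuck with the classic API or with exported records.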
 
