Extract Windows eventID 4624 and 4634 using powershell

  • Question

  • Hi,

    I'm trying to extract EventID 4624 and 4634 for a specific user. I've been searching over the web, and let's say I'm not a PowerShell expert, so I'm learning while searching for the answer.

    I got a script which I've modified to my needs; here's what it looks like.

    So here's what happens:

    When running the first 3 lines it works fine; however, when running the whole script, nothing happens. Not sure if it's because it's going through my 256,000 Security log entries, but I do not receive the output CSV file. I get no error either.

    $User = "USER"
    # Yields one SID string (S-1-5-21-...), not a list, so the inner Foreach below runs once per event
    $ADUsers = Get-ADUser $User | select -expand sid | select -expand value
    # Pulls every 4624/4634 in the log and renders each Message before any filtering on the user happens
    $Events = Get-WinEvent -LogName Security -filterXpath "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4624 or EventID=4634)]]" | select TimeCreated,Message
    $Results = Foreach ($Event in $Events) {
      Foreach ($ADUser in $ADUsers) {
        # -match treats the SID as a regular expression; that works because a SID is only digits and hyphens
        If ($Event.Message -match $ADUser) {
          $Result = "" | Select User,Domain,SID,LogEvent,TimeCreated
          $Result.TimeCreated = $Event.TimeCreated
          $Result.SID = $ADUser
          $Messages = $Event.Message -split "`n"
          # First line is "An account was successfully logged on." (4624) or "An account was logged off." (4634)
          If ($Messages[0] -match "on") {
            $Result.LogEvent = "Logon"
            for ($i = 1;$i -lt $Messages.Count;$i++) {
              # $Manager is never assigned in this script, and -match against an empty pattern is true for every line,
              # so the first iteration always wins and User/Domain are taken from the wrong lines
              If ($Messages[$i] -match $Manager) {
                $Result.User = ($Messages[$i + 1] -split ":")[1].trim(" ")
                $Result.Domain = ($Messages[$i + 2] -split ":")[1].trim(" ")
                Break
              }
            }
          } Else {
            $Result.LogEvent = "Logoff"
            for ($i = 1;$i -lt $Messages.Count;$i++) {
              # Same unassigned $Manager as above
              If ($Messages[$i] -match $Manager) {
                $Result.User = ($Messages[$i + 1] -split ":")[1].trim(" ")
                $Result.Domain = ($Messages[$i + 2] -split ":")[1].trim(" ")
                Break
              }
            }
          }
          $Result
        }
      }
    }
    $Results | Export-CSV c:\ManagerLogEvents.csv -notype
    Wednesday, December 18, 2019 8:27 PM

All replies

  • Please fix your post and edit it to post the code correctly using the code posting tool provided.

    Your code is mostly unnecessary.  Start with this to learn how to use events correctly:

    $user = 'samaccountname'
    $sid = (Get-ADUser $user).SID.Value
    # Data= matches the SID in any EventData field (Subject or Target); -Max is short for -MaxEvents
    Get-WinEvent -FilterHashtable @{Logname='Security';ID=4624,4634;Data=$sid} -Max 10 |
        select ID,TaskDisplayName,TimeCreated


    \_(ツ)_/



    • Edited by jrv Wednesday, December 18, 2019 8:19 PM
    Wednesday, December 18, 2019 8:18 PM
  • A much more powerful and flexible way to do this is with an XML query,

    $query = @'
    <QueryList>
        <Query Id='0' Path='Security'>
            <Select Path='Security'>
                *[System[EventID='4624' or EventID='4634']
                    and(
                        EventData[Data[@Name='TargetUserName']='{0}']
                        and
                        EventData[Data[@Name='LogonType']='3']
                    )
                ] 
            </Select>
        </Query>
    </QueryList>
    '@
    $user = 'jsmith'
    $filterXml = $query -f $user
    Get-WinEvent -FilterXml $filterXml | select ID,TaskDisplayName,TimeCreated


    Here is the clean XML using the XML display type:

    <QueryList>
        <Query Id='0' Path='Security'>
            <Select Path='Security'>
                *[System[EventID='4624' or EventID='4634']
                    and(
                        EventData[Data[@Name='TargetUserName']='{0}']
                        and
                        EventData[Data[@Name='LogonType']='3']
                    )
                ] 
            </Select>
        </Query>
    </QueryList>



    \_(ツ)_/

    • Edited by jrv Wednesday, December 18, 2019 9:31 PM
    • Marked as answer by Madorezz Thursday, December 19, 2019 2:39 PM
    Wednesday, December 18, 2019 9:05 PM
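One worked version of what the two replies above sketch, added here as an example and not code from the thread or from jrv. It filters on the account's SID inside the XPath, so the event log service does the filtering instead of the script rendering all 256,000 messages, and so casing of TargetUserName (which XPath compares case-sensitively) cannot cause misses; it reads the EventData fields by name from the event XML instead of regex-matching the Message text; and it pairs each 4624 with its 4634 through TargetLogonId to give session start, end and duration. The marked answer's `LogonType='3'` clause keeps network logons only; this version leaves LogonType unfiltered and decodes it in the output instead. The function names, the seven-day default window, and the SID, times and addresses in the two sample events are choices made for this example; the sample events are constructed, not captured.

```powershell
# Added example, not code from the thread. Pulls 4624/4634 for one account by SID,
# reads EventData by field name instead of regex over the rendered Message, and pairs
# each logon with its logoff via TargetLogonId. Assumed: read access to the Security
# log for the live query; the two sample events at the bottom are constructed.

$LogonTypeNames = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
                     8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

function ConvertFrom-SecurityEventXml {
    # Flatten the <Event> XML (what EventLogRecord.ToXml() returns) into one object.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $x  = [xml]$EventXml
        $ns = New-Object System.Xml.XmlNamespaceManager($x.NameTable)
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
        $data = @{}
        foreach ($d in $x.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]@{
            EventId     = [int]$x.SelectSingleNode('/e:Event/e:System/e:EventID', $ns).InnerText
            TimeCreated = [datetime]$x.SelectSingleNode('/e:Event/e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
            User        = $data['TargetUserName']
            Domain      = $data['TargetDomainName']
            SID         = $data['TargetUserSid']
            LogonId     = $data['TargetLogonId']   # LSA logon session ID, shared by a 4624 and its 4634
            LogonType   = [int]$data['LogonType']
            IpAddress   = $data['IpAddress']       # present on 4624 only; $null on 4634
        }
    }
}

function Get-UserLogonEvents {
    # Live query. The TargetUserSid test runs inside the event log service, so the log is never
    # rendered to Message text client side, and the time window keeps the scan short.
    param([Parameter(Mandatory)][string]$TargetUserSid,
          [datetime]$StartTime = (Get-Date).AddDays(-7))   # assumed default window
    $ms = [long]((Get-Date) - $StartTime).TotalMilliseconds
    $query = @"
<QueryList><Query Id="0" Path="Security"><Select Path="Security">
  *[System[(EventID=4624 or EventID=4634) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]
    and EventData[Data[@Name='TargetUserSid']='$TargetUserSid']]
</Select></Query></QueryList>
"@
    # Get-WinEvent reports "No events were found" as an error rather than an empty result.
    Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue |
        ForEach-Object { $_.ToXml() } | ConvertFrom-SecurityEventXml
}

function Get-LogonSessions {
    # Join each 4624 to the 4634 carrying the same TargetLogonId. A logon whose 4634 falls outside
    # the window, or is never written (some sessions end without one), keeps an empty LogoffTime.
    param([object[]]$Events = @())
    $logoffs = @{}
    foreach ($e in ($Events | Where-Object EventId -eq 4634)) { $logoffs[$e.LogonId] = $e.TimeCreated }
    foreach ($e in ($Events | Where-Object EventId -eq 4624 | Sort-Object TimeCreated)) {
        $off = $logoffs[$e.LogonId]
        $dur = if ($null -ne $off) { $off - $e.TimeCreated } else { $null }
        [pscustomobject]@{
            User       = "$($e.Domain)\$($e.User)"
            SID        = $e.SID
            LogonType  = $LogonTypeNames[$e.LogonType]
            Source     = $e.IpAddress
            LogonTime  = $e.TimeCreated
            LogoffTime = $off
            Duration   = $dur
        }
    }
}

# Constructed sample events (not real log data) so the parse/correlate path runs offline.
$sample4624 = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
    <TimeCreated SystemTime="2019-12-18T19:53:00.0000000Z"/></System>
  <EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="TargetUserSid">S-1-5-21-1111-2222-3333-1105</Data><Data Name="TargetUserName">jsmith</Data>
    <Data Name="TargetDomainName">CORP</Data><Data Name="TargetLogonId">0x3e7e1</Data>
    <Data Name="LogonType">3</Data><Data Name="IpAddress">10.0.0.25</Data></EventData>
</Event>
"@
$sample4634 = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4634</EventID>
    <TimeCreated SystemTime="2019-12-18T21:05:30.0000000Z"/></System>
  <EventData><Data Name="TargetUserSid">S-1-5-21-1111-2222-3333-1105</Data>
    <Data Name="TargetUserName">jsmith</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetLogonId">0x3e7e1</Data><Data Name="LogonType">3</Data></EventData>
</Event>
"@
$events = $sample4624, $sample4634 | ConvertFrom-SecurityEventXml
Get-LogonSessions -Events $events | Format-Table -AutoSize

# Live run, then the CSV the question asked for (needs the ActiveDirectory module for the SID lookup):
# $sid = (Get-ADUser jsmith).SID.Value
# Get-LogonSessions -Events @(Get-UserLogonEvents -TargetUserSid $sid) |
#     Export-Csv C:\ManagerLogEvents.csv -NoTypeInformation
```

Run as-is, the block pairs the two constructed events into a single session row for CORP\jsmith. The commented lines at the end run the same pipeline against the local Security log, which needs membership in Event Log Readers or Administrators, and write the CSV; widen or narrow `-StartTime` to control how much of the log is scanned.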
  • DUPLICATE POST - https://social.technet.microsoft.com/Forums/en-US/e70b1c8b-0248-4736-9d10-fcec4af8ce8b/extract-windows-event-4624-and-4634-log-using-powershell?forum=ITCG

    Please do not create duplicate posts as they are not helpful to those answering and those looking for answers.


    \_(ツ)_/

    Wednesday, December 18, 2019 9:39 PM
  • Well, I couldn't edit the other one because it was marked as not legit or something like that, so I created a new one. We can trash this one then. Sorry.
    • Edited by Madorezz Thursday, December 19, 2019 2:34 PM Text added
    Thursday, December 19, 2019 2:32 PM
  • Jeez, that's great, works like a charm... I will take this as an example and try to learn it the right way. Thanks a lot, guys!!
    Thursday, December 19, 2019 2:39 PM
  • Thanks for the answer; like I said, still learning PS, so I'll take note of this.

    Thank you, it is working now


    Thursday, December 19, 2019 2:41 PM