
August 13, 2016 at 3:02 am

$log = Get-Eventlog -LogName Security -before $endDate 
$4 = $log | Select-Object -first 1

$4 generates

PS C:\> $4

Index Time EntryType Source InstanceID Message
----- ---- --------- ------ ---------- -------
41419 Aug 12 19:34 SuccessA... Microsoft-Windows... 4672 Special privileges assigned to new logon....

I want the text after 4672 "Special privileges assigned to new logon...."

When I attempt to use this method

$4.ReplacementStrings[0,1,2,3,4,5,6,7,8,9,10]

S-1-5-18
SYSTEM
NT AUTHORITY
0x3e7
SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege

The line of text I would like is missing.
BUT
Below when I use this I see the text I want.

$4.Message

Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege

I will guess I am missing some basic simple thing that I am overlooking. I have spent quite a bit of time trying to figure this out; help would be greatly appreciated.
Ultimately this code will compile into an HTML document and I have a column called "Description" and that short text would be ideal.

August 13, 2016 at 3:41 am

Hi Ernesto,

Please see if the below works for you.

-Daniel

August 13, 2016 at 6:01 am

Yup that works.
Thank you for the help!
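
Added example, not part of the original thread and not the code Daniel posted: the short description is fixed text from the event's message template, so it never appears in ReplacementStrings, which holds only the inserted values. One way to build the "Description" column is to take the first non-empty line of Message and read the 4672 fields from ReplacementStrings. The function name ConvertTo-ReportRow and the sample entry are constructed for illustration.

```powershell
# Constructed stand-in for one Get-EventLog entry (event 4672) so this runs offline.
# Against a live log, pipe in: Get-EventLog -LogName Security -Newest 50
$sample = [pscustomobject]@{
    TimeGenerated      = [datetime]'2016-08-12T19:34:00'
    InstanceId         = 4672
    Message            = "Special privileges assigned to new logon.`r`n`r`nSubject:`r`n" +
                         "`tSecurity ID:`t`tS-1-5-18`r`n`tAccount Name:`t`tSYSTEM`r`n"
    ReplacementStrings = @('S-1-5-18', 'SYSTEM', 'NT AUTHORITY', '0x3e7',
                           "SeTcbPrivilege`r`n`t`t`tSeBackupPrivilege`r`n`t`t`tSeDebugPrivilege")
}

function ConvertTo-ReportRow {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Entry
    )
    process {
        # The first non-empty line of the rendered message is the static description.
        $firstLine = $Entry.Message -split '\r?\n' |
            Where-Object { $_.Trim() } |
            Select-Object -First 1

        $row = [ordered]@{
            Time        = $Entry.TimeGenerated
            EventID     = $Entry.InstanceId
            Description = ([string]$firstLine).Trim()
            Account     = ''
            Privileges  = ''
        }

        # For 4672 the inserted values are: SID, account name, domain, logon ID,
        # then one multi-line string holding the whole privilege list.
        if ($Entry.InstanceId -eq 4672 -and $Entry.ReplacementStrings.Count -ge 5) {
            $rs = $Entry.ReplacementStrings
            $row.Account    = '{0}\{1}' -f $rs[2], $rs[1]
            $row.Privileges = ($rs[4] -split '\s+' | Where-Object { $_ }) -join ', '
        }

        [pscustomobject]$row
    }
}

# Emit an HTML table fragment with the Description column.
$sample | ConvertTo-ReportRow | ConvertTo-Html -Fragment
```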