
June 5, 2018 at 4:29 pm

So I run this on my domain controller, looking for events where users were disabled, searching archived event logs.

Get-WinEvent -FilterHashtable @{Path="C:\windows\system32\winevt\Logs\*Security*";id= @($EventLogonIDs);StartTime="5/31/2018";EndTime="6/01/2018"} | Export-Clixml c:\Users\bv1462_admin\Desktop\result4725.xml

When I get the results, the message text is similar to this:

A user account was disabled._x000D__x000A__x000D__x000A_Subject:_x000D__x000A__x0009_Security ID:_x0009__x0009_S-1-5-21-2112958924-2060150323-4283506686-11897_x000D__x000A__x0009_Account Name:_x0009__x0009_admin_x000D__x000A__x0009_Account Domain:_x0009__x0009_BV_x000D__x000A__x0009_Logon ID:_x0009__x0009_0x21ec96cb_x000D__x000A__x000D__x000A_Target Account:_x000D__x000A__x0009_Security ID:_x0009__x0009_S-1-5-21-2112958924-2060150323-4283506686-1958_x000D__x000A__x0009_Account Name:_x0009__x0009_at008_x000D__x000A__x0009_Account Domain:_x0009__x0009_

Any thoughts on why and how I can make it readable? I tried to just export as CSV, but then I do not get the entire message body, no matter what I try.

Thanks

June 6, 2018 at 1:03 am

When I export to csv I can get the entire message property, I just had to expand the cell. If you want to make a "readable" report I would stick with out-file or export-csv. The Export-CLIxml is a way of converting an object to XML and storing it in a file so that PS can rebuild the objects from the file in a different session. It's not necessarily meant to be "readable". When I import the .xml file PS recreates the object perfectly. I read something regarding export-CLIxml defaulting to UTF-16, however forcing the encoding to UTF-8 didn't yield any different result for me. Maybe someone else who is more knowledgeable about XML can chime in and offer a better explanation.

Get-WinEvent -FilterHashtable @{Path="C:\windows\system32\winevt\Logs\*Security*";ID='4670';StartTime="5/31/2018";EndTime="6/01/2018"} | select -First 1 | Export-Csv -Path C:\Users\user\Desktop\result4725.csv -NoTypeInformation -Force
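An added example, not code from either poster: the `_x000D_`, `_x000A_` and `_x0009_` runs in the XML are the carriage return, line feed and tab characters of the message written as `_xHHHH_` escapes, which Import-Clixml turns back when it rebuilds the object. The sketch below decodes such a string by hand and pulls out who disabled which account; the function names and the placeholder SIDs are made up for the illustration.

```powershell
function ConvertFrom-ClixmlEscapedText {
    param([Parameter(Mandatory)][string]$Text)
    # _x000D_ = CR, _x000A_ = LF, _x0009_ = TAB, _x005F_ = a literal underscore
    [regex]::Replace($Text, '_x([0-9A-Fa-f]{4})_', {
        param($m)
        [string][char][Convert]::ToInt32($m.Groups[1].Value, 16)
    })
}

function ConvertFrom-AccountDisabledMessage {
    param([Parameter(Mandatory)][string]$Message)
    $section = $null
    $fields  = @{}
    foreach ($line in ($Message -split '\r?\n')) {
        if ($line -match '^(Subject|Target Account):\s*$') {
            # Section header: the indented lines that follow belong to it
            $section = $Matches[1]
        }
        elseif ($section -and $line -match '^\s+(Security ID|Account Name|Account Domain|Logon ID):\s*(.*)$') {
            $fields["$section/$($Matches[1])"] = $Matches[2].Trim()
        }
    }
    [pscustomobject]@{
        DisabledBy      = '{0}\{1}' -f $fields['Subject/Account Domain'], $fields['Subject/Account Name']
        ActorSid        = $fields['Subject/Security ID']
        ActorLogonId    = $fields['Subject/Logon ID']
        DisabledAccount = '{0}\{1}' -f $fields['Target Account/Account Domain'], $fields['Target Account/Account Name']
        TargetSid       = $fields['Target Account/Security ID']
    }
}

# Constructed sample in the shape shown in the question (SIDs are placeholders)
$raw = 'A user account was disabled._x000D__x000A__x000D__x000A_Subject:_x000D__x000A_' +
       '_x0009_Security ID:_x0009__x0009_S-1-5-21-0-0-0-1001_x000D__x000A_' +
       '_x0009_Account Name:_x0009__x0009_admin_x000D__x000A_' +
       '_x0009_Account Domain:_x0009__x0009_BV_x000D__x000A_' +
       '_x0009_Logon ID:_x0009__x0009_0x21ec96cb_x000D__x000A__x000D__x000A_' +
       'Target Account:_x000D__x000A_' +
       '_x0009_Security ID:_x0009__x0009_S-1-5-21-0-0-0-1002_x000D__x000A_' +
       '_x0009_Account Name:_x0009__x0009_at008_x000D__x000A_' +
       '_x0009_Account Domain:_x0009__x0009_BV'

$decoded = ConvertFrom-ClixmlEscapedText -Text $raw
ConvertFrom-AccountDisabledMessage -Message $decoded | Format-List
```

For a file that Export-Clixml actually wrote, pipe the output of Import-Clixml to `ConvertFrom-AccountDisabledMessage` using each object's `Message` property; the manual decoding step is only needed when reading the raw XML text.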

June 8, 2018 at 3:55 pm

Thank you for the response. I do not know why xml was so weird, but the csv was able to get me what I needed. I was expanding out so I did not see it, but when I expanded the cell down, it was there.