Author Posts

May 10, 2017 at 6:52 pm

Trying grab user names from 4740 event ID
First off thanks for the help and like other people on here I'm green as grass to Powershell.

What I'm trying to do should be real simple one liner. But i'm banging my head to get it to work. The short of it is I'm using Get-Winevent to pull the 4740 events out of the security log and just display the time created event and target username. I can get the events and time created with no problem. there is plenty of examples on that. The problem I'm having is getting the Username. Just about all the examples I found also filter by username which is not what I want. I want all 4740 events from all users.

Here is the code:

Get-WinEvent -LogName Security -FilterXPath "*/System/EventID=4740 and */System/TimeCreated and */EventData/Data[@Name='TargetUserName']" | Select-Object -Property TimeCreated, TargetUserName 

I know it is wrong duh 😉 but I'm hoping well be kind enough to at least point me in the right direction. I don't mind fishing for my dinner.