Trying grab user names from 4740 event ID

This topic contains 1 reply, has 2 voices, and was last updated by Profile photo of Daniel Krebs Daniel Krebs 2 months, 1 week ago.

  • Author
    Posts
  • #70504
    Profile photo of Greg
    Greg
    Participant

    Trying grab user names from 4740 event ID
    First off thanks for the help and like other people on here I'm green as grass to Powershell.

    What I'm trying to do should be real simple one liner. But i'm banging my head to get it to work. The short of it is I'm using Get-Winevent to pull the 4740 events out of the security log and just display the time created event and target username. I can get the events and time created with no problem. there is plenty of examples on that. The problem I'm having is getting the Username. Just about all the examples I found also filter by username which is not what I want. I want all 4740 events from all users.

    Here is the code:

    Get-WinEvent -LogName Security -FilterXPath "*/System/EventID=4740 and */System/TimeCreated and */EventData/Data[@Name='TargetUserName']" | Select-Object -Property TimeCreated, TargetUserName 

    I know it is wrong duh 😉 but I'm hoping well be kind enough to at least point me in the right direction. I don't mind fishing for my dinner.

  • #70510
    Profile photo of Daniel Krebs
    Daniel Krebs
    Moderator

    Hi Greg,

    I think the following blog post might be able to help.

    – Daniel

You must be logged in to reply to this topic.