![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 38%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
PowerShell
A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
2,329 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
The bit of code you submitted simply doesn't work. Also, a logon eventid is 4624.
You can try something like this:
Get-WinEvent -FilterHashtable @{LogName = 'Security'; ID = 4624 } |
ForEach-Object {
$t = $_.properties[8].value # type of logon
if ($t -eq 2 -OR # interactive logon
$t -eq 7) { # unlock (Note: There are many more logon types)
$sid = $_.properties[0].value
$rid = [int64]($sid.Value.Split("-")[-1])
if ( $rid -lt 0x400) {
# it's a well-known sid -- if you want to skip these
# otherwise, interactive logons will have a profile
$p = Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid" -Name ProfileImagePath
$p.Split("\")[-1] # just get the user name
}
else {
try {
(Get-LocalUser -SID $sid -ErrorAction Stop).name
}
catch {
try {
(Get-ADUser -Identity $sid -ErrorAction Stop).name
}
catch {
Write-Host "Could not find user for SID: $sid"
}
}
}
}
}