PowerShell Get-WinEvent to filter logon & logoff events for the specified user

Steven Song 1 Reputation point
2023-09-14T14:05:24.3033333+00:00

PowerShell Get-WinEvent to filter logon & logoff events for the specified users

I did execute the command below:

Get-winevent -Path | Where-Object {$_.EventID -eq 4264} |

but I need guidance on filtering for the specified users.


1 answer

  1. Rich Matheisen 44,621 Reputation points
    2023-09-14T18:47:13.8+00:00

    The bit of code you submitted simply doesn't work. Also, a logon eventid is 4624.

    You can try something like this:

    Get-WinEvent -FilterHashtable @{LogName = 'Security'; ID = 4624 } | 
        ForEach-Object {
            $t = $_.properties[8].value         # type of logon
            if ($t -eq 2 -OR                    # interactive logon
                $t -eq 7) {                     # unlock (Note: There are many more logon types)
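                    # TargetUserSid (index 4) is the account that logged on;
                    # index 0 is SubjectUserSid, the account that requested the logon
                    $sid = $_.properties[4].value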
                    $rid = [int64]($sid.Value.Split("-")[-1])
                    if ( $rid -lt 0x400) {
                        # it's a well-known sid -- if you want to skip these
                        # otherwise, interactive logons will have a profile
                        $p = Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid" -Name ProfileImagePath
                        $p.Split("\")[-1]       # just get the user name
                    }
                    else {
                        try {
                        (Get-LocalUser -SID $sid -ErrorAction Stop).name
                        }
                        catch {
                            try {
                            (Get-ADUser -Identity $sid -ErrorAction Stop).name
                            }
                            catch {
                                Write-Host "Could not find user for SID: $sid"
                            }
                        }
                    }
            }
        }
    
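An added example, not part of the answer above or of the original question: one way to restrict logon (4624) and logoff (4634) events to named users by matching `TargetUserName` in an XPath query, so the filtering happens in the event log service rather than in the pipeline. The function names, the `-Hours` parameter and the sample event are constructed for illustration.

```powershell
function ConvertFrom-LogonEventXml {
    # Flatten one 4624/4634 event (as XML text), reading fields by name instead of by index.
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $Xml)
    process {
        $e = ([xml]$Xml).Event
        $d = @{}
        foreach ($n in $e.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = [datetime]$e.System.TimeCreated.SystemTime
            Action    = if ([int]$e.System['EventID'].InnerText -eq 4624) { 'Logon' } else { 'Logoff' }
            User      = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
            LogonType = [int]$d.LogonType
            LogonId   = $d.TargetLogonId   # same value on the matching logon and logoff
        }
    }
}

function Get-UserLogonEvent {
    param([Parameter(Mandatory)] [string[]] $UserName, [int] $Hours = 24)
    # Names are placed inside an XPath string literal, so reject anything that could break out of it.
    foreach ($u in $UserName) {
        if ($u -notmatch '^[\w.$ -]+$') { throw "Unsupported character in user name: $u" }
    }
    $who   = ($UserName | ForEach-Object { "Data[@Name='TargetUserName']='$_'" }) -join ' or '
    $ms    = [int64]$Hours * 3600000
    $xpath = "*[System[(EventID=4624 or EventID=4634) and " +
             "TimeCreated[timediff(@SystemTime) <= $ms]] and EventData[$who]]"
    # Get-WinEvent writes an error when no event matches the query.
    Get-WinEvent -LogName Security -FilterXPath $xpath |
        ForEach-Object { $_.ToXml() } | ConvertFrom-LogonEventXml
}

# Constructed sample event (not from a real log) to exercise the parser offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2023-09-14T14:05:24.303Z"/></System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetLogonId">0x3e7a1</Data>
    <Data Name="LogonType">2</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-LogonEventXml
# Live query, from an elevated session: Get-UserLogonEvent -UserName alice, bob -Hours 48
```

Pipe the result through `Where-Object LogonType -in 2, 7` to keep only the interactive and unlock logons that the answer selects.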