Get username from Get-WinEvent

I am trying to find the user who uninstalled the program on the server. Here is the script and the result. From the Event Viewer I can see the user, but it seems that Get-WinEvent returns a UserId, but not a Username. Is there a way to return the username for event 1034 from Get-WinEvent?

Get-WinEvent -FilterHashtable @{LogName='Application'; Id=1034} -MaxEvents 1 | format-list 

    TimeCreated  : 6/17/2013 1:41:27 PM
    ProviderName : MsiInstaller
    Id           : 1034
    Message      : Windows Installer removed the product. Product Name: PAL. Product Version: 2.3.2. Product Language: 1033. Manufacturer: PAL. Removal success or error status: 0.
1 answer

Using .NET SecurityIdentifier as described here.

    Get-WinEvent -MaxEvents 1000 | foreach {
        $sid = $_.userid
        # Skip events that carry no user SID
        if ($sid -eq $null) { return }
        # Wrap the SID and translate it to a DOMAIN\user account name
        $objSID = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $objUser = $objSID.Translate([System.Security.Principal.NTAccount])
        Write-Host $objUser.Value
    }

For nonzero user IDs, I was able to successfully identify user names.

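The question's filter for event 1034 combined with the answer's SID translation, as an added example that is not part of the original question or answer. The function name `Resolve-EventUser`, the placeholder strings and the `-MaxEvents 20` limit are assumptions; it also handles the two cases where translation cannot succeed (no `UserId` on the event, or a SID that no longer maps to an account).

```powershell
# Added example (not from the original post): list MsiInstaller removal
# events (Id 1034) together with the account that triggered them.

function Resolve-EventUser {
    # Hypothetical helper: takes the UserId property of an event record.
    param($Sid)

    # Events written without a user context carry no SID at all.
    if ($null -eq $Sid) { return '<no UserId recorded>' }

    try {
        # SecurityIdentifier -> NTAccount gives DOMAIN\user.
        return $Sid.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        # Deleted account or unreachable domain: keep the raw SID so the
        # event can still be correlated with other logs.
        return "<unresolved: $($Sid.Value)>"
    }
}

$filter = @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    Id           = 1034
}

Get-WinEvent -FilterHashtable $filter -MaxEvents 20 |
    ForEach-Object {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            User        = Resolve-EventUser -Sid $_.UserId
            Sid         = if ($_.UserId) { $_.UserId.Value } else { $null }
            Message     = $_.Message
        }
    } |
    Format-List
```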

Source: https://habr.com/ru/post/1486685/