PowerShell - Get Usernames from Windows Security Log
This snippet takes the export of the Windows Security log and returns a list of user ids from within it.
Exporting the Logs
- Open Event Viewer in Windows, select the Security Log and choose Save All Events As....
- Save the file as a Comma Delimited CSV.
- Open the exported file in Notepad and add ,Description to the end of the first line (PowerShell won’t import the description field otherwise).
PowerShell Manipulation
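    # Import the exported log (its header line must already end with ",Description")
    $events = Import-Csv securitylog.csv
    $result = foreach ($record in $events) {
        # Split the description into lines and keep every line carrying an account name
        $record.Description -split "`r?`n" |
            Where-Object { $_ -like '*Account Name:*' } |
            ForEach-Object { ($_ -split ':', 2)[1].Trim() }
    }
    $result | Sort-Object -Unique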
The result is a list of the Account Names found in the file. See GitHub for further info and updates.
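The export-and-parse procedure above can also be done without the Notepad header edit. The following is an added example, not code from the original post: it names the columns with Import-Csv -Header (the six column names and the function name Get-SecurityLogAccount are assumptions), returns each account name together with its event ID while skipping computer accounts, and runs against a constructed two-event sample.

```powershell
# Added example; the column names are assumptions, not from the original post.
function Get-SecurityLogAccount {
    param([Parameter(Mandatory)][string]$Path)

    # Naming all six columns here replaces the manual ",Description" header edit;
    # with -Header the file's own header row is read as data, so skip it.
    $columns = 'Level', 'DateTime', 'Source', 'EventId', 'TaskCategory', 'Description'
    Import-Csv -Path $Path -Header $columns | Select-Object -Skip 1 | ForEach-Object {
        $eventId = $_.EventId
        # One event can carry several "Account Name:" lines (subject, target, ...)
        foreach ($line in ($_.Description -split "`r?`n")) {
            if ($line -match 'Account Name:\s*(.+?)\s*$') {
                $name = $Matches[1]
                # Skip the "-" placeholder and computer accounts (trailing $)
                if ($name -ne '-' -and -not $name.EndsWith('$')) {
                    [pscustomobject]@{ EventId = $eventId; Account = $name }
                }
            }
        }
    }
}

# Constructed sample export (two events), written to a temporary file
$sample = @'
Level,Date and Time,Source,Event ID,Task Category
Information,01/01/2024 10:00:00,Microsoft-Windows-Security-Auditing,4624,Logon,"An account was successfully logged on.

Subject:
    Account Name:        WORKSTATION01$

New Logon:
    Account Name:        alice"
Information,01/01/2024 10:05:00,Microsoft-Windows-Security-Auditing,4625,Logon,"An account failed to log on.

Subject:
    Account Name:        -

Account For Which Logon Failed:
    Account Name:        bob"
'@
$path = Join-Path ([IO.Path]::GetTempPath()) 'securitylog-sample.csv'
Set-Content -Path $path -Value $sample

# Count how often each account appears per event ID
Get-SecurityLogAccount -Path $path |
    Group-Object EventId, Account |
    Select-Object Count, Name
Remove-Item $path
```

Grouping by event ID as well as account separates successful logons (4624) from failed ones (4625) for the same user.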