PowerShell Replacement String Variables

(Last Updated On: 2018-09-27)

In a previous post I mentioned that certain data from the event log can be found in the Replacement Strings.
See the article: Track User Logon Events with Power Shell
But surely different events must have different replacement strings.

So below is the code I wrote to get any event's Replacement Strings, with as much explanation as I can give.

The Code Explanation

#Get Security events
#Here you can modify the code for a specific instance ID

$Event = Get-EventLog Security -Newest 1
#We need to loop through the events to get every selected event's Replacement String values

forEach($EV in $Event)
{
    #Count how many Replacement Strings the current event has
    #(Get-Member would count the object's properties and methods, not its strings)

    $Count = $EV.ReplacementStrings.Count
    #Output each Replacement String with the detail

    #An array always starts with 0, so the index runs from 0 to $Count - 1
    for ($C = 0; $C -lt $Count; $C++)
    {
        #Label the entry with its position; Get-EventLog gives a Replacement String no other name
        $EVMemberName = "ReplacementStrings[$C]"
        #Get the string's data
        $Evo = $EV.ReplacementStrings[$C]
        #Create a variable to output the data
        $Outfile = New-Object PSObject
        #Add each member to the output object
        $Outfile | Add-Member -MemberType NoteProperty -Name Name -Value $EVMemberName
        $Outfile | Add-Member -MemberType NoteProperty -Name Data -Value $Evo
        #Write to desired location
        Write-Output $Outfile
    }
}

This code can be copied and pasted into PowerShell and will work immediately. Reading the Security log requires an elevated PowerShell session.
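Replacement strings are identified only by position, and the positions mean different things for different event IDs. The following is an added example, not code from the original post: it reads the field names from the event's XML, where the Data elements appear in the same order as the replacement strings. `Get-NamedEventData` is a hypothetical helper name, and the sample XML is constructed (the first nine fields of a 4624 logon event with made-up values).

```powershell
# Added example, not from the original post. Get-NamedEventData is a hypothetical helper.
function Get-NamedEventData {
    param([Parameter(Mandatory)][string]$EventXml)

    $doc = [xml]$EventXml
    # local-name() avoids having to register the event schema's XML namespace.
    $eventId = $doc.SelectSingleNode("//*[local-name()='EventID']").InnerText
    $nodes = $doc.SelectNodes("//*[local-name()='EventData']/*[local-name()='Data']")

    $index = 0
    foreach ($node in $nodes) {
        # Some providers log <Data> with no Name attribute; fall back to the position.
        $name = $node.GetAttribute('Name')
        if (-not $name) { $name = "ReplacementStrings[$index]" }
        [pscustomobject]@{
            EventId = $eventId
            Index   = $index
            Name    = $name
            Data    = $node.InnerText
        }
        $index++
    }
}

# Constructed sample: first nine fields of a 4624 logon event, values are made up.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">WORKSTATION01$</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-5-21-1111111111-2222222222-3333333333-1001</Data>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="TargetLogonId">0x1a2b3c</Data>
    <Data Name="LogonType">2</Data>
  </EventData>
</Event>
'@

Get-NamedEventData -EventXml $sample | Format-Table -AutoSize

# Live use (elevated session needed for the Security log):
# Get-WinEvent -LogName Security -MaxEvents 1 | ForEach-Object { Get-NamedEventData $_.ToXml() }
```

In the sample, index 5 is `TargetUserName` and index 8 is `LogonType`; another event ID will put different fields at those positions, so always check the names before hard-coding an index in a detection or report.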

Hope this is helpful.

Fluk3 Out
