Get Username from Get-WinEvent

I am trying to find the user who uninstalled a program on the server. Here's the script I am using and the result. From Event Viewer, I am able to see the User, but it looks like Get-WinEvent returns a UserId but no Username. Is there a way to return the Username for event 1034 from Get-WinEvent?

Get-WinEvent -FilterHashtable @{LogName='Application'; Id=1034} -MaxEvents 1 | format-list

TimeCreated  : 6/17/2013 1:41:27 PM
ProviderName : MsiInstaller
Id           : 1034
Message      : Windows Installer removed the product. Product Name: PAL. Product Version: 2.3.2. Product Language:
           1033. Manufacturer: PAL. Removal success or error status: 0.
Afroz asked Mar 23 '23 12:03


1 Answer

Using .NET's SecurityIdentifier, as described here.

Get-WinEvent -MaxEvents 1000 | ForEach-Object {
  $sid = $_.UserId                 # a System.Security.Principal.SecurityIdentifier, or $null
  if ($null -eq $sid) { return }   # skip events with no user; return acts as "continue" inside ForEach-Object
  $objSID = New-Object System.Security.Principal.SecurityIdentifier($sid.Value)
  # Translate() throws if the SID cannot be resolved (deleted account, untrusted domain)
  try { $objUser = $objSID.Translate([System.Security.Principal.NTAccount]) }
  catch { Write-Warning "Could not resolve SID $($sid.Value)"; return }
  Write-Host $objUser.Value
}

For non-null user IDs, I was able to successfully identify user names.

Neolisk answered Apr 06 '23 00:04
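Building on the answer's approach, the following is an added example (not the question's or the answer's own code) that keeps the question's Application/1034 filter, resolves each event's UserId to an account name, caches lookups so repeated SIDs do not each cost a directory round trip, and keeps the raw SID when Translate() fails rather than dropping the event. The -MaxEvents value, the product-name regex and the function name Resolve-EventUser are my assumptions.

```powershell
# Added example (not from the original post): list who uninstalled what, by resolving
# the UserId SID of MsiInstaller event 1034 to an NT account name.
# Assumes an elevated PowerShell session on the server; -MaxEvents and the regex are illustrative.

$sidCache = @{}   # cache lookups: Translate() can mean a round trip to a domain controller

function Resolve-EventUser {
    param($Sid)   # expects an EventLogRecord.UserId value (SecurityIdentifier) or $null
    if ($null -eq $Sid) { return '<no user recorded>' }
    if ($sidCache.ContainsKey($Sid.Value)) { return $sidCache[$Sid.Value] }
    try {
        # EventLogRecord.UserId is already a SecurityIdentifier, so no New-Object is needed
        $name = $Sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Unresolvable SID (deleted account, untrusted domain, SID from another machine):
        # keep the raw SID so the event still appears in the report
        $name = $Sid.Value
    }
    $sidCache[$Sid.Value] = $name
    return $name
}

# Same log and event ID as the question, narrowed to the MsiInstaller provider
$filter = @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1034 }

Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The 1034 message reads "Product Name: X. Product Version: Y. Product Language: ...";
        # lazy matches anchored on the next field tolerate periods inside X and Y
        $product = '<unparsed>'; $version = '<unparsed>'
        if ($_.Message -match 'Product Name:\s*(.+?)\.\s*Product Version:\s*(.+?)\.\s*Product Language') {
            $product = $matches[1]; $version = $matches[2]
        }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Computer    = $_.MachineName
            Product     = $product
            Version     = $version
            Sid         = if ($_.UserId) { $_.UserId.Value } else { $null }
            User        = Resolve-EventUser -Sid $_.UserId
        }
    } | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

Events whose User column shows a bare SID are worth a second look: that is the usual sign of an account that has since been deleted.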