seanslater
Copper Contributor
Oct 16, 2021

Strange PowerShell Behavior Audit Logs

I see one other post here about strange behavior in PowerShell. But it's for a different issue. I also was not able to find anyone else with this exact problem after searching for 20-ish minutes.

As such I'm going to post here and see if it's replicable by someone else. I am using PowerShell 7.

I am tasked with creating a log of number of users who have logged into lab computers. I have my script working pretty well:

# <list of computernames> is the poster's placeholder for the lab machines to query
$computername = <list of computernames>

# Only look at the last 30 days
$time = (Get-Date) - (New-TimeSpan -Day 30)

# Hashtable filter for Get-WinEvent: Security log, event 4624 (successful logon),
# and the named-data field LogonProcessName
$filter = @{
    LogName          = 'Security'
    ID               = 4624
    StartTime        = $time
    LogonProcessName = 'User32'
}

# this will need to be ForEach'd for final (Get-WinEvent -ComputerName takes one name)
$event = Get-WinEvent -ComputerName $computername -FilterHashtable $filter
$event.Count

Note, LogonProcessName (from the documentation here) is set to look for "User32". This will return no results. Neither will "Advapi". Only "Kerberos" will return results. Attempting to use SuppressHashFilter with the two other types I see present in the logs will not work, as the aforementioned Advapi is used and is not searchable either. This is also the same behavior for my local machine as it is for remote machines. I can search other "named-data" event fields without issue.

Looking at events manually in XML, I can see that the LogonProcessName variable is "User32" clear, plain, and simple. Here is an example event in XML format using ToXml() -> event.EventData.data:

Name                      #text
----                      -----
SubjectUserSid            S-1-5-18
SubjectUserName           OIIR-LB4-######$
SubjectDomainName         UTA
SubjectLogonId            0x3e7
TargetUserSid             S-1-5-21-<user id for this user>
TargetUserName            username
TargetDomainName          UTA
TargetLogonId             0x########
LogonType                 2
LogonProcessName          User32
AuthenticationPackageName Negotiate
WorkstationName           OIIR-LB4-######
LogonGuid                 {hexnumbershere}
TransmittedServices       -
LmPackageName             -
KeyLength                 0
ProcessId                 0x5e0
ProcessName               C:\Windows\System32\svchost.exe
IpAddress                 127.0.0.1
IpPort                    0
ImpersonationLevel        %%####
RestrictedAdminMode       -
TargetOutboundUserName    -
TargetOutboundDomainName  -
VirtualAccount            %%####
TargetLinkedLogonId       0x0
ElevatedToken             %%####

Every other data value seems to work, so it is possible for me to calculate the total number of logons, the total number of system/dwm/admin logins and subtract the two to get the total standard user logons, as I can specify the TargetUserName.

But this seems unnecessarily complex for something where LogonProcessName='User32' would suffice.

Is anyone else seeing this behavior? I know there might be a better way in PowerShell to find this, as I am a novice in PS.

seanslater
Copper Contributor
An update: Appears there is a lot of strange behavior with events in general. I ended up just converting it to XML and was able to filter it / export results without issue.
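As an added example (this is not the poster's script), here is one way to do what the original post and the update describe: query 4624 events with a hashtable filter for the keys that work reliably (LogName, Id, StartTime), then parse each event's XML to check LogonProcessName and LogonType, and count logons and distinct users per computer while excluding machine, DWM/UMFD and built-in service accounts. The computer names are placeholders, and the reader is assumed to have Event Log Readers rights on the targets. The Trim() on LogonProcessName is there because that field is frequently reported to carry trailing padding in the raw event data, which would make an exact hashtable match fail; trimming is harmless if the value is already clean.

```powershell
# Added example, not the poster's code. Counts interactive logons (4624, LogonType 2)
# per lab computer over the last 30 days by filtering on the parsed event XML.
$computers = @('<computer1>', '<computer2>')   # placeholders: replace with real names
$since     = (Get-Date).AddDays(-30)

# Only the keys that filter reliably; LogonProcessName is checked after parsing below.
$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $since
}

function Get-InteractiveLogons {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][hashtable]$Filter
    )
    # Get-WinEvent raises a non-terminating error when nothing matches; ignore that case.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $Filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()

        # Build a Name -> value map from the EventData/Data elements
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = [string]$d.'#text' }

        # Trim handles possible trailing padding in the raw field (assumption; harmless if absent)
        if (([string]$data['LogonProcessName']).Trim() -ne 'User32') { continue }
        if ($data['LogonType'] -ne '2') { continue }   # 2 = interactive (console) logon

        $user = $data['TargetUserName']
        # Skip machine accounts (trailing $), DWM/UMFD virtual accounts and built-in service accounts
        if ($user -match '\$$' -or
            $user -match '^(DWM|UMFD)-\d+$' -or
            $user -in @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')) { continue }

        [pscustomobject]@{
            Computer = $ComputerName
            User     = $user
            Domain   = $data['TargetDomainName']
            Time     = $e.TimeCreated
        }
    }
}

$logons = foreach ($c in $computers) { Get-InteractiveLogons -ComputerName $c -Filter $filter }

# Total interactive logons and distinct standard users per computer
$logons | Group-Object Computer | ForEach-Object {
    [pscustomobject]@{
        Computer      = $_.Name
        Logons        = $_.Count
        DistinctUsers = ($_.Group.User | Sort-Object -Unique).Count
    }
} | Format-Table -AutoSize

# Export the per-logon detail for reporting if needed
# $logons | Export-Csv -Path '.\lab-logons.csv' -NoTypeInformation
```

Doing the LogonProcessName comparison in PowerShell after the event is retrieved costs a little more than letting the event log service filter it, but it sidesteps the named-data filter behavior described above and keeps the count independent of how the field is padded.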
