1

I'm a PowerShell newbie trying to write a simple script to look up the number of times a specific user has logged into a workstation, and export that information in a useful way to a CSV file so it can be easily manipulated. The CSV file only really needs to contain the time of login and the username mentioned in the "Message" section of the Security log entry.

My problem is it seems I can either get a CSV file with a truncated "Message" not containing the username, or I get all the information I want printed to host instead of exporting to CSV. I'm sure the solution is probably very basic, but like I said I'm a newbie.

In the code posted here I get everything I need printed to host, but I can't seem to get it into a CSV file. Any help would be appreciated.

New-Item -Name "UserLoginHistory" -Path C:\ -ItemType Directory -Force | Out-Null
$UserName = Read-Host -Prompt 'Which user are you searching for?'
$a = Get-EventLog -LogName Security -Message "*$UserName*" | Where-Object {$_.EventID -eq 4624}
foreach($item in $a)
{
    $timeLog = $item.TimeGenerated
    $item = $item.Message.Split(":")

    $subject = $item[3].split()
    #$subject[2]
    $NewLogin = $item[14].split()
    #$NewLogin[2]
    $WorkstationName = $item[26].split()
    #$WorkstationName[1]
    $SourceNetworkAddress = $item[27].split()
    #$SourceNetworkAddress[1]

    "Time: $timeLog Subject: $($subject[2]) NewLogin: $($NewLogin[2]) WorkstationName $($WorkstationName[1]) SourceNetworkAddress $($SourceNetworkAddress[1])"

}
Export-Csv -Path C:\UserLoginHistory\LoginHistory.csv
3
  • 1
    first, you are not sending anything to the Export-CSV cmdlet. [grin] ///// second, you are not creating an object to send to the above cmdlet. ///// third, your code produces lots and lots of red error text about the $WorkstationName & $SourceNetworkAddress lines on my win7,ps5.1 system. ///// fourth, the $Subject and $NewLogin lines are producing - and 0x0 instead of what you want them to be. ///// does that code actually work on your system? Commented May 8, 2019 at 21:33
  • Don't reuse the variable $item of the foreach inside the {script block} for other purposes. Commented May 8, 2019 at 21:52
  • That's strange, I'm not getting any errors on my machine. It's domain joined Win 10 1809 Pro Plus. Commented May 9, 2019 at 13:12

2 Answers

1
  • Don't reuse the variable $item of the foreach inside the {script block} for other purposes.
  • create a [PSCustomObject] and emit it to a gathering variable for the whole foreach

Untested template:

New-Item -Name "UserLoginHistory" -Path C:\ -ItemType Directory -Force | Out-Null
$UserName = Read-Host -Prompt 'Which user are you searching for?'
$Events = Get-EventLog -LogName Security -Message "*$UserName*" | Where-Object {$_.EventID -eq 4624} 

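# $Event is a PowerShell automatic variable, so the loop variable is named $LogEntry.
$Data = foreach($LogEntry in $Events){
    # Split the message text on ":" and pick the fields out by position.
    $item = $LogEntry.Message.Split(":")
    [PSCustomObject]@{
        Time                 = $LogEntry.TimeGenerated
        Subject              = $item[3].split()[2]
        NewLogin             = $item[14].split()[2]
        WorkstationName      = $item[26].split()[1]
        SourceNetworkAddress = $item[27].split()[1]
    }
}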
$Data | Format-Table -Autosize *
$Data | Out-Gridview
$Data | Export-Csv -Path C:\UserLoginHistory\LoginHistory.csv -NoTypeInformation

1 Comment

Wow, that works very well. Also having the Out-Gridview in the mix lets the tech immediately see the info they need! Thank you!
0

Try stuffing your results into an array like this untested code.

New-Item -Name "UserLoginHistory" -Path C:\ -ItemType Directory -Force | Out-Null
$UserName = Read-Host -Prompt 'Which user are you searching for?'
$a = Get-EventLog -LogName Security -Message "*$UserName*" | Where-Object {$_.EventID -eq 4624}
$ReportOutPut = @() # An array to hold your output.
foreach($item in $a)
{
    $timeLog = $item.TimeGenerated
    $item = $item.Message.Split(":")

    $subject = $item[3].split()
    #$subject[2]
    $NewLogin = $item[14].split()
    #$NewLogin[2]
    $WorkstationName = $item[26].split()
    #$WorkstationName[1]
    $SourceNetworkAddress = $item[27].split()
    #$SourceNetworkAddress[1]

    "Time: $timeLog Subject: $($subject[2]) NewLogin: $($NewLogin[2]) WorkstationName $($WorkstationName[1]) SourceNetworkAddress $($SourceNetworkAddress[1])"

    $ReportOutput += [pscustomobject] @{
        Time = $timeLog;
        Subject = $subject[2];
        NewLogin = $NewLogin[2];
        WorkstationName = $WorkstationName[1];
        SourceNetworkAddress = $SourceNetworkAddress[1]
    } # Custom object to be exported via csv

}

Export-Csv -InputObject $ReportOutPut -NoTypeInformation -Path C:\UserLoginHistory\LoginHistory.csv

2 Comments

Fixed a typo with variable name.
I appreciate the response! This ends up with a mostly blank CSV, but I can mess with it a little and see if I can get it to export the correct info. Thank you!
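
Added example, not code from the question or either answer: the code above finds fields by splitting `Message` on ":" and indexing, which depends on the exact message layout. Event 4624 also carries the same values as named `<Data>` elements in its event XML, so they can be read by name. `Get-EventDataField` and `Get-UserLogonHistory` are hypothetical helper names, the sample event is constructed, and the `LogonType` column is an addition.

```powershell
# Added example, not code from the question or the answers.
# Get-EventDataField and Get-UserLogonHistory are hypothetical helper names.
function Get-EventDataField {
    param([Parameter(Mandatory)][string]$Xml)
    # Index the <Data Name="..."> elements by name instead of by position.
    $fields = @{}
    foreach ($d in ([xml]$Xml).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

function Get-UserLogonHistory {
    param([Parameter(Mandatory)][string]$UserName)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } | ForEach-Object {
        $f = Get-EventDataField -Xml $_.ToXml()
        # Exact match on the account that logged on, not a wildcard over the whole message.
        if ($f['TargetUserName'] -eq $UserName) {
            [PSCustomObject]@{
                Time                 = $_.TimeCreated
                Subject              = $f['SubjectUserName']
                NewLogin             = $f['TargetUserName']
                LogonType            = $f['LogonType']
                WorkstationName      = $f['WorkstationName']
                SourceNetworkAddress = $f['IpAddress']
            }
        }
    }
}

# Constructed 4624 event, trimmed to the fields used above, to try the parser offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">WKS01$</Data>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="WorkstationName">WKS01</Data>
    <Data Name="IpAddress">127.0.0.1</Data>
  </EventData>
</Event>
'@
(Get-EventDataField -Xml $sample)['TargetUserName']

# Live use (elevated session). Pipe the objects in: Export-Csv -InputObject with an
# array exports the array object itself rather than its elements.
# Get-UserLogonHistory -UserName 'jdoe' |
#     Export-Csv -Path C:\UserLoginHistory\LoginHistory.csv -NoTypeInformation
```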
