How To Get the Data Out of ReplacementStrings Properly

When retrieving data from the event log, there is a set of data stored in a data field called ReplacementStrings that is very useful to the certain types of log entries. It’s structured as a string array, therefore, can be retrieved if you know the data structure.

The problem is, every type of event ID has different string array structure. So you need to exam each of them separately. To find a certain type of event ID’s structure, open one of the log entry, switch to Details tab and look at the EventData section.

Take an event ID 4740 entry as an example. It lays out as it’s structured, starting from 0, which is TargetUserName, the user account that gets locked out. The next one will be 1 for TargetDomainName, the computer where the account gets locked out.

So you can retrieve the data and display them accordingly, using ReplacementString[0] to get the data for TargetUserName and ReplacementString[1] for TargetDomainName.

Here is a script that retrieves lockout account info from the security event log, for your reference.

#Collect lockout accounts from ADS

$logname = "security"
$dcname = (Get-AdDomain).pdcemulator
$eventID = "4740"
$content = Get-EventLog -LogName $logname -ComputerName $dcname -After (Get-Date).AddDays(-1) -InstanceId $eventID | Select TimeGenerated, ReplacementStrings
$ofs = "`r`n`r`n"
$body = "Fetching event log started on " + (Get-Date) + $ofs

If ($content -eq $null)
    $body = $body + "No lock-out accounts happened today" + $ofs
    Foreach ($event in $content)
        $source = $content.ReplacementStrings[1]
        $username = $content.ReplacementStrings[0]
        $body = $body + $event.TimeGenerated + ": " + $username + " - " + $source + $ofs

Hope it helps.

2 thoughts on “How To Get the Data Out of ReplacementStrings Properly

  1. Thanks for this. Very helpful. One question: When looking at Event ID 4733 in Event Viewer, I can see an actual SAMAccountName for Member:Security ID in the General tab. However, when looking at the corresponding property in the Details tab, it shows a GUID. A GUID is also returned for the corresponding property when querying the record using Powershell.

    I feel that the SAMAccountName is probably can be extracted from the record somehow because it needs to be displayed in the General tab even when an Active Directory domain is not available.

    Do you know how to access the actual SAMAccountName using Powershell?

Leave a Reply

Your email address will not be published. Required fields are marked *