Extract value from EventID

jenewa2508 · June 19, 2025, 3:32am

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4688</EventID>
    <Version>2</Version>
    <Level>0</Level>
    <Task>13312</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2025-06-19T01:17:24.768901400Z" />
    <EventRecordID>67601</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="12892" />
    <Channel>Security</Channel>
    <Computer>DESKTOP</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DESKTOP$</Data>
    <Data Name="SubjectDomainName">WORKGROUP</Data>
    <Data Name="SubjectLogonId">0x3pa99</Data>
    <Data Name="NewProcessId">0x684</Data>
    <Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
    <Data Name="TokenElevationType">%%1936</Data>
    <Data Name="ProcessId">0xb34</Data>
    <Data Name="CommandLine">
    </Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">-</Data>
    <Data Name="TargetDomainName">-</Data>
    <Data Name="TargetLogonId">0x0</Data>
    <Data Name="ParentProcessName">C:\Windows\System32\svchost.exe</Data>
    <Data Name="MandatoryLabel">S-1-16-16384</Data>
  </EventData>
</Event>

This is Event ID 4688. How do you directly extract the 0x3pa99 stored in the Data node with the Name attribute equal to "SubjectLogonId". I was trying to use it with Get-WinEvent -FilterXml $xpath but I don’t know save the 0x3pa99 part as a variable to be used later on

$xpath = @"
    <QueryList>
  <Query Id="0">
    <Select Path="Security">*[System[(EventID=4688)]] and
    *[EventData[Data[@Name='SubjectLogonID'] and Data='0x3pa99']]
    </Select>
  </Query>
</QueryList>
"@

Get-WinEvent -FilterXml $xpath

Olaf · June 19, 2025, 7:03am

Would you like to give us a little more context?

You should treat such a post in a forum like you’d need to explain the issua to you grandma.

Share the relevant code, error messages if you have some and your issue or what’s not working as expected.

Thanks in advance.

tonyd · June 19, 2025, 2:59pm

As Olaf stated, more context would be nice. Here is a simple example to get the value, but again, more context is needed and this is not the only way.

[XML]$_.ToXml().SelectSingleNode("//*[@Name='SubjectLogonId']").InnerXml

In this case, I am piping the results of a Get-WinEvent through foreach-object, hence $_. Lastly, I think this would have been a good question for AI.

vern_anderson · June 19, 2025, 3:28pm

The EventLogEntry Object class in PowerShell has a very cool property named ReplacementStrings

Where you would index it. However, it’s hard for me to provide you with the correct code because I don’t have an example object in my event log. You would basically use whatever code you have that is capturing that exact event ID into a variable. Let’s say $MyEvent is your variable. Once you have it in the ISE or whatever where it stays in memory you would play around with the index number as follows.

$MyEVent.ReplacementStrings[0] and see if it contains the value "0x3pa99" then
$MyEVent.ReplacementStrings[1]
$MyEVent.ReplacementStrings[2] ## and so on until you find the "Index" of that string you are looking for.

Once you have it you would use normal string processing to remove the junk you didn’t want. for example. . .

'<Data Name="SubjectLogonId">0x3pa99</Data>'.Split('>').Split('<')[2]

But as the mighty admins have said we can’t really help you unless you share the code you have so far and what you have at least tried to do for yourself.

jenewa2508 · June 20, 2025, 1:40am

i do not know how to go from here (question updated)

psdarwin · June 20, 2025, 1:26pm

Are you saying you want to have a variable that contains this value, or another similar value, to use in filtering? If that’s an accurate guess, try this:

$MyData = '0x3pa99'

$xpath = @"
    <QueryList>
  <Query Id="0">
    <Select Path="Security">*[System[(EventID=4688)]] and
    *[EventData[Data[@Name='SubjectLogonID'] and Data='$MyData']]
    </Select>
  </Query>
</QueryList>
"@

Get-WinEvent -FilterXml $xpath

psdarwin · June 20, 2025, 1:34pm

More description of what you’re trying to accomplish would be really helpful. The big picture will give us context to understand what your goal is. Otherwise, we’re just guessing.

tonyd · June 20, 2025, 2:32pm

And neither do we … sorry, couldnt resist that.

So, 4688 is the event ID for process creation. Depending on your audit policy, you will get a ton of these. I suspect what you really want is a way to query for that Event ID, then extract the ‘SubjectLogonId’ results from that query? Is that an accurate statement?

If so … try this … XPath altered a bit to remove the system created process fluff …

$XPath = "Event[System[EventID=4688]] and Event[EventData[Data[@Name='SubjectUserSid'] != 'S-1-5-18']] and Event[EventData[Data[@Name='SubjectUserSid'] != 'S-1-5-19']]"
$logonIds = New-Object System.Collections.Generic.List[System.Object]

Get-WinEvent -FilterXpath $XPath | foreach-object {
      $logonIds.Add(([XML]$_.ToXml()).SelectSingleNode("//*[@Name='SubjectLogonId']").InnerXml)
}

Again, depending on your audit policy, you will get a TON of results in the $logonIds list.

jenewa2508 · June 20, 2025, 8:57pm

$event = Get-winevent -filterhashtable @{logname='Security'; ID=4688}
$eventXml = [xml]$event.ToXml()
$eventxml.event.eventdata.data | where-object {$_.name -eq 'SubjectLogonId'}

Name           #text  
----           -----  
SubjectLogonId 0x3pa99

I would like only output the #text part

Olaf · June 20, 2025, 9:29pm

… I’m still not sure if I get it … do you mean this:

$Eventxml.Event.EventData.Data | 
    Where-Object {$_.name -eq 'SubjectLogonId'} | 
        Select-Object -ExpandProperty '#text'

??

jenewa2508 · June 20, 2025, 10:08pm

Cannot convert value "System.Object[]" to type "System.Xml.XmlDocument". Error: "This document already has a 'DocumentElement' node."
At line:2 char:1
+ $eventXml = [xml]$event.ToXml()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvalidCastToXmlDocument

This error came up

Olaf · June 20, 2025, 10:20pm

And it didn’t come up before with the code you shared in your last reply?

You’ve got more than one result from your query … … so you have to use a loop …

$EventList = Get-WinEvent -FilterHashtable @{logname='Security'; ID=4688}
foreach ($EventItem in $EventList) {
    [xml]$eventXml = $EventItem.ToXml()
    $Eventxml.Event.EventData.Data | 
        Where-Object {$_.name -eq 'SubjectLogonId'} | 
            Select-Object -ExpandProperty '#text'
}

jenewa2508 · June 20, 2025, 10:53pm

WOW, that did the trick, Thankyou very much

Olaf · June 20, 2025, 11:04pm

Do you ever answer questions?

jenewa2508 · June 21, 2025, 12:22am

I have limited English. Please understand.

Topic		Replies	Views
Parsing event log message data PowerShell Help	4	203	May 16, 2024
Extracting a String using Regex PowerShell Help	7	274	May 16, 2024
Powershell Script PowerShell Help	4	243	May 16, 2024
Get info from an eventlog Message ( general/details) pane PowerShell Help	6	257	May 16, 2024
Security Event log filtering PowerShell Help	2	165	May 16, 2024

Extract value from EventID

Related topics