ReplacementStrings Property on event log objects

Does anyone know what ReplacementStrings are or what they can be used for?

Example 8 in the help for Get-EventLog shows some output if you’ve never seen this.

If anyone can provide more information I would appreciate it… Thanks


Event log messages are basically localized template strings, with some data injected in. The data is in the form of the “ReplacementStrings” array. It’s very much like PowerShell’s format operator:

"This is my format string.  Data point 1: {0}.  Data point 2: {1}" -f $dataPoints[0], $dataPoints[1]

By accessing the ReplacementStrings array directly, you avoid the need to try to parse the Message field (which can be a pain, particularly if you have localized messages in a different language at runtime.) Get-WinEvent gives you objects with the same information, but the property is called Properties instead of ReplacementStrings.

Wow how did I just now find out about this…LOL

Thanks Dave!

I use the Properties array from Get-WinEvent (that Dave referenced) in a function to determine what device is locking out user accounts. Here’s a blog I wrote about that, if you’re interested in it. I’ve also found that sometimes certain information may exist in the ReplacementStrings array of Get-EventLog and not necessarily in the Properties array of Get-WinEvent, and vice versa, so if you don’t find what you’re looking for in one, try the other one (I wrote about some specific examples of this in my chapter in the PowerShell Deep Dives book).
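
An added example, not part of the thread or of any poster's code: one way to read the injected data by field name instead of by array index or by parsing Message, using the XML that a Get-WinEvent record returns from ToXml(). The function name ConvertFrom-EventXml and the sample event (a shortened, constructed lockout record with made-up account and host names) are assumptions for illustration.

```powershell
# Turn the XML form of an event into an object with one property per data field.
# $Xml is the string returned by (Get-WinEvent ...).ToXml().
function ConvertFrom-EventXml {
    param([Parameter(Mandatory)][string]$Xml)

    $doc = [xml]$Xml
    $id  = $doc.Event.System.EventID
    # EventID comes back as an element, not a string, when it carries attributes.
    if ($id -is [System.Xml.XmlElement]) { $id = $id.InnerText }

    $fields = [ordered]@{
        EventId     = [int]$id
        TimeCreated = $doc.Event.System.TimeCreated.SystemTime   # UTC, kept as text
    }

    $index = 0
    # ChildNodes yields real elements even when a <Data> node has no attributes.
    foreach ($node in $doc.Event.EventData.ChildNodes) {
        if ($node.NodeType -ne [System.Xml.XmlNodeType]::Element) { continue }
        $name = $node.GetAttribute('Name')
        # Unnamed values keep their position, matching the index in
        # Properties / ReplacementStrings.
        if (-not $name) { $name = "Data$index" }
        $fields[$name] = $node.InnerText
        $index++
    }
    [pscustomobject]$fields
}

# Constructed sample input (shortened; not taken from a real log).
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2024-01-15T10:30:00.0000000Z" />
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">WKSTN-042</Data>
    <Data>unnamed value</Data>
  </EventData>
</Event>
'@

ConvertFrom-EventXml -Xml $sampleXml | Format-List

# Against a live log (requires rights to read the Security log):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 5 |
#     ForEach-Object { ConvertFrom-EventXml -Xml $_.ToXml() }
```

Named fields survive localization and make it obvious when a value is simply absent from the record, which is the case to check before falling back to the other cmdlet's array.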