How to parse out Failure Reason on Security Event Viewer Log

namerg
I have the following script and I am having a hard time accommodating the following field: Failure Reason

Get-WinEvent -FilterHashtable @{LogName="Security"; Id="4625"} | ForEach-Object {
	# Rename the default namespace so the XPath below works without a namespace manager
	$xml = [xml]($_.ToXml() -replace 'xmlns=', 'foo=')
	# Every property except the last must end in a comma, otherwise the list stops there
	$_ | Select-Object -Property `
		TimeCreated,
		Id,
		@{n='Message';					e={$_.Message.Split("`r")[0]}},
		@{n='Failure Reason';			e={$xml.SelectSingleNode("Event/EventData/Data[@Name='FailureReason']").InnerText}},
		@{n='Account Name';				e={$xml.SelectSingleNode("Event/EventData/Data[@Name='TargetUserName']").InnerText}},
		@{n='Account Domain';			e={$xml.SelectSingleNode("Event/EventData/Data[@Name='TargetDomainName']").InnerText}},
		@{n='Workstation Name';			e={$xml.SelectSingleNode("Event/EventData/Data[@Name='WorkstationName']").InnerText.Trim("`r`n")}},
		@{n='Source Network Address';	e={$xml.SelectSingleNode("Event/EventData/Data[@Name='IpAddress']").InnerText}},
		@{n='Source Port';				e={$xml.SelectSingleNode("Event/EventData/Data[@Name='IpPort']").InnerText}}
} | Where-Object {$_.'Account Name'  -eq "imorgan"} | Format-List



This is the event viewer log (General Tab):
An account failed to log on.

Subject:
	Security ID:		SYSTEM
	Account Name:		LLC1CCVCORPDC01$
	Account Domain:		CORP
	Logon ID:		0x3e7

Logon Type:			3

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		imorgan
	Account Domain:		CORP

Failure Information:
	Failure Reason:		Account locked out.
	Status:			0xc0000234
	Sub Status:		0x0

Process Information:
	Caller Process ID:	0x1e0
	Caller Process Name:	C:\Windows\System32\lsass.exe

Network Information:
	Workstation Name:	LLC1CCVCORPDC01
	Source Network Address:	10.10.66.250
	Source Port:		57890

Detailed Authentication Information:
	Logon Process:		Advapi  
	Authentication Package:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0



And the (Details Tab) XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12546</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2018-11-09T13:04:38.547717600Z" />
    <EventRecordID>27818248888</EventRecordID>
    <Correlation />
    <Execution ProcessID="480" ThreadID="1252" />
    <Channel>Security</Channel>
    <Computer>LLC1CCVCORPDC01.corp.lcl</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">LLC1CCVCORPDC01$</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">imorgan</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="Status">0xc0000234</Data>
    <Data Name="FailureReason">%%2307</Data>
    <Data Name="SubStatus">0x0</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Advapi</Data>
    <Data Name="AuthenticationPackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="WorkstationName">LLC1CCVCORPDC01</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x1e0</Data>
    <Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data>
    <Data Name="IpAddress">10.10.66.250</Data>
    <Data Name="IpPort">57890</Data>
  </EventData>
</Event>


When I run the script, I do not get anything. But if I comment out the "Failure Reason" line I get something.

Thanks for your help,
Top Expert 2014

Commented:
change
Where-Object {$_.'Account Name'  -eq "imorgan"}


to
Where-Object {$_.'TargetUserName'  -eq "imorgan"}


Top Expert 2014
Commented:
I think what you're after is a way to avoid the "failure reason" appearing as "%%2307" (or something similar).
You can use the following replacement for line 7.
# (?m) lets $ match at each line end; the lazy .+? and the \s* keep the trailing CR out of the capture
@{n='Failure Reason';			e={$_.Message | Where-Object { $_ -match "(?m)Failure Reason:\s+(?<reason>.+?)\s*$" } | ForEach-Object { $Matches['reason'] }}},



I've looked for something that would be more universal than trying to parse the entire message property (and be subject to changes in language settings), similar to how you've done the retrieval from XML for other properties, but so far have not come up with a method.  Values like "%%2307" are insertion string placeholders.  Messages are formed from message text files, which typically are compiled as .DLLs but can also be included in .EXEs (and maybe other) resources.  The location of these message text files is stored in the registry under subkeys of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog, which correspond with the specific log name and source.  So essentially you have something like HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\<eventlogname>\<eventsource>.  Once you locate the correct key, the location data is stored in a value named EventMessageFile, which points to the path of the .DLL (or other type of file).  There can also be a value for CategoryMessageFile, and ParameterMessageFile (these could all point to the same file, or different ones).  As I understand it, the ParameterMessageFile is where the insertion strings are defined for the placeholders which begin with a double percent sign (%%xxxx).

So far I haven't found any way to parse a message text file for insertion strings which correspond to their numbers.

The only bright side is that the message property of an event has already gone through the process of formatting (probably through the use of the FormatMessage function - https://docs.microsoft.com/en-us/windows/desktop/api/winbase/nf-winbase-formatmessage), substituting all the placeholders with their insertion strings corresponding with the proper language.
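One way to get the failure reason without parsing the localized Message text, as an added example that is neither the questioner's nor the expert's code: it reads the event XML through a namespace manager (instead of rewriting xmlns=), looks the %%nnnn placeholder up in a table of the msobjs.dll strings, and falls back on the NTSTATUS codes in Status/SubStatus, which Microsoft documents for event 4625 and which do not change with the display language. The Get-LogonFailure and Resolve-FailureReason function names are this example's own. Only %%2307 / 0xc0000234 ("Account locked out") is confirmed by the event quoted above; the other table rows are taken from Microsoft's 4625 documentation.

```powershell
# Added example, not code from the original post. Resolves the 4625 "Failure Reason"
# without parsing the localized Message: the %%nnnn placeholder is looked up in a table
# of the msobjs.dll strings, with the Status/SubStatus NTSTATUS codes (as documented by
# Microsoft for event 4625) as a fallback. Only %%2307 / 0xc0000234 is confirmed by the
# event on this page; the remaining rows are taken from the Microsoft documentation.

# FailureReason placeholder -> msobjs.dll message text
$FailureReasonText = @{
    '%%2305' = 'The specified user account has expired'
    '%%2306' = 'The NetLogon component is not active'
    '%%2307' = 'Account locked out'
    '%%2308' = 'The user has not been granted the requested logon type at this machine'
    '%%2309' = "The specified account's password has expired"
    '%%2310' = 'Account currently disabled'
    '%%2311' = 'Account logon time restriction violation'
    '%%2312' = 'User not allowed to logon at this computer'
    '%%2313' = 'Unknown user name or bad password'
}

# NTSTATUS -> text, for the Status and SubStatus fields of 4625 (keys are lower-case hex)
$LogonStatusText = @{
    '0xc000005e' = 'No logon servers available to service the logon request'
    '0xc0000064' = 'User name does not exist'
    '0xc000006a' = 'User name is correct but the password is wrong'
    '0xc000006d' = 'Bad user name or authentication information'
    '0xc000006f' = 'Logon outside authorized hours'
    '0xc0000070' = 'Logon from unauthorized workstation'
    '0xc0000071' = 'Expired password'
    '0xc0000072' = 'Account disabled by administrator'
    '0xc000015b' = 'User has not been granted the requested logon type at this machine'
    '0xc0000193' = 'Account expired'
    '0xc0000224' = 'User is required to change password at next logon'
    '0xc0000234' = 'Account locked out'
}

function Resolve-FailureReason {
    param([string]$Placeholder, [string]$Status, [string]$SubStatus)
    if ($Placeholder -and $FailureReasonText.ContainsKey($Placeholder)) {
        return $FailureReasonText[$Placeholder]
    }
    # SubStatus is the more specific code; 0x0 means "not set", so Status is tried after it
    foreach ($code in @($SubStatus, $Status)) {
        $key = "$code".ToLower()
        if ($LogonStatusText.ContainsKey($key)) { return $LogonStatusText[$key] }
    }
    return $Placeholder   # unknown: hand back the raw %%nnnn rather than guess
}

function Get-LogonFailure {
    param(
        [string]$TargetUserName,   # e.g. 'imorgan'; omit to return every 4625 event
        [datetime]$StartTime,      # filter server-side; the Security log can be huge
        [int]$MaxEvents = 5000
    )
    $filter = @{ LogName = 'Security'; Id = 4625 }
    if ($PSBoundParameters.ContainsKey('StartTime')) { $filter.StartTime = $StartTime }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents | ForEach-Object {
        $record = $_
        # Register the event namespace instead of rewriting xmlns= in the XML text
        $xml = [xml]$record.ToXml()
        $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
        $data = @{}
        foreach ($node in $xml.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
            $data[$node.GetAttribute('Name')] = $node.InnerText
        }
        if ($TargetUserName -and $data['TargetUserName'] -ne $TargetUserName) { return }

        # Emit plain objects (no Format-*), so the caller can pipe to Export-Csv or Format-List
        [pscustomobject]@{
            TimeCreated      = $record.TimeCreated
            Id               = $record.Id
            TargetUserName   = $data['TargetUserName']
            TargetDomainName = $data['TargetDomainName']
            LogonType        = $data['LogonType']
            FailureReasonRaw = $data['FailureReason']   # e.g. %%2307
            FailureReason    = Resolve-FailureReason -Placeholder $data['FailureReason'] `
                                   -Status $data['Status'] -SubStatus $data['SubStatus']
            Status           = $data['Status']
            StatusText       = $LogonStatusText["$($data['Status'])".ToLower()]
            SubStatus        = $data['SubStatus']
            SubStatusText    = $LogonStatusText["$($data['SubStatus'])".ToLower()]
            WorkstationName  = $data['WorkstationName']
            IpAddress        = $data['IpAddress']
            IpPort           = $data['IpPort']
            ProcessName      = $data['ProcessName']
        }
    }
}

# Usage (elevated prompt; reading the Security log needs admin rights). Presentation
# is chosen at the call site, never inside the function:
Get-LogonFailure -TargetUserName 'imorgan' -StartTime (Get-Date).AddDays(-7) |
    Format-Table TimeCreated, FailureReason, StatusText, IpAddress, WorkstationName -AutoSize
# or: Get-LogonFailure -TargetUserName 'imorgan' | Export-Csv C:\Scripts\imorgan_logonhistory.csv -NoTypeInformation
```

For the event quoted above the object carries FailureReasonRaw "%%2307", FailureReason "Account locked out" and StatusText "Account locked out" (from 0xc0000234), and SubStatus 0x0 resolves to nothing, as expected for a lockout. Because the function emits objects and contains no Format-* cmdlet, the same pipeline can be ended with Export-Csv or Format-List without further changes.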
namerg, Systems Administrator

Author

Commented:
Sweet, getting the right field and value. I am trying to export it into a CSV... but I get non-readable info.

.\Get-LogonHistory.ps1 | Export-Csv C:\Scripts\imorgan_logonhistory.csv -nti



"ClassId2e4f51ef21dd47e99d3c952918aff9cd","pageHeaderEntry","pageFooterEntry","autosizeInfo","shapeInfo","groupingEntry"
"033ecb2bc07a4d43b5ef94ed5a35d280",,,,"Microsoft.PowerShell.Commands.Internal.Format.ListViewHeaderInfo",
"9e210fe47d09416682b841769c78b8a3",,,,,
"27c87ef9bbda4f709f6b4002fa4af63c",,,,,
"27c87ef9bbda4f709f6b4002fa4af63c",,,,,
"27c87ef9bbda4f709f6b4002fa4af63c",,,,,
"27c87ef9bbda4f709f6b4002fa4af63c",,,,,
"27c87ef9bbda4f709f6b4002fa4af63c",,,,,
"27c87ef9bbda4f709f6b4002fa4af63c",,,,,
"27c87ef9bbda4f709f6b4002fa4af63c",,,,,
"27c87ef9bbda4f709f6b4002fa4af63c",,,,,
"27c87ef9bbda4f709f6b4002fa4af63c",,,,,
"27c87ef9bbda4f709f6b4002fa4af63c",,,,,
"27c87ef9bbda4f709f6b4002fa4af63c",,,,,
"27c87ef9bbda4f709f6b4002fa4af63c",,,,,
"27c87ef9bbda4f709f6b4002fa4af63c",,,,,
"27c87ef9bbda4f709f6b4002fa4af63c",,,,,
"27c87ef9bbda4f709f6b4002fa4af63c",,,,,
"27c87ef9bbda4f709f6b4002fa4af63c",,,,,
"27c87ef9bbda4f709f6b4002fa4af63c",,,,,
"27c87ef9bbda4f709f6b4002fa4af63c",,,,,
"4ec4f0187cb04f4cb6973460dfe252df",,,,,
"cf522b78d86c486691226b40aa69e95c",,,,,


Top Expert 2014

Commented:
If your script includes Format-* commands at the end, you can't then pipe that to Export-CSV.  Remove any Format-* commands from your script.  Then if you need to pipe the results to Format-List, Export-CSV, or whatever you can do so.
.\Get-LogonHistory.ps1 | Export-Csv C:\Scripts\imorgan_logonhistory.csv -nti
.\Get-LogonHistory.ps1 | Format-List
# etc.


namerg, Systems Administrator

Author

Commented:
Thank You.
