Select Strings from Windows events via XML

Question

I am trying to select property from events I am able to create with script

$events = Get-WinEvent -FilterHashtable @{logname='Security'; ID=4728; } -MaxEvents 1 
$event = $events
[xml]$eventXML = [xml]$Event.ToXml()
$eventXML.Event.EventData.Data

if I run this it outputs, I need to select targetname,targetusername,subjectusername, I am not able to get the output, anyhelp will be very much appreciated.

Answer 1

As Swonkie already pointed out, Data is an array, and the values you're looking for are actually XML nodes in that array, hence you can't easily select them like you would with the properties of an object.

I would probably create a hashtable for each Data array, filter the array for the nodes you want selected, then build a custom object from each hashtable.

$names = 'TargetName', 'TargetUserName', 'SubjectUserName'

$events | ForEach-Object {
    ([xml]$_.ToXml()).Event.EventData | ForEach-Object {
        $props = @{}

        $_.Data |
            Where-Object { $names -contains $_.Name } |
            ForEach-Object { $props[$_.Name] = $_.'#text' }

        New-Object -Type PSObject -Property $props
    }
}

Answer 2

$eventXML.Event.EventData.Data is an array.

$eventXML.Event.EventData.Data | where { $_.Name -eq 'SubjectUserName' } | select -ExpandProperty '#text'

Or for PowerShell 3 and up:

$eventXML.Event.EventData.Data | where Name -eq 'SubjectUserName' | select -ExpandProperty '#text'