Windows – PowerShell script to read the Windows Security logs and filter Elevation type 196 and 1937

Tags: microsoft excel, powershell, security, windows

I have a PowerShell script that reads the elevation type and displays the content in the PowerShell window. However, I need to put the contents in an Excel file.

Please help.


$WorkDir = "import.csv"

$datetimeAfter = Get-Date "6/20/2016 10:00:00 am"

# Export-Csv sends nothing further down the pipeline, so keep the entries in a variable
# and export them as a separate step. -NoTypeInformation drops the "#TYPE" line that would
# otherwise show up as the first row when the CSV is opened in Excel.
$evtLogEntries = Get-EventLog -LogName Security -After $datetimeAfter -EntryType SuccessAudit -Message "A new process has been created*"
$evtLogEntries | Export-Csv SecurityLog.csv -NoTypeInformation

foreach ($evtEntry in $evtLogEntries) {

    # The slice of the message to print starts at the "Token Elevation Type:" line and
    # ends where the explanatory text ("Token Elevation Type indicates ...") begins.
    $startIdx = $evtEntry.Message.IndexOf("Token Elevation Type:")
    if ($startIdx -lt 0) { continue }   # message without an elevation type line: skip it
    $len = $evtEntry.Message.IndexOf("Token Elevation Type indicates") - $startIdx

    # write-host $evtEntry.Message.substring($startIdx,$len)

    # The %%19xx code is the first "%%" token in the message and is six characters long
    switch ($evtEntry.Message.Substring($evtEntry.Message.IndexOf("%%"), 6)) {

        "%%1936" {
            Write-Host $evtEntry.TimeGenerated
            Write-Host $evtEntry.Message.Substring($startIdx, $len)
            Write-Host "`tToken Elevation Type: Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account."
        }

        "%%1937" {
            Write-Host $evtEntry.TimeGenerated
            Write-Host $evtEntry.Message.Substring($startIdx, $len)
            Write-Host "`tToken Elevation Type: Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group."
        }
    }
}

# "%%1936" - Token Elevation Type: Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is
# disabled or if the user is the built-in Administrator account or a service account.

# "%%1937" - Token Elevation Type: Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control
# is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative
# privilege or to always require maximum privilege, and the user is a member of the Administrators group.

# "%%1938" - Token Elevation Type: Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used
# when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

Best Answer

Have you tried something like this:

# %%1936 / %%1937 / %%1938 are token-elevation-type strings inside the message body, not event IDs
# (the process creation event itself is ID 4688), so the filter has to match on the message text.
Get-EventLog -LogName Security | Where-Object { $_.Message -match '%%193[678]' } | Export-Csv -Path C:\temp\events.csv -NoTypeInformation
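The question's script prints the elevation type to the console and the answer exports raw events; the following is an added example (not code from the question or the answer) that turns each process-creation message into one row with the elevation code, its meaning and the process name, then writes that to a CSV Excel can open. The `$sampleEvents` objects are constructed stand-ins for `Get-EventLog` output so the script runs offline; the function name `ConvertTo-ElevationRecord` and the CSV path are assumptions.

```powershell
# Meaning of each token elevation type code as it appears in the 4688 message body
$ElevationTypes = @{
    '%%1936' = 'Type 1: full token (UAC disabled, built-in Administrator, or service account)'
    '%%1937' = 'Type 2: elevated token (Run as administrator, or application always elevates)'
    '%%1938' = 'Type 3: limited token (UAC enabled, no elevation requested)'
}

# Hypothetical helper: one event in, one flat record out (or nothing if no elevation line)
function ConvertTo-ElevationRecord {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        # The code sits on the "Token Elevation Type:" line, separated by tabs or spaces
        if ($Event.Message -match 'Token Elevation Type:\s+(%%\d{4})') {
            $code = $Matches[1]
            $procName = if ($Event.Message -match 'New Process Name:\s+(\S+)') { $Matches[1] } else { '' }
            [pscustomobject]@{
                TimeGenerated  = $Event.TimeGenerated
                ElevationCode  = $code
                ElevationType  = $ElevationTypes[$code]
                NewProcessName = $procName
            }
        }
    }
}

# Constructed sample events; the shape (TimeGenerated + Message) mirrors Get-EventLog output
$sampleEvents = @(
    [pscustomobject]@{
        TimeGenerated = Get-Date '6/20/2016 10:05:00'
        Message       = "A new process has been created.`r`n`r`nNew Process Name:`tC:\Windows\System32\cmd.exe`r`nToken Elevation Type:`t`t%%1937`r`n`r`nToken Elevation Type indicates the type of token that was assigned to the new process."
    }
    [pscustomobject]@{
        TimeGenerated = Get-Date '6/20/2016 10:06:00'
        Message       = "A new process has been created.`r`n`r`nNew Process Name:`tC:\Windows\System32\notepad.exe`r`nToken Elevation Type:`t`t%%1938`r`n`r`nToken Elevation Type indicates the type of token that was assigned to the new process."
    }
)

# Keep only the full (1936) and elevated (1937) tokens the question asks about, then export
$records = $sampleEvents | ConvertTo-ElevationRecord | Where-Object { $_.ElevationCode -in '%%1936', '%%1937' }
$records | Export-Csv -Path .\ElevationTypes.csv -NoTypeInformation
$records | Format-Table -AutoSize

# Against the real log, replace $sampleEvents with the live query, e.g.:
# Get-EventLog -LogName Security -InstanceId 4688 -After (Get-Date '6/20/2016 10:00:00 am')
```

With the sample data only the cmd.exe row (Type 2, %%1937) reaches the CSV; the notepad.exe row is dropped by the filter as a limited token.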