I am trying to use the command below to get the user SID from a specific event, convert it to a username, and then output its value.
$sid = Get-Winevent -FilterHashtable @{Logname='system';ID=1065} -MaxEvents 1 | Select User -ExpandProperty Userid
$objSID = New-Object System.Security.Principal.SecurityIdentifier ($sid)
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
$objUser.Value
I couldn't find the reason why it isn't working. It can't decode the username.
$objUser should store the username for the SID. I am trying to use it for domain users. The SID should be valid, because I get it from an existing event.
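
An added example, not part of the original post: one defensive way to turn the UserId of event records into account names, reporting missing, malformed or unmapped SIDs as a status instead of throwing. Resolve-Sid and $SidCache are hypothetical names, and the sample SIDs are constructed.

```powershell
# Added example. Resolve-Sid and $SidCache are hypothetical names.
$script:SidCache = @{}   # SID string -> account name, avoids repeated lookups

function Resolve-Sid {
    param(
        [Parameter(ValueFromPipeline)]
        [AllowNull()]
        [object]$Sid   # SecurityIdentifier object, SID string, or $null
    )
    process {
        $result = [ordered]@{ Sid = $null; Account = $null; Status = 'NoSid' }
        if ($null -ne $Sid) {
            try {
                # The UserId property of an event record is already a SecurityIdentifier;
                # the cast passes it through and also accepts a plain SID string.
                $sidObj = [System.Security.Principal.SecurityIdentifier]$Sid
                $result.Sid = $sidObj.Value
                if (-not $script:SidCache.ContainsKey($sidObj.Value)) {
                    $script:SidCache[$sidObj.Value] =
                        $sidObj.Translate([System.Security.Principal.NTAccount]).Value
                }
                $result.Account = $script:SidCache[$sidObj.Value]
                $result.Status  = 'Resolved'
            }
            catch [System.Security.Principal.IdentityNotMappedException] {
                # The SID is well formed, but no account could be found for it
                # from the context this session runs in.
                $result.Status = 'NotMapped'
            }
            catch {
                # Anything else, e.g. a string that is not a valid SID.
                $result.Status = "Error: $($_.Exception.GetBaseException().Message)"
            }
        }
        [pscustomobject]$result
    }
}

# Constructed sample inputs: a well-known SID (Local System), a made-up
# domain-style SID that should not map on most systems, and a malformed value.
'S-1-5-18', 'S-1-5-21-1111111111-2222222222-3333333333-1001', 'not-a-sid' | Resolve-Sid

# The same helper applied to the event from the post (events without a UserId give 'NoSid').
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1065 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object { Resolve-Sid -Sid $_.UserId }
```

A 'NotMapped' status separates a lookup failure from a malformed SID, which narrows down where the translation breaks.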