get-logonevents

function get-logonevents {
  param(
    [string]$computer=$env:computername,
    [int]$days = 30
  )
  $millisecperday = 24*60*60*1000
  $logonType = @{
    2='Interactive';
    3='Network';
    4='Batch';
    5='Service';
    7='Unlock';
    8='NetworkCleartext';
    9='RunAsCredentials';
    10='RemoteInteractive';
    11='CachedInteractive';
  }
  Get-WinEvent -LogName Security -computer $computer -filterxpath ('*[System[(EventID=4624 or EventID=4648) and TimeCreated[timediff(@SystemTime) <= {0}]]]' -f ($days*$millisecperday)) | ForEach-Object{
    $event = $_
    $props = $event.Properties
    switch ($_.id) {
      4624 {
        $log = [ordered]@{
          date = $event.TimeCreated;
          eventid = $event.Id;
          subjectSID = $props[0].Value.Value;
          subjectName = '{0}\{1}' -f $props[2].Value,$props[1].Value;
          logonSID = $props[4].Value.Value;
          logonName = '{0}\{1}' -f $props[6].Value,$props[5].Value;
          logonType = $logonType[[int]$props[8].Value];
          target = $props[11].Value;
          process = '[{0}] {1}' -f $props[16].Value,$props[17].Value
        }
      }
      4648 {
        $log = [ordered]@{
          date = $event.TimeCreated;
          eventid = $event.Id;
          subjectSID = $props[0].Value;
          subjectName = '{0}\{1}' -f $props[2].Value,$props[1].Value;
          logonSID = '';
          logonName = $props[5].Value;
          logonType = 'n/a';
          target = $props[8].Value;
          process = '[{0}] {1}' -f $props[10].Value,$props[11].Value
        }
      }
    }
    new-object -type psobject -prop $log
  }
}