When using PowerShell to parse event logs on Windows 7 systems, I usually use something like the following to get the username of users that have logged on to the system:
get-eventlog -instanceID 4624 -computer <HostName> security | %{$_.ReplacementStrings[5]}
I need to also be able to parse archived logs the same way, but the Get-WinEvent cmdlet doesn't seem to provide the data in the same manner:
get-winevent -path .\Archive-Security-2012-10-16-20-03-48-409.evtx | Where {$_.id -eq "4624"} | %{$_.ReplacementStrings[5]}
The whole method of using ReplacementStrings is not something I understand well. They both look like strings to me. Is there a way to parse the message field of archived logs the same way you parse the data in active event logs?
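An added example, not part of the original post: Get-WinEvent returns EventLogRecord objects, which expose the event's insertion strings through a Properties collection rather than ReplacementStrings, so the same index works as Properties[5].Value. The second half reads the fields by name from the event XML instead of by position; the output column names (User, Domain, LogonType, SourceIp) are chosen for this example, and the file name is the one from the question.

```powershell
# Archived log from the question.
$Path = '.\Archive-Security-2012-10-16-20-03-48-409.evtx'

# Filter on the event ID while reading the file, rather than piping every
# record through Where-Object afterwards.
$logons = Get-WinEvent -Path $Path -FilterXPath '*[System[EventID=4624]]'

# Positional access: Properties[n].Value on an EventLogRecord lines up with
# ReplacementStrings[n] on the entries that Get-EventLog returns.
# For 4624, index 5 is TargetUserName (the account that logged on).
$logons | ForEach-Object { $_.Properties[5].Value }

# Named access: each <Data Name="..."> element under <EventData> is one field,
# so fields can be looked up by name instead of by a numeric index.
$logons | ForEach-Object {
    $xml    = [xml]$_.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        $fields[$d.GetAttribute('Name')] = $d.InnerText
    }

    # New-Object is used instead of [pscustomobject] so this also runs on
    # the PowerShell 2.0 that ships with Windows 7.
    New-Object PSObject -Property @{
        TimeCreated = $_.TimeCreated
        User        = $fields['TargetUserName']
        Domain      = $fields['TargetDomainName']
        LogonType   = $fields['LogonType']
        SourceIp    = $fields['IpAddress']
    }
} | Select-Object TimeCreated, User, Domain, LogonType, SourceIp
```

Reading by name is less brittle than a fixed index when the same script is later pointed at other event IDs, since each event ID has its own field order.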