I was answering a question in the Spiceworks PowerShell Forum concerning the event log. The poster was looking for how to find out who had logged on to a particular computer. The answer was to use Get-WinEvent and search the Security log for the relevant event. Easy.
But how do you know which event to look for? There are so many events! Well, there's a PowerShell script for that. The script to list the different event IDs and roughly what each one means looks like this:
# Get all the security events (reading the Security log requires elevation)
$e = Get-WinEvent -LogName Security
# Sort by event ID and group the events by ID, one group per message kind:
$ids = $e | Sort-Object Id | Group-Object -Property Id
# And print the event types: the ID and the first line of a sample message
Foreach ($id in $ids) {
    $m = ($id.Group[0].Message).Split("`n")[0]
    " {0,5} {1}" -f $id.Name, $m
}
This code first gets all the security events and sorts them by event ID. Then the code extracts the first line of the event log message for each ID and displays the event ID and that first line. On my machine the output looks like this:
4624 An account was successfully logged on.
4672 Special privileges assigned to new logon.
4634 An account was logged off.
4648 A logon was attempted using explicit credentials.
5058 Key file operation.
5061 Cryptographic operation.
4798 A user's local group membership was enumerated.
4799 A security-enabled local group membership was enumerated.
4904 An attempt was made to register a security event source.
4905 An attempt was made to unregister a security event source.
4907 Auditing settings on object were changed.
5059 Key migration operation.
4688 A new process has been created.
4608 Windows is starting up.
4902 The Per-user audit policy table was created.
1100 The event logging service has shut down.
4616 The system time was changed.
4826 Boot Configuration Data loaded.
5033 The Windows Firewall Driver started successfully.
5024 The Windows Firewall service started successfully.
4647 User initiated logoff:
So knowing this, finding out who logged on is simple, right? You might think so. It takes a bit of tinkering with the object, but here's my code:
# Get logon users: event 4624 is "An account was successfully logged on"
$le = $e | Where-Object Id -eq 4624
$x = foreach ($event in $le) {
    $time = $event.TimeCreated
    # For 4624, Properties[5] is TargetUserName and Properties[6] is TargetDomainName
    $username = $event.Properties[5].Value
    $domain = $event.Properties[6].Value
    # Skip empty names and the built-in SYSTEM account
    If (($username -ne '') -and ($username -ne 'System')) {
        $ht = @{}
        $ht.time = $time
        $ht.user = "$domain/$username"
        New-Object psobject -Property $ht
    }
}
# And display the results: logon count per user, most frequent first
$x | Group-Object user | Sort-Object Count -Descending | Format-Table Name, Count
This code creates a simple object for each event log entry with the relevant ID. This object just holds the time, and the domain and username taken from the event log entry. I create an object so that, at the end, I can group and then sort the logon events by user. The result looks roughly like this:
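A sturdier version of the same logon report, added here as an example and not part of the original post: it lets the event log service filter for 4624 (instead of pulling the whole Security log), reads the EventData fields by name rather than by position in Properties, drops machine accounts and SYSTEM, and breaks the count down by logon type so interactive, network and RDP logons are not lumped together. The function name and the default set of logon types are my own choices; it still needs to run elevated to read the Security log.

```powershell
# Added example: summarise 4624 logons per account and logon type.
function Get-LogonSummary {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        # Logon types reported by default: 2 interactive, 3 network,
        # 7 unlock, 10 remote interactive (RDP), 11 cached interactive.
        [int[]]$LogonType = @(2, 3, 7, 10, 11)
    )

    # FilterHashtable pushes the ID and time filter into the log service.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    $rows = foreach ($event in $events) {
        # Read EventData by field name from the event XML so the code does
        # not depend on the order of $event.Properties.
        $data = @{}
        foreach ($d in ([xml]$event.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        $user = $data['TargetUserName']
        $type = [int]$data['LogonType']
        # Skip empty names, machine accounts (trailing $) and SYSTEM,
        # and logon types the caller did not ask for.
        if ([string]::IsNullOrEmpty($user) -or $user.EndsWith('$') -or
            $user -eq 'SYSTEM' -or $type -notin $LogonType) { continue }

        [pscustomobject]@{
            Time      = $event.TimeCreated
            User      = "$($data['TargetDomainName'])\$user"
            LogonType = $type
            Source    = $data['IpAddress']
        }
    }

    $rows | Group-Object User, LogonType | ForEach-Object {
        [pscustomobject]@{
            User      = $_.Group[0].User
            LogonType = $_.Group[0].LogonType
            Count     = $_.Count
            LastSeen  = ($_.Group | Measure-Object Time -Maximum).Maximum
        }
    } | Sort-Object Count -Descending
}

Get-LogonSummary -Since (Get-Date).AddDays(-7) | Format-Table -AutoSize
```

On a workstation the bulk of entries are usually type 3 network logons from the machine itself; the type 2, 7 and 10 rows are the ones that answer "who sat at, unlocked or RDP'd into this computer".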
Fun and games with the event log!
1 comment:
Am I completely wrong here, but don't you miss an end bracket for the section that you start in line 8 of your #get logon users?