Thursday, October 12, 2017

Events in the Security Event Log

I was answering a question in the Spiceworks PowerShell Forum concerning the event log. The poster was looking for how to find out who had logged on to a particular computer. The answer was to use Get-WinEvent and search the Security log for the relevant event. Easy.

But how do you know which event to look for? There are so many events! Well, there's a PowerShell script for that. The code to find the different event IDs and roughly what each one means looks like this:

# Get all the Security events (this needs an elevated session; the Security log is not readable otherwise)
$e = Get-WinEvent -LogName Security
# Group the events by event ID
$ids = $e | Group-Object -Property Id
# And print each ID with the first line of its message
Foreach ($id in $ids) {
  $m = ($id.Group[0].Message).Split("`n")[0].Trim()
  " {0}    {1}" -f $id.Name, $m
}
This code first gets all the Security events and groups them by event ID. Then, for each ID, it takes the first line of the message of the first event in the group and prints the ID alongside it. Be warned that on a busy server the Security log is big and pulling the whole thing over the pipeline takes a while. On my system the output looks like this:
 4624    An account was successfully logged on.
 4672    Special privileges assigned to new logon.
 4634    An account was logged off.
 4648    A logon was attempted using explicit credentials.
 5058    Key file operation.
 5061    Cryptographic operation.
 4798    A user's local group membership was enumerated.
 4799    A security-enabled local group membership was enumerated.
 4904    An attempt was made to register a security event source.
 4905    An attempt was made to unregister a security event source.
 4907    Auditing settings on object were changed.
 5059    Key migration operation.
 4688    A new process has been created.
 4608    Windows is starting up.
 4902    The Per-user audit policy table was created.
 1100    The event logging service has shut down.
 4616    The system time was changed.
 4826    Boot Configuration Data loaded.
 5033    The Windows Firewall Driver started successfully.
 5024    The Windows Firewall service started successfully.
 4647    User initiated logoff:
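Here is an added example (my own code, not from the original post) that does the same survey more economically: it restricts the query to the last seven days with -FilterHashtable so the event log service does the filtering, and it labels each ID from the Security-Auditing provider's own metadata rather than from a sample event, so an ID still gets a description even if the one event you have for it carries an odd message. It assumes an elevated session (or membership of Event Log Readers), since the Security log cannot be opened otherwise; the seven-day window is an arbitrary choice.

```powershell
# Added example, not the original post's code. Assumes an elevated session
# (or membership of Event Log Readers); the Security log cannot be opened
# otherwise. The seven-day window is an arbitrary choice.
$since = (Get-Date).AddDays(-7)

# -FilterHashtable hands the filter to the event log service, so only the
# matching records cross the pipeline. Filtering with Where-Object afterwards
# would first pull every record in the log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } -ErrorAction Stop

# The provider's metadata carries a description for every event ID it can
# write, so no sample event is needed to label an ID.
$provider = Get-WinEvent -ListProvider 'Microsoft-Windows-Security-Auditing'
$describe = @{}
foreach ($meta in $provider.Events) {
    if (-not $meta.Description) { continue }
    # Descriptions use %n as a line break; keep only the first line.
    $describe[[int]$meta.Id] = [regex]::Split($meta.Description, '%n|\r?\n')[0].Trim()
}

# Count per ID, busiest first, with the description alongside.
$events |
    Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    ForEach-Object {
        $id = [int]$_.Name
        $desc = '(no description in provider metadata)'
        if ($describe.ContainsKey($id)) { $desc = $describe[$id] }
        [pscustomobject]@{
            Id          = $id
            Count       = $_.Count
            Description = $desc
        }
    } |
    Format-Table -AutoSize
```

The counts are the useful part: a sudden pile of 4625 (failed logon) or 4688 (process creation) events in a window where there were none before is the kind of thing you want to notice before you start reading individual records.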
So knowing this, finding out who logged in is simple, right? You might think so. It takes a bit of tinkering with the event object, but here's my code:

# Get logon events (ID 4624)
$le = $e | Where-Object Id -eq 4624
$x = foreach ($event in $le) {
  $time = $event.TimeCreated
  # For 4624, Properties[5] is TargetUserName and Properties[6] is TargetDomainName
  $username = $event.Properties[5].Value
  $domain   = $event.Properties[6].Value
  # Skip empty and SYSTEM logons. This must be -and: with -or the test is always true.
  If (($username -ne '') -and ($username -ne 'System')) {
    $ht = @{}
    $ht.time = $time
    $ht.user = "$domain/$username"
    New-Object psobject -Property $ht
  }
}
# And display the results:
$x | Group-Object user | Sort-Object Count -Descending | Format-Table Name, Count
This code creates a simple object for each 4624 entry, holding just the time, user name and domain from the event. Having objects lets me group and then sort the logons at the end. Two things to keep in mind: if the condition is written with -or instead of -and, the SYSTEM logons slip through, which is why that line appears in the output below. And 4624 records every successful logon, not only people at the console: service, network and batch logons all land here too, which is why the per-VM accounts Hyper-V uses for its worker processes (the NT VIRTUAL MACHINE entries) show up. The logon type is in Properties[8] if you want to narrow it down. The result is almost like this:
Name                                                    Count
----                                                    -----
COOKHAM.NET/JerryGarcia                                  7576
NT AUTHORITY/SYSTEM                                       746
COOKHAM.NET/COOKHAM24$                                     73
COOKHAM/BobWeir                                            36
NT VIRTUAL MACHINE/27A96661-D855-4286-81D6-BBB32172CCED     6
COOKHAM.NET/MickyHart                                       5
Window Manager/DWM-1                                        2
NT AUTHORITY/NETWORK SERVICE                                1
NT VIRTUAL MACHINE/55C8EC55-6D2B-421D-A454-28FCF4680366     1
NT VIRTUAL MACHINE/53EC57B5-BAB2-4A29-A34B-19A8BB857C42     1
NT VIRTUAL MACHINE/45FF27A5-C133-4213-9A4A-DBF4317D55D0     1
NT VIRTUAL MACHINE/4459B92D-0476-4815-B2DE-C3243CD2D82B     1
NT VIRTUAL MACHINE/3D886F3D-B8BD-41A0-8B05-B82AEB2FE99D     1
NT VIRTUAL MACHINE/370E6442-86B5-4310-BDAB-1882DAE4E5C6     1
NT VIRTUAL MACHINE/33872EB0-2259-4312-83F4-AE783B9D817C     1
NT VIRTUAL MACHINE/2FF8C7E0-CB1E-46E1-9C53-7DEFF18FB488     1
NT VIRTUAL MACHINE/289DD95C-0454-4D51-93FC-F4D7502D894B     1
NT VIRTUAL MACHINE/596834C2-6B40-47E6-9EC5-3231BAD2C01B     1
NT VIRTUAL MACHINE/125EFD6E-2F88-4E2E-A0F2-BDA9516B2B59     1
NT VIRTUAL MACHINE/0C77EC57-8A20-4533-A4E1-5CDB93CB1DC2     1
NT AUTHORITY/ANONYMOUS LOGON                                1
NT AUTHORITY/LOCAL SERVICE                                  1
NT VIRTUAL MACHINE/2FAD3305-C65D-4304-AFF1-F4CFC0C96381     1
NT VIRTUAL MACHINE/64D69931-57FE-491F-96C8-215DE6B3D3FC     1
NT VIRTUAL MACHINE/880CD2FD-7304-4CE1-B831-87ED01DD0BD7     1
NT VIRTUAL MACHINE/7A4205E9-D2C6-466C-82BE-80CFF9947738     1
NT VIRTUAL MACHINE/FA3ADF88-EA85-43A4-AE49-5551186977DB     1
NT VIRTUAL MACHINE/EBF0AAF0-2300-4CD3-9B92-BCA29896DD90     1
NT VIRTUAL MACHINE/E4B8AA47-B256-4918-9098-A80C09DC91ED     1
NT VIRTUAL MACHINE/DD8F6DE3-5F65-4990-B0DD-BF328BFB47BE     1
NT VIRTUAL MACHINE/DC824601-E4F9-445D-BFE4-44FB83D7B733     1
NT VIRTUAL MACHINE/DA85B909-A42E-400F-96CB-340BBB6E0DC0     1
NT VIRTUAL MACHINE/D5420357-DF18-4140-B986-B85CF25D8FF1     1
NT VIRTUAL MACHINE/C66F22AD-DF26-4ED3-A555-9FDDE0588EE4     1
NT VIRTUAL MACHINE/6A8984FD-8774-447A-9F35-4FD97766E303     1
NT VIRTUAL MACHINE/BFDAC935-60ED-4CF9-BE1C-FC12DC47EBB2     1
NT VIRTUAL MACHINE/BE427F4F-C3AC-4086-B58D-8B5B8B8C7863     1
NT VIRTUAL MACHINE/A20EA3B5-7926-4AE4-96D7-4AFE2E34D80A     1
NT VIRTUAL MACHINE/9C00DC59-E565-4B88-88D0-CEE2AC08E870     1
NT VIRTUAL MACHINE/95D96D7E-9A2F-46D8-8E02-0FC0B2F9E594     1
NT VIRTUAL MACHINE/953BFF3A-A3EA-4567-ABAD-2A7337CE3B26     1
NT VIRTUAL MACHINE/9353F711-F39C-47E0-B41A-9E85D70997D8     1
NT VIRTUAL MACHINE/88536766-EF5D-4AE9-A343-B3713EA912DF     1
Font Driver Host/UMFD-1                                     1
NT VIRTUAL MACHINE/BFAFEC2C-5565-4458-A359-A4EC6F62079C     1
Font Driver Host/UMFD-0                                     1
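To answer the original question more precisely, here is an added example (again my own code, not the post's) that keeps only the logon types that mean a person actually signed in at the console, unlocked the desktop or came in over Remote Desktop, drops computer accounts, and pulls the fields by name from the event XML rather than by Properties index. It assumes an elevated session and that success auditing for Logon is enabled (the default); the seven-day window and the default set of logon types are assumptions you can override on the command line.

```powershell
# Added example, not the original post's code. Assumes an elevated session
# (the Security log is not readable otherwise) and that success auditing of
# Logon events is on, which is the default, so 4624 is actually written.

# Logon type codes as documented for event 4624. For "who signed in to this
# box" the interesting ones are 2, 7, 10 and 11; 3 and 5 are mostly noise.
$LogonTypeName = @{
    2 = 'Interactive';     3 = 'Network';            4 = 'Batch'
    5 = 'Service';         7 = 'Unlock';             8 = 'NetworkCleartext'
    9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function Get-LogonEvent {
    param(
        [datetime] $Since     = (Get-Date).AddDays(-7),   # assumed window
        [int[]]    $LogonType = @(2, 7, 10, 11)           # assumed default set
    )
    # Let the event log service do the filtering instead of piping every record.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Since }
    foreach ($ev in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Read the EventData fields by name from the XML. Properties[n] works,
        # but the positions differ between versions of the event.
        $data = @{}
        foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        $type = [int]$data['LogonType']
        if ($LogonType -notcontains $type)      { continue }  # service/network noise
        if ($data['TargetUserName'] -like '*$') { continue }  # computer accounts
        [pscustomobject]@{
            Time        = $ev.TimeCreated
            User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = $LogonTypeName[$type]
            Source      = $data['IpAddress']
            Workstation = $data['WorkstationName']
        }
    }
}

# Who logged on, how, and how often, most frequent first:
Get-LogonEvent |
    Group-Object -Property User, LogonType |
    Sort-Object -Property Count -Descending |
    Format-Table -Property Name, Count -AutoSize

# Most recent logon per user, with where it came from:
Get-LogonEvent |
    Sort-Object -Property Time -Descending |
    Group-Object -Property User |
    ForEach-Object { $_.Group[0] } |
    Format-Table -AutoSize
```

Reading the XML for every record is slower than indexing Properties, so on a large log combine it with a tighter -Since or add -MaxEvents to the Get-WinEvent call. The Source column is the one to watch for type 10: a RemoteInteractive logon from an address you do not recognise is worth a closer look even when the account is a legitimate one.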
Fun and games with the event log!

1 comment:

Unknown said...

Am I completely wrong here, but don't you miss an end bracket for the section that you start in line 8 of your #get logon users?