Get-LogonHistory.ps1

1. <#
2. .Synopsis
3. Extracts recent logon history for the local machine from the Security Event Log.
4. .Description
5. This script scans through the Security Event Log on the local machine for interactive logons (both local and remote), and logouts.
6.  
7. It then constructs a PowerShell Custom Object containing the fields of interest and writes that object to the pipeline as its output.
8.  
9. NOTE: This script must be run 'As Administrator' in order to access the Security Event Log.
10.  
11. To run this function on a remote computer, use it in conjunction with the Invoke-Command cmdlet.
12. .Inputs
13. None. You cannot pipe input to this script.
14. .Outputs
15. System.Management.Automation.PSCustomObject
16.  
17. Get-LogonHistory returns a custom object containing the following properties:
18.  
19. [String]UserName
20. The username of the account that logged on/off of the machine.
21. [String]ComputerName
22. The name of the computer that the user logged on to/off of.
23. [String]Action
24. The action the user took with regards to the computer. Either 'logon' or 'logoff'.
25. [String]LogonType
26. Either 'console' or 'remote', depending on how the user logged on. This property is null if the user logged off.
27. [DateTime]TimeStamp
28. A DateTime object representing the date and time that the user logged on/off.
29. .Notes
30.  
31. .Example
32. .\Get-LogonHistory.ps1
33.  
34. Description
35. -----------
36. Gets the available logon entries in the Security log on the local computer.
37. .Example
38. Invoke-Command -ComputerName 'remotecomputer' -File '.\Get-LogonHistory.ps1'
39.  
40. Description
41. -----------
42. Gets the available logon entries in the Security log on a remote computer named 'remotecomputer'.
43. #>
44.  
45.  
46. function Get-Win7LogonHistory {
47. $logons = Get-EventLog Security -AsBaseObject -InstanceId 4624,4647 |
48. Where-Object { ($_.InstanceId -eq 4647) `
49. -or (($_.InstanceId -eq 4624) -and ($_.Message -match "Logon Type:\s+2")) `
50. -or (($_.InstanceId -eq 4624) -and ($_.Message -match "Logon Type:\s+10")) }
51. $poweroffs = Get-EventLog System -AsBaseObject -InstanceId 41
52. $events = $logons + $poweroffs | Sort-Object TimeGenerated
53.  
54. if ($events) {
55. foreach($event in $events) {
56. # Parse logon data from the Event.
57. if ($event.InstanceId -eq 4624) {
58. # A user logged on.
59. $action = 'logon'
60.  
61. $event.Message -match "Logon Type:\s+(\d+)" | Out-Null
62. $logonTypeNum = $matches[1]
63.  
64. # Determine logon type.
65. if ($logonTypeNum -eq 2) {
66. $logonType = 'console'
67. } elseif ($logonTypeNum -eq 10) {
68. $logonType = 'remote'
69. } else {
70. $logonType = 'other'
71. }
72.  
73. # Determine user.
74. if ($event.message -match "New Logon:\s*Security ID:\s*.*\s*Account Name:\s*(\w+)") {
75. $user = $matches[1]
76. } else {
77. $index = $event.index
78. Write-Warning "Unable to parse Security log Event. Malformed entry? Index: $index"
79. }
80.  
81. } elseif ($event.InstanceId -eq 4647) {
82. # A user logged off.
83. $action = 'logoff'
84. $logonType = $null
85.  
86. # Determine user.
87. if ($event.message -match "Subject:\s*Security ID:\s*.*\s*Account Name:\s*(\w+)") {
88. $user = $matches[1]
89. } else {
90. $index = $event.index
91. Write-Warning "Unable to parse Security log Event. Malformed entry? Index: $index"
92. }
93. } elseif ($event.InstanceId -eq 41) {
94. # The computer crashed.
95. $action = 'logoff'
96. $logonType = $null
97. $user = '*'
98. }
99.  
100. # As long as we managed to parse the Event, print output.
101. if ($user) {
102. $timeStamp = Get-Date $event.TimeGenerated
103. $output = New-Object -Type PSCustomObject
104. Add-Member -MemberType NoteProperty -Name 'UserName' -Value $user -InputObject $output
105. Add-Member -MemberType NoteProperty -Name 'ComputerName' -Value $env:computername -InputObject $output
106. Add-Member -MemberType NoteProperty -Name 'Action' -Value $action -InputObject $output
107. Add-Member -MemberType NoteProperty -Name 'LogonType' -Value $logonType -InputObject $output
108. Add-Member -MemberType NoteProperty -Name 'TimeStamp' -Value $timeStamp -InputObject $output
109. Write-Output $output
110. }
111. }
112. } else {
113. Write-Host "No recent logon/logoff events."
114. }
115. }
116.  
117. function Get-WinXPLogonHistory {
118. $logons = Get-EventLog Security -AsBaseObject -InstanceId 528,551 |
119. Where-Object { ($_.InstanceId -eq 551) `
120. -or (($_.InstanceId -eq 528) -and ($_.Message -match "Logon Type:\s+2")) `
121. -or (($_.InstanceId -eq 528) -and ($_.Message -match "Logon Type:\s+10")) }
122. #$poweroffs = Get-Eventlog System -AsBaseObject -InstanceId 6008
123. #$events = $logons + $poweroffs | Sort-Object TimeGenerated
124.  
125. if ($events) {
126. foreach($event in $events) {
127. # Parse logon data from the Event.
128. if ($event.InstanceId -eq 528) {
129. # A user logged on.
130. $action = 'logon'
131.  
132. $event.Message -match "Logon Type:\s+(\d+)" | Out-Null
133. $logonTypeNum = $matches[1]
134.  
135. # Determine logon type.
136. if ($logonTypeNum -eq 2) {
137. $logonType = 'console'
138. } elseif ($logonTypeNum -eq 10) {
139. $logonType = 'remote'
140. } else {
141. $logonType = 'other'
142. }
143.  
144. # Determine user.
145. if ($event.message -match "Successful Logon:\s*User Name:\s*(\w+)") {
146. $user = $matches[1]
147. } else {
148. $index = $event.index
149. Write-Warning "Unable to parse Security log Event. Malformed entry? Index: $index"
150. }
151.  
152. } elseif ($event.InstanceId -eq 551) {
153. # A user logged off.
154. $action = 'logoff'
155. $logonType = $null
156.  
157. # Determine user.
158. if ($event.message -match "User initiated logoff:\s*User Name:\s*(\w+)") {
159. $user = $matches[1]
160. } else {
161. $index = $event.index
162. Write-Warning "Unable to parse Security log Event. Malformed entry? Index: $index"
163. }
164. }# elseif ($event.InstanceId -eq 6008) {
165. # The computer crashed.
166. # $action = 'logoff'
167. # $logonType = $null
168. # $user = '*'
169. #}
170.  
171. # As long as we managed to parse the Event, print output.
172. if ($user) {
173. $timeStamp = Get-Date $event.TimeGenerated
174. $output = New-Object -Type PSCustomObject
175. Add-Member -MemberType NoteProperty -Name 'UserName' -Value $user -InputObject $output
176. Add-Member -MemberType NoteProperty -Name 'ComputerName' -Value $env:computername -InputObject $output
177. Add-Member -MemberType NoteProperty -Name 'Action' -Value $action -InputObject $output
178. Add-Member -MemberType NoteProperty -Name 'LogonType' -Value $logonType -InputObject $output
179. Add-Member -MemberType NoteProperty -Name 'TimeStamp' -Value $timeStamp -InputObject $output
180. Write-Output $output
181. }
182. }
183. } else {
184. Write-Host "No recent logon/logoff events."
185. }
186. }
187. $OSversion = (Get-WmiObject -Query 'SELECT version FROM Win32_OperatingSystem').version
188. if ($OSversion -ge 6) {
189. Get-Win7LogonHistory
190. } else {
191. Get-WinXPLogonHistory
192. }
193.  
194.  
195.  
196. import-module ActiveDirectory
197.  
198. $credpath = 'C:\safe\secretfile.txt'
199. $c = Import-Clixml -Path $credpath
200.  
201. Get-ADComputer -searchbase "dc=SDC,dc=internal" -Properties Name -Filter * | Select-Object Name
202.  
203. Invoke-Command -ComputerName "3130-AD04" Get-Win7LogonHistory | Select-Object UserName,Action,TimeStamp | Export-Csv "C:\cpmp.csv"