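Function Get-UserLogonEvent {
<#
.SYNOPSIS
Gather logon information from Security Logs
.DESCRIPTION
Parse Windows Security Logs for Logon Events (Event ID 4624) for the specified user, in the specified timeframe.
Each matching event is returned as a PSCustomObject with ComputerName, Username, LogonType and EventCreated properties.
.PARAMETER User
The username to search for. Matched against the event's TargetUserName field.
Must not contain a single quote, because the value is embedded in an XPath string literal.
.PARAMETER Hours
How many hours backwards in the log to search. This gets converted to milliseconds for the FilterXml query. Must be at least 1.
.PARAMETER Computername
The computer you wish to search. Defaults to $env:COMPUTERNAME. Requires RPC to be available. Accepts pipeline input.
.EXAMPLE
Get-UserLogonEvent -User jsmith -Hours 3
.EXAMPLE
Get-UserLogonEvent -User jsmith -Hours 3 -Computername RECEPTIONPC
.OUTPUTS
System.Management.Automation.PSCustomObject
.NOTES
Get-WinEvent raises a non-terminating error when no event matches the filter; pass -ErrorAction SilentlyContinue to suppress it.
#>
[CmdletBinding()]
Param(
    [Parameter(Mandatory, Position = 0)]
    [ValidateNotNullOrEmpty()]
    [string]
    $User,

    [Parameter(Mandatory, Position = 1)]
    [ValidateRange(1, 2147483647)]
    [Int]
    $Hours,

    [Parameter(Position = 2, ValueFromPipeline, ValueFromPipelineByPropertyName)]
    [string]
    $Computername = $env:COMPUTERNAME
)
Process {
    # A single quote would terminate the XPath string literal below and let the
    # supplied value change the query; XPath 1.0 has no escape for it inside a
    # quoted literal, so reject it up front.
    if ($User.Contains("'")) {
        throw [System.ArgumentException]::new("User must not contain a single quote.", 'User')
    }
    # The value is placed in element text, so XML-reserved characters (& < >)
    # must be escaped for the document to stay well-formed.
    $EscapedUser = [System.Security.SecurityElement]::Escape($User)

    # Convert Hours to milliseconds, used by the FilterXml query. Computed as
    # [long] so large hour values cannot overflow a 32-bit integer.
    [long]$ms = [long]$Hours * 3600000

    # timediff() gives the milliseconds between the event's SystemTime and now.
    # The comparison is written as &lt;= because a bare '<' inside element
    # content is not well-formed XML and the [xml] cast would reject it.
    [xml]$FilterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[EventID='4624' and TimeCreated[timediff(@SystemTime) &lt;= $ms]] and EventData/Data[@Name='TargetUserName'] = '$EscapedUser']</Select>
  </Query>
</QueryList>
"@

    # Human-readable names for the LogonType value (EventData index 8 of a 4624 event).
    $LogonTypeNames = @{
        '2'  = 'Interactive -- Physical'
        '3'  = 'Network -- File/Print'
        '4'  = 'Batch'
        '5'  = 'Service -- Startup'
        '7'  = 'Unlock'
        '8'  = 'NetworkClearText -- IIS Basic Auth'
        '9'  = 'NewCredentials'
        '10' = 'RemoteInteractive -- RDS'
        '11' = 'CachedInteractive -- Use cached creds'
    }

    Get-WinEvent -FilterXml $FilterXml -ComputerName $Computername | ForEach-Object {
        $RawLogonType = "$($_.Properties[8].Value)"
        # Fall back to the raw numeric value so every output object has the
        # same property set, even for logon types not in the table above.
        $LogonTypeName = $LogonTypeNames[$RawLogonType]
        if (-not $LogonTypeName) {
            $LogonTypeName = "Unknown -- $RawLogonType"
        }
        [pscustomobject]@{
            ComputerName = $Computername
            Username     = $User
            LogonType    = $LogonTypeName
            EventCreated = $_.TimeCreated
        }
    }
}
}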