@cainejunkazama
Created August 7, 2013 20:46
<#
.SYNOPSIS
Gets successful logins from a specified computer and domain and then determines their type.
.DESCRIPTION
Get-Logins digs through a computer's local Security log to find successful logon events (event ID 4624) from any user of a specified domain and determines their logon type and time.
This is accomplished through the RemoteRegistry service running on the target machine. If this service is stopped, Get-Logins will start it.
NOTE: This function will also return the number of Spiceworks logins to the specified computer. Please modify the function to reflect your Spiceworks domain account name.
.PARAMETER Computer
The computer that you would like to determine login times for.
Defaults to the computer that the script is executing on.
.PARAMETER UserDomain
The domain from which you would like to view user logins.
Defaults to the domain of the user running the script.
.PARAMETER LeaveServiceRunning
Tells the script whether to stop the RemoteRegistry service afterwards or to leave it running.
Defaults to $true.
.EXAMPLE
Get-Logins
This returns the login times for any user from the same domain as the user running the script from the computer the script is running on.
.EXAMPLE
Get-Logins DC01 -UserDomain DC01 -LeaveServiceRunning $false
Returns all logins to DC01 of any users local to DC01 and stops the RemoteRegistry service upon completion.
.OUTPUTS
Actual: Login from login screen (logon type 2)
Network: Accessing shared files or a resource on the computer (logon type 3)
Batch: Scheduled task (logon type 4)
Service: Generated by a service (logon type 5)
Unlock: User unlocks computer (logon type 7)
Remote Interactive: RDP (logon type 10)
Cached Interactive: Cached credentials used (logon type 11)
.NOTES
Author: Twon of An
.LINK
Get-Service
Set-Service
Get-EventLog
Get-WmiObject
#>
Function Get-Logins
{
    param
    (
        [Parameter(ValueFromPipeline=$true,Mandatory=$false)]
        [String]$Computer = $env:computername
        ,
        [Parameter(Mandatory=$false)]
        [String]$UserDomain = $env:userdomain
        ,
        [Parameter(Mandatory=$false)]
        [Bool]$LeaveServiceRunning = $true
    )

    $spiceworks = 0

    # Remote log reading needs the RemoteRegistry service on the target; start it if it is stopped.
    If($Computer -ne $env:computername)
    {
        $RegServ = Get-Service remoteregistry -ComputerName $Computer
        If($RegServ.status -ne "Running")
        {
            Set-Service remoteregistry -ComputerName $Computer -Status Running #start RemoteRegistry service to allow remote viewing of Security Logs
        }
    }

    # 4624 = successful logon. ReplacementStrings for 4624: [5] TargetUserName, [6] TargetDomainName, [8] LogonType.
    $events = Get-EventLog Security -ComputerName $Computer | Where-Object {($_.InstanceID -eq 4624) -and ($_.ReplacementStrings[6] -eq $UserDomain)}

    ForEach($event in $events)
    {
        If($event.ReplacementStrings[5] -ne "spiceworks") #My Spiceworks domain account is called: Spiceworks. I already know that it logs in a lot.
        {
            If($event.ReplacementStrings[5] -ne "$Computer`$") #Avoid grabbing the computer's self logins (machine account ends in $).
            {
                Switch($event.ReplacementStrings[8]) #Logon type code
                {
                    2       {$type = "Actual"}
                    3       {$type = "Network"}
                    4       {$type = "Batch"}
                    5       {$type = "Service"}
                    7       {$type = "Unlock"}
                    10      {$type = "Remote Interactive"}
                    11      {$type = "Cached Interactive"}
                    default {$type = $event.ReplacementStrings[8]} #If it returns a different code then default to the code number
                }
                $obj = New-Object System.Object
                $obj | Add-Member -Type NoteProperty -Name Account -Value $event.ReplacementStrings[5]
                $obj | Add-Member -Type NoteProperty -Name Type -Value $type
                $obj | Add-Member -Type NoteProperty -Name Time -Value $event.TimeWritten
                $obj #emit each logon record to the pipeline as it is built
            }
        }
        Else
        {
            $spiceworks++
        }
    }

    # Original used "=" (assignment) here, which always evaluated true and stopped the service on every run.
    If(-not $LeaveServiceRunning)
    {
        Write-Host "Turning RemoteRegistry service off..."
        Get-WmiObject -Class Win32_Service -Filter 'name="remoteregistry"' -ComputerName $Computer | Invoke-WmiMethod -Name StopService | Out-Null
    }

    If($UserDomain -ne $Computer) #Spiceworks is a domain account. This skips it if searching for a local computer account.
    {
        Write-Host "`nSpiceworks logon count: $spiceworks"
    }
}
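The gist reads the account, domain and logon type by position from ReplacementStrings ([5], [6], [8]), which is correct for event 4624 but easy to get wrong for other event IDs, and it leaves logon types 8 (NetworkCleartext) and 9 (NewCredentials) to the default branch. The following is an added example, not part of the gist, that does the same classification from the event's named XML fields (TargetUserName, TargetDomainName, LogonType, WorkstationName, IpAddress) so the mapping does not depend on field order, and covers all the documented logon type codes. The two sample events are constructed here for illustration; the live-collection line at the end assumes Get-WinEvent is available on the reviewing host.

```powershell
# Added example (not from the gist): classify 4624 logons by named XML fields.
# Logon type codes and names as documented for Security event 4624.
$LogonTypeNames = @{
    '2'  = 'Interactive'        # the gist calls this "Actual"
    '3'  = 'Network'
    '4'  = 'Batch'
    '5'  = 'Service'
    '7'  = 'Unlock'
    '8'  = 'NetworkCleartext'   # not mapped by the gist; falls into its default branch
    '9'  = 'NewCredentials'     # not mapped by the gist; e.g. runas /netonly
    '10' = 'RemoteInteractive'
    '11' = 'CachedInteractive'
}

Function ConvertFrom-LogonEventXml
{
    # Accepts the XML of one 4624 event (what EventLogRecord.ToXml() returns).
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)][string]$EventXml)
    process
    {
        $xml  = [xml]$EventXml
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }   # name -> value, order-independent
        $code = $data['LogonType']
        [pscustomobject]@{
            Time        = [datetime]$xml.Event.System.TimeCreated.SystemTime
            Account     = $data['TargetUserName']
            Domain      = $data['TargetDomainName']
            LogonType   = if ($LogonTypeNames.ContainsKey($code)) { $LogonTypeNames[$code] } else { $code }
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
        }
    }
}

# Constructed sample events (hypothetical values): one interactive user logon, one machine-account network logon.
$SampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><TimeCreated SystemTime="2013-08-07T20:46:00.000Z"/></System><EventData><Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">EXAMPLE</Data><Data Name="LogonType">2</Data><Data Name="WorkstationName">WS01</Data><Data Name="IpAddress">-</Data></EventData></Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><TimeCreated SystemTime="2013-08-07T20:47:00.000Z"/></System><EventData><Data Name="TargetUserName">WS01$</Data><Data Name="TargetDomainName">EXAMPLE</Data><Data Name="LogonType">3</Data><Data Name="WorkstationName">WS01</Data><Data Name="IpAddress">10.0.0.5</Data></EventData></Event>
'@
)

# Same filters the gist applies: one domain, and skip machine accounts (names ending in $).
$Logons = $SampleEvents | ConvertFrom-LogonEventXml |
    Where-Object { $_.Domain -eq 'EXAMPLE' -and $_.Account -notlike '*$' }
$Logons | Format-Table Time, Account, LogonType, Workstation, SourceIp -AutoSize

# Live collection against the local Security log (needs event log read rights):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-LogonEventXml |
#     Where-Object { $_.Account -notlike '*$' } | Group-Object LogonType | Select-Object Name, Count
```

Using named fields also makes it straightforward to keep WorkstationName and IpAddress alongside the logon type, which the gist drops; for a review of remote (type 3 and 10) logons those two fields are usually what you want next to the account name.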