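<#
.SYNOPSIS
Gets successful logins from a specified computer and domain and then determines their type.
.DESCRIPTION
Get-Logins digs through a computer's local security logs to find successful logon events (event ID 4624) from any user from a specified domain and determines their logon type and time.
This is accomplished through the local RemoteRegistry service running on a machine. If this service is stopped, Get-Logins will start it.
Each logon is emitted to the pipeline as soon as it is found, so the output can be piped to Sort-Object, Export-Csv, etc.
NOTE: This function will also report the number of Spiceworks logins to the specified computer. Change $spiceworksAccount inside the function to reflect your Spiceworks domain account name.
.PARAMETER Computer
The computer that you would like to determine login times for. Accepts pipeline input; each piped name is processed in turn.
Defaults to the computer that the script is executing on.
.PARAMETER UserDomain
The domain from which you would like to view user logins.
Defaults to the domain of the user running the script.
.PARAMETER LeaveServiceRunning
Tells the script to stop the RemoteRegistry service or to leave it running.
Defaults to $true. When $false the service is stopped whether or not this function started it.
.EXAMPLE
Get-Logins
This returns the login times for any user from the same domain as the user running the script from the computer the script is running on.
.EXAMPLE
Get-Logins DC01 -UserDomain DC01 -LeaveServiceRunning $false
Returns all logins to DC01 of any users local to DC01 and stops the RemoteRegistry service upon completion.
.OUTPUTS
Objects with Account, Type and Time properties. Type is one of:
Actual: Login from login screen
Network: Accessing shared files or a resource on the computer
Batch: Scheduled task
Service: Generated by a service
Unlock: User unlocks computer
Network Cleartext: Credentials sent in cleartext (e.g. IIS basic authentication)
New Credentials: RunAs /netonly style logon
Remote Interactive: RDP
Cached Interactive: Cached credentials used
Any other logon type code is returned as its numeric value.
.NOTES
Author: Twon of An
Requires rights to read the remote Security log; stopping or starting RemoteRegistry additionally requires administrative rights on the target.
.LINK
Get-Service
Set-Service
Get-EventLog
Get-WmiObject
#>
Function Get-Logins
{
    param
    (
        [Parameter(ValueFromPipeline=$true,Mandatory=$false)]
        [String]$Computer = $env:computername
        ,
        [Parameter(Mandatory=$false)]
        [String]$UserDomain = $env:userdomain
        ,
        [Parameter(Mandatory=$false)]
        [Bool]$LeaveServiceRunning = $true
    )

    begin
    {
        # Account name of the Spiceworks monitoring account. Its logons are
        # counted rather than listed because it is known to log in a lot.
        # Adjust to match your environment.
        $spiceworksAccount = "spiceworks"

        # Logon type code (ReplacementStrings[8] of event 4624) -> friendly name.
        # Codes not listed here are reported as the raw number.
        $logonTypes = @{
            "2"  = "Actual"
            "3"  = "Network"
            "4"  = "Batch"
            "5"  = "Service"
            "7"  = "Unlock"
            "8"  = "Network Cleartext"
            "9"  = "New Credentials"
            "10" = "Remote Interactive"
            "11" = "Cached Interactive"
        }
    }

    # A process block is required for ValueFromPipeline to run once per piped
    # computer name; without it only the last piped value would be processed.
    process
    {
        $spiceworks = 0
        # Machine accounts end in '$'; their own logons are not interesting here.
        $computerAccount = "$Computer`$"

        If ($Computer -ne $env:computername)
        {
            # Reading a remote Security log needs RemoteRegistry on the target.
            # Fail early with a clear error if the service cannot even be queried
            # (host unreachable, insufficient rights) instead of producing
            # partial results further down.
            $RegServ = Get-Service remoteregistry -ComputerName $Computer -ErrorAction Stop
            If ($RegServ.Status -ne "Running")
            {
                Set-Service remoteregistry -ComputerName $Computer -Status Running
            }
        }

        # -InstanceId filters on the event log side rather than pulling every
        # Security event across the wire and discarding most of them locally.
        # ReplacementStrings[6] is the target domain of a 4624 event.
        $events = Get-EventLog -LogName Security -ComputerName $Computer -InstanceId 4624 |
            Where-Object { $_.ReplacementStrings[6] -eq $UserDomain }

        ForEach ($event in $events)
        {
            # ReplacementStrings[5] is the target account name of a 4624 event.
            $account = $event.ReplacementStrings[5]

            If ($account -eq $spiceworksAccount)
            {
                $spiceworks++
                continue
            }
            If ($account -eq $computerAccount)
            {
                continue
            }

            $code = [string]$event.ReplacementStrings[8]
            If ($logonTypes.ContainsKey($code))
            {
                $type = $logonTypes[$code]
            }
            Else
            {
                $type = $event.ReplacementStrings[8]
            }

            $obj = New-Object System.Object
            $obj | Add-Member -MemberType NoteProperty -Name Account -Value $account
            $obj | Add-Member -MemberType NoteProperty -Name Type -Value $type
            $obj | Add-Member -MemberType NoteProperty -Name Time -Value $event.TimeWritten
            # Emit directly; no need to accumulate an array just to index it.
            $obj
        }

        # '-eq' rather than '=': a single '=' is an assignment in PowerShell and
        # would have made this branch unreachable.
        If ($LeaveServiceRunning -eq $false)
        {
            Write-Host "Turning RemoteRegistry service off..."
            Get-WmiObject -Class Win32_Service -Filter 'name="remoteregistry"' -ComputerName $Computer |
                Invoke-WmiMethod -Name StopService | Out-Null
        }

        # Spiceworks is a domain account; the count is meaningless when the
        # query was for a computer's local accounts.
        If ($UserDomain -ne $Computer)
        {
            Write-Host "`nSpiceworks logon count: $spiceworks"
        }
    }
}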