Event Log Viewer GUI / PowerShell
This PowerShell script comes to us from theSysadminChannel. I added a couple of items, such as Locked Out in the options, and wrapped it in a GUI. It has come in handy for finding accounts that keep getting locked out, or for seeing which accounts have logged on to a system. It makes it easy to query the Security event log without opening an RDP session to the server or attaching the Event Viewer MMC console. Note that you still authenticate to the remote machine: the account running the script (or the one passed with -Credential) must be allowed to read the target's Security log — typically membership in the local Administrators or Event Log Readers group — and the remote event log service must be reachable through the firewall. The GUI only passes a computer name, a day count and the event type; it never sends credentials of its own, so run it as an account that already has those rights.
I will paste the code below for you to use on your system. As noted, this code was created by theSysadminChannel; I only changed it slightly for my purposes.
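Function Get-LastLoginInfo {
<#
.SYNOPSIS
Returns logon-related Security events (successful/failed logon, logoff, account lockout,
RDP disconnect) from one or more computers, one de-duplicated row per computer / minute /
user / logon type.
More info can be found: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events
.DESCRIPTION
Builds an XPath filter for the Security log (provider Microsoft-Windows-Security-Auditing,
the single event ID selected by -LoginEvent, events no older than -DaysFromToday days) and
runs it with Get-WinEvent against each computer in turn. Reading a remote Security log
requires the calling account (or -Credential) to have read access to that log on the target
and the remote event log service to be reachable; a failure on one computer is reported with
Write-Error and the remaining computers are still processed.
.PARAMETER ComputerName
One or more computers to query. Defaults to the local computer. Accepts pipeline input.
.PARAMETER SamAccountName
Return only events whose TargetUserName equals this value. Cannot be combined with
-ExcludeSamAccountName.
.PARAMETER ExcludeSamAccountName
Return events whose TargetUserName is anything other than this value. Cannot be combined
with -SamAccountName.
.PARAMETER LoginEvent
Which event to query: SuccessfulLogin (4624), FailedLogin (4625), Logoff (4647),
LockedOut (4740) or DisconnectFromRDP (4779). Default: SuccessfulLogin.
.PARAMETER DaysFromToday
How many days back from now to search. Default: 3.
.PARAMETER MaxEvents
Maximum number of de-duplicated rows returned per computer. Default: 1024.
.PARAMETER Credential
Alternate credentials handed to Get-WinEvent for the remote query.
.NOTES
Name: Get-LastLoginInfo
Author: theSysadminChannel
Version: 1.0
DateCreated: 2020-Nov-27
Revised by: Andy Jordan
Version: 1.01
DateModified: 2021-Sep-03
Added: Added Locked out to the options and made it a GUI interface.
.EXAMPLE
Get-LastLoginInfo -ComputerName Server01, Server02, PC03 -SamAccountName username
.LINK
https://thesysadminchannel.com/get-computer-last-login-information-using-powershell
#>
    [CmdletBinding(DefaultParameterSetName = "Default")]
    param(
        [Parameter(
            Mandatory = $false,
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true,
            Position = 0
        )]
        [string[]] $ComputerName = $env:COMPUTERNAME,

        [Parameter(
            Position = 1,
            Mandatory = $false,
            ParameterSetName = "Include"
        )]
        [string] $SamAccountName,

        [Parameter(
            Position = 1,
            Mandatory = $false,
            ParameterSetName = "Exclude"
        )]
        [string] $ExcludeSamAccountName,

        [Parameter(Mandatory = $false)]
        [ValidateSet("SuccessfulLogin", "FailedLogin", "Logoff", "LockedOut", "DisconnectFromRDP")]
        [string] $LoginEvent = "SuccessfulLogin",

        [Parameter(Mandatory = $false)]
        [int] $DaysFromToday = 3,

        [Parameter(Mandatory = $false)]
        [int] $MaxEvents = 1024,

        [System.Management.Automation.PSCredential]
        $Credential
    )

    BEGIN {
        # The account names below are spliced into a single-quoted XPath string literal.
        # XPath 1.0 has no escape for a quote inside such a literal, so a value containing
        # one would terminate the literal and alter (or break) the predicate. Refuse it up
        # front rather than sending a mangled query to every target.
        foreach ($Name in @($SamAccountName, $ExcludeSamAccountName)) {
            if ($Name -and $Name.Contains("'")) {
                throw "Account name '$Name' contains a single quote, which cannot be placed in the XPath filter."
            }
        }

        $EventIdByLoginEvent = @{
            SuccessfulLogin   = 4624
            FailedLogin       = 4625
            Logoff            = 4647
            LockedOut         = 4740
            DisconnectFromRDP = 4779
        }
        $EventID   = $EventIdByLoginEvent[$LoginEvent]
        $StartDate = (Get-Date).AddDays(-$DaysFromToday)
    }

    PROCESS {
        foreach ($Computer in $ComputerName) {
            try {
                $Computer = $Computer.ToUpper()
                # Same single-quote concern as for the account names: the machine account
                # name is embedded in the XPath literal below.
                if ($Computer.Contains("'")) {
                    throw "Computer name '$Computer' contains a single quote and cannot be used in the XPath filter."
                }

                # timediff() in the XPath query is in milliseconds relative to "now"; recompute
                # per computer so a long-running pipeline does not drift the window.
                $Time = [int64][math]::Round((New-TimeSpan -Start $StartDate -End (Get-Date)).TotalMilliseconds)

                # Common predicate: skip SYSTEM and the target's own machine account, then
                # narrow to / away from a single account when asked. Include and Exclude are
                # separate parameter sets, so at most one of the two branches applies.
                $UserPredicate = @(
                    "Data[@Name='TargetUserName'] != 'SYSTEM'"
                    "Data[@Name='TargetUserName'] != '$($Computer)$'"
                )
                if ($PSBoundParameters.ContainsKey("SamAccountName")) {
                    $UserPredicate += "Data[@Name='TargetUserName'] = '$($SamAccountName)'"
                } elseif ($PSBoundParameters.ContainsKey("ExcludeSamAccountName")) {
                    $UserPredicate += "Data[@Name='TargetUserName'] != '$($ExcludeSamAccountName)'"
                }
                $EventData = "*[EventData[`n" + ($UserPredicate -join " and`n") + "`n]]"

                # The filter is parsed as XML before it is evaluated as XPath, so the
                # comparison operator must be written as '&lt;=' ('<=' is not well-formed
                # inside element text and fails to parse).
                $Filter = @"
<QueryList>
  <Query Id="0">
    <Select Path="Security">
      *[System[
          Provider[@Name='Microsoft-Windows-Security-Auditing'] and
          EventID=$EventID and
          TimeCreated[timediff(@SystemTime) &lt;= $($Time)]
      ]]
      and
      $EventData
    </Select>
  </Query>
</QueryList>
"@

                $WinEventParams = @{
                    ComputerName = $Computer
                    FilterXml    = $Filter
                    ErrorAction  = 'Stop'
                }
                if ($PSBoundParameters.ContainsKey("Credential")) {
                    $WinEventParams['Credential'] = $Credential
                }
                $EventLogList = Get-WinEvent @WinEventParams

                $Output = foreach ($Log in $EventLogList) {
                    # Reset per event so a value this event does not carry (e.g. a logon type
                    # not covered below) can never inherit the previous event's value.
                    $LoginType   = $null
                    $UserName    = $null
                    $RowComputer = $Computer

                    # Seconds and milliseconds are dropped so near-simultaneous duplicates
                    # collapse in the -Unique step below.
                    $TimeStamp = $Log.TimeCreated.ToString('MM/dd/yyyy hh:mm tt') -as [DateTime]

                    switch ($LoginEvent) {
                        'Logoff' {
                            # 4647: TargetUserName is EventData index 1.
                            $UserName  = ([string]$Log.Properties[1].Value).ToLower()
                            $LoginType = 'Logoff'
                        }
                        'LockedOut' {
                            # 4740: index 0 is the locked account; index 1 is the caller computer
                            # that reported the bad passwords, which is what is shown as ComputerName.
                            $UserName    = ([string]$Log.Properties[0].Value).ToLower()
                            $RowComputer = ([string]$Log.Properties[1].Value).ToLower()
                            $LoginType   = 'LockedOut'
                        }
                        'FailedLogin' {
                            # 4625: TargetUserName is EventData index 5.
                            $UserName  = ([string]$Log.Properties[5].Value).ToLower()
                            $LoginType = 'FailedLogin'
                        }
                        'DisconnectFromRDP' {
                            # Index 5 is taken as the account name, as in the original script.
                            # NOTE(review): 4779's EventData (AccountName, AccountDomain, LogonID,
                            # SessionName, ClientName, ClientAddress) appears to put the client
                            # address at index 5 and does not use the TargetUserName field the XPath
                            # filter keys on - verify against a real 4779 event before relying on it.
                            $UserName  = ([string]$Log.Properties[5].Value).ToLower()
                            $LoginType = 'DisconnectFromRDP'
                        }
                        default {
                            # SuccessfulLogin (4624): index 5 is TargetUserName, index 8 the logon type.
                            $UserName  = ([string]$Log.Properties[5].Value).ToLower()
                            $LoginType = switch ([int]$Log.Properties[8].Value) {
                                2  { 'Interactive' }
                                3  { 'Network' }
                                4  { 'Batch' }
                                5  { 'Service' }
                                7  { 'Unlock' }
                                8  { 'NetworkCleartext' }
                                9  { 'NewCredentials' }
                                10 { 'RemoteInteractive' }
                                11 { 'CachedInteractive' }
                                default { "Unknown($_)" }
                            }
                        }
                    }

                    [PSCustomObject]@{
                        ComputerName = $RowComputer
                        TimeStamp    = $TimeStamp
                        UserName     = $UserName
                        LoginType    = $LoginType
                    }
                }

                # Truncating the timestamp above produces exact duplicates; keep one of each,
                # then cap the per-computer row count.
                $Output |
                    Select-Object ComputerName, TimeStamp, UserName, LoginType -Unique |
                    Select-Object -First $MaxEvents
            } catch {
                Write-Error "${Computer}: $($_.Exception.Message)"
            }
        }
    }

    END {}
}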
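# WinForms and GDI+ are not loaded in a plain PowerShell console (only the ISE preloads them);
# without this the New-Object calls below fail with "Unable to find type".
Add-Type -AssemblyName System.Windows.Forms, System.Drawing

$Form_Accounts = New-Object System.Windows.Forms.Form
$Form_Accounts.Text            = "Event Log Viewer"
$Form_Accounts.Size            = New-Object System.Drawing.Size(560, 390)
$Form_Accounts.FormBorderStyle = "FixedDialog"
$Form_Accounts.TopMost         = $true
$Form_Accounts.MaximizeBox     = $false
$Form_Accounts.MinimizeBox     = $false
$Form_Accounts.ControlBox      = $true
$Form_Accounts.StartPosition   = "CenterScreen"
# Was "Segoa UI" (typo); an unknown family name is silently substituted, so the intended font never applied.
$Form_Accounts.Font            = "Segoe UI"

# --- Computer name (editable combo, pre-seeded with the usual targets) ---
$label_ComputerName = New-Object System.Windows.Forms.Label
$label_ComputerName.Location  = New-Object System.Drawing.Size(8, 16)
$label_ComputerName.Size      = New-Object System.Drawing.Size(120, 16)
$label_ComputerName.TextAlign = "TopLeft"
$label_ComputerName.Text      = "Enter ComputerName:"
$Form_Accounts.Controls.Add($label_ComputerName)

$combo_ComputerName = New-Object System.Windows.Forms.ComboBox
$combo_ComputerName.Location = New-Object System.Drawing.Size(8, 32)
$combo_ComputerName.Size     = New-Object System.Drawing.Size(120, 16)
$combo_ComputerName.Text     = ""
foreach ($Host_ in "DC1", "DC2", "DC3", "DC4", "LSNTEC") {
    [void] $combo_ComputerName.Items.Add($Host_)
}
$Form_Accounts.Controls.Add($combo_ComputerName)

# --- Number of days to look back ---
$label_NumOfDays = New-Object System.Windows.Forms.Label
$label_NumOfDays.Location  = New-Object System.Drawing.Size(140, 16)
$label_NumOfDays.Size      = New-Object System.Drawing.Size(120, 16)
$label_NumOfDays.TextAlign = "TopLeft"
$label_NumOfDays.Text      = "Enter Number of Days:"
$Form_Accounts.Controls.Add($label_NumOfDays)

$textbox_NumOfDays = New-Object System.Windows.Forms.TextBox
$textbox_NumOfDays.Location = New-Object System.Drawing.Size(140, 32)
$textbox_NumOfDays.Size     = New-Object System.Drawing.Size(120, 16)
$textbox_NumOfDays.Text     = "3"
$Form_Accounts.Controls.Add($textbox_NumOfDays)

# --- Event type. DropDownList stops free text that -LoginEvent's ValidateSet would reject. ---
$label_Options = New-Object System.Windows.Forms.Label
$label_Options.Location  = New-Object System.Drawing.Size(8, 64)
$label_Options.Size      = New-Object System.Drawing.Size(120, 16)
$label_Options.TextAlign = "TopLeft"
$label_Options.Text      = "Enter Options:"
$Form_Accounts.Controls.Add($label_Options)

$combo_Options = New-Object System.Windows.Forms.ComboBox
$combo_Options.Location      = New-Object System.Drawing.Size(8, 80)
$combo_Options.Size          = New-Object System.Drawing.Size(120, 16)
$combo_Options.DropDownStyle = "DropDownList"
foreach ($Option in "SuccessfulLogin", "FailedLogin", "Logoff", "LockedOut", "DisconnectFromRDP") {
    [void] $combo_Options.Items.Add($Option)
}
$combo_Options.SelectedItem = "LockedOut"
$Form_Accounts.Controls.Add($combo_Options)

# --- Results grid. Columns are created once; the click handler only clears the rows. ---
$listbox_Logs = New-Object System.Windows.Forms.ListView
$listbox_Logs.View     = 'Details'
$listbox_Logs.Location = New-Object System.Drawing.Size(8, 110)
$listbox_Logs.Size     = New-Object System.Drawing.Size(540, 240)
$Form_Accounts.Controls.Add($listbox_Logs)
[void] $listbox_Logs.Columns.Add('ComputerName', 120)
[void] $listbox_Logs.Columns.Add('TimeStamp', 160)
[void] $listbox_Logs.Columns.Add('Username', 120)
[void] $listbox_Logs.Columns.Add('LoginType', 110)

$button_Run = New-Object System.Windows.Forms.Button
$button_Run.Location = New-Object System.Drawing.Size(140, 80)
$button_Run.Size     = New-Object System.Drawing.Size(120, 20)
$button_Run.Text     = "Submit"
$button_Run.Add_Click({
    $listbox_Logs.Items.Clear()

    $strComputer = $combo_ComputerName.Text.Trim()
    $strLogType  = $combo_Options.Text
    if ([string]::IsNullOrWhiteSpace($strComputer)) {
        [void][System.Windows.Forms.MessageBox]::Show("Enter or pick a computer name.", "Event Log Viewer")
        return
    }

    # The textbox is free text; validate here instead of letting a non-numeric value
    # blow up inside Get-LastLoginInfo's [int] parameter binding.
    $intNumOfDays = 0
    if (-not [int]::TryParse($textbox_NumOfDays.Text, [ref] $intNumOfDays) -or $intNumOfDays -lt 0) {
        [void][System.Windows.Forms.MessageBox]::Show("Number of days must be a whole number of 0 or more.", "Event Log Viewer")
        return
    }

    # Get-LastLoginInfo reports a failed query with Write-Error; -ErrorAction Stop turns that
    # into an exception we can show, instead of an empty list that looks like "no events".
    try {
        $events = Get-LastLoginInfo -ComputerName $strComputer -DaysFromToday $intNumOfDays -LoginEvent $strLogType -ErrorAction Stop
    } catch {
        [void][System.Windows.Forms.MessageBox]::Show($_.Exception.Message, "Event Log Viewer")
        return
    }

    foreach ($event in $events) {
        $item = New-Object System.Windows.Forms.ListViewItem([string]$event.ComputerName)
        [void] $item.SubItems.Add($event.TimeStamp.ToString())
        [void] $item.SubItems.Add([string]$event.UserName)
        [void] $item.SubItems.Add([string]$event.LoginType)
        [void] $listbox_Logs.Items.Add($item)
    }
})
$Form_Accounts.Controls.Add($button_Run)

# Show Form
$Form_Accounts.Add_Shown({ $Form_Accounts.Activate() })
[void] $Form_Accounts.ShowDialog()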