{"id":4647,"date":"2020-05-14T04:43:51","date_gmt":"2020-05-14T04:43:51","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=4647"},"modified":"2022-12-02T03:27:26","modified_gmt":"2022-12-02T03:27:26","slug":"reporting-on-event-id-logon-4624-and-7001-with-powershell","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/reporting-on-event-id-logon-4624-and-7001-with-powershell","title":{"rendered":"Reporting on Event ID (logon) 4624 and 7001 with PowerShell"},"content":{"rendered":"\n<p>Find users who have physically logged into a machine (Winlogon event ID 7001)<\/p>\n\n\n<div class=\"wp-block-wab-pastacode\">\n\t<div class=\"code-embed-wrapper\"> <pre class=\"language-markup code-embed-pre line-numbers\"  data-start=\"1\" data-line-offset=\"0\"><code class=\"language-markup code-embed-code\">param(<br\/>    [alias(&quot;CN&quot;)]<br\/>    $ComputerName=&quot;localhost&quot;<br\/>)<br\/><br\/>$UserProperty = @{n=&quot;User&quot;;e={(New-Object System.Security.Principal.SecurityIdentifier $_.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])}}<br\/>$TypeProperty = @{n=&quot;Action&quot;;e={if($_.EventID -eq 7001) {&quot;Logon&quot;} else {&quot;Logoff&quot;}}}<br\/>$TimeProperty = @{n=&quot;Time&quot;;e={$_.TimeGenerated}}<br\/>$MachineNameProperty = @{n=&quot;MachinenName&quot;;e={$_.MachineName}}<br\/><br\/>foreach ($computer in $ComputerName) {<br\/>    Get-EventLog System -Source Microsoft-Windows-Winlogon -ComputerName $computer | select $UserProperty,$TypeProperty,$TimeProperty,$MachineNameProperty<br\/>}<\/code><\/pre> <div class=\"code-embed-infos\"> <\/div> <\/div><\/div>\n\n\n\n<p>Find users who have authenticated, together with the logon type of each logon (Security event ID 4624)<\/p>\n\n\n<div class=\"wp-block-wab-pastacode\">\n\t<div class=\"code-embed-wrapper\"> <pre class=\"language-markup code-embed-pre line-numbers\"  data-start=\"1\" data-line-offset=\"0\"><code class=\"language-markup code-embed-code\">get-eventlog -ComputerName &quot;localhost&quot; 
-logname \u2019security\u2019 -instanceid 4624 -after (get-date).adddays(-10) | % {<br\/> <br\/>    [array] $login += [pscustomobject] @{<br\/>    <br\/>        account = $_.replacementstrings[5]<br\/>        time = $_.timewritten<br\/>        type = $_.replacementstrings[8]<br\/>        ip = $_.replacementstrings[18]<br\/>}}<br\/> <br\/>$login | ft -auto <\/code><\/pre> <div class=\"code-embed-infos\"> <\/div> <\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Find users who have physically logged into a machine 7001 Find users who have authenticated with different login types<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4647","post","type-post","status-publish","format-standard","hentry","category-research"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/4647","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=4647"}],"version-history":[{"count":2,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/4647\/revisions"}],"predecessor-version":[{"id":6470,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/4647\/revisions\/6470"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=4647"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=4647"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=4647"}
],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}