If you’ve ever had to dig through the Windows Security event log for a specific event, you know it’s a bit of a pain. Fortunately, you can speed up your search with PowerShell’s Get-EventLog cmdlet.
Let’s look at filtering the security logs to see who has logged on to a computer. The Event ID for a Logon event is 4624.
However, a 4624 event is written for every kind of logon (interactive, network, batch, service, unlock, remote interactive, cached interactive, and so on), and the Logon Type field is what tells you how the account actually got in. The types are explained here.
When I’m investigating whether a normal user has actually sat down at (or remoted into) a computer, I’m generally looking for:
- Type 2: Interactive
- Type 10: Remote Interactive
- Type 11: Cached Interactive
The basic filter dialog in eventvwr.msc lets you filter by Event ID but not by logon type (you would have to hand-write an XPath query on its XML tab). The Get-EventLog cmdlet is really a better fit for such a task.
Remembering to run as administrator…
# -InstanceId does the 4624 filtering in the cmdlet itself; an ISO date avoids the
# culture-dependent parsing of an unquoted 1/11/2017 (Jan 11 or Nov 1, depending on locale).
Get-EventLog -LogName Security -InstanceId 4624 -After '2017-01-11' |
    Where-Object { $_.ReplacementStrings[8] -in '2','10','11' } |
    Select-Object TimeGenerated,
        @{Name='User';      Expression={ $_.ReplacementStrings[5] }},
        @{Name='LogonType'; Expression={ $_.ReplacementStrings[8] }}
Now, we couldn’t simply ask for the User and Logon Type you see in the description, because Get-EventLog doesn’t expose them as properties; we had to reference $_.ReplacementStrings.
$_.ReplacementStrings is a string array holding the insertion strings of the event, in the order the 4624 message template lists them, which are the values you see in the Event Viewer message body. Because that order is fixed by the template, fields added in newer Windows versions are appended at the end and the early indices stay stable.
$_.ReplacementStrings[5] is the account name (TargetUserName) and $_.ReplacementStrings[8] is the logon type (LogonType). In the screenshot below, you can see this is Type 2: Interactive.
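The same search as an added example, not code from the original post. It uses Get-WinEvent instead of Get-EventLog (Get-WinEvent exists in both Windows PowerShell 5.1 and PowerShell 7), pushes the logon-type filtering into an XPath query so the event log service drops the network, service and batch logons for you, and reads fields by name from the event XML instead of by ReplacementStrings index, so the code does not break if a field moves. The function names, the sample event and the defaults are my own assumptions; it needs an elevated prompt to read the Security log.

```powershell
# Added example (not from the original post): interactive logons via Get-WinEvent.
# Requires rights to read the Security log, i.e. an elevated prompt.

# The three logon types the post is interested in (assumption: same set as above).
$InteractiveLogonTypes = @('2', '10', '11')   # Interactive, RemoteInteractive, CachedInteractive

function ConvertFrom-LogonEvent {
    # Turn the XML of one 4624 event into an object keyed by the EventData field
    # names, so we never depend on which position LogonType or TargetUserName has.
    param([Parameter(Mandatory)][string]$EventXml)
    [xml]$doc = $EventXml
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.'#text' }
    # XmlConvert handles the xs:dateTime form (any number of fractional digits) that the log uses.
    $when = [System.Xml.XmlConvert]::ToDateTime($doc.Event.System.TimeCreated.SystemTime,
                                                [System.Xml.XmlDateTimeSerializationMode]::Local)
    [pscustomobject]@{
        Time      = $when
        User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType = $data['LogonType']
        LogonId   = $data['TargetLogonId']
        SourceIp  = $data['IpAddress']
        Process   = $data['ProcessName']
    }
}

function Get-InteractiveLogon {
    # Query 4624 events with an XPath filter: event ID, age and logon type are all
    # evaluated by the event log service, so only the rows we care about come back.
    param(
        [datetime]$After = (Get-Date).AddDays(-7),
        [string[]]$LogonType = $InteractiveLogonTypes,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $typeClause = ($LogonType | ForEach-Object { "Data[@Name='LogonType']='$_'" }) -join ' or '
    $ageMs      = [long]((Get-Date) - $After).TotalMilliseconds
    $xpath      = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ageMs]] " +
                  "and EventData[$typeClause]]"
    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-LogonEvent -EventXml $_.ToXml() }
}

# Constructed sample event (not a real log entry) so the parser can be checked offline.
$SampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2017-01-11T08:15:30.123456700Z"/>
    <Computer>WS01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserSid">S-1-5-21-1-2-3-1001</Data>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="TargetLogonId">0x3e7a1</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
    <Data Name="IpAddress">10.0.0.25</Data>
  </EventData>
</Event>
'@
ConvertFrom-LogonEvent -EventXml $SampleXml | Format-List

# Live query against the local machine (elevated prompt required):
Get-InteractiveLogon -After '2017-01-11' | Sort-Object Time | Format-Table -AutoSize
```

The XPath form is the same one Event Viewer generates on its XML tab, so you can paste the query into a custom view if you want the same filter in the GUI. Reading the fields by name also gets you the logon ID and source address for free, which is what you need next when you want to tie a 4624 to its 4634 logoff or to a remote host.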
It’s definitely more efficient than poking through Event Viewer: a win for PowerShell. One caveat: Get-EventLog only exists in Windows PowerShell (5.1 and earlier) and only reads the classic logs; on PowerShell 7 use Get-WinEvent instead.