Finding Logon Events

Provided you have Administrator privileges, here is a quick and easy way of dumping all login events. This way you can find out who logged in to a particular computer, and which authentication type was used:

#requires -RunAsAdministrator

Get-EventLog -LogName Security -InstanceId 4624 |
  ForEach-Object {
          Time = $_.TimeGenerated
          LogonType = $_.ReplacementStrings[8]
          Process = $_.ReplacementStrings[9]
          Domain = $_.ReplacementStrings[5]
          User = $_.ReplacementStrings[6]
          Method = $_.ReplacementStrings[10]
          Source = $_.Source

  } | Out-GridView

Twitter This Tip! ReTweet this Tip!

GD Star Rating