
Query Security logs for Logon

Last Modified: 2013-11-18
I need a script to target a computer and use my current credentials or specified credentials and pull event id 528, 538, etc. or any event ID that gives successful logon.

I was just reading the answer to a similar question yesterday. If you don't mind getting additional information, such as last logon time, try this PAQ:
https://www.experts-exchange.com/Programming/Languages/Visual_Basic/VB_Script/Q_23683543.html

Commented:
you can enter specified credentials in these lines:

UserName = ""
Password = ""

even if you leave them blank (as is) the script will run
event id 538 is a log off event, so I didn't enter it in the script.

' Prompt for the target computer name
strComputer = inputbox("Enter Computer Name")
' Leave both blank to connect with the credentials of the user running the script
UserName = ""
Password = ""
' Connect to the WMI service on the target computer
Set SWBemlocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = SWBemlocator.ConnectServer(strComputer,"root\CIMV2",UserName,Password)

' Query the Security log for event 528 (successful logon)
Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "EventCode = '528'")

' Print the properties of each matching event
For Each objEvent in colEvents
    Wscript.Echo "Category: " & objEvent.Category
    Wscript.Echo "Computer Name: " & objEvent.ComputerName
    Wscript.Echo "Event Code: " & objEvent.EventCode
    Wscript.Echo "Message: " & objEvent.Message
    Wscript.Echo "Record Number: " & objEvent.RecordNumber
    Wscript.Echo "Source Name: " & objEvent.SourceName
    Wscript.Echo "Time Written: " & objEvent.TimeWritten
    Wscript.Echo "Event Type: " & objEvent.Type
    Wscript.Echo "User: " & objEvent.User
Next


Commented:
so the script will not bug you with a press-OK message, run it from the command line like this:

cscript scriptname.vbs

Commented:
this modified version will save the output to a txt file
change the log file path and name here:

Set objlog = objfso.CreateTextFile("c:\log.txt", true)
Set objfso = CreateObject("Scripting.FileSystemObject")
Set objfso = CreateObject("Scripting.FileSystemObject")
Set objlog = objfso.CreateTextFile("c:\log.txt", true)
 
strComputer = inputbox("Enter Computer Name")
UserName = ""
Password = ""
Set SWBemlocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = SWBemlocator.ConnectServer(strComputer,"root\CIMV2",UserName,Password)
 
Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "EventCode = '528'")
 
For Each objEvent in colEvents
   objlog.WriteLine "Category: " & objEvent.Category
   objlog.WriteLine "Computer Name: " & objEvent.ComputerName
   objlog.WriteLine "Event Code: " & objEvent.EventCode
   objlog.WriteLine "Message: " & objEvent.Message
   objlog.WriteLine "Record Number: " & objEvent.RecordNumber
   objlog.WriteLine "Source Name: " & objEvent.SourceName
   objlog.WriteLine "Time Written: " & objEvent.TimeWritten
   objlog.WriteLine "Event Type: " & objEvent.Type
   objlog.WriteLine "User: " & objEvent.User
Next
 
MsgBox "done"
 
strComputer = inputbox("Enter Computer Name")
UserName = ""
Password = ""
Set SWBemlocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = SWBemlocator.ConnectServer(strComputer,"root\CIMV2",UserName,Password)
 
Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "EventCode = '528'")
 
For Each objEvent in colEvents
   objlog.WriteLine "Category: " & objEvent.Category
   objlog.WriteLine "Computer Name: " & objEvent.ComputerName
   objlog.WriteLine "Event Code: " & objEvent.EventCode
   objlog.WriteLine "Message: " & objEvent.Message
   objlog.WriteLine "Record Number: " & objEvent.RecordNumber
   objlog.WriteLine "Source Name: " & objEvent.SourceName
   objlog.WriteLine "Time Written: " & objEvent.TimeWritten
   objlog.WriteLine "Event Type: " & objEvent.Type
   objlog.WriteLine "User: " & objEvent.User
Next
 
MsgBox "done"


Commented:
crap messed up here

' Create (or overwrite) the output file
Set objfso = CreateObject("Scripting.FileSystemObject")
Set objlog = objfso.CreateTextFile("c:\log.txt", true)

' Prompt for the target computer name
strComputer = inputbox("Enter Computer Name")
' Leave both blank to connect with the credentials of the user running the script
UserName = ""
Password = ""
' Connect to the WMI service on the target computer
Set SWBemlocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = SWBemlocator.ConnectServer(strComputer,"root\CIMV2",UserName,Password)

' Query the Security log for event 528 (successful logon)
Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "EventCode = '528'")

' Write the properties of each matching event to the log file
For Each objEvent in colEvents
   objlog.WriteLine "Category: " & objEvent.Category
   objlog.WriteLine "Computer Name: " & objEvent.ComputerName
   objlog.WriteLine "Event Code: " & objEvent.EventCode
   objlog.WriteLine "Message: " & objEvent.Message
   objlog.WriteLine "Record Number: " & objEvent.RecordNumber
   objlog.WriteLine "Source Name: " & objEvent.SourceName
   objlog.WriteLine "Time Written: " & objEvent.TimeWritten
   objlog.WriteLine "Event Type: " & objEvent.Type
   objlog.WriteLine "User: " & objEvent.User
Next

MsgBox "done"


Author

Commented:
ok, this is a great start.  Couple things I'd like to change though..

1.  The events are one after another, I was hoping to get an event as 1 line.  Such as user, logon type, time, etc.  Reading it in this form is not very easy.

2.  The time written is a number that must be system time in a format that I don't understand.  Any way to change that to what I would consider normal time formatting?

Author

Commented:
The event type didn't show in the csv when I opened it in excel.  

The code rocks though, thank you very much for this start.

Commented:
>> The event type didn't show in the csv when I opened it in excel.  

you mean event code?

event code column shows for me

Author

Commented:
I mistyped. I mean the logon type. The logon type is useful because it differentiates between unlocking, locking, logging on locally, remotely, etc.

Commented:
you asked for a "successful logon" script and this is what you got.

about logon type, I don't think there is a way to query such a thing from the examples you gave, like:
>> locking, logging on locally, remotely, etc.

Commented:
but you can look in the user column and see if it's a remote or local user event
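
The one-line-per-event output, readable time and logon type asked about in this thread, as an added example that is not part of any poster's script. It assumes the event 528 message text carries a "Logon Type:" field, runs on constructed sample values, and all helper names (DmtfToDate, LogonTypeName, Csv, EventToCsv) are hypothetical.

```vbscript
Option Explicit

' Added example: helper names (DmtfToDate, LogonTypeName, Csv, EventToCsv) are hypothetical.

' Convert a WMI (DMTF) timestamp, e.g. 20081002141503.000000-240, to a local date/time.
Function DmtfToDate(strDmtf)
    Dim objTime
    Set objTime = CreateObject("WbemScripting.SWbemDateTime")
    objTime.Value = strDmtf
    DmtfToDate = objTime.GetVarDate(True)   ' True = return local time
End Function

' Pull the numeric "Logon Type:" field out of the event message and name it.
Function LogonTypeName(varMessage)
    Dim objRe, colMatches, arrNames, intType
    arrNames = Array("", "", "Interactive", "Network", "Batch", "Service", "", _
        "Unlock", "NetworkCleartext", "NewCredentials", "RemoteInteractive", _
        "CachedInteractive")
    LogonTypeName = "unknown"
    Set objRe = New RegExp
    objRe.Pattern = "Logon Type:\s*(\d{1,3})"
    Set colMatches = objRe.Execute(varMessage & "")   ' & "" turns Null into ""
    If colMatches.Count = 0 Then Exit Function
    intType = CLng(colMatches(0).SubMatches(0))
    LogonTypeName = CStr(intType)
    If intType <= UBound(arrNames) Then
        If arrNames(intType) <> "" Then LogonTypeName = intType & " " & arrNames(intType)
    End If
End Function

' Quote one CSV field, doubling embedded quotes; Null (e.g. no user) becomes empty.
Function Csv(varValue)
    Csv = """" & Replace(varValue & "", """", """""") & """"
End Function

' One event as a single CSV line: time, user, logon type.
Function EventToCsv(strTimeWritten, varUser, varMessage)
    EventToCsv = Csv(DmtfToDate(strTimeWritten)) & "," & Csv(varUser) & "," & _
        Csv(LogonTypeName(varMessage))
End Function

' Constructed sample values standing in for objEvent.TimeWritten / .User / .Message.
Dim strSampleMsg
strSampleMsg = "Successful Logon:" & vbCrLf & vbTab & "User Name:" & vbTab & "jsmith" & _
    vbCrLf & vbTab & "Logon Type:" & vbTab & "10"
WScript.Echo EventToCsv("20081002141503.000000-240", "EXAMPLE\jsmith", strSampleMsg)

' Inside the For Each loop of the scripts posted above, the equivalent call would be:
' objlog.WriteLine EventToCsv(objEvent.TimeWritten, objEvent.User, objEvent.Message)
```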