Solved

How to see Event ID 1149 using powershell or cmd (the names and IPs  successfully logged in my remote)?

Posted on 2016-09-01
26
113 Views
Last Modified: 2016-09-01
How to see Event ID 1149 using powershell or cmd (the names and IPs  successfully logged in my remote)?Especially the IP's
To see reboot history i use this syntax and works great.Can anyone help me?thank you

Get-EventLog System | Where-Object {$_.EventID -eq "1074" -or $_.EventID -eq "6008" -or $_.EventID -eq "1076"} | ft Machinename, TimeWritten, UserName, EventID, Message -AutoSize -Wrap
0
Comment
Question by:john lambert
  • 14
  • 11
26 Comments
 
LVL 40

Expert Comment

by:Subsun
ID: 41779783
Use Get-WinEvent
Example...
Get-WinEvent "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" | 
?{$_.ID -eq "1149"} | %{						
	New-Object PSObject -Property @{
		MachineName = $_.MachineName
		TimeCreated = $_.TimeCreated
		User = $_.Properties[0].Value            
		Domain = $_.Properties[1].Value            
		SourceIP = $_.Properties[2].Value 
	}
}| Select MachineName,TimeCreated,User,Domain,SourceIP

Open in new window

2
 
LVL 17

Expert Comment

by:Spike99
ID: 41779901
Subsun,
Excellent script which worked for me, but, it gave me a huge amount of data.
So, I added this to the last line to produce a CSV file:

| Export-Csv <PATH to .csv File>

0
 
LVL 40

Expert Comment

by:Subsun
ID: 41779954
Yes, it will pull all 1149 events available on server. you can also filter using Where-Object to get a single days event..
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 

Author Comment

by:john lambert
ID: 41780088
how to solve this??
File C:\Users\User5\Desktop\demo.ps1 cannot be loaded because the execution of
scripts is disabled on this system. Please see "get-help about_signing" for mor
e details.
At line:1 char:32
+ C:\Users\User5\Desktop\demo.ps1 <<<<
    + CategoryInfo          : NotSpecified: (:) [], PSSecurityException
    + FullyQualifiedErrorId : RuntimeException
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780099
You need to change the powershell execution policy
Open the powershell console with run as administrator and run the following command
 Set-ExecutionPolicy remotesigned

Open in new window

1
 

Author Comment

by:john lambert
ID: 41780108
can u combine all?one click and solve all??
include this inside the script?to be sure is activated?: Set-ExecutionPolicy remotesigned
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780118
Set-ExecutionPolicy remotesigned
is a one time task unless you have disabled it using a GPO.
0
 

Author Comment

by:john lambert
ID: 41780122
can't see the usarnames:
MachineName : WIN-ERKU994KAAI
TimeCreated : 9/1/2016 6:48:42
User        :
Domain      :
SourceIP    : 5.15.201.100

MachineName : WIN-ERKU994KAAI
TimeCreated : 9/1/2016 5:39:15
User        :
Domain      :
SourceIP    : 5.15.203.100

MachineName : WIN-ERKU994KAAI
TimeCreated : 9/1/2016 3:52:45

Open in new window

0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780139
Hmm.. I just checked and it works for me.. Can you post a sample log?
0
 

Author Comment

by:john lambert
ID: 41780161
working for my other rdp

MachineName : Delphi-Prog2
TimeCreated : 9/1/2016 6:36:21 PM
User        : Administrator
Domain      :
SourceIP    : 172.93.xxx

MachineName : Delphi-Prog2
TimeCreated : 9/1/2016 6:36:18 PM
User        : Administrator
Domain      :
SourceIP    : 172.93.xxx

Open in new window

0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780166
Does the event message have the complete information for  User, Domain, Source Network Address?
0
 

Author Comment

by:john lambert
ID: 41780167
yes and for my other rdp , username is empty,always

Remote Desktop Services: User authentication succeeded:

User:
Domain:
Source Network Address: 5.15.xxxx
0
 

Author Comment

by:john lambert
ID: 41780170
No no  complete information for  User, Domain, Source Network Address
I check them all  Usernames ,Domains are empty for this rdp

snapshot
0
 

Author Comment

by:john lambert
ID: 41780194
how to modify the script to output.txt file?
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780202
ok.. script can pull the information from the event, only if it's present there. You can test by logging in using a domain account and see if the server logs the same.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780206
Use Export-csv to export the result...
Get-WinEvent "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" | 
?{$_.ID -eq "1149"} | %{						
	New-Object PSObject -Property @{
		MachineName = $_.MachineName
		TimeCreated = $_.TimeCreated
		User = $_.Properties[0].Value            
		Domain = $_.Properties[1].Value            
		SourceIP = $_.Properties[2].Value 
	}
}| Select MachineName,TimeCreated,User,Domain,SourceIP | Export-csv C:\temp\report.csv -nti

Open in new window

You can open report.csv using excel.
2
 

Author Comment

by:john lambert
ID: 41780212
i test and is working perfect,thank you...
0
 

Author Comment

by:john lambert
ID: 41780226
script working fine
0
 

Author Comment

by:john lambert
ID: 41780228
and modify script to see only the suers who logged TODAY?
0
 
LVL 40

Accepted Solution

by:
Subsun earned 500 total points
ID: 41780270
Try this for last 24 hours event details..
Get-WinEvent -FilterHashTable @{LogName="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational";StartTime=(get-date).AddDays(-1);ID=1149} | %{
	New-Object PSObject -Property @{
		MachineName = $_.MachineName
		TimeCreated = $_.TimeCreated
		User = $_.Properties[0].Value            
		Domain = $_.Properties[1].Value            
		SourceIP = $_.Properties[2].Value 
	}
}| Select MachineName,TimeCreated,User,Domain,SourceIP | Export-csv C:\temp\report.csv -nti

Open in new window

2
 

Author Comment

by:john lambert
ID: 41780286
oh yess thankssssssssssss
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780308
You're Welcome!.. Don't forget to close the question by accepting the answer.. :-)
1
 

Author Closing Comment

by:john lambert
ID: 41780388
thank you
0
 

Author Comment

by:john lambert
ID: 41780391
ok i close it thanks , do u know things about regex codes?
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780449
not an expert in regex but can help with simple issues.. why?
0
 

Author Comment

by:john lambert
ID: 41780467
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microsoft Windows Server Update Service (WSUS) is free for everyone, but it lacks of some desirable features like send an e-mail to the administrator with the status of all computers on the WSUS server. This article is based on my PowerShell script …
Synchronize a new Active Directory domain with an existing Office 365 tenant
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question