Solved

How to see Event ID 1149 using PowerShell or cmd (the names and IPs successfully logged in my remote)?

Posted on 2016-09-01
Last Modified: 2016-09-01
How to see Event ID 1149 using PowerShell or cmd (the names and IPs successfully logged in my remote)? Especially the IPs.
To see reboot history I use this syntax and it works great. Can anyone help me? Thank you.

Get-EventLog System | Where-Object {$_.EventID -eq "1074" -or $_.EventID -eq "6008" -or $_.EventID -eq "1076"} | ft Machinename, TimeWritten, UserName, EventID, Message -AutoSize -Wrap
0
Question by:john lambert
26 Comments
 
LVL 40

Expert Comment

by:Subsun
ID: 41779783
Use Get-WinEvent
Example...
Get-WinEvent "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" | 
?{$_.ID -eq "1149"} | %{						
	New-Object PSObject -Property @{
		MachineName = $_.MachineName
		TimeCreated = $_.TimeCreated
		User = $_.Properties[0].Value            
		Domain = $_.Properties[1].Value            
		SourceIP = $_.Properties[2].Value 
	}
}| Select MachineName,TimeCreated,User,Domain,SourceIP


2
 
LVL 16

Expert Comment

by:Spike99
ID: 41779901
Subsun,
Excellent script which worked for me, but, it gave me a huge amount of data.
So, I added this to the last line to produce a CSV file:

| Export-Csv <PATH to .csv File>

0
 
LVL 40

Expert Comment

by:Subsun
ID: 41779954
Yes, it will pull all 1149 events available on the server. You can also filter using Where-Object to get a single day's events.
0
 

Author Comment

by:john lambert
ID: 41780088
How to solve this?
File C:\Users\User5\Desktop\demo.ps1 cannot be loaded because the execution of
scripts is disabled on this system. Please see "get-help about_signing" for mor
e details.
At line:1 char:32
+ C:\Users\User5\Desktop\demo.ps1 <<<<
    + CategoryInfo          : NotSpecified: (:) [], PSSecurityException
    + FullyQualifiedErrorId : RuntimeException
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780099
You need to change the PowerShell execution policy.
Open the PowerShell console with "Run as administrator" and run the following command:
 Set-ExecutionPolicy remotesigned


1
 

Author Comment

by:john lambert
ID: 41780108
Can you combine all? One click and solve all?
Include this inside the script, to be sure it is activated? Set-ExecutionPolicy remotesigned
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780118
Set-ExecutionPolicy remotesigned
is a one-time task unless you have disabled it using a GPO.
0
 

Author Comment

by:john lambert
ID: 41780122
Can't see the usernames:
MachineName : WIN-ERKU994KAAI
TimeCreated : 9/1/2016 6:48:42
User        :
Domain      :
SourceIP    : 5.15.201.100

MachineName : WIN-ERKU994KAAI
TimeCreated : 9/1/2016 5:39:15
User        :
Domain      :
SourceIP    : 5.15.203.100

MachineName : WIN-ERKU994KAAI
TimeCreated : 9/1/2016 3:52:45


0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780139
Hmm.. I just checked and it works for me.. Can you post a sample log?
0
 

Author Comment

by:john lambert
ID: 41780161
Working for my other RDP:

MachineName : Delphi-Prog2
TimeCreated : 9/1/2016 6:36:21 PM
User        : Administrator
Domain      :
SourceIP    : 172.93.xxx

MachineName : Delphi-Prog2
TimeCreated : 9/1/2016 6:36:18 PM
User        : Administrator
Domain      :
SourceIP    : 172.93.xxx


0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780166
Does the event message have the complete information for User, Domain, Source Network Address?
0
 

Author Comment

by:john lambert
ID: 41780167
Yes, and for my other RDP, username is empty, always:

Remote Desktop Services: User authentication succeeded:

User:
Domain:
Source Network Address: 5.15.xxxx
0
 

Author Comment

by:john lambert
ID: 41780170
No, no complete information for User, Domain, Source Network Address.
I check them all. Usernames, Domains are empty for this RDP.

snapshot
0
 

Author Comment

by:john lambert
ID: 41780194
how to modify the script to output.txt file?
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780202
ok.. script can pull the information from the event, only if it's present there. You can test by logging in using a domain account and see if the server logs the same.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780206
Use Export-csv to export the result...
Get-WinEvent "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" | 
?{$_.ID -eq "1149"} | %{						
	New-Object PSObject -Property @{
		MachineName = $_.MachineName
		TimeCreated = $_.TimeCreated
		User = $_.Properties[0].Value            
		Domain = $_.Properties[1].Value            
		SourceIP = $_.Properties[2].Value 
	}
}| Select MachineName,TimeCreated,User,Domain,SourceIP | Export-csv C:\temp\report.csv -nti


You can open report.csv using Excel.
2
 

Author Comment

by:john lambert
ID: 41780212
I test and it is working perfect, thank you...
0
 

Author Comment

by:john lambert
ID: 41780226
Script working fine.
0
 

Author Comment

by:john lambert
ID: 41780228
And modify the script to see only the users who logged in TODAY?
0
 
LVL 40

Accepted Solution

by:
Subsun earned 500 total points
ID: 41780270
Try this for last 24 hours event details..
Get-WinEvent -FilterHashTable @{LogName="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational";StartTime=(get-date).AddDays(-1);ID=1149} | %{
	New-Object PSObject -Property @{
		MachineName = $_.MachineName
		TimeCreated = $_.TimeCreated
		User = $_.Properties[0].Value            
		Domain = $_.Properties[1].Value            
		SourceIP = $_.Properties[2].Value 
	}
}| Select MachineName,TimeCreated,User,Domain,SourceIP | Export-csv C:\temp\report.csv -nti


2
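
An added example, not part of Subsun's answer or of the thread: it reads the 1149 fields by element name from the event XML, marks events whose user name is empty (as in the output posted earlier), starts the window at local midnight instead of 24 hours back, and summarises per source address. It assumes PowerShell 3.0 or later; the function name `Get-Rdp1149Field` and the sample XML are constructed, and Param1 to Param3 are assumed to be the same fields as the `Properties[0]` to `Properties[2]` positions used above.

```powershell
# Added example; the function name and the sample XML are constructed for illustration.
function Get-Rdp1149Field {
    # Read the 1149 fields by element name from the event XML, not by position.
    param([Parameter(Mandatory)][string]$EventXml)
    $data = ([xml]$EventXml).Event.UserData.EventXML
    [pscustomobject]@{
        User      = [string]$data.Param1
        Domain    = [string]$data.Param2
        SourceIP  = [string]$data.Param3
        # True when the event carries no user name
        UserEmpty = [string]::IsNullOrWhiteSpace([string]$data.Param1)
    }
}

# Constructed sample with empty user and domain (192.0.2.10 is a documentation address).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <UserData><EventXML xmlns="Event_NS">
    <Param1></Param1><Param2></Param2><Param3>192.0.2.10</Param3>
  </EventXML></UserData>
</Event>
'@
Get-Rdp1149Field -EventXml $sample

# Live query: events since local midnight today, one summary row per source address.
$filter = @{
    LogName   = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
    Id        = 1149
    StartTime = (Get-Date).Date
}
# Get-WinEvent raises an error when nothing matches; it is silenced here on purpose.
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-Rdp1149Field -EventXml $_.ToXml()
        $f | Add-Member -NotePropertyName TimeCreated -NotePropertyValue $_.TimeCreated -PassThru
    } |
    Group-Object SourceIP |
    ForEach-Object {
        [pscustomobject]@{
            SourceIP    = $_.Name
            Connections = $_.Count
            Users       = ($_.Group.User | Where-Object { $_ } | Sort-Object -Unique) -join ','
            EmptyUser   = @($_.Group | Where-Object UserEmpty).Count
            First       = ($_.Group.TimeCreated | Measure-Object -Minimum).Minimum
            Last        = ($_.Group.TimeCreated | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Connections -Descending
```

Rows with a high `EmptyUser` count from one address are the ones to compare against other logon records before treating them as interactive sessions.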
 

Author Comment

by:john lambert
ID: 41780286
oh yess thankssssssssssss
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780308
You're Welcome!.. Don't forget to close the question by accepting the answer.. :-)
1
 

Author Closing Comment

by:john lambert
ID: 41780388
thank you
0
 

Author Comment

by:john lambert
ID: 41780391
OK, I close it, thanks. Do you know things about regex codes?
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780449
Not an expert in regex but can help with simple issues.. why?
0
 

Author Comment

by:john lambert
ID: 41780467
0
