Solved

How to see Event ID 1149 using powershell or cmd (the names and IPs  successfully logged in my remote)?

Posted on 2016-09-01
26
93 Views
Last Modified: 2016-09-01
How to see Event ID 1149 using powershell or cmd (the names and IPs  successfully logged in my remote)?Especially the IP's
To see reboot history i use this syntax and works great.Can anyone help me?thank you

Get-EventLog System | Where-Object {$_.EventID -eq "1074" -or $_.EventID -eq "6008" -or $_.EventID -eq "1076"} | ft Machinename, TimeWritten, UserName, EventID, Message -AutoSize -Wrap
0
Comment
Question by:john lambert
  • 14
  • 11
26 Comments
 
LVL 40

Expert Comment

by:Subsun
ID: 41779783
Use Get-WinEvent
Example...
Get-WinEvent "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" | 
?{$_.ID -eq "1149"} | %{						
	New-Object PSObject -Property @{
		MachineName = $_.MachineName
		TimeCreated = $_.TimeCreated
		User = $_.Properties[0].Value            
		Domain = $_.Properties[1].Value            
		SourceIP = $_.Properties[2].Value 
	}
}| Select MachineName,TimeCreated,User,Domain,SourceIP

Open in new window

2
 
LVL 16

Expert Comment

by:Spike99
ID: 41779901
Subsun,
Excellent script which worked for me, but, it gave me a huge amount of data.
So, I added this to the last line to produce a CSV file:

| Export-Csv <PATH to .csv File>

0
 
LVL 40

Expert Comment

by:Subsun
ID: 41779954
Yes, it will pull all 1149 events available on server. you can also filter using Where-Object to get a single days event..
0
 

Author Comment

by:john lambert
ID: 41780088
how to solve this??
File C:\Users\User5\Desktop\demo.ps1 cannot be loaded because the execution of
scripts is disabled on this system. Please see "get-help about_signing" for mor
e details.
At line:1 char:32
+ C:\Users\User5\Desktop\demo.ps1 <<<<
    + CategoryInfo          : NotSpecified: (:) [], PSSecurityException
    + FullyQualifiedErrorId : RuntimeException
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780099
You need to change the powershell execution policy
Open the powershell console with run as administrator and run the following command
 Set-ExecutionPolicy remotesigned

Open in new window

1
 

Author Comment

by:john lambert
ID: 41780108
can u combine all?one click and solve all??
include this inside the script?to be sure is activated?: Set-ExecutionPolicy remotesigned
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780118
Set-ExecutionPolicy remotesigned
is a one time task unless you have disabled it using a GPO.
0
 

Author Comment

by:john lambert
ID: 41780122
can't see the usarnames:
MachineName : WIN-ERKU994KAAI
TimeCreated : 9/1/2016 6:48:42
User        :
Domain      :
SourceIP    : 5.15.201.100

MachineName : WIN-ERKU994KAAI
TimeCreated : 9/1/2016 5:39:15
User        :
Domain      :
SourceIP    : 5.15.203.100

MachineName : WIN-ERKU994KAAI
TimeCreated : 9/1/2016 3:52:45

Open in new window

0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780139
Hmm.. I just checked and it works for me.. Can you post a sample log?
0
 

Author Comment

by:john lambert
ID: 41780161
working for my other rdp

MachineName : Delphi-Prog2
TimeCreated : 9/1/2016 6:36:21 PM
User        : Administrator
Domain      :
SourceIP    : 172.93.xxx

MachineName : Delphi-Prog2
TimeCreated : 9/1/2016 6:36:18 PM
User        : Administrator
Domain      :
SourceIP    : 172.93.xxx

Open in new window

0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780166
Does the event message have the complete information for  User, Domain, Source Network Address?
0
 

Author Comment

by:john lambert
ID: 41780167
yes and for my other rdp , username is empty,always

Remote Desktop Services: User authentication succeeded:

User:
Domain:
Source Network Address: 5.15.xxxx
0
 

Author Comment

by:john lambert
ID: 41780170
No no  complete information for  User, Domain, Source Network Address
I check them all  Usernames ,Domains are empty for this rdp

snapshot
0
NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

 

Author Comment

by:john lambert
ID: 41780194
how to modify the script to output.txt file?
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780202
ok.. script can pull the information from the event, only if it's present there. You can test by logging in using a domain account and see if the server logs the same.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780206
Use Export-csv to export the result...
Get-WinEvent "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" | 
?{$_.ID -eq "1149"} | %{						
	New-Object PSObject -Property @{
		MachineName = $_.MachineName
		TimeCreated = $_.TimeCreated
		User = $_.Properties[0].Value            
		Domain = $_.Properties[1].Value            
		SourceIP = $_.Properties[2].Value 
	}
}| Select MachineName,TimeCreated,User,Domain,SourceIP | Export-csv C:\temp\report.csv -nti

Open in new window

You can open report.csv using excel.
2
 

Author Comment

by:john lambert
ID: 41780212
i test and is working perfect,thank you...
0
 

Author Comment

by:john lambert
ID: 41780226
script working fine
0
 

Author Comment

by:john lambert
ID: 41780228
and modify script to see only the suers who logged TODAY?
0
 
LVL 40

Accepted Solution

by:
Subsun earned 500 total points
ID: 41780270
Try this for last 24 hours event details..
Get-WinEvent -FilterHashTable @{LogName="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational";StartTime=(get-date).AddDays(-1);ID=1149} | %{
	New-Object PSObject -Property @{
		MachineName = $_.MachineName
		TimeCreated = $_.TimeCreated
		User = $_.Properties[0].Value            
		Domain = $_.Properties[1].Value            
		SourceIP = $_.Properties[2].Value 
	}
}| Select MachineName,TimeCreated,User,Domain,SourceIP | Export-csv C:\temp\report.csv -nti

Open in new window

2
 

Author Comment

by:john lambert
ID: 41780286
oh yess thankssssssssssss
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780308
You're Welcome!.. Don't forget to close the question by accepting the answer.. :-)
1
 

Author Closing Comment

by:john lambert
ID: 41780388
thank you
0
 

Author Comment

by:john lambert
ID: 41780391
ok i close it thanks , do u know things about regex codes?
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780449
not an expert in regex but can help with simple issues.. why?
0
 

Author Comment

by:john lambert
ID: 41780467
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This script checks a path to see if a folder exists. If the folder does exist you will get output "The folder has previously been created. No action taken" If not it will create the folder. Then adds one user modify permission to the folder. It …
Create and license users in Office 365 in bulk based on a CSV file. A step-by-step guide with PowerShell script examples.
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …
I designed this idea while studying technology in the classroom.  This is a semester long project.  Students are asked to take photographs on a specific topic which they find meaningful, it can be a place or situation such as travel or homelessness.…

919 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now