Solved

How to see Event ID 1149 using powershell or cmd (the names and IPs  successfully logged in my remote)?

Posted on 2016-09-01
26
143 Views
Last Modified: 2016-09-01
How to see Event ID 1149 using powershell or cmd (the names and IPs  successfully logged in my remote)?Especially the IP's
To see reboot history i use this syntax and works great.Can anyone help me?thank you

Get-EventLog System | Where-Object {$_.EventID -eq "1074" -or $_.EventID -eq "6008" -or $_.EventID -eq "1076"} | ft Machinename, TimeWritten, UserName, EventID, Message -AutoSize -Wrap
0
Comment
Question by:john lambert
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 14
  • 11
26 Comments
 
LVL 40

Expert Comment

by:Subsun
ID: 41779783
Use Get-WinEvent
Example...
Get-WinEvent "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" | 
?{$_.ID -eq "1149"} | %{						
	New-Object PSObject -Property @{
		MachineName = $_.MachineName
		TimeCreated = $_.TimeCreated
		User = $_.Properties[0].Value            
		Domain = $_.Properties[1].Value            
		SourceIP = $_.Properties[2].Value 
	}
}| Select MachineName,TimeCreated,User,Domain,SourceIP

Open in new window

2
 
LVL 17

Expert Comment

by:Spike99
ID: 41779901
Subsun,
Excellent script which worked for me, but, it gave me a huge amount of data.
So, I added this to the last line to produce a CSV file:

| Export-Csv <PATH to .csv File>

0
 
LVL 40

Expert Comment

by:Subsun
ID: 41779954
Yes, it will pull all 1149 events available on server. you can also filter using Where-Object to get a single days event..
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 

Author Comment

by:john lambert
ID: 41780088
how to solve this??
File C:\Users\User5\Desktop\demo.ps1 cannot be loaded because the execution of
scripts is disabled on this system. Please see "get-help about_signing" for mor
e details.
At line:1 char:32
+ C:\Users\User5\Desktop\demo.ps1 <<<<
    + CategoryInfo          : NotSpecified: (:) [], PSSecurityException
    + FullyQualifiedErrorId : RuntimeException
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780099
You need to change the powershell execution policy
Open the powershell console with run as administrator and run the following command
 Set-ExecutionPolicy remotesigned

Open in new window

1
 

Author Comment

by:john lambert
ID: 41780108
can u combine all?one click and solve all??
include this inside the script?to be sure is activated?: Set-ExecutionPolicy remotesigned
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780118
Set-ExecutionPolicy remotesigned
is a one time task unless you have disabled it using a GPO.
0
 

Author Comment

by:john lambert
ID: 41780122
can't see the usarnames:
MachineName : WIN-ERKU994KAAI
TimeCreated : 9/1/2016 6:48:42
User        :
Domain      :
SourceIP    : 5.15.201.100

MachineName : WIN-ERKU994KAAI
TimeCreated : 9/1/2016 5:39:15
User        :
Domain      :
SourceIP    : 5.15.203.100

MachineName : WIN-ERKU994KAAI
TimeCreated : 9/1/2016 3:52:45

Open in new window

0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780139
Hmm.. I just checked and it works for me.. Can you post a sample log?
0
 

Author Comment

by:john lambert
ID: 41780161
working for my other rdp

MachineName : Delphi-Prog2
TimeCreated : 9/1/2016 6:36:21 PM
User        : Administrator
Domain      :
SourceIP    : 172.93.xxx

MachineName : Delphi-Prog2
TimeCreated : 9/1/2016 6:36:18 PM
User        : Administrator
Domain      :
SourceIP    : 172.93.xxx

Open in new window

0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780166
Does the event message have the complete information for  User, Domain, Source Network Address?
0
 

Author Comment

by:john lambert
ID: 41780167
yes and for my other rdp , username is empty,always

Remote Desktop Services: User authentication succeeded:

User:
Domain:
Source Network Address: 5.15.xxxx
0
 

Author Comment

by:john lambert
ID: 41780170
No no  complete information for  User, Domain, Source Network Address
I check them all  Usernames ,Domains are empty for this rdp

snapshot
0
 

Author Comment

by:john lambert
ID: 41780194
how to modify the script to output.txt file?
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780202
ok.. script can pull the information from the event, only if it's present there. You can test by logging in using a domain account and see if the server logs the same.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780206
Use Export-csv to export the result...
Get-WinEvent "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" | 
?{$_.ID -eq "1149"} | %{						
	New-Object PSObject -Property @{
		MachineName = $_.MachineName
		TimeCreated = $_.TimeCreated
		User = $_.Properties[0].Value            
		Domain = $_.Properties[1].Value            
		SourceIP = $_.Properties[2].Value 
	}
}| Select MachineName,TimeCreated,User,Domain,SourceIP | Export-csv C:\temp\report.csv -nti

Open in new window

You can open report.csv using excel.
2
 

Author Comment

by:john lambert
ID: 41780212
i test and is working perfect,thank you...
0
 

Author Comment

by:john lambert
ID: 41780226
script working fine
0
 

Author Comment

by:john lambert
ID: 41780228
and modify script to see only the suers who logged TODAY?
0
 
LVL 40

Accepted Solution

by:
Subsun earned 500 total points
ID: 41780270
Try this for last 24 hours event details..
Get-WinEvent -FilterHashTable @{LogName="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational";StartTime=(get-date).AddDays(-1);ID=1149} | %{
	New-Object PSObject -Property @{
		MachineName = $_.MachineName
		TimeCreated = $_.TimeCreated
		User = $_.Properties[0].Value            
		Domain = $_.Properties[1].Value            
		SourceIP = $_.Properties[2].Value 
	}
}| Select MachineName,TimeCreated,User,Domain,SourceIP | Export-csv C:\temp\report.csv -nti

Open in new window

2
 

Author Comment

by:john lambert
ID: 41780286
oh yess thankssssssssssss
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780308
You're Welcome!.. Don't forget to close the question by accepting the answer.. :-)
1
 

Author Closing Comment

by:john lambert
ID: 41780388
thank you
0
 

Author Comment

by:john lambert
ID: 41780391
ok i close it thanks , do u know things about regex codes?
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41780449
not an expert in regex but can help with simple issues.. why?
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A procedure for exporting installed hotfix details of remote computers using powershell
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question