Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

PowerShell to find remote logins

Posted on 2016-09-26
6
Medium Priority
?
167 Views
Last Modified: 2016-09-29
I need a powershell script which I can run against a list of PCs (Windows 7) and save the output to csv/excel.

I've done some searching and found the code below provides the raw data i need (but now need to get this data from multiple PCs and get the output to a file)

E.g. of PowelShell script:
             
$IDs = @(
                    "1024"
                )
Get-WinEvent -ComputerName IS-020115-RL -logname "Microsoft-Windows-TerminalServices-RDPClient/Operational" | Select MachineName,Message,User,TimeCreated,SourceIP,Id | Where-Object {($IDs -contains $_.id)}

E.g. of screen output:

MachineName : IS-020115-RL.internal.thewinesociety.com
Message     : RDP ClientActiveX is trying to connect to the server (Sophos)
User        :
TimeCreated : 09/06/2016 17:03:40
SourceIP    :
Id          : 1024

The specific info I need are the remote computer name "Sophos" in the above and TimeCreated.  I'm really under time pressure so am looking for the 'complete' script not hints please.
EgScript.txt
0
Comment
Question by:fieldj
  • 3
  • 3
6 Comments
 
LVL 40

Expert Comment

by:Subsun
ID: 41816018
The specific info I need are the remote computer name "Sophos" in the above and TimeCreated.  I'm really under time pressure so am looking for the 'complete' script not hints please.
I presume you need the remote computer in message as a separate property in the output and the script should run against multiple computers.. If yes, Try following code..
GC C:\Computers.txt | % {
	Write-Host "Working on $_"
	Get-WinEvent -ComputerName $_ -FilterHashTable @{LogName="Microsoft-Windows-TerminalServices-RDPClient/Operational";ID=1024} | 
	Select *,@{N="RemoteComp";E={$_.Properties[1].Value}}
}| Select MachineName,Message,TimeCreated,Id,RemoteComp | 
Export-csv C:\temp\report.csv -nti

Open in new window

You can place the computers you want to search In the input file..
Computers.txt format.
ComputerA
ComputerB
ComputerC

Open in new window

0
 

Author Comment

by:fieldj
ID: 41816197
Hi Subsun
Thanks I just trying this now - a couple of questions.  
If the remote PC has never RDP'd into another PC/Server will the output file list the computer name then NUL / so you know its been queried but no results found?
Is it possible to constrain the log to just the last 90 days?
Thanks
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41816216
Change line 3 to following to get last 90 days logs..
Get-WinEvent -ComputerName $_ -FilterHashTable @{LogName="Microsoft-Windows-TerminalServices-RDPClient/Operational";StartTime=(get-date).AddDays(-90);ID=1024} | 

Open in new window


Script will read the RemoteComp property value from the message part of the event, if the server is not listed in event message then the result will be null.
and if there is no 1024 event, Then you may get error No events were found that match the specified selection criteria...
0
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

 

Author Comment

by:fieldj
ID: 41817569
Hi Subsun

I have run this now, it works well but i wonder if its possible to capture the error
"Get-WinEvent : The RPC server is unavailable" on the output file.  

My understanding is, I get this error because the computer its querying is off.  As I'm running against 100s of machines if the error was output to file it would make it much easier to power on the machines, and run run against just those that were missed.

Thanks again
0
 
LVL 40

Accepted Solution

by:
Subsun earned 2000 total points
ID: 41817645
You can use the Try/Catch for error handling..
GC C:\Computers.txt | % {
$comp = $_
	Write-Host "Working on $comp"
	Try{Get-WinEvent -ComputerName $comp -FilterHashTable @{LogName="Microsoft-Windows-TerminalServices-RDPClient/Operational";ID=1024} -ea 1 | 
	Select *,@{N="RemoteComp";E={$_.Properties[1].Value}}
	}Catch{
	$_.Exception.Message | Select @{N="MachineName";E={$comp}},@{N="Message";E={$_}},TimeCreated,Id,RemoteComp
	}
}| Select MachineName,Message,TimeCreated,Id,RemoteComp | 
Export-csv C:\temp\report.csv -nti

Open in new window

Ref : http://ss64.com/ps/try.html
0
 

Author Closing Comment

by:fieldj
ID: 41821460
Great help, thank you
0

Featured Post

Ready for your healthcare security check-up?

In the past few years, healthcare organizations have become a prime target for advanced attacks. Does your organization have what it needs to defend itself? Schedule your healthcare security check-up today and download our free Healthcare Security Resource Kit today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently we ran in to an issue while running some SQL jobs where we were trying to process the cubes.  We got an error saying failure stating 'NT SERVICE\SQLSERVERAGENT does not have access to Analysis Services. So this is a way to automate that wit…
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question