
Solved

PowerShell to find remote logins

Posted on 2016-09-26
Medium Priority
146 Views
Last Modified: 2016-09-29
I need a PowerShell script which I can run against a list of PCs (Windows 7) and save the output to CSV/Excel.

I've done some searching and found the code below provides the raw data I need (but now need to get this data from multiple PCs and get the output to a file).

E.g. of PowerShell script:

# Event IDs to keep (1024 = "RDP ClientActiveX is trying to connect to the server (...)")
$IDs = @(
    "1024"
)
# Read the client-side RDP log on one PC, then keep only the wanted event IDs.
# Note: User and SourceIP are not properties of an event record, so those columns come back empty.
Get-WinEvent -ComputerName IS-020115-RL -LogName "Microsoft-Windows-TerminalServices-RDPClient/Operational" |
    Select-Object MachineName,Message,User,TimeCreated,SourceIP,Id |
    Where-Object { $IDs -contains $_.Id }

E.g. of screen output:

MachineName : IS-020115-RL.internal.thewinesociety.com
Message     : RDP ClientActiveX is trying to connect to the server (Sophos)
User        :
TimeCreated : 09/06/2016 17:03:40
SourceIP    :
Id          : 1024

The specific info I need is the remote computer name "Sophos" in the above and TimeCreated.  I'm really under time pressure so am looking for the 'complete' script, not hints please.
Attachment: EgScript.txt
Question by: fieldj
6 Comments
 
LVL 40

Expert Comment

by:Subsun
ID: 41816018
> The specific info I need is the remote computer name "Sophos" in the above and TimeCreated.  I'm really under time pressure so am looking for the 'complete' script, not hints please.
I presume you need the remote computer in the message as a separate property in the output and the script should run against multiple computers. If yes, try the following code:
GC C:\Computers.txt | % {                       # one computer name per line
    Write-Host "Working on $_"
    Get-WinEvent -ComputerName $_ -FilterHashTable @{LogName="Microsoft-Windows-TerminalServices-RDPClient/Operational";ID=1024} |
    Select *,@{N="RemoteComp";E={$_.Properties[1].Value}}   # remote computer name from the event's parameter list
} | Select MachineName,Message,TimeCreated,Id,RemoteComp |
Export-Csv C:\temp\report.csv -NoTypeInformation

You can place the computers you want to search in the input file.
Computers.txt format:
ComputerA
ComputerB
ComputerC
 

Author Comment

by:fieldj
ID: 41816197
Hi Subsun
Thanks, I'm just trying this now - a couple of questions.
If the remote PC has never RDP'd into another PC/server, will the output file list the computer name then NUL, so you know it's been queried but no results were found?
Is it possible to constrain the log to just the last 90 days?
Thanks
 
LVL 40

Expert Comment

by:Subsun
ID: 41816216
Change line 3 to the following to get the last 90 days' logs:
Get-WinEvent -ComputerName $_ -FilterHashTable @{LogName="Microsoft-Windows-TerminalServices-RDPClient/Operational";StartTime=(Get-Date).AddDays(-90);ID=1024} |

The script will read the RemoteComp property value from the message part of the event; if the server is not listed in the event message then the result will be null.
And if there is no 1024 event, then you may get the error "No events were found that match the specified selection criteria".
 

Author Comment

by:fieldj
ID: 41817569
Hi Subsun

I have run this now; it works well, but I wonder if it's possible to capture the error
"Get-WinEvent : The RPC server is unavailable" in the output file.

My understanding is I get this error because the computer it's querying is off.  As I'm running against 100s of machines, if the error was output to file it would make it much easier to power on the machines and run again against just those that were missed.

Thanks again
 
LVL 40

Accepted Solution

by: Subsun (earned 2000 total points)
ID: 41817645
You can use Try/Catch for error handling:
GC C:\Computers.txt | % {
    $comp = $_
    Write-Host "Working on $comp"
    Try {
        # -ea 1 is -ErrorAction Stop: a failed query (e.g. RPC server unavailable) becomes a terminating error that Catch sees
        Get-WinEvent -ComputerName $comp -FilterHashTable @{LogName="Microsoft-Windows-TerminalServices-RDPClient/Operational";ID=1024} -ea 1 |
        Select *,@{N="RemoteComp";E={$_.Properties[1].Value}}
    } Catch {
        # one row per failed computer, with the error text in the Message column; the other columns stay empty
        $_.Exception.Message | Select @{N="MachineName";E={$comp}},@{N="Message";E={$_}},TimeCreated,Id,RemoteComp
    }
} | Select MachineName,Message,TimeCreated,Id,RemoteComp |
Export-Csv C:\temp\report.csv -NoTypeInformation

Ref: http://ss64.com/ps/try.html
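Putting the thread's pieces together (multiple PCs, a 90-day window, the remote computer name as its own column, and a row for hosts that could not be queried), here is an added example; it is not code from the question or from Subsun's posts. It assumes PowerShell 3.0 or later on the machine running it, one hostname per line in C:\Computers.txt, RPC reachability and event-log read rights on the targets, and an existing C:\temp folder. The Status column, the retry-hosts.txt output, the regex fallback for the destination name and the output file name are my additions, not something the thread used.

```powershell
# Added example for this thread, not code from the original posts. Assumptions:
# PowerShell 3.0+ where this runs, one hostname per line in C:\Computers.txt,
# RPC reachability to each host, and C:\temp existing. Column names follow the
# thread's CSV; Status and the retry list are additions.
param(
    [string]$ComputerList = 'C:\Computers.txt',
    [string]$OutFile      = 'C:\temp\rdp-client-report.csv',
    [int]$Days            = 90
)

$LogName = 'Microsoft-Windows-TerminalServices-RDPClient/Operational'

function ConvertTo-RdpRow {
    # Turn one 1024 event into a flat row. The destination host is taken from the
    # event's parameter list (as in the thread), with the "(...)" at the end of the
    # message as a fallback in case the parameter layout differs on some client.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $target = $null
    if ($Event.Properties.Count -gt 1) { $target = $Event.Properties[1].Value }
    if (-not $target -and $Event.Message -match '\((?<t>[^()]+)\)\s*$') { $target = $Matches['t'] }
    [pscustomobject]@{
        MachineName = $Event.MachineName
        Status      = 'OK'
        TimeCreated = $Event.TimeCreated
        Id          = $Event.Id
        RemoteComp  = $target
        Message     = $Event.Message
    }
}

function Get-RdpClientAttempts {
    # Query one PC. Every outcome becomes a row, so the CSV shows which hosts
    # were queried, which had no matching events, and which could not be reached.
    param([string]$ComputerName, [datetime]$Since)
    $filter = @{ LogName = $LogName; Id = 1024; StartTime = $Since }
    try {
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object { ConvertTo-RdpRow -Event $_ }
    } catch {
        $msg = $_.Exception.Message
        # With -ErrorAction Stop, "no events found" is also a terminating error; keep it
        # apart from an unreachable host so the retry list only holds real failures.
        $status = if     ($msg -match 'No events were found')     { 'NoEvents' }
                  elseif ($msg -match 'RPC server is unavailable') { 'Unreachable' }
                  elseif ($msg -match 'Access is denied')          { 'AccessDenied' }
                  else                                             { 'Error' }
        [pscustomobject]@{
            MachineName = $ComputerName
            Status      = $status
            TimeCreated = $null
            Id          = $null
            RemoteComp  = $null
            Message     = $msg
        }
    }
}

$since = (Get-Date).AddDays(-$Days)
$rows  = Get-Content $ComputerList |
    Where-Object { $_.Trim() -ne '' } |
    ForEach-Object {
        Write-Host "Working on $_"
        Get-RdpClientAttempts -ComputerName $_.Trim() -Since $since
    }

$rows | Export-Csv -Path $OutFile -NoTypeInformation

# Hosts to re-run once they are powered on, one name per line, in the same
# format as the input list so the file can be passed straight back as -ComputerList.
$rows | Where-Object { $_.Status -eq 'Unreachable' } |
    Select-Object -ExpandProperty MachineName -Unique |
    Set-Content -Path (Join-Path (Split-Path -Parent $OutFile) 'retry-hosts.txt')
```

Two caveats a practitioner would want on top of the thread's script: event 1024 records that the client tried to connect to the named server (see the message text in the question), not that the logon succeeded, so treat the output as a list of outbound attempts rather than confirmed sessions; and the Operational channel on a client is small and wraps, so a "NoEvents" row for a 90-day window may just mean the entries have rolled off, not that the PC never used RDP.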
 

Author Closing Comment

by:fieldj
ID: 41821460
Great help, thank you


Question has a verified solution.
