PowerShell to find remote logins

I need a powershell script which I can run against a list of PCs (Windows 7) and save the output to csv/excel.

I've done some searching and found the code below provides the raw data i need (but now need to get this data from multiple PCs and get the output to a file)

E.g. of PowelShell script:

$IDs = @(
"1024"
)
Get-WinEvent -ComputerName IS-020115-RL -logname "Microsoft-Windows-TerminalServices-RDPClient/Operational" | Select MachineName,Message,User,TimeCreated,SourceIP,Id | Where-Object {($IDs -contains $_.id)}

E.g. of screen output:

MachineName : IS-020115-RL.internal.thewinesociety.com
Message : RDP ClientActiveX is trying to connect to the server (Sophos)
User :
TimeCreated : 09/06/2016 17:03:40
SourceIP :
Id : 1024

The specific info I need are the remote computer name "Sophos" in the above and TimeCreated. I'm really under time pressure so am looking for the 'complete' script not hints please.
EgScript.txt

Windows Server 2008Microsoft Server OSPowershell

Last Comment

fieldj

8/22/2022 - Mon

SubSun

9/26/2016

The specific info I need are the remote computer name "Sophos" in the above and TimeCreated. I'm really under time pressure so am looking for the 'complete' script not hints please.

I presume you need the remote computer in message as a separate property in the output and the script should run against multiple computers.. If yes, Try following code..

GC C:\Computers.txt | % {
	Write-Host "Working on $_"
	Get-WinEvent -ComputerName $_ -FilterHashTable @{LogName="Microsoft-Windows-TerminalServices-RDPClient/Operational";ID=1024} | 
	Select *,@{N="RemoteComp";E={$_.Properties[1].Value}}
}| Select MachineName,Message,TimeCreated,Id,RemoteComp | 
Export-csv C:\temp\report.csv -nti

Open in new window

You can place the computers you want to search In the input file..
Computers.txt format.

ComputerA
ComputerB
ComputerC

Open in new window

fieldj

9/26/2016

ASKER

Hi Subsun
Thanks I just trying this now - a couple of questions.
If the remote PC has never RDP'd into another PC/Server will the output file list the computer name then NUL / so you know its been queried but no results found?
Is it possible to constrain the log to just the last 90 days?
Thanks

SubSun

9/26/2016

Change line 3 to following to get last 90 days logs..

Get-WinEvent -ComputerName $_ -FilterHashTable @{LogName="Microsoft-Windows-TerminalServices-RDPClient/Operational";StartTime=(get-date).AddDays(-90);ID=1024} |

Open in new window

Script will read the RemoteComp property value from the message part of the event, if the server is not listed in event message then the result will be null.
and if there is no 1024 event, Then you may get error No events were found that match the specified selection criteria...

This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.

rwheeler23

fieldj

9/27/2016

ASKER

Hi Subsun

I have run this now, it works well but i wonder if its possible to capture the error
"Get-WinEvent : The RPC server is unavailable" on the output file.

My understanding is, I get this error because the computer its querying is off. As I'm running against 100s of machines if the error was output to file it would make it much easier to power on the machines, and run run against just those that were missed.

Thanks again

ASKER CERTIFIED SOLUTION

SubSun

9/27/2016

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.

View this solution by signing up for a free trial.

Members can start a 7-Day free trial and enjoy unlimited access to the platform.

See Pricing Options

Start Free Trial

GET A PERSONALIZED SOLUTION

Ask your own question & get feedback from real experts

Find out why thousands trust the EE community with their toughest problems.

fieldj

9/29/2016

ASKER

Great help, thank you