Solved

PowerShell to find remote logins

Posted on 2016-09-26
6
131 Views
Last Modified: 2016-09-29
I need a powershell script which I can run against a list of PCs (Windows 7) and save the output to csv/excel.

I've done some searching and found the code below provides the raw data i need (but now need to get this data from multiple PCs and get the output to a file)

E.g. of PowelShell script:
             
$IDs = @(
                    "1024"
                )
Get-WinEvent -ComputerName IS-020115-RL -logname "Microsoft-Windows-TerminalServices-RDPClient/Operational" | Select MachineName,Message,User,TimeCreated,SourceIP,Id | Where-Object {($IDs -contains $_.id)}

E.g. of screen output:

MachineName : IS-020115-RL.internal.thewinesociety.com
Message     : RDP ClientActiveX is trying to connect to the server (Sophos)
User        :
TimeCreated : 09/06/2016 17:03:40
SourceIP    :
Id          : 1024

The specific info I need are the remote computer name "Sophos" in the above and TimeCreated.  I'm really under time pressure so am looking for the 'complete' script not hints please.
EgScript.txt
0
Comment
Question by:fieldj
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 40

Expert Comment

by:Subsun
ID: 41816018
The specific info I need are the remote computer name "Sophos" in the above and TimeCreated.  I'm really under time pressure so am looking for the 'complete' script not hints please.
I presume you need the remote computer in message as a separate property in the output and the script should run against multiple computers.. If yes, Try following code..
GC C:\Computers.txt | % {
	Write-Host "Working on $_"
	Get-WinEvent -ComputerName $_ -FilterHashTable @{LogName="Microsoft-Windows-TerminalServices-RDPClient/Operational";ID=1024} | 
	Select *,@{N="RemoteComp";E={$_.Properties[1].Value}}
}| Select MachineName,Message,TimeCreated,Id,RemoteComp | 
Export-csv C:\temp\report.csv -nti

Open in new window

You can place the computers you want to search In the input file..
Computers.txt format.
ComputerA
ComputerB
ComputerC

Open in new window

0
 

Author Comment

by:fieldj
ID: 41816197
Hi Subsun
Thanks I just trying this now - a couple of questions.  
If the remote PC has never RDP'd into another PC/Server will the output file list the computer name then NUL / so you know its been queried but no results found?
Is it possible to constrain the log to just the last 90 days?
Thanks
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41816216
Change line 3 to following to get last 90 days logs..
Get-WinEvent -ComputerName $_ -FilterHashTable @{LogName="Microsoft-Windows-TerminalServices-RDPClient/Operational";StartTime=(get-date).AddDays(-90);ID=1024} | 

Open in new window


Script will read the RemoteComp property value from the message part of the event, if the server is not listed in event message then the result will be null.
and if there is no 1024 event, Then you may get error No events were found that match the specified selection criteria...
0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 

Author Comment

by:fieldj
ID: 41817569
Hi Subsun

I have run this now, it works well but i wonder if its possible to capture the error
"Get-WinEvent : The RPC server is unavailable" on the output file.  

My understanding is, I get this error because the computer its querying is off.  As I'm running against 100s of machines if the error was output to file it would make it much easier to power on the machines, and run run against just those that were missed.

Thanks again
0
 
LVL 40

Accepted Solution

by:
Subsun earned 500 total points
ID: 41817645
You can use the Try/Catch for error handling..
GC C:\Computers.txt | % {
$comp = $_
	Write-Host "Working on $comp"
	Try{Get-WinEvent -ComputerName $comp -FilterHashTable @{LogName="Microsoft-Windows-TerminalServices-RDPClient/Operational";ID=1024} -ea 1 | 
	Select *,@{N="RemoteComp";E={$_.Properties[1].Value}}
	}Catch{
	$_.Exception.Message | Select @{N="MachineName";E={$comp}},@{N="Message";E={$_}},TimeCreated,Id,RemoteComp
	}
}| Select MachineName,Message,TimeCreated,Id,RemoteComp | 
Export-csv C:\temp\report.csv -nti

Open in new window

Ref : http://ss64.com/ps/try.html
0
 

Author Closing Comment

by:fieldj
ID: 41821460
Great help, thank you
0

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Nano Server Image Builder helps you create a custom Nano Server image and bootable USB media with the aid of a graphical interface. Based on the inputs you provide, it generates images for deployment and creates reusable PowerShell scripts that …
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
Suggested Courses

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question