trying to get logon/logoff on a domain | PowerShell | Page 1

heavy trench Jun 24, 2024, 1:10 PM

#

Hello, i try to get logon/logoff for period of the last week-end (2024-06-22 to 2024-06-24)

All i could do was:

Get-WinEvent -FilterHashtable @{
 LogName = 'Security'
 Id = 4624
 StartTime = "22/06/2024"
 EndTime = "24/06/2024"
}

But there is so much entries … must be each process which logon/logoff (several logon per seconds).
How can i filter that for human users ?

Thank you.

modern drum Jun 24, 2024, 1:24 PM

#

Hello
Maybe you can check the Logon Type
For example the 2
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624#logon-types-and-descriptions

4624(S) An account was successfully logged on. - Windows 10

Describes security event 4624(S) An account was successfully logged on.

heavy trench Jun 24, 2024, 1:29 PM

#

Thank you. I should filter with Select-Object with correct type, shouldn't i ?

Get-WinEvent -FilterHashtable @{
 LogName = 'Security'

 Id = 4624

 StartTime = "22/06/2024"
 EndTime = "24/06/2024"

} | Select-Object @{Type=2}

but i get an error on the Select-Object (invalid argument)

modern drum Jun 24, 2024, 1:35 PM

#

Select-Object is to choose a property to display/use. To filter you must do a Where-Object

#

For exemple

| Where-Object Type -eq 2

heavy trench Jun 24, 2024, 1:40 PM

#

ah, i see, thank you. And what i want is type 3 (for remote logging)

#

Get-WinEvent -FilterHashtable @{
 LogName = 'Security'
 Id = 4624
 StartTime = "22/06/2024"
 EndTime = "24/06/2024"
} | Where-Object Type -eq 3

Unfortunately, it returns nothing. I should have mentioned i try to get login/logoff from the domains on a windows server. May be it's not the good method.

modern drum Jun 24, 2024, 2:19 PM

#

I just checked

$Events = Get-WinEvent -FilterHashtable @{
 LogName = 'Security'
 Id = 4624
 StartTime = "22/06/2024"
 EndTime = "24/06/2024"
}

If you look at the members of the EventLogRecord class you will see that there is no Type property
https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogrecord

$Events | Get-Memeber

If you want to see all the values for each property you can do a Select-Object *
For example,, to watch only the first event in the extracted Event list

$Events[0] | Select-Object *

You will see that the Logon Type value is in the Message property
Unfortunately this property is a block of text

$Events[0].Message.GetType()

IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     True     String                                   System.Object

It will therefore be necessary to filter the text using the Select-String command.

$Events | Where-Object { $_.Message | Select-String "Logon Type:\s+3"}

Another technique is to go through the properties of the EventLogRecord object
If you look at the properties property, you will see that the eighth value is Logon Type

$Events[0].Properties

So we can make the filter on this eighth value of the Properties property

$Events |  Where-Object {$_.properties[8].value -eq 3}

heavy trench Jun 24, 2024, 2:33 PM

#

thank you for taking time to explain !

#trying to get logon/logoff on a domain