Auditing Logons

by Sep 7, 2017

Have you ever wondered whether someone has logged into your PC while you were away? In a previous tip we explained how you can examine the rich auditing information found in the Windows Security log, provided you have Administrator privileges.

To find out who logged into your PC, try the code below! The function Get-LogonInfo searches for security events with ID 4624. Security information is protected, so you need to be an Administrator to run this code. This is why the code uses a #requires statement that prevents non-Admins from running the code.

#requires -RunAsAdministrator

function Get-LogonInfo
{
  param
  (
    [Int]$Newest = [Int]::MaxValue,
    [DateTime]$Before,
    [DateTime]$After,
    [string[]]$ComputerName,
    $Authentication = '*',
    $User = '*',
    $Path = '*'
  )

  # Remove the parameters that Get-EventLog does not understand, so the
  # remaining ones (Before, After, ComputerName) can be splatted as-is
  $null = $PSBoundParameters.Remove('Authentication')
  $null = $PSBoundParameters.Remove('User')
  $null = $PSBoundParameters.Remove('Path')
  $null = $PSBoundParameters.Remove('Newest')

  # Event ID 4624 = "An account was successfully logged on"
  Get-EventLog -LogName Security -InstanceId 4624 @PSBoundParameters |
  ForEach-Object {
    # The interesting fields live at fixed positions in ReplacementStrings
    [PSCustomObject]@{
      Time = $_.TimeGenerated
      User = $_.ReplacementStrings[5]            # target user name
      Domain = $_.ReplacementStrings[6]          # target domain
      Path = $_.ReplacementStrings[17]           # process that performed the logon
      Authentication = $_.ReplacementStrings[10] # authentication package
    }
  } |
  Where-Object Path -like $Path |
  Where-Object User -like $User |
  Where-Object Authentication -like $Authentication |
  Select-Object -First $Newest
}

$yesterday = (Get-Date).AddDays(-1)
Get-LogonInfo -After $yesterday |
Out-GridView

The function also uses the automatic $PSBoundParameters hash table, which contains every parameter the caller actually supplied. Only some of these are meant for Get-EventLog, so the parameters that serve other purposes (Authentication, User, Path, and Newest) are removed from the hash table first. The remaining parameters, Before, After, and ComputerName, can then be splatted straight into Get-EventLog.

Next, the event information is examined. All relevant details can be found in the property ReplacementStrings, which is an array. For events with ID 4624, the sixth element (index 5) is the user name, the seventh (index 6) is the domain, the 11th (index 10) is the authentication package, and the 18th (index 17) lists the path to the executable that performed the logon.

Physical logins are typically performed by lsass, the local security authority. So to see just logins from humans that logged right into your machine, try this:

$yesterday = (Get-Date).AddDays(-1)
Get-LogonInfo -After $yesterday -Path *\lsass.exe |
Out-GridView
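As an added example (not part of the original tip), the same idea using Get-WinEvent, which also exists in PowerShell 7 where Get-EventLog is no longer available. Instead of hard-coded ReplacementStrings positions it reads the named fields from the event XML (standard 4624 field names such as TargetUserName, LogonType, ProcessName, and IpAddress) and lets you filter on the logon type, so interactive console logons (type 2) and Remote Desktop logons (type 10) can be told apart from service and network logons.

```powershell
#requires -RunAsAdministrator

# Reads 4624 events via Get-WinEvent and resolves fields by name from the event XML.
# Field names used below are the standard ones for event 4624 (assumed, not from the tip).
function Get-LogonInfoXml
{
  param
  (
    [DateTime]$After = (Get-Date).AddDays(-1),
    [int[]]$LogonType,        # e.g. 2 = Interactive, 10 = RemoteInteractive
    [string]$User = '*'
  )

  $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $After }

  Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
  ForEach-Object {
    # Turn the <Data Name="..."> elements into a name -> value lookup
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [PSCustomObject]@{
      Time           = $_.TimeCreated
      User           = $data.TargetUserName
      Domain         = $data.TargetDomainName
      LogonType      = [int]$data.LogonType
      Authentication = $data.AuthenticationPackageName
      Path           = $data.ProcessName
      Source         = $data.IpAddress
      Workstation    = $data.WorkstationName
    }
  } |
  Where-Object { $_.User -like $User } |
  Where-Object { -not $LogonType -or $_.LogonType -in $LogonType } |
  Where-Object {
    # Skip the machine account and SYSTEM, which log on constantly
    $_.User -notlike '*$' -and $_.User -ne 'SYSTEM'
  }
}

# Console and Remote Desktop logons from the last 24 hours, newest first
Get-LogonInfoXml -LogonType 2, 10 |
Sort-Object Time -Descending |
Format-Table Time, User, Domain, LogonType, Source, Path -AutoSize
```

Drop the -LogonType argument to see every successful logon, including the network and service logons that the lsass filter in the tip above leaves out.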
