Powershell command to find logon and logoff times of a local account

  • Question

  • Hi Guys, 

    I have been trying to find a Powershell script that will list all the dates and times of each logon and logoff of a local user (Not AD) for the last 30 days. I can only find a script that does this for AD, anyone know a script to do this for a local user?

    Regards

    Dan

    Tuesday, August 6, 2019 9:40 AM

Answers

  • You may need to use the event IDs in order to filter the logons and logoffs; once done, you can filter out the local users from the same. Below might help:

    # 4624 = logon, 4634 = logoff. LogonType sits at Properties[8] for 4624 and
    # Properties[4] for 4634 (10 = RemoteInteractive, 2 = Interactive).
    $events = Get-WinEvent -Path C:\Windows\System32\winevt\Logs\Security.evtx | where {($_.Id -eq 4624 -and $_.properties[8].value -eq 10) -or ($_.Id -eq 4634 -and $_.properties[4].value -eq 2) }

    foreach ($event in $events)
    {
        # userid (TargetUserName) will vary depending on event type:
        if($event.Id -eq 4624) { $userid = $event.properties[5].value }
        if($event.Id -eq 4634) { $userid = $event.properties[1].value }

        $event | Select TimeCreated, TaskDisplayName, MachineName, @{"Name" ="UserID";"Expression" = {$userid}}
    }

    Tuesday, August 6, 2019 1:26 PM
  • The local SAM account database does not track user logon or logoff events. You can enable auditing of local logon and logoff events, then use a script, similar to what DumbleD0re posted, to parse the resulting log of events. However, the log rolls over, so you may not be able to go back 30 days, depending on how much activity is recorded and the maximum log size.

    A common solution for tracking domain logons and logoffs is to use group policy to configure logon and logoff scripts. The scripts can append one line per logon/logoff to a shared log file, documenting logon or logoff, datetime, user name, and computer name. Scripts can parse the resulting log for a specific user's activity. However, for local logons only logon scripts are available. There is no provision to configure local logoff scripts.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Tuesday, August 6, 2019 4:10 PM
    Moderator
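    Both prerequisites Richard mentions (auditing switched on, and a Security log that still reaches back 30 days) can be checked before anyone spends time parsing events. The PowerShell below is an added example, not code from this thread; it assumes an elevated session on the machine being examined and the English-language output format of auditpol.

```powershell
# Added example: verify that Logon/Logoff auditing is enabled and how far back
# the Security log actually reaches. Assumes an elevated PowerShell session
# (auditpol and Get-WinEvent on the Security log both need it).

# 1. Audit policy. If the Logon / Logoff subcategories are "No Auditing",
#    events 4624 / 4634 are never written and there is nothing to parse.
#    The category name and output layout assume English auditpol output.
$auditLines = auditpol /get /category:"Logon/Logoff" 2>&1
$auditPolicy = $auditLines |
    Where-Object { $_ -match '^\s+(Logon|Logoff)\s' } |
    ForEach-Object { $_.Trim() -replace '\s{2,}', ' : ' }
$auditPolicy        # e.g. "Logon : Success and Failure", "Logoff : Success"

# 2. Log capacity and retention. Security is circular by default, so once
#    MaximumSizeInBytes is reached the oldest records are overwritten.
$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue

$daysOfHistory = 0
$covers30Days  = $false
if ($oldest) {
    $daysOfHistory = [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalDays, 1)
    $covers30Days  = $oldest.TimeCreated -le (Get-Date).AddDays(-30)
}

[pscustomobject]@{
    LogMode       = $log.LogMode            # Circular / Retain / AutoBackup
    MaxSizeMB     = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    CurrentSizeMB = [math]::Round($log.FileSize / 1MB, 1)
    RecordCount   = $log.RecordCount
    OldestEvent   = if ($oldest) { $oldest.TimeCreated } else { $null }
    DaysOfHistory = $daysOfHistory
    Covers30Days  = $covers30Days
}
```

    If Covers30Days comes back False, the answer to the original question is simply not on the box any more: raising the maximum log size, or forwarding Security events to a collector, is what makes a 30-day lookback possible in future.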

All replies

  • Thank you! 

    It appears they don't have auditing enabled anyway, so didn't pull much off, but I'll save that for future reference

    Regards

    Dan

    Wednesday, August 7, 2019 10:41 AM
  • I tried to run the whole script, but Powershell is only accepting this bit, also where would I put the username? Do you have an example?

    Regards

    Dan

    $events = Get-WinEvent -Path C:\Windows\System32\winevt\Logs\Security.evtx | where {($_.Id -eq 4624 -and $_.properties[8].value -eq 10) -or ($_.Id -eq 4634 -and $_.properties[4].value -eq 2) }
    Thursday, August 22, 2019 3:23 PM
  • Your command is incorrect.  To query the security log for a specific event:

     Get-WinEvent -FilterHashtable @{Logname='Security';ID=4634}

    To filter for information in the properties use an XML or XPath query.  Search for articles that will teach you how to write XML queries.

    Here are some examples:

    # ==============================================================================================
    # 
    # Microsoft PowerShell Source File -- Created with SAPIEN Technologies PrimalScript 2012
    # 
    # NAME: 
    # 
    # AUTHOR: jrv
    # DATE  : 5/24/2014
    # 
    # COMMENT: Various methods of obtaining events
    # 
    # ==============================================================================================
    
    # event log XPath queries.

    # Logons (4624) of type 2 (Interactive) or 3 (Network), no time bound.
    $xmlquery=@'
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">
         *[System[(EventID='4624')]
         and
         EventData[Data[@Name='LogonType'] and (Data='2' or Data='3')]
         ]
        </Select>
      </Query>
    </QueryList>
    '@

    # Same query limited to the last 30 days: timediff() is in milliseconds,
    # 2592000000 ms = 30 days. This overwrites the $xmlquery above.
    $xmlquery=@'
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">
         *[System[(EventID='4624') and TimeCreated[timediff(@SystemTime) &lt;= 2592000000]]
         and
         EventData[Data[@Name='LogonType'] and (Data='2' or Data='3')]]
        </Select>
      </Query>
    </QueryList>
    '@
    Get-WinEvent -FilterXml $xmlquery -MaxEvents 10

    # Get event data as XML
    # build a filter (bare XPath, used with -FilterXPath rather than -FilterXml)
    $filter=@'
         *[System[(EventID='4624')]
         and
         EventData[Data[@Name='LogonType'] and (Data='2' or Data='3')]
         ]
    '@

    $xmltext=Get-WinEvent -LogName Security -FilterXPath $filter |%{$_.ToXML()}
    $xml=[xml]"<Events>$xmltext</Events>"

    # you now have the XML for all selected events.
    $xml.Events.Event


    # Interactive logons (type 2) only, read from a remote computer
    $filter = @'
         *[System[(EventID='4624')]
         and
         EventData[Data[@Name='LogonType'] and (Data='2')]
         ]
    '@

    $xmltext = Get-WinEvent -LogName Security -FilterXPath $filter -MaxEvents 10 -ComputerName WS701 |
        ForEach-Object{ $_.ToXML() }
    $xml = [xml]"<Events>$xmltext</Events>"
    # EventData fields of the first event (Name/value pairs such as TargetUserName, LogonType)
    $xml.Events.event[0].Eventdata.Data

    # A different log: System, Kernel-General event 12 (operating system started)
    $filterXML = @'
    <QueryList>
      <Query Id="0" Path="System">
        <Select Path="System">
            *[System[Provider[@Name='Microsoft-Windows-Kernel-General']
                and (Level=4 or Level=0)
                and (EventID=12)]]
        </Select>
      </Query>
    </QueryList>
    '@
    Get-WinEvent -ComputerName WS701 -MaxEvents 1 -FilterXml $filterXML
    
    


    \_(ツ)_/

    Thursday, August 22, 2019 3:36 PM
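    Dan asked where the username goes. The following PowerShell is an added example, not code from DumbleD0re or jrv; it puts the pieces from this thread together into one function: a FilterHashtable restricted to the last 30 days (the equivalent of jrv's timediff clause), the per-event-ID property positions DumbleD0re used, and a check that the account is local rather than a domain account. The user name 'dan' in the usage line is a placeholder, and the default set of logon types is an assumption (2 = Interactive, 10 = RemoteInteractive, 11 = CachedInteractive; network and service logons are left out so the list is not flooded).

```powershell
# Added example: every logon and logoff of one local (SAM) account in the last N days.
# Assumes an elevated session and that Logon/Logoff auditing is already enabled.
function Get-LocalLogonHistory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$User,      # local account name, no domain prefix
        [int]$Days = 30,
        [int[]]$LogonTypes = @(2, 10, 11)          # assumption: interactive-style logons only
    )

    # FilterHashtable is evaluated by the event log service itself, so it is far
    # cheaper than reading the whole .evtx and filtering with Where-Object.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624, 4634
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue                # no matching events is not an error here

    foreach ($e in $events) {
        # Property positions differ between the two event IDs:
        #   4624: [5]=TargetUserName [6]=TargetDomainName [7]=TargetLogonId [8]=LogonType
        #   4634: [1]=TargetUserName [2]=TargetDomainName [3]=TargetLogonId [4]=LogonType
        $i = if ($e.Id -eq 4624) { 5, 6, 7, 8 } else { 1, 2, 3, 4 }
        $name    = $e.Properties[$i[0]].Value
        $domain  = $e.Properties[$i[1]].Value
        $logonId = $e.Properties[$i[2]].Value
        $type    = [int]$e.Properties[$i[3]].Value

        # For a local account TargetDomainName is the computer name; a domain
        # account logging on to the same machine carries the domain name instead.
        if ($name -ne $User -or $domain -ne $env:COMPUTERNAME) { continue }
        if ($LogonTypes -notcontains $type) { continue }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            Action    = if ($e.Id -eq 4624) { 'Logon' } else { 'Logoff' }
            User      = "$domain\$name"
            LogonType = $type
            LogonId   = '0x{0:x}' -f $logonId     # same value on the 4624 and its matching 4634
        }
    }
}

# Usage (placeholder account name). Events come back newest first, so sort by time.
Get-LocalLogonHistory -User 'dan' -Days 30 | Sort-Object Time | Format-Table -AutoSize
```

    The LogonId column is what lets a logon be paired with its logoff: the TargetLogonId written in the 4634 is the one assigned in the 4624. Two things to keep in mind when reading the output: a 4634 is not guaranteed for every session (a crash or hard power-off leaves a logon with no logoff), and if Richard's point about auditing applies, as it did in Dan's case, the function simply returns nothing because the events were never written.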