From 229acaf4b7a5a6afd49d71e77e3fd4aaf9977045 Mon Sep 17 00:00:00 2001
From: Tommy Harris
Date: Thu, 20 May 2021 13:51:40 -0600
Subject: [PATCH 1/3] New function: Get-RdpConnectionLogs

Signed-off-by: Tommy Harris
---
 ATG-PS-Functions.txt | 71 ++++++++++++++++++++++++++++++++++++++++++++
 README.md | 1 +
 2 files changed, 72 insertions(+)

diff --git a/ATG-PS-Functions.txt b/ATG-PS-Functions.txt
index c8589ef..3480fd8 100644
--- a/ATG-PS-Functions.txt
+++ b/ATG-PS-Functions.txt
@@ -568,6 +568,77 @@ Function Get-InternetHealth { $SpeedtestHealth } +Function Get-RdpConnectionLogs { + <# + + .SYNOPSIS + This script reads the event log "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" from + multiple servers and outputs the human-readable results to a CSV/Table. This data is not filterable in the + native Windows Event Viewer. + + Version: November 9, 2016 + + + .DESCRIPTION + This script reads the event log "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" from + multiple servers and outputs the human-readable results to a CSV. This data is not filterable in the native + Windows Event Viewer. + + NOTE: Despite this log's name, it includes both RDP logins as well as regular console logins too. + + Author: + Mike Crowley + https://BaselineTechnologies.com + + .EXAMPLE + + .\RDPConnectionParser.ps1 -ServersToQuery Server1, Server2 -StartTime "November 1" + + .LINK + https://MikeCrowley.us/tag/powershell + + #> + + Param( + [array]$ServersToQuery = (hostname), + [datetime]$StartTime = "January 1, 1970" + ) + + foreach ($Server in $ServersToQuery) { + + $LogFilter = @{ + LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' + ID = 21, 23, 24, 25 + StartTime = $StartTime + } + + $AllEntries = Get-WinEvent -FilterHashtable $LogFilter -ComputerName $Server + + $AllEntries | ForEach-Object { + $entry = [xml]$_.ToXml() + [array]$Output += New-Object PSObject -Property @{ + TimeCreated = $_.TimeCreated + User = $entry.Event.UserData.EventXML.User + IPAddress = $entry.Event.UserData.EventXML.Address + EventID = $entry.Event.System.EventID + ServerName = $Server + } + } + } + + $FilteredOutput += $Output | Select-Object TimeCreated, User, ServerName, IPAddress, @{Name='Action';Expression={ + if ($_.EventID -eq '21'){"Logon"} + if ($_.EventID -eq '22'){"Shell Start"} + if ($_.EventID -eq '23'){"Logoff"} + if ($_.EventID -eq '24'){"Disconnected"} + if ($_.EventID -eq '25'){"Reconnection"} + } + 
} + + $FilteredOutput | Sort-Object -Property TimeCreated | Format-Table -AutoSize + + } + Function Install-AppDefaults { Write-Host "Downloading App Defaults" New-Item -ItemType Directory -Force -Path C:\Ambitions\ITS247Agent diff --git a/README.md b/README.md index d2b252a..2dcca50 100644 --- a/README.md +++ b/README.md @@ -52,6 +52,7 @@ Get-ADUserPassExpirations Get-ATGPS Get-DiskUsage Get-InternetHealth +Get-RdpConnectionLogs Get-ThunderBolt Install-AppDefaults Install-Choco From 94b85f73320d6aeb0821c2f3543a035657763b6f Mon Sep 17 00:00:00 2001 From: Tommy Harris Date: Thu, 20 May 2021 14:10:33 -0600 Subject: [PATCH 2/3] Fix Get-RdpConnectionLogs Example Signed-off-by: Tommy Harris --- ATG-PS-Functions.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ATG-PS-Functions.txt b/ATG-PS-Functions.txt index 3480fd8..4151111 100644 --- a/ATG-PS-Functions.txt +++ b/ATG-PS-Functions.txt @@ -592,7 +592,7 @@ Function Get-RdpConnectionLogs { .EXAMPLE - .\RDPConnectionParser.ps1 -ServersToQuery Server1, Server2 -StartTime "November 1" + Get-RdpConnectionLogs -ServersToQuery Server1, Server2 -StartTime "November 1" .LINK https://MikeCrowley.us/tag/powershell From 99469f2550f4b10c4f6e785abcb048f970d48f67 Mon Sep 17 00:00:00 2001 From: Tommy Harris Date: Thu, 27 May 2021 10:32:45 -0600 Subject: [PATCH 3/3] Rename Get-RdpConnectionLogs to Get-LoginHistory Signed-off-by: Tommy Harris --- ATG-PS-Functions.txt | 10 +++++----- README.md | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/ATG-PS-Functions.txt b/ATG-PS-Functions.txt index 4151111..3bcc21d 100644 --- a/ATG-PS-Functions.txt +++ b/ATG-PS-Functions.txt @@ -568,7 +568,7 @@ Function Get-InternetHealth { $SpeedtestHealth } -Function Get-RdpConnectionLogs { +Function Get-LoginHistory { <# .SYNOPSIS 
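Review bot: The `ID = 21, 23, 24, 25` filter in `$LogFilter` never returns event 22, so the `"Shell Start"` branch of the `Action` expression at the end of the hunk is dead code — either add 22 to the filter or drop the branch so the two lists agree. `$Output` and `$FilteredOutput` are never initialised before the `+=` lines, so a variable of the same name that already exists in the caller's scope is silently folded into the results; both should start as `@()` inside the function. A server that is unreachable, denies event-log access or has no matching events is skipped with at most a console error and nothing in the final table marks the gap, which matters for a login-history tool whose value is completeness — run each query with `-ErrorAction Stop` inside try/catch and `Write-Warning` the server name on failure. The `.SYNOPSIS` promises CSV output but the last line is `Format-Table -AutoSize`, which emits formatting objects that `Export-Csv` cannot consume; return `$FilteredOutput | Sort-Object -Property TimeCreated` and let the caller format (the default console view then becomes a list, since the objects carry five properties). The help should also say that these are session-state events from the LocalSessionManager log, so failed connection attempts are not covered, and that the remote read needs event-log access on each target.
```powershell
    $Output = @()
    $FilteredOutput = @()

    foreach ($Server in $ServersToQuery) {

        $LogFilter = @{
            LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
            ID        = 21, 22, 23, 24, 25   # 22 added so the "Shell Start" mapping below is reachable
            StartTime = $StartTime
        }

        try {
            $AllEntries = Get-WinEvent -FilterHashtable $LogFilter -ComputerName $Server -ErrorAction Stop
        } catch {
            # Do not let one unreachable host (or an empty log) silently thin out the login record.
            Write-Warning "Could not read session events from ${Server}: $($_.Exception.Message)"
            continue
        }

        # … unchanged: per-event XML parsing into $Output …
    }

    # … unchanged: Select-Object with the Action expression into $FilteredOutput …

    # Return objects, not Format-Table output, so callers can Export-Csv or format as they wish.
    $FilteredOutput | Sort-Object -Property TimeCreated
```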
@@ -581,10 +581,10 @@ Function Get-RdpConnectionLogs { .DESCRIPTION This script reads the event log "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" from - multiple servers and outputs the human-readable results to a CSV. This data is not filterable in the native - Windows Event Viewer. + multiple servers and outputs the human-readable results to a CSV/Table. This data is not filterable in + the native Windows Event Viewer. - NOTE: Despite this log's name, it includes both RDP logins as well as regular console logins too. + NOTE: Despite this log's name, it includes both RDP logins as well as regular console logins1. Author: Mike Crowley @@ -592,7 +592,7 @@ Function Get-RdpConnectionLogs { .EXAMPLE - Get-RdpConnectionLogs -ServersToQuery Server1, Server2 -StartTime "November 1" + Get-LoginHistory -ServersToQuery Server1, Server2 -StartTime "November 1" .LINK https://MikeCrowley.us/tag/powershell diff --git a/README.md b/README.md index 2dcca50..26a8afb 100644 --- a/README.md +++ b/README.md @@ -52,7 +52,7 @@ Get-ADUserPassExpirations Get-ATGPS Get-DiskUsage Get-InternetHealth -Get-RdpConnectionLogs +Get-LoginHistory Get-ThunderBolt Install-AppDefaults Install-Choco
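Review bot: The reworded NOTE line in the `.DESCRIPTION` now ends in `regular console logins1.`, which looks like a stray keystroke replacing the original `too`; restore it as `NOTE: Despite this log's name, it includes both RDP logins as well as regular console logins too.` so the help stays readable. The rest of the hunk is the rename and the CSV/Table wording alignment, which are fine; the function's `.SYNOPSIS` and body lie outside this hunk.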