Failed and successful logon events in Event Viewer
Windows writes two events to the Security log when a logon attempt occurs: 4624 (an account was successfully logged on) and 4625 (an account failed to log on). Both are recorded only if the Logon audit subcategory is enabled for success and failure, which is the default on current Windows Server versions.
If you want to know who attempted to log in to a computer, you can open Event Viewer and look for these events. The problem is that the useful details (account name, logon type, source address, failure code) are stored in the event properties, and Event Viewer shows the properties of only one event at a time. That is not very convenient on a computer used by many users (for example, an RDS server).
Displaying failed and successful logon events with PowerShell
You can use PowerShell to lay out the information in events 4624 and 4625 in a more readable way. The following command produces a table with details about failed logons. ReplacementStrings holds the EventData fields in the order they appear in the event, so index 5 is TargetUserName, 6 is TargetDomainName, 10 is LogonType, 13 is WorkstationName and 19 is IpAddress; the indexes differ between 4625 and 4624. Get-EventLog exists only in Windows PowerShell 5.1, and reading the Security log requires an elevated session.
# List failed logon attempts in last 3 hours
Get-EventLog -LogName Security -InstanceId 4625 -After (Get-Date).AddHours(-3) `
| select `
Index,
@{ Name = "TimeGenerated"; Expression = { $_.TimeGenerated.ToString("yyyy-MM-dd HH:mm:ss") } },
@{ Name = "AccountName"; Expression = { $_.ReplacementStrings[5] } },
@{ Name = "AccountDomain"; Expression = { $_.ReplacementStrings[6] } },
@{ Name = "LogonType"; Expression = { $_.ReplacementStrings[10] } },
@{ Name = "WorkstationName"; Expression = { $_.ReplacementStrings[13] } },
@{ Name = "SourceNetworkAddress"; Expression = { $_.ReplacementStrings[19] } },
@{ Name = "Status"; Expression = { $_.ReplacementStrings[7] } },
@{ Name = "SubStatus"; Expression = { $_.ReplacementStrings[9] } } `
| FT -AutoSize
The output looks like this:
Index TimeGenerated       AccountName   AccountDomain LogonType WorkstationName SourceNetworkAddress Status     SubStatus
----- -------------       -----------   ------------- --------- --------------- -------------------- ------     ---------
33900 2020-07-24 10:41:28 John.Doe      SRV045        2         SRV045          127.0.0.1            0xc000006d 0xc000006a
33890 2020-07-24 10:36:05 Admin         NB21          3         NB21            10.15.10.11          0xc000006d 0xc0000064
33880 2020-07-24 10:00:34 Guest         SRV001        3         SRV001          -                    0xc000006e 0xc0000072
31865 2020-07-24 09:17:39 Administrator NB18          3         NB18            10.15.10.70          0xc000006d 0xc000006a
31840 2020-07-24 09:17:39 AdminGG1                    3         Server002       142.250.180.206      0xc000006d 0xc0000064
31833 2020-07-24 09:15:13 ADMINISTRATOR               3         -               172.217.20.14        0xc000006d 0xc0000064
31831 2020-07-24 09:13:14 ADMINISTRATOR               3         -               172.217.20.14        0xc000006d 0xc0000064
31830 2020-07-24 09:11:13 ADMINISTRATOR               3         -               172.217.20.14        0xc000006d 0xc0000064
31827 2020-07-24 09:10:14 GUEST         WORKGROUP     3         AEC4CE70FFFD    74.6.231.20          0xc000006d 0xc0000064
31810 2020-07-24 09:09:35 Administrator WIN-FDQCT15JG 3         Windows7        98.137.11.163        0xc000006d 0xc0000064
31810 2020-07-24 09:09:35 UID002134     CONTOSO       3         WS003           10.15.10.11          0xc000006d 0xc0000064
Microsoft's documentation for event 4625 lists the meanings of the LogonType, Status and SubStatus values. For the output above: logon type 2 is an interactive logon at the console, type 3 is a network logon (for example an SMB connection), and type 10 is a remote interactive (RDP) logon. Status 0xC000006D (STATUS_LOGON_FAILURE) is refined by the SubStatus: 0xC0000064 means the user name does not exist and 0xC000006A means the user name is correct but the password is wrong. Status 0xC000006E (STATUS_ACCOUNT_RESTRICTION) with SubStatus 0xC0000072 means the account is disabled. A run of type-3 failures for Administrator or GUEST with SubStatus 0xC0000064 from addresses outside your network, like the ones in the middle of this table, is what password guessing against an exposed service looks like, and it is the first thing to look for here.
And you can use this command to get a similar table for successful logons:
# List successful logon attempts in last 3 hours
Get-EventLog -LogName Security -InstanceId 4624 -After (Get-Date).AddHours(-3) `
| select `
Index,
@{ Name = "TimeGenerated"; Expression = { $_.TimeGenerated.ToString("yyyy-MM-dd HH:mm:ss") } },
@{ Name = "AccountName"; Expression = { $_.ReplacementStrings[5] } },
@{ Name = "AccountDomain"; Expression = { $_.ReplacementStrings[6] } },
@{ Name = "LogonType"; Expression = { $_.ReplacementStrings[8] } },
@{ Name = "WorkstationName"; Expression = { $_.ReplacementStrings[11] } },
@{ Name = "SourceNetworkAddress"; Expression = { $_.ReplacementStrings[18] } } `
| FT -AutoSize
Output:
Index   TimeGenerated       AccountName    AccountDomain  LogonType WorkstationName SourceNetworkAddress
-----   -------------       -----------    -------------  --------- --------------- --------------------
4202584 2020-07-24 18:13:09 ScriptExecutor SRV045         4         -               -
4201974 2020-07-24 19:11:17 Sam.Johnson    SRV045         3         WS216           185.20.185.20
4199127 2020-07-24 19:10:11 DWM-19         Window Manager 2         -               -
4199105 2020-07-24 18:35:21 Jane.Doe       SRV045         10        SRV045          98.137.11.163
4199094 2020-07-24 18:35:20 Jane.Doe       SRV045         3         DESKTOP-B       142.250.180.206
4199088 2020-07-24 18:23:37 ScriptExecutor SRV045         4         -               -
4199081 2020-07-24 18:20:37 Paul.Smith     SRV045         10        SRV045          98.137.11.163
4199076 2020-07-24 18:20:37 DWM-19         Window Manager 2         -               -
4199075 2020-07-24 18:20:37 DWM-19         Window Manager 2         -               -
4199073 2020-07-24 18:20:36 Paul.Smith     SRV045         3         DESKTOP-KN9F7C3 98.137.11.163
4199035 2020-07-24 18:17:55 Jane.Doe       SRV045         10        SRV045          142.250.180.206
4199020 2020-07-24 18:14:16 SYSTEM         NT AUTHORITY   5         -               -
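The two commands above depend on ReplacementStrings positions, which differ between 4624 and 4625 and are not self-describing. The following is an added example, not code from the original article: it reads the same two events with Get-WinEvent (which also exists in PowerShell 7, where Get-EventLog does not), looks the EventData fields up by name from the event XML, and decodes LogonType and the failure codes using the values Microsoft documents for 4624/4625. The function name Get-LogonEvents and its parameters are this example's own choices.

```powershell
# Added example (not from the original article). Reads 4624/4625 with Get-WinEvent and
# looks EventData fields up by name rather than by ReplacementStrings index.
# Run from an elevated prompt: standard users cannot read the Security log.

# LogonType values as documented for events 4624/4625
$LogonTypes = @{
    '2' = 'Interactive';     '3'  = 'Network';           '4'  = 'Batch'
    '5' = 'Service';         '7'  = 'Unlock';            '8'  = 'NetworkCleartext'
    '9' = 'NewCredentials';  '10' = 'RemoteInteractive'; '11' = 'CachedInteractive'
}

# NTSTATUS codes that appear in the Status/SubStatus fields of 4625
$FailureCodes = @{
    '0xc000006d' = 'bad user name or authentication information'
    '0xc000006e' = 'account restriction'
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'wrong password'
    '0xc0000234' = 'account locked out'
    '0xc0000072' = 'account disabled'
    '0xc0000071' = 'password expired'
    '0xc0000224' = 'password must change at next logon'
    '0xc000006f' = 'outside permitted logon hours'
    '0xc0000070' = 'workstation restriction'
    '0xc0000193' = 'account expired'
    '0xc000015b' = 'logon type not granted to this account'
    '0xc0000133' = 'clock skew between DC and client'
}

function Get-LogonEvents {
    param(
        [int[]]$Id = @(4624, 4625),                    # hypothetical defaults: both events
        [datetime]$After = (Get-Date).AddHours(-3),
        [string]$ComputerName = $env:COMPUTERNAME
    )
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = $Id; StartTime = $After
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # Index the EventData fields by their Name attribute, so a change in field
        # order or an added field cannot silently shift the columns.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # 4625 only: SubStatus carries the reason unless it is 0x0, then Status does.
        $code    = if ($d['SubStatus'] -and $d['SubStatus'] -ne '0x0') { $d['SubStatus'] } else { $d['Status'] }
        $codeKey = if ($code) { $code.ToLower() } else { $null }
        $reason  = if ($codeKey -and $FailureCodes.ContainsKey($codeKey)) { $FailureCodes[$codeKey] } else { $code }

        $lt = [string]$d['LogonType']
        [pscustomobject]@{
            Time        = $_.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
            Result      = if ($_.Id -eq 4624) { 'success' } else { 'failure' }
            Account     = $d['TargetUserName']
            Domain      = $d['TargetDomainName']
            LogonType   = if ($LogonTypes.ContainsKey($lt)) { "$lt $($LogonTypes[$lt])" } else { $lt }
            Workstation = $d['WorkstationName']
            SourceIp    = $d['IpAddress']
            Reason      = $reason
        }
    }
}

# Failed logons in the last 3 hours, decoded; and the same data grouped by reason and source
Get-LogonEvents -Id 4625 | Format-Table -AutoSize
Get-LogonEvents -Id 4625 | Group-Object Reason, SourceIp | Sort-Object Count -Descending | Format-Table Count, Name
```

Because the function emits objects with named properties, the grouping and counting shown in the next section can be done with Group-Object on Account, SourceIp or Reason without touching index numbers again.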
Failed logons statistics
To get some statistics, we can group the event log entries by date and see how many failed logon attempts occurred on each day:
# Get number of failed logons per date in last 3 days
(Get-EventLog -LogName Security -InstanceId 4625 -After (Get-Date).AddDays(-3)).TimeGenerated `
| select @{
Name = "Date";
Expression = { $_.ToString("yyyy-MM-dd") + ", " + $_.DayOfWeek }
} `
| group Date `
| FT `
@{ Name = "Date"; Expression = { $_.Name } },
@{ Name = "FailedLogonAttemptsCount"; Expression = { $_.Count } }
Output:
Date                 FailedLogonAttemptsCount
----                 ------------------------
2020-07-24, Friday                         12
2020-07-23, Thursday                       11
2020-07-22, Wednesday                       4
We can also group the event log entries by workstation name and source IP address and see how many failed logon attempts were made from each computer:
# Number of failed logons per source IP address and source hostname
Get-EventLog -LogName Security -InstanceId 4625 -After (Get-Date).AddDays(-2) `
| select `
@{ Name = "WorkstationName"; Expression = { $_.ReplacementStrings[13] } },
@{ Name = "SourceNetworkAddress"; Expression = { $_.ReplacementStrings[19] } } `
| group `
"WorkstationName",
"SourceNetworkAddress" `
| FT `
@{ Name = "SourceHostname"; Expression = { $_.Name.Split(",")[0] } },
@{ Name = "SourceNetworkAddress"; Expression = { $_.Name.Split(",")[1].Trim() } },
@{ Name = "FailedLogonAttemptsCount"; Expression = { $_.Count } }
Output:
SourceHostname SourceNetworkAddress FailedLogonAttemptsCount
-------------- -------------------- ------------------------
DESKTOP-123    127.0.0.1                                   1
S216           185.20.185.20                               3
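Counting failures per source is the raw material; what you actually want is to be told which sources matter. The following is an added example, not code from the original article. It takes rows of the shape the tables above produce (time, result, account, source address) and applies three detections: a source that exceeds a failure threshold inside a time window (brute force), a source that tries many distinct accounts (password spraying), and a successful logon from a source that had just been failing, which is the case worth waking up for. The function name, thresholds and the $Sample rows (names and addresses included) are constructed for this demonstration and are not from the article.

```powershell
# Added example (not from the original article). Detections over failed (4625) and
# successful (4624) logon rows: brute-force, password-spray and success-after-failures.
# Row properties expected: Time (datetime), Result ('failure'|'success'), Account, SourceIp.

function Find-SuspiciousLogons {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$FailureThreshold = 5,       # failures from one address inside the window
        [int]$SprayAccountThreshold = 3,  # distinct accounts tried from one address
        [int]$MinPriorFailures = 3,       # failures before a success from the same address
        [int]$WindowMinutes = 60
    )
    $findings = [System.Collections.Generic.List[object]]::new()

    # "-" is what the event carries when no source address is known; skip those rows.
    $bySource = $Events | Where-Object { $_.SourceIp -and $_.SourceIp -ne '-' } | Group-Object SourceIp

    foreach ($g in $bySource) {
        $ip       = $g.Name
        $rows     = @($g.Group | Sort-Object Time)
        $failures = @($rows | Where-Object { $_.Result -eq 'failure' })
        $accounts = @($failures | Select-Object -ExpandProperty Account -Unique)

        # brute-force: sliding window over the failure timestamps of this address
        $window = [System.Collections.Generic.Queue[datetime]]::new()
        foreach ($f in $failures) {
            $window.Enqueue($f.Time)
            while ($window.Peek() -lt $f.Time.AddMinutes(-$WindowMinutes)) { [void]$window.Dequeue() }
            if ($window.Count -ge $FailureThreshold) {
                $findings.Add([pscustomobject]@{ SourceIp = $ip; Rule = 'brute-force';
                    Detail = "$($window.Count) failures within $WindowMinutes min, last at $($f.Time.ToString('HH:mm:ss'))" })
                break
            }
        }

        # password-spray: few attempts per account, many accounts
        if ($accounts.Count -ge $SprayAccountThreshold) {
            $findings.Add([pscustomobject]@{ SourceIp = $ip; Rule = 'password-spray';
                Detail = "$($accounts.Count) distinct accounts: $($accounts -join ', ')" })
        }

        # success-after-failures: a 4624 preceded by repeated 4625s from the same address
        foreach ($s in ($rows | Where-Object { $_.Result -eq 'success' })) {
            $prior = @($failures | Where-Object { $_.Time -le $s.Time -and $_.Time -ge $s.Time.AddMinutes(-$WindowMinutes) })
            if ($prior.Count -ge $MinPriorFailures) {
                $findings.Add([pscustomobject]@{ SourceIp = $ip; Rule = 'success-after-failures';
                    Detail = "$($prior.Count) failures before $($s.Account) logged on at $($s.Time.ToString('HH:mm:ss'))" })
            }
        }
    }
    return $findings
}

# Constructed sample rows for the demo (not real log data).
function New-Row($Time, $Result, $Account, $Ip) {
    [pscustomobject]@{ Time = [datetime]$Time; Result = $Result; Account = $Account; SourceIp = $Ip }
}
$Sample = @(
    # one external address guessing a single account every two minutes -> brute-force
    New-Row '2020-07-24 09:05:13' 'failure' 'ADMINISTRATOR' '172.217.20.14'
    New-Row '2020-07-24 09:07:13' 'failure' 'ADMINISTRATOR' '172.217.20.14'
    New-Row '2020-07-24 09:09:13' 'failure' 'ADMINISTRATOR' '172.217.20.14'
    New-Row '2020-07-24 09:11:13' 'failure' 'ADMINISTRATOR' '172.217.20.14'
    New-Row '2020-07-24 09:13:14' 'failure' 'ADMINISTRATOR' '172.217.20.14'
    New-Row '2020-07-24 09:15:13' 'failure' 'ADMINISTRATOR' '172.217.20.14'
    # one address, one try each against four accounts -> password-spray
    New-Row '2020-07-24 09:10:14' 'failure' 'GUEST'         '74.6.231.20'
    New-Row '2020-07-24 09:12:40' 'failure' 'Administrator' '74.6.231.20'
    New-Row '2020-07-24 09:15:02' 'failure' 'Admin'         '74.6.231.20'
    New-Row '2020-07-24 09:17:55' 'failure' 'UID002134'     '74.6.231.20'
    # internal workstation: three wrong passwords, then a success -> success-after-failures
    New-Row '2020-07-24 10:30:05' 'failure' 'Admin'         '10.15.10.11'
    New-Row '2020-07-24 10:33:41' 'failure' 'Admin'         '10.15.10.11'
    New-Row '2020-07-24 10:36:05' 'failure' 'Admin'         '10.15.10.11'
    New-Row '2020-07-24 10:38:12' 'success' 'Admin'         '10.15.10.11'
    # noise that should not be flagged: a single typo, and a local failure with no address
    New-Row '2020-07-24 09:17:39' 'failure' 'Administrator' '10.15.10.70'
    New-Row '2020-07-24 10:00:34' 'failure' 'Guest'         '-'
)

Find-SuspiciousLogons -Events $Sample | Format-Table -AutoSize
```

With the constructed rows this flags 172.217.20.14 as brute-force, 74.6.231.20 as password-spray and 10.15.10.11 as success-after-failures, and stays quiet about the single failure from 10.15.10.70. To run it on a real host, build the rows from the 4624 and 4625 tables on this page (ReplacementStrings index 5 for the account and 19 or 18 for the address) and tune the thresholds to the host: an RDS server where users mistype passwords all day needs a higher FailureThreshold than a domain controller that should see almost none.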