remote pc forensics

• #246372 (Participant)

I need to gather the security events below from a remote PC and save them to c:\temp on my machine in a nice CSV format, one row for each entry, listing the computer name, event ID, username, and the date and time of the event.

Windows logon event ID – 4624
Windows logoff event ID – 4634
Windows lock event ID – 4800
Windows unlock event ID – 4801

My current script does not seem to be working very well and I need assistance, please. I need the full details of the event in the capture for HR/Legal, including the client name, date/time, and user name info.

$computers=get-content c:\temp\computers-to-investigate.txt
foreach($computer in $computers)
{
Get-EventLog Security -ComputerName $computers | Where {$_.InstanceID -like "4800"} | Select $UserProperty | FT
}

• #246378 (Participant, Community MVP)

Jeremy, welcome to PowerShell.org. Please take a moment and read the very first post on top of the list of this forum: Read Me Before Posting! You’ll be Glad You Did!

      When you post code, error messages, sample data or console output format it as code, please.
In the “Text” view you can use the code tags “CODE”, in the “Visual” view you can use the format template “Preformatted”. You can go back and edit your post to fix the formatting – you don’t have to create a new one.
      Thanks in advance.

What you’re asking for is almost impossible. Most event log entries are way too complex to be displayed in a simple table on the console. Run the following code on your PC to see what I mean:


      You use a loop to iterate over a list of computers but in your loop you do not use a single computer – $computer. Instead you use the list – $computers. So you query the complete list for each and every single computer again and again and again. 😉

You should not use Get-EventLog anymore. Instead, use the new Get-WinEvent. Try this as a starter:


      BTW: What is in your variable $UserProperty?
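For reference, here is one way to do what the original question asks with Get-WinEvent; this is an added example, not the code from either post above. It assumes the computer list file from the question, that the account running it can read the remote Security logs, and that the remote hosts allow Remote Event Log Management through their firewall; the username is taken from the event's XML payload, since it is not exposed as a plain property.

```powershell
# Added example (not from the original poster or the reply author).
# Assumptions: c:\temp\computers-to-investigate.txt lists one host per line; the
# running account may read the remote Security log; RPC / Remote Event Log
# Management is allowed through the remote firewall.
# Note: 4800/4801 are only written when "Audit Other Logon/Logoff Events" is enabled.
$computers = Get-Content -Path 'c:\temp\computers-to-investigate.txt'
$ids       = 4624, 4634, 4800, 4801
$actions   = @{ 4624 = 'Logon'; 4634 = 'Logoff'; 4800 = 'Lock'; 4801 = 'Unlock' }
$start     = (Get-Date).AddDays(-7)   # constructed 7-day window; adjust for the case

$results = foreach ($computer in $computers) {
    try {
        # Filter on the remote side; far cheaper than pulling the whole log with Where-Object
        $events = Get-WinEvent -ComputerName $computer -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = $ids; StartTime = $start
        }
    }
    catch {
        # Unreachable host, access denied, or no matching events (also raised as an error)
        Write-Warning "$computer : $($_.Exception.Message)"
        continue
    }

    foreach ($event in $events) {
        # Flatten <EventData><Data Name="...">value</Data> into a name/value table
        $xml  = [xml]$event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            ComputerName = $event.MachineName
            EventId      = $event.Id
            Action       = $actions[[int]$event.Id]
            UserName     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType    = $data['LogonType']   # 4624 only: 2 = interactive, 10 = RDP, etc.
            TimeCreated  = $event.TimeCreated
        }
    }
}

# Drop machine accounts and system logons, then write one CSV per computer for the case file
$results |
    Where-Object { $_.UserName -notmatch '\$$' -and $_.UserName -notmatch '^NT AUTHORITY' } |
    Group-Object -Property ComputerName |
    ForEach-Object {
        $name = $_.Name
        $_.Group | Sort-Object TimeCreated |
            Export-Csv -Path ("c:\temp\{0}-logon-events.csv" -f $name) -NoTypeInformation
    }
```

Keep in mind that 4624 fires for every logon type (services, network shares, scheduled tasks), so filter on LogonType or review the column before handing the CSV to HR/Legal.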
