Track User Logon Events with PowerShell

(Last Updated On: 2018-09-27)

So I am working on a project to get all the LogOn \ LogOff events for a specific user on a Terminal Server.
When I did a few online searches there was some indication of how to get this done with PowerShell.
But this was not exactly what I was looking for, because it only covered the Log On and Log Off events.
What happens if the user disconnects and reconnects? Does this also count as a Log Off event?

I am looking for a list in CSV format which will give me the Instance ID (converted to a readable format) with the User Name and the time of the event. Seems simple enough.

Event Viewer

To do this I looked at the Event Viewer and compared its output to PowerShell.
Security, 4624, Logon, Audit Success
To get to the Event Viewer, open the Start menu and type in Event, right-click the icon and select Run as administrator.
Once open, browse to the Security event log and filter the log by Instance ID 4624. This will give you the full view of the logged event. The Event Viewer gives a fair amount of data, but there is one very critical section missing.
There is no User Name at all.

PowerShell

Doing the same with PowerShell we get the exact same issue: no User Name.
Category, 12544, Replacement String
As well, the Category is now a number instead of a human-readable format.

To get the full PowerShell view of the event, open PowerShell in Admin mode and copy and paste the commands below.
$Event = Get-EventLog -LogName Security -InstanceId 4624 -Newest 1
$Event | Format-List

PowerShell vs Event Viewer

Below is the best match I could make between the two sets of data.
Comparison, Event Viewer, PowerShell

The table shows the information received from PowerShell against what shows in the Event Viewer. (NA = Not Available)

| Field | PowerShell | Event Viewer |
|---|---|---|
| LogName | NA | Security |
| Index | 13400 | NA |
| EntryType\KeyWords | SuccessAudit | Audit Success |
| InstanceID\Event ID | 4624 | 4624 |
| Message: | Very Long Text | NA |
| Category: | (12544) | NA |
| CategoryNumber | 12544 | NA |
| ReplacementString | Comma Separated List | NA |
| Source | Microsoft-windows-Security-Auditing | Microsoft Windows Security |
| Time Generated | Time and Date Given | NA |
| TimeWritten\Logged | Time and Date Given | Time and Date Given |
| UserName | Blank | Not Available |
| Level | NA | Information |
| OpCode | NA | Info |
| Task Category | NA | Logon |
| Computer | NA | Computer Name |

So how does the Event Viewer have information that PowerShell does not?

 

Well, the replacement string is the answer: the Event Viewer reads the information from this comma-separated list and populates the Computer field.
So my question to Microsoft: why could you not just populate the Username as well?

Anyway, to get past this we have to modify the code to read the replacement string.
See Post: Power Shell Replacement String Variables for more details
I have to say thanks to Martin9700 on Spiceworks for assisting with getting the answer:
Replacement String
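
One way to read the replacement string and get the CSV described above, as an added example that is not the original author's code. It assumes the field positions that Windows Vista / Server 2008 and later use for events 4624 and 4634 (4634, the logoff event, is not shown on this page); the function name, the -UserName parameter, the sample entry and the CSV path are hypothetical.

```powershell
# Assumption: index of each field inside ReplacementStrings, per event ID.
# The positions differ between event IDs, so they are looked up, never shared.
$FieldMap = @{
    4624 = @{ Name = 'Logon';  User = 5; Domain = 6; LogonType = 8 }
    4634 = @{ Name = 'Logoff'; User = 1; Domain = 2; LogonType = 4 }
}

function ConvertTo-LogonRecord {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Entry,
        [string] $UserName      # optional filter on the account name
    )
    process {
        $map = $FieldMap[[int]$Entry.InstanceId]
        if (-not $map) { return }                     # event ID with no known layout
        $rs = $Entry.ReplacementStrings
        if ($rs.Count -le $map.LogonType) { return }  # shorter than expected: skip, do not guess
        $user = $rs[$map.User]
        if ($UserName -and $user -ne $UserName) { return }
        [pscustomobject]@{
            Time       = $Entry.TimeGenerated
            Event      = $map.Name                    # readable name for the Instance ID
            InstanceId = $Entry.InstanceId
            User       = '{0}\{1}' -f $rs[$map.Domain], $user
            LogonType  = $rs[$map.LogonType]          # 10 = RemoteInteractive (Terminal Services / RDP)
        }
    }
}

# Constructed sample shaped like a Get-EventLog entry, so the function can be tried offline.
$sample = [pscustomobject]@{
    InstanceId         = 4624
    TimeGenerated      = [datetime]'2018-09-27 08:15:00'
    ReplacementStrings = @('S-1-5-18', 'TS01$', 'CONTOSO', '0x3e7',
                           'S-1-5-21-0-0-0-1001', 'jdoe', 'CONTOSO', '0x1a2b3c', '10')
}
$sample | ConvertTo-LogonRecord -UserName 'jdoe'

# On the server itself, from an elevated PowerShell session:
# Get-EventLog -LogName Security -InstanceId 4624, 4634 |
#     ConvertTo-LogonRecord -UserName 'jdoe' |
#     Export-Csv -Path .\logons.csv -NoTypeInformation
```

Service and machine accounts also produce 4624 events, so filtering on the account name keeps the CSV to the user being tracked.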

So solving one question does not resolve the query yet, as more questions were created.

  1. What InstanceID do I need to Search for?
  2. How do I convert the Category back to Readable Format?

Look out for the next post to see how we resolve each question.

 

 
