Track User Logon Events with PowerShell

(Last Updated On: 2018-09-27)

So I am working on a project to get all the LogOn / LogOff events for a specific user on a Terminal Server.
When I did a few online searches there was some indication of how to get this done with PowerShell.
But none of it had exactly what I was looking for, because it only covered the Log On and Log Off events.
What happens if the user disconnects and reconnects? Does that also count as a Log Off event?

I am looking for a list in CSV format which will give me the Instance ID (converted to a readable format) with the User Name and the Time of the event. Seems simple enough.

Event Viewer

To work this out I looked at the Event Viewer and compared its output to PowerShell.
[Screenshot: Event Viewer entry in the Security log, Event ID 4624, Task Category Logon, Keywords Audit Success]
To get to the Event Viewer open the Start menu and type in Event, right-click the icon and select Run as administrator.
Once open, browse to the Security event log and filter the log by Event ID 4624. This will give you the full view of the event logged. The Event Viewer gives a fair amount of data, but there is one very critical section missing:
There is no User Name at all.

Power Shell

Doing the same with PowerShell we get the exact same issue: no User Name.
[Screenshot: PowerShell Format-List output showing Category (12544) and the ReplacementStrings array]
As well as this, the Category is now a number instead of a human-readable format.

To get the full PowerShell view of the event, open PowerShell in Admin mode and copy and paste the commands below.
$Event = Get-EventLog -LogName Security -InstanceId 4624 -Newest 1
$Event | Format-List

PowerShell vs Event Viewer

Below is the closest mapping I could make between the two sets of data.
[Screenshot: side-by-side comparison of the Event Viewer and PowerShell output]

The table shows the information received from PowerShell against what shows in the Event Viewer. (NA = Not Available)

Field                   PowerShell                            Event Viewer
LogName                 NA                                    Security
Index                   13400                                 NA
EntryType / Keywords    SuccessAudit                          Audit Success
InstanceID / Event ID   4624                                  4624
Message                 Very long text                        NA
Category                (12544)                               NA
CategoryNumber          12544                                 NA
ReplacementStrings      Comma-separated list                  NA
Source                  Microsoft-Windows-Security-Auditing   Microsoft Windows Security
TimeGenerated           Time and date given                   NA
TimeWritten / Logged    Time and date given                   Time and date given
UserName                Blank                                 Not Available
Level                   NA                                    Information
OpCode                  NA                                    Info
Task Category           NA                                    Logon
Computer                NA                                    Computer name

So how does the Event Viewer have information that PowerShell does not?

Well, the replacement strings are the answer: the Event Viewer reads the information from this comma-separated list and populates the Computer field.
So my question to Microsoft: why could you not just populate the Username as well?

Anyway, to get past this we have to modify the code to read the replacement strings.
See the post PowerShell Replacement String Variables for more details.
I have to say thanks to Martin9700 on Spiceworks for assisting with getting the answer:
Replacement String

So solving one question does not resolve the query yet, as more questions were created.

  1. What Instance ID do I need to search for?
  2. How do I convert the Category back to a readable format?

Look out for the next post to see how we resolve each question.
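To show where this is heading, here is an added example of my own (not code from the post) that reads the account name out of ReplacementStrings, turns the event ID into a readable name, and produces the CSV rows described above. The event IDs chosen and the ReplacementStrings positions are assumptions taken from the Windows Security audit schema, so check them against your own Format-List output before relying on them.

```powershell
# Added example, not the post's own code. Event-ID names and ReplacementStrings
# positions are assumptions from the Windows Server 2008 R2+ audit schema.
$EventNames = @{
    4624 = 'Logon'
    4634 = 'Logoff'
    4647 = 'User initiated logoff'
    4778 = 'Session reconnected'      # RDP reconnect
    4779 = 'Session disconnected'     # RDP disconnect
}
# Where the account name, domain and (if present) logon type sit in ReplacementStrings
$Fields = @{
    4624 = @{ User = 5; Domain = 6; LogonType = 8 }      # TargetUserName / TargetDomainName
    4634 = @{ User = 1; Domain = 2; LogonType = 4 }
    4647 = @{ User = 1; Domain = 2; LogonType = $null }
    4778 = @{ User = 0; Domain = 1; LogonType = $null }  # AccountName / AccountDomain
    4779 = @{ User = 0; Domain = 1; LogonType = $null }
}

function ConvertTo-LogonRecord {
    # Turns one Get-EventLog Security entry into one CSV-ready row.
    param([Parameter(ValueFromPipeline = $true)] $Entry)
    process {
        $id  = [int]$Entry.InstanceId
        $map = $Fields[$id]
        if (-not $map) { return }             # not a logon/logoff event we track
        $rs  = $Entry.ReplacementStrings
        $type = if ($null -ne $map.LogonType) { $rs[$map.LogonType] } else { '' }
        [pscustomobject]@{
            Time      = $Entry.TimeGenerated
            EventId   = $id
            Event     = $EventNames[$id]      # human-readable instead of a number
            User      = '{0}\{1}' -f $rs[$map.Domain], $rs[$map.User]
            LogonType = $type                 # 10 = RemoteInteractive (RDP)
        }
    }
}

# Constructed sample (made-up values in the 4624 layout) so the function can be tried offline.
$sample = [pscustomobject]@{
    InstanceId         = 4624
    TimeGenerated      = Get-Date '2018-09-27 08:15:00'
    ReplacementStrings = @('S-1-0-0', '-', '-', '0x0', 'S-1-5-21-1-2-3-1001', 'jsmith', 'CONTOSO',
                           '0x3e7a1', '10', 'User32 ', 'Negotiate', 'TS01')
}
$sample | ConvertTo-LogonRecord | Format-Table -AutoSize

# Live run on the terminal server (elevated PowerShell), one user, last 24 hours, exported to CSV:
# Get-EventLog -LogName Security -InstanceId 4624,4634,4647,4778,4779 -After (Get-Date).AddDays(-1) |
#     ConvertTo-LogonRecord | Where-Object { $_.User -like '*\jsmith' } |
#     Export-Csv .\jsmith-sessions.csv -NoTypeInformation
```

The 4778/4779 pair is what answers the disconnect/reconnect question: those sessions never produce a 4634, so a report built on 4624/4634 alone will miss them.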
