Functions and Event Logs

Unsolved:

Solved:

Get-EventLog System -source Microsoft-Windows-WinLogon

Processing Event Logs into a Custom Object

We will collect logon/logoff events from the last 14 days, loop through them, and build a custom object with four properties:

Time – from TimeGenerated
Id – from InstanceId
Event – mapped from InstanceId (Logon/Logoff)
User – from ReplacementStrings[1]

Verify that events exist:

Get-EventLog system -Source Microsoft-Windows-Winlogon -After (Get-Date).AddDays(-14)

Create the script:

https://github.com/Hsanokklis/SYS-320-Automating-and-Scripting/blob/main/week3/14_days_Logs.ps1github.com

# Get login and logoff records from Windows Events and save to a variable
# Get the last 14 days 

$loginouts = Get-EventLog system -Source Microsoft-Windows-Winlogon -After (Get-Date).AddDays(-14)

# Check if any events were found before looping
if ($loginouts) {

    $loginoutsTable = @() # Empty Array to fill customly
    for ($i=0; $i -lt $loginouts.Count; $i++) {

        # creating event property value 
        $event = ""
        if ($loginouts[$i].InstanceId -eq "7001") { $event="Logon" }
        if ($loginouts[$i].InstanceId -eq "7002") { $event="Logoff" }

        # Creating user Property value 
        $user = $loginouts[$i].ReplacementStrings[1]

        # Adding each new line (in form of a custom object) to our empty array
        $loginoutsTable += [pscustomobject]@{
            "Time"  = $loginouts[$i].TimeGenerated; `
            "Id"    = $loginouts[$i].InstanceId; `
            "Event" = $event; `
            "User"  = $user;
        }
    } # End of for loop

    $loginoutsTable
}
else {
    Write-Host "No Winlogon events found in the last 14 days."
}

Part 2: User ID Translation

Find the SID for your user (champuser)

# this will print out the SID's for the users in your system 
# In my case I want the SID for "champuser"

Get-WmiObject Win32_UserAccount | Select-Object Name, SID

# run all the following lines to assign the SID to User.Value

$SID = New-Object System.Security.Principal.SecurityIdentifier(“S-1-5-21-1180699209-877415012-3182924384-1004”)
$User = $SID.Translate([System.Security.Principal.NTAccount])
$User.Value

How to: Convert a SID to username in PowerShell — Joe's Tech SpaceJoe's Tech Space

Adding User SID translation to our 14-day log script

SYS-320-Automating-and-Scripting/week3/14_days_logs_SID.ps1 at main · Hsanokklis/SYS-320-Automating-and-ScriptingGitHub

# Get login and logoff records from Windows Events and save to a variable
# Get the last 14 days 

$loginouts = Get-EventLog system -Source Microsoft-Windows-Winlogon -After (Get-Date).AddDays(-14)
# Check if any events were found before looping
if ($loginouts) {
    $loginoutsTable = @() # Empty Array to fill customly
    for ($i=0; $i -lt $loginouts.Count; $i++) {
        # creating event property value 
        $event = ""
        if ($loginouts[$i].InstanceId -eq "7001") { $event="Logon" }
        if ($loginouts[$i].InstanceId -eq "7002") { $event="Logoff" }
        
        # Creating user Property value - Translate SID to Username
        $sid = $loginouts[$i].ReplacementStrings[1]
        try {
            $user = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
        }
        catch {
            $user = $sid  # If translation fails, keep the SID
        }
        
        # Adding each new line (in form of a custom object) to our empty array
        $loginoutsTable += [pscustomobject]@{
            "Time"  = $loginouts[$i].TimeGenerated; `
            "Id"    = $loginouts[$i].InstanceId; `
            "Event" = $event; `
            "User"  = $user;
        }
    } # End of for loop
    $loginoutsTable
}
else {
    Write-Host "No Winlogon events found in the last 14 days."
}

Part 3: Turn Script into a Function that takes user input

Hard code the number of days

SYS-320-Automating-and-Scripting/week3/14_days_logs_Function_HardCoded.ps1 at main · Hsanokklis/SYS-320-Automating-and-ScriptingGitHub

A) Turn it into a function that takes 1 input and returns results

Instead of the code just running as a script, we are going to wrap it in a function block
The function will accept a parameter (input)
It will return the table instead of just displaying it

B) The input is the number of days

Right now the script is hardcoded to -14 days
Instead, we will make this flexible so we can specify any number of days when we call the function
Example: You could ask for 7 days, 30 days, etc.

C) Call your function and print results

After defining the function, we will use it by calling it with a number
Then display what it returns

# this script is going to hard code the number of days
# Define the function
function Get-LoginEvents {
    param(
        [int]$Days  # Input parameter: number of days 
    )
    
    # Get login and logoff records from Windows Events
    $loginouts = Get-EventLog system -Source Microsoft-Windows-Winlogon -After (Get-Date).AddDays(-$Days)
    
    # Check if any events were found before looping
    if ($loginouts) {
        $loginoutsTable = @() # Empty Array to fill customly
        for ($i=0; $i -lt $loginouts.Count; $i++) {
            # creating event property value 
            $event = ""
            if ($loginouts[$i].InstanceId -eq "7001") { $event="Logon" }
            if ($loginouts[$i].InstanceId -eq "7002") { $event="Logoff" }
            
            # Creating user Property value - Translate SID to Username
            $sid = $loginouts[$i].ReplacementStrings[1]
            try {
                $user = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
            }
            catch {
                $user = $sid  # If translation fails, keep the SID
            }
            
            # Adding each new line (in form of a custom object) to our empty array
            $loginoutsTable += [pscustomobject]@{
                "Time"  = $loginouts[$i].TimeGenerated; `
                "Id"    = $loginouts[$i].InstanceId; `
                "Event" = $event; `
                "User"  = $user;
            }
        } # End of for loop
        
        return $loginoutsTable  # Return the results
    }
    else {
        Write-Host "No Winlogon events found in the last $Days days."
        return $null
    }
}

# Call the function with 14 days as the parameter and print results
$results = Get-LoginEvents -Days 14
$results

Allow users to input the number of days

SYS-320-Automating-and-Scripting/week3/Logs_User_input.ps1 at main · Hsanokklis/SYS-320-Automating-and-ScriptingGitHub

# this script is going to let user input the number of days they want to look bac
# Define the function
function Get-LoginEvents {
    param(
        [int]$Days  # Input parameter: number of days 
    )
    
    # Get login and logoff records from Windows Events
    $loginouts = Get-EventLog system -Source Microsoft-Windows-Winlogon -After (Get-Date).AddDays(-$Days)
    
    # Check if any events were found before looping
    if ($loginouts) {
        $loginoutsTable = @() # Empty Array to fill customly
        for ($i=0; $i -lt $loginouts.Count; $i++) {
            # creating event property value 
            $event = ""
            if ($loginouts[$i].InstanceId -eq "7001") { $event="Logon" }
            if ($loginouts[$i].InstanceId -eq "7002") { $event="Logoff" }
            
            # Creating user Property value - Translate SID to Username
            $sid = $loginouts[$i].ReplacementStrings[1]
            try {
                $user = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
            }
            catch {
                $user = $sid  # If translation fails, keep the SID
            }
            
            # Adding each new line (in form of a custom object) to our empty array
            $loginoutsTable += [pscustomobject]@{
                "Time"  = $loginouts[$i].TimeGenerated; `
                "Id"    = $loginouts[$i].InstanceId; `
                "Event" = $event; `
                "User"  = $user;
            }
        } # End of for loop
        
        return $loginoutsTable  # Return the results
    }
    else {
        Write-Host "No Winlogon events found in the last $Days days."
        return $null
    }
}

# Prompt the user to enter number of days
$daysInput = Read-Host "Enter the number of days to look back"
$results = Get-LoginEvents -Days $daysInput
$results
# Define the function
function Get-LoginEvents {
    param(
        [int]$Days  # Input parameter: number of days 
    )
    
    # Get login and logoff records from Windows Events
    $loginouts = Get-EventLog system -Source Microsoft-Windows-Winlogon -After (Get-Date).AddDays(-$Days)
    
    # Check if any events were found before looping
    if ($loginouts) {
        $loginoutsTable = @() # Empty Array to fill customly
        for ($i=0; $i -lt $loginouts.Count; $i++) {
            # creating event property value 
            $event = ""
            if ($loginouts[$i].InstanceId -eq "7001") { $event="Logon" }
            if ($loginouts[$i].InstanceId -eq "7002") { $event="Logoff" }
            
            # Creating user Property value - Translate SID to Username
            $sid = $loginouts[$i].ReplacementStrings[1]
            try {
                $user = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
            }
            catch {
                $user = $sid  # If translation fails, keep the SID
            }
            
            # Adding each new line (in form of a custom object) to our empty array
            $loginoutsTable += [pscustomobject]@{
                "Time"  = $loginouts[$i].TimeGenerated; `
                "Id"    = $loginouts[$i].InstanceId; `
                "Event" = $event; `
                "User"  = $user;
            }
        } # End of for loop
        
        return $loginoutsTable  # Return the results
    }
    else {
        Write-Host "No Winlogon events found in the last $Days days."
        return $null
    }
}

# Prompt the user to enter number of days
$daysInput = Read-Host "Enter the number of days to look back"
$results = Get-LoginEvents -Days $daysInput
$results

Part 4: Computer start-up/shut-down function

We are now going to create another function to track the following:

Computer shutdowns (EventId 6006)
Computer startups (EventId - it's 6005)

The function should return a table with the same structure as our first function (Time, Id, Event, User).

We are changing the following for the function:

Different EventIds: Uses EventId (not InstanceId) - 6005 for Startup, 6006 for Shutdown
Filtered events: Added Where-Object to only get events with EventId 6005 or 6006
User is "System": Hard-coded as "System" since these are system events, not user events
Event names: "Startup" and "Shutdown" instead of "Logon" and "Logoff"

SYS-320-Automating-and-Scripting/week3/StartUp_ShutDown_Function.ps1 at main · Hsanokklis/SYS-320-Automating-and-ScriptingGitHub

# Function to get computer startup and shutdown events
function Get-StartupShutdownEvents {
    param(
        [int]$Days  # Input parameter: number of days to look back
    )
    
    # Get startup and shutdown records from Windows Events
    $events = Get-EventLog system -After (Get-Date).AddDays(-$Days) | Where-Object { $_.EventId -eq 6005 -or $_.EventId -eq 6006 }
    
    # Check if any events were found before looping
    if ($events) {
        $eventsTable = @() # Empty Array to fill customly
        for ($i=0; $i -lt $events.Count; $i++) {
            # Creating event property value based on EventId
            $event = ""
            if ($events[$i].EventId -eq "6005") { $event="Startup" }
            if ($events[$i].EventId -eq "6006") { $event="Shutdown" }
            
            # Adding each new line (in form of a custom object) to our empty array
            $eventsTable += [pscustomobject]@{
                "Time"  = $events[$i].TimeGenerated; `
                "Id"    = $events[$i].EventId; `
                "Event" = $event; `
                "User"  = "System";
            }
        } # End of for loop
        
        return $eventsTable  # Return the results
    }
    else {
        Write-Host "No startup/shutdown events found in the last $Days days."
        return $null
    }
}

# Call the function with 30 days as the parameter and print results
$startupShutdownResults = Get-StartupShutdownEvents -Days 30
$startupShutdownResults

Combining the Functions into One Script

SYS-320-Automating-and-Scripting/week3/Login_Logoff_AND_Startup_Shutdown.ps1 at main · Hsanokklis/SYS-320-Automating-and-ScriptingGitHub

 # Function 1: Login/Logoff Events
function Get-LoginEvents {
    param(
        [int]$Days
    )
    
    $loginouts = Get-EventLog system -Source Microsoft-Windows-Winlogon -After (Get-Date).AddDays(-$Days)
    
    if ($loginouts) {
        $loginoutsTable = @()
        for ($i=0; $i -lt $loginouts.Count; $i++) {
            $event = ""
            if ($loginouts[$i].InstanceId -eq "7001") { $event="Logon" }
            if ($loginouts[$i].InstanceId -eq "7002") { $event="Logoff" }
            
            $sid = $loginouts[$i].ReplacementStrings[1]
            try {
                $user = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
            }
            catch {
                $user = $sid
            }
            
            $loginoutsTable += [pscustomobject]@{
                "Time"  = $loginouts[$i].TimeGenerated; `
                "Id"    = $loginouts[$i].InstanceId; `
                "Event" = $event; `
                "User"  = $user;
            }
        }
        return $loginoutsTable
    }
    else {
        Write-Host "No Winlogon events found in the last $Days days."
        return $null
    }
}

# Function 2: Startup/Shutdown Events
function Get-StartupShutdownEvents {
    param(
        [int]$Days
    )
    
    $events = Get-EventLog system -After (Get-Date).AddDays(-$Days) | Where-Object { $_.EventId -eq 6005 -or $_.EventId -eq 6006 }
    
    if ($events) {
        $eventsTable = @()
        for ($i=0; $i -lt $events.Count; $i++) {
            $event = ""
            if ($events[$i].EventId -eq "6005") { $event="Startup" }
            if ($events[$i].EventId -eq "6006") { $event="Shutdown" }
            
            $eventsTable += [pscustomobject]@{
                "Time"  = $events[$i].TimeGenerated; `
                "Id"    = $events[$i].EventId; `
                "Event" = $event; `
                "User"  = "System";
            }
        }
        return $eventsTable
    }
    else {
        Write-Host "No startup/shutdown events found in the last $Days days."
        return $null
    }
}

# Call both functions and display results
$loginResults = Get-LoginEvents -Days 10
$startupShutdownResults = Get-StartupShutdownEvents -Days 100

Write-Host "`nLogin/Logoff Events:"
$loginResults

Write-Host "`nStartup/Shutdown Events:"
$startupShutdownResults

Part 5: Using dot notation to call our functions from the script we've made

What is dot notation?

Dot sourcing loads a script and keeps everything in the current session.

Dot notation in our script

Finds your Login_Logoff_AND_Startup_Shutdown.ps1 file
Loads all the functions from it (Get-LoginEvents and Get-StartupShutdownEvents)
Makes them available so you can use them in the rest of your script

SYS-320-Automating-and-Scripting/week3/Dot_Notation.ps1 at main · Hsanokklis/SYS-320-Automating-and-ScriptingGitHub

# we are using the functions in Get-LoginEvents and Get-StartupShutdownEvents

. (Join-Path $PSScriptRoot Login_Logoff_AND_Startup_Shutdown.ps1) 
clear 

# Get Login and Logoff from the last 15 days 
$loginoutTable = Get-LoginEvents -Days 15
$loginoutTable 

# Get all startup/shutdown events from the last 25 days
$allEvents = Get-StartupShutdownEvents -Days 25

# Get Shut Downs from the last 25 days 
$shutdownsTable = $allEvents | Where-Object { $_.Event -eq "Shutdown" }
$shutdownsTable 

# Get Start Ups from the last 25 days 
$startupsTable = $allEvents | Where-Object { $_.Event -eq "Startup" }
$startupsTable

PreviousWeek 3: Powershell Flow Control NextWeek 4 & 5 PowerShell and Accessing File Content, Web Scraping, and Regex

Last updated 4 months ago

hashtagPart 1: Login/Logoff records for Windows Events

hashtagUnsolved:

hashtagSolved:

hashtagProcessing Event Logs into a Custom Object

hashtagVerify that events exist:

hashtagCreate the script:

hashtagPart 2: User ID Translation

hashtagFind the SID for your user (champuser)

hashtagAdding User SID translation to our 14-day log script

hashtagPart 3: Turn Script into a Function that takes user input

hashtagHard code the number of days

hashtagAllow users to input the number of days

hashtagPart 4: Computer start-up/shut-down function

hashtagWe are changing the following for the function:

hashtagCombining the Functions into One Script

hashtagPart 5: Using dot notation to call our functions from the script we've made

hashtag What is dot notation?

hashtagDot notation in our script

Part 1: Login/Logoff records for Windows Events