[PowerShell每日技巧]通过安全日志查看错误的登陆尝试(20140113)

DAIC

Whenever someone logs on with invalid credentials, there will be a log entry in the security log.

Here is a function that can read these events from the security log (Admin privileges needed). It will then list all the invalid logons found in the log:

1. # requires Admin privileges!
   
2. function Get-LogonFailure
   
3. {
   
4.       param($ComputerName)
   
5.       try
   
6.       {
   
7.           Get-EventLog -LogName security -EntryType FailureAudit -InstanceId 4625 -ErrorAction Stop @PSBoundParameters |
   
8.                   ForEach-Object {
   
9.                     $domain, $user = $_.ReplacementStrings[5,6]
   
10.                     $time = $_.TimeGenerated
    
11.                     "Logon Failure: $domain\$user at $time"
    
12.                 }
    
13.       }
    
14.       catch
    
15.       {
    
16.             if ($_.CategoryInfo.Category -eq 'ObjectNotFound')
    
17.             {
    
18.                   Write-Host "No logon failures found." -ForegroundColor Green
    
19.             }
    
20.             else
    
21.             {
    
22.                   Write-Warning "Error occured: $_"
    
23.             }
    
24. 
    
25.       }
    
26. 
    
27. }

复制代码

Note that this function can work remotely, too. Use the -ComputerName parameter to query a remote system. The remote system needs the running RemoteRegistry service, and you need local administrator privileges on the target machine.

http://powershell.com/cs/blogs/tips/archive/2014/01/13/finding-logon-failures.aspx