Sunday, June 21, 2015

More artifacts through PowerShell - Part 2


Quickly identify successful logon events (Security event ID 4624, "An account was successfully logged on").

    Get-WinEvent -FilterHashtable @{Logname='security';ID=4624} | ft -auto -wrap

Quickly identify a login event for a particular user.

   Get-WinEvent -FilterHashtable @{Logname='security';ID=4624} | where {$_.message -like '*john*' } | ft -auto -wrap

Quickly identify a login event for multiple users.

   Get-WinEvent -FilterHashtable @{Logname='security';ID=4624} | where {$_.message -like '*john*' -or $_.message -like '*jane*'} | ft -auto -wrap

Quickly identify login events between two dates. The date strings are parsed in the machine's current locale; the ones below are US month/day/year.

  Get-WinEvent -FilterHashtable @{Logname='security';ID=4624 ;StartTime="5/1/15";EndTime="5/31/15"} | ft -auto -wrap

Login events for a particular user between two dates.

  Get-WinEvent -FilterHashtable @{Logname='security';ID=4624 ;StartTime="5/25/15";EndTime="5/30/15"} | where {$_.message -like '*john*' } | ft -auto -wrap
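The one-liners above match the account name against the whole message text, so '*john*' also hits "johnson", the subject account, and any event that merely mentions the name. The following is an added example (not from the original post) that reads the 4624 fields from the event XML instead, so you can filter on the exact TargetUserName, the LogonType (10 = RDP, 3 = network, 2 = console) and the source IP. The function name, parameter names and the 7-day default window are my own choices; reading the Security log requires an elevated prompt.

```powershell
# Added example, not code from the original post.
# Parses 4624 events into objects with the fields an investigator wants,
# instead of pattern-matching the message text.
function Get-LogonEvent {
    param(
        [string]$UserName,                                  # optional: exact account name (case-insensitive)
        [datetime]$StartTime = (Get-Date).AddDays(-7),      # assumption: default to the last 7 days
        [datetime]$EndTime   = (Get-Date),
        [int[]]$LogonType                                   # optional: e.g. 10 = RemoteInteractive (RDP)
    )

    # LogonType codes as documented for event 4624.
    $logonTypeNames = @{
        2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
        7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials'
        10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
    }

    # Date and ID filtering happens in the event log service, not in the pipeline.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $StartTime; EndTime = $EndTime }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Each 4624 event carries its values as named <Data> elements in the EventData section.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time          = $_.TimeCreated
            User          = $data['TargetUserName']          # the account that logged on
            Domain        = $data['TargetDomainName']
            LogonType     = [int]$data['LogonType']
            LogonTypeName = $logonTypeNames[[int]$data['LogonType']]
            LogonProcess  = $data['LogonProcessName']
            SourceIP      = $data['IpAddress']
            Workstation   = $data['WorkstationName']
            RecordId      = $_.RecordId                      # lets you go back to the raw event
        }
    } | Where-Object {
        (-not $UserName  -or $_.User -ieq $UserName) -and
        (-not $LogonType -or $LogonType -contains $_.LogonType) -and
        $_.User -notlike '*$'                                # drop machine accounts (COMPUTER$)
    }
}

# Usage (the account name 'john' and the dates are assumed for illustration):
Get-LogonEvent -UserName john | Format-Table -AutoSize -Wrap

# Who logged on over the network or RDP in a date window, most active first:
Get-LogonEvent -LogonType 3,10 -StartTime '2015-05-25' -EndTime '2015-05-30' |
    Group-Object User | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

Passing the dates as ISO strings ('2015-05-25') avoids the locale ambiguity of "5/25/15". The objects the function returns pipe cleanly into Export-Csv, which is a better format for later searching than a wrapped Format-Table dump.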

Quickly identify error events for the previous day. Get-EventLog is the legacy cmdlet and only reads the classic logs (System, Application, Security and the like).

  Get-EventLog -LogName System -EntryType error -After (Get-Date).AddDays(-1) | ft -auto -wrap

Error events for a specific source such as NETLOGON.

  Get-EventLog -LogName System -EntryType error -Source NETLOGON -After (Get-Date).AddDays(-1) | ft -auto -wrap

As a reminder, you can export any of these into a text file by piping to the Out-File cmdlet; an example:

  Get-EventLog -LogName System -EntryType error -After (Get-Date).AddDays(-1) | ft -auto -wrap | out-file c:\event.txt
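The same "errors since yesterday" query with Get-WinEvent, as an added example that is not from the original post. Get-WinEvent also reads the Applications and Services logs that Get-EventLog cannot see, applies the level, provider and time filter in the log service rather than in the pipeline, and the results are exported with Export-Csv, which keeps one record per event instead of the truncated, wrapped columns of a formatted table. The function and parameter names are my own; the provider name 'NETLOGON' is assumed to be spelled as Event Viewer shows the source.

```powershell
# Added example, not code from the original post.
# Level 1 = Critical, 2 = Error (Get-EventLog's -EntryType Error covers only level 2).
function Get-RecentError {
    param(
        [string[]]$LogName = @('System', 'Application'),   # assumption: default logs to search
        [string]$ProviderName,                              # optional: e.g. 'NETLOGON'
        [int]$Days = 1,
        [string]$CsvPath                                    # optional: also write the results here
    )

    $filter = @{ LogName = $LogName; Level = 1, 2; StartTime = (Get-Date).AddDays(-$Days) }
    if ($ProviderName) { $filter.ProviderName = $ProviderName }

    # -ErrorAction SilentlyContinue: Get-WinEvent reports "No events were found" as an error.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName, Message

    if ($CsvPath) {
        # One row per event, full message text, loadable later with Import-Csv.
        $events | Export-Csv -Path $CsvPath -NoTypeInformation
    }
    $events
}

# Usage: which providers produced the most errors in the last day?
Get-RecentError | Group-Object ProviderName | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# NETLOGON errors over the last week, shown on screen and saved for the case file
# (the path is assumed for illustration):
Get-RecentError -ProviderName NETLOGON -Days 7 -CsvPath C:\netlogon-errors.csv |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap
```

Import-Csv on the saved file gives the events back as objects, so the same Where-Object filters used above still work against the exported copy.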

