Results 1 to 12 of 12
Thread: power shell script
Hybrid View
-
9th December 2016 22:08 #1Registered User
Join Date: Jun:2013
Location: >.<
Posts: 6,182
power shell script
xls ( - logoff/login , (, , ..):
Code:
# Authors: Ryan DeVries, Drew Bonasera, Scott Smith
# Rochester Institute of Technology - Computer System Forensics

# Variables
# Reads the hostname, sets to the local hostname if left blank
$hostname = read-host "Enter the IP or hostname of the computer you wish to scan (Leave blank for local)"
if ($hostname.length -eq 0){$hostname = $env:computername}

# Reads the start date, sets to 1/1/2000 if left blank
$startTmp = read-host "Enter the start date to scan from (MM/DD/YYYY, default 1/1/2000)"
if ($startTmp.length -eq 0){$startTmp = "1/1/2000"}
$startDate = get-date $startTmp

# Reads the end date, sets to the current date and time if left blank
$endTmp = read-host "Enter the end date to scan to (MM/DD/YYYY, default current time)"
if ($endTmp.length -eq 0){$endTmp = get-date}
$endDate = get-date $endTmp

# Reads a Yes or No response to print only the failed login attempts, defaults to No
$scope = read-host "Print only failed logins (Y/N, default N)"
if ($scope.length -eq 0){$scope = "N"}

# Writes a line with all the parameters selected for report
write-host "Hostname: "$hostname "`tStart: "$startDate "`tEnd: "$endDate "`tOnly Failed Logins: "$scope "`n"

# Store each event from the Security Log with the specified dates and computer in an array
$log = Get-Eventlog -LogName Security -ComputerName $hostname -after $startDate -before $endDate

# Loop through each security event, print only failed login attempts
if ($scope -match "Y"){
    foreach ($i in $log){
        # Logon Failure Events, marked red
        # Local (Logon Type 2); for 4625 the logon type is ReplacementStrings[10]
        if (($i.EventID -eq 4625 ) -and ($i.ReplacementStrings[10] -eq 2)){
            write-host "Type: Local Logon`tDate: "$i.TimeGenerated "`tStatus: Failure`tUser: "$i.ReplacementStrings[5] -foregroundcolor "red"
        }
        # Remote (Logon Type 10); source address is ReplacementStrings[19]
        if (($i.EventID -eq 4625 ) -and ($i.ReplacementStrings[10] -eq 10)){
            write-host "Type: Remote Logon`tDate: "$i.TimeGenerated "`tStatus: Failure`tUser: "$i.ReplacementStrings[5] "`tIP Address: "$i.ReplacementStrings[19] -foregroundcolor "red"
        }
    }
}
# Loop through each security event, print all login/logoffs with type, date/time, status, account name, and IP address if remote
else{
    foreach ($i in $log){
        # Logon Successful Events
        # Local (Logon Type 2); for 4624 the logon type is ReplacementStrings[8]
        if (($i.EventID -eq 4624 ) -and ($i.ReplacementStrings[8] -eq 2)){
            write-host "Type: Local Logon`tDate: "$i.TimeGenerated "`tStatus: Success`tUser: "$i.ReplacementStrings[5]
        }
        # Remote (Logon Type 10); source address is ReplacementStrings[18]
        if (($i.EventID -eq 4624 ) -and ($i.ReplacementStrings[8] -eq 10)){
            write-host "Type: Remote Logon`tDate: "$i.TimeGenerated "`tStatus: Success`tUser: "$i.ReplacementStrings[5] "`tIP Address: "$i.ReplacementStrings[18]
        }
        # Logon Failure Events, marked red
        # Local
        if (($i.EventID -eq 4625 ) -and ($i.ReplacementStrings[10] -eq 2)){
            write-host "Type: Local Logon`tDate: "$i.TimeGenerated "`tStatus: Failure`tUser: "$i.ReplacementStrings[5] -foregroundcolor "red"
        }
        # Remote
        if (($i.EventID -eq 4625 ) -and ($i.ReplacementStrings[10] -eq 10)){
            write-host "Type: Remote Logon`tDate: "$i.TimeGenerated "`tStatus: Failure`tUser: "$i.ReplacementStrings[5] "`tIP Address: "$i.ReplacementStrings[19] -foregroundcolor "red"
        }
        # Logoff Events (4647); account name is ReplacementStrings[1]
        if ($i.EventID -eq 4647 ){
            write-host "Type: Logoff`t`tDate: "$i.TimeGenerated "`tStatus: Success`tUser: "$i.ReplacementStrings[1]
        }
    }
}
-
10th December 2016 09:52 #2
powershell, export-csv .csv . "" . .
-
10th December 2016 13:16 #3Registered User
Join Date: Jun:2013
Location: >.<
Posts: 6,182
-
10th December 2016 14:41 #4
.csv .

Code:
PS C:\> | Export-Csv -Path "logdata.csv"
-
11th December 2016 23:56 #5
"write-host" write-output. 0 ... - , ..
.
COM .NET- PowerShell. xls, xlsx.
PowerShell ?
Last edited by autosvet; 12th December 2016 at 01:34.
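Added example, not the original script or any poster's code: the same 4624/4625/4647 parsing, but each event becomes an object instead of Write-Host text, so the result can be piped to Export-Csv as posts #2, #4 and #5 suggest. The New-SampleEvent helper and the sample events are constructed for illustration; against a real host you would feed it the original Get-EventLog query instead.

```powershell
# Added example: same 4624/4625/4647 logic as the original script, but each event
# is emitted as an object, so the result pipes to Export-Csv instead of being lost in Write-Host.
function ConvertTo-LogonRecord {
    param([Parameter(ValueFromPipeline)] $Entry)
    process {
        $s = $Entry.ReplacementStrings
        switch ($Entry.EventID) {
            # LogonType / TargetUserName / IpAddress sit at different indices in 4624 and 4625
            4624 { $kind = 'Logon';  $status = 'Success'; $type = [int]$s[8];  $user = $s[5]; $ip = $s[18] }
            4625 { $kind = 'Logon';  $status = 'Failure'; $type = [int]$s[10]; $user = $s[5]; $ip = $s[19] }
            4647 { $kind = 'Logoff'; $status = 'Success'; $type = 0;           $user = $s[1]; $ip = '-'    }
            default { return }   # every other Security event is skipped
        }
        # Same scope as the original: Interactive (2) and RemoteInteractive (10) logons only
        if ($kind -eq 'Logon' -and $type -notin 2, 10) { return }
        [pscustomobject]@{
            Time      = $Entry.TimeGenerated
            Type      = if ($kind -eq 'Logoff') { 'Logoff' } elseif ($type -eq 10) { 'Remote Logon' } else { 'Local Logon' }
            Status    = $status
            User      = $user
            IPAddress = if ($type -eq 10) { $ip } else { '' }
        }
    }
}

# Constructed sample events (hypothetical) in the shape Get-EventLog returns:
# EventID, TimeGenerated and a ReplacementStrings array; only the indices the parser reads are filled.
function New-SampleEvent($Id, $When, [hashtable]$Fields) {
    $s = @('-') * 21
    foreach ($k in $Fields.Keys) { $s[$k] = $Fields[$k] }
    [pscustomobject]@{ EventID = $Id; TimeGenerated = [datetime]$When; ReplacementStrings = $s }
}
$sample = @(
    New-SampleEvent 4624 '2016-12-12 10:53:25' @{ 5 = 'nav1';   8 = '2' }
    New-SampleEvent 4624 '2016-12-12 10:55:00' @{ 5 = 'nav1';   8 = '10'; 18 = '10.0.0.7' }
    New-SampleEvent 4625 '2016-12-12 10:56:10' @{ 5 = 'admin'; 10 = '10'; 19 = '10.0.0.9' }
    New-SampleEvent 4624 '2016-12-12 10:56:30' @{ 5 = 'SYSTEM'; 8 = '5' }   # service logon: filtered out
    New-SampleEvent 4647 '2016-12-12 11:00:00' @{ 1 = 'nav1' }
)
$records = $sample | ConvertTo-LogonRecord
$records | Format-Table -AutoSize
$records | Export-Csv -Path 'logdata.csv' -NoTypeInformation -Encoding UTF8

# Against a real host, replace $sample with the original query:
# Get-EventLog -LogName Security -ComputerName $hostname -After $startDate -Before $endDate | ConvertTo-LogonRecord
```

Excel opens the resulting .csv directly; the same objects can also go to Out-GridView or ConvertTo-Csv for further filtering.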
-
12th December 2016 10:33 #6Registered User
Join Date: Jun:2013
Location: >.<
Posts: 6,182
PS1 ( ), 2 . PS1 , PS2+ 7 - .
, . , .
Code:
PS D:\> Get-Host

Name             : ConsoleHost
Version          : 5.1.14393.206
InstanceId       : 752a9633-eb52-4da1-bcc2-b8cecc2ec0d5
UI               : System.Management.Automation.Internal.Host.InternalHostUserInterface
CurrentCulture   : en-US
CurrentUICulture : en-US
PrivateData      : Microsoft.PowerShell.ConsoleHost+ConsoleColorProxy
DebuggerEnabled  : True
IsRunspacePushed : False
Runspace         : System.Management.Automation.Runspaces.LocalRunspace
Code:
PS D:\> .\test.ps1
Enter the IP or hostname of the computer you wish to scan (Leave blank for local):
Enter the start date to scan from (MM/DD/YYYY, default 1/1/2000): 11/12/2016
Enter the end date to scan to (MM/DD/YYYY, default current time):
Print only failed logins (Y/N, default N):
Hostname:  ss4     Start:  11.12.2016 12:00:00 AM     End:  12.12.2016 10:53:35 AM     Only Failed Logins:  N

Type: Local Logon    Date:  12.12.2016 10:53:25 AM    Status: Success    User:  nav1
Type: Local Logon    Date:  12.12.2016 10:53:25 AM    Status: Success    User:  nav1
Type: Local Logon    Date:  12.12.2016 10:53:17 AM    Status: Success    User:  DWM-3
Type: Local Logon    Date:  12.12.2016 10:53:17 AM    Status: Success    User:  DWM-3
Type: Logoff         Date:  12.12.2016 10:53:16 AM    Status: Success    User:  1
Type: Local Logon    Date:  12.12.2016 10:52:40 AM    Status: Success    User:  1
Type: Local Logon    Date:  12.12.2016 10:52:37 AM    Status: Success    User:  1
Type: Local Logon    Date:  12.12.2016 10:52:13 AM    Status: Success    User:  DWM-2
Type: Local Logon    Date:  12.12.2016 10:52:13 AM    Status: Success    User:  DWM-2
Type: Local Logon    Date:  12.12.2016 10:50:35 AM    Status: Success    User:  nav1
Type: Local Logon    Date:  12.12.2016 10:50:35 AM    Status: Success    User:  nav1
Type: Local Logon    Date:  12.12.2016 10:12:05 AM    Status: Success    User:  nav1
Type: Local Logon    Date:  12.12.2016 10:12:05 AM    Status: Success    User:  nav1
PS D:\>
PS D:\> .\test.ps1