3LToolKit.psm1

Function Get-3LLogonEventAccountName {

    #requires -RunAsAdministrator

    #requires -Modules PSScriptTools

    <#
 
    .SYNOPSIS
        Get all logon events (Success and Failure) and extract some logon details
 
    .SYNOPSIS
        Get all authenticate events that are used to authenticate.
        Logon attempts are retrieved from events in the security eventlog with eventid 4624 and 4625.
        Each computer is queried as a separate job. The output of all jobs is merged in the end.
 
    .EXAMPLE
        Get-3LLogonEventAccountName -InformationAction Continue
         
        Get all logon events on the local machine and displays status messages.
 
    .EXAMPLE
        Get-3LLogonEventAccountName -afterDate (Get-Date).addDays(-14)
 
        Get all logon events on the local machine in the last 14 days
 
    .EXAMPLE
        Get-3LLogonEventAccountName -afterDate (Get-Date).addHours(-1)
 
        Get all logon events on the local machine in the hour
 
    .EXAMPLE
        Get-3LLogonEventAccountName -computerName SVR1, SVR2 -Progress
 
        Get all logon events on the specified computers.
        During analyzing the Security log Events, a progressbar is displayed.
         
 
    .EXAMPLE
        Get-3LLogonEventAccountName -InformationVariable info
        $info | Where Tags -eq 'Success'
 
        The first command collect all logon events on the local computer.
        Messages from the Information stream are collected in the info variable
        The second command shows all Information messages tagged as 'Success'
 
 
    .NOTES
 
        Author: Frits van Drie (3-Link.nl)
        Date : 2021-10-20
     
    #>


    [CmdletBinding()]

    param(

        [string[]]$computerName,
        [datetime]$afterDate = (Get-Date).AddDays(-1),
        [switch]$progress

    )

    Begin {

        Function Write--JobProgress {

            <#
                .NOTES
                    Date: 2021-10-19
            #>


            param($job)

            # Make sure the first child job exists
            if($job.ChildJobs[0].Progress -ne $null) {

                # Extract the latest progress of the job and write the progress
                $jobProgressHistory    = $job.ChildJobs[0].Progress
                $latestProgress        = $jobProgressHistory[$jobProgressHistory.Count - 1]
                $latestPercentComplete = $latestProgress | Select -expand PercentComplete
                $latestActivity        = $latestProgress | Select -expand Activity
                $latestStatus          = $latestProgress | Select -expand StatusDescription

                # a unique ID per ProgressBar

                if ( $latestProgress.PercentComplete -ge 0 ) {

                    Write-Progress -Id $job.Id -Activity $latestActivity -Status $latestStatus -PercentComplete $latestPercentComplete

                }
            }
        }

        # module PSScriptTools required
        try { 
            $module = 'PSScriptTools'
            Import-Module $module -ErrorAction Stop
            Write-Information "SUCCESS: Imported Module: $module"

            $function_ConvertEventLogRecord = "Function Convert-EventLogRecord {" + (Get-Item function:Convert-EventLogRecord).ScriptBlock + " }"

        }
        catch {
            Write-Information "FAILURE: Could not import required Module: $module"
            Write-Error $_
            Break
        }

        if ( ($PSBoundParameters.Keys -notcontains 'computerName') -or ($computerName -eq 'localhost') ) {
            $computerName = $env:COMPUTERNAME
        }

        $msec = ((Get-Date)- $afterDate).TotalMilliseconds

        $xml  = @"
        <QueryList>
          <Query Id="0" Path="Security">
            <Select Path="Security">*[System[(Level=2 or Level=4 or Level=0) and (EventID=4624 or EventID=4625) and (TimeCreated[timediff(@SystemTime) `&lt;= $msec])]]</Select>
          </Query>
        </QueryList>
"@
 # xmlFilter

        [array]$startedJobs = @()


    } # end Begin{}

    Process {

        foreach ( $computer in $computerName ) {

            $jobName = "LogonEvents-$computer"
            Write-Information "STATUS : Running Job $jobName" -Tags 'Status'
            $job = Start-Job -Name $jobName -ArgumentList $xml, $computer, $progress, $function_ConvertEventLogRecord {

                param($xml, $computer, $progress, $function_ConvertEventLogRecord)

                Write-Information "STATUS : Setting up session to computer $computer" -Tags 'Status'

                try {
                    New-PSSession -ComputerName $computer -ErrorAction Stop
                    Write-Information "SUCCESS: Connected to computer $computer" -Tags 'Success'
                } # try New-PSSession
                catch {
                    Write-Information "FAILURE: Session to computer $computer failed" -Tags 'Failure'
                    continue

                }

                if ( $session = Get-PSSession -ComputerName $computer -ErrorAction SilentlyContinue) {
                    Write-Information "STATUS : Starting Invoke-Command to computer $computer" -Tags 'Status'
                    $outputInvoke = Invoke-Command -Session $session -ArgumentList $xml, $progress, $activity, $function_ConvertEventLogRecord {

                        param($xml, $progress, $activity, $function_ConvertEventLogRecord)

                        iex $function_ConvertEventLogRecord  # load function: Convert-EventLogRecord

                        $computer = $env:COMPUTERNAME

                        $splatParam = @{}
                        $splatParam.add('FilterXml', $xml)
                        $splatParam.add('ComputerName', $computer)

                        try {

                            Write-Information "STATUS : Reading events from computer $computer" -Tags 'Status'
                            $events = Get-WinEvent @splatParam -ErrorAction Stop

                            $total  = $events.Count

                        }
                        catch {
                            Write-Information "INFO : $($_.tostring())"
                            Write-Error $_
                            return
                        }


                        $activity = "Analyzing $total Events from computer $computer"
                        Write-Information "STATUS : $activity" -Tags 'Status'

                        $done = 0

                        $returnInvoke  = @()

                        foreach ($event in $events) {

                            $obj = Convert-EventLogRecord $event

                            $returnInvoke += $obj

                            if ( $progress ) {
                                $done++
                                Write-Progress -Activity $activity -Status "$done\$total" -PercentComplete ($done/$total*100)
                            }

                        } # end foreach event

                        if ( $progress ) {
                            Write-Progress -Activity $activity -Status "$done\$total" -PercentComplete ($done/$total*100)
                            #Write-Progress -Activity $activity -Completed
                        }


                        return $returnInvoke


                    }
                    # end Invoke-Command


                    Get-PSSession -ComputerName $computer | Remove-PSSession

                    return $outputInvoke

                } # end if Get-PSSession

            } # end Start-Job

            [array]$startedJobs += $job

        } # end foreach computer
        Write-Information ""

    } # end Process{}


    End {

# while ( $jobs = (Get-Job -Name '*-LogonEvents') ) {
        Write-Information "STATUS : Waiting for jobs to finish`n"

        while ( $startedJobs ) {
# foreach ( $job in $jobs ) {
            foreach ( $job in $startedJobs ) {

                $jobState = $job.State  # to prevent status changes during processing

                if ($jobState -eq 'Completed' ) {

                    Write--JobProgress -job $job

                    Write-Information "STATUS : Importing results from job: $(($job).Name)" -Tags 'Status'
                     $receivedJob = Receive-Job $job

                    $job | Remove-Job
                    $startedJobs = $startedJobs | Where {$_ -ne $job}

                    if ($receivedJob.length -gt 1) {
                        # remove the first item which is the job
                        [array]$outputJob += $receivedJob[1..($receivedJob.length-1)]
                    }

                    Write-Information "SUCCESS: Job ready: $(($job).Name)`n" -Tags 'Success'
                }
                else {
                    Write--JobProgress -job $job
                    #sleep 1
                }


            } # end foreach job
            
        } # end While



        Write-Output $outputJob

    } # end End{}
        
}

Function Write-3LNetworkConfigurationToFile {

<#
 
.SYNOPSIS
    Find text in a file
 
.NOTES
    Author : Frits van Drie (3-Link.nl)
    Versions : 2021.09.24
 
.EXAMPLE
    SaveNetworkConfigurationToFile -openFile
 
 
.EXAMPLE
    SaveNetworkConfigurationToFile -path 'C:\data\network.txt'
 
#>



    [CmdletBinding()]

    param (

        [string]$path = "$($env:USERPROFILE)\Documents\$($env:COMPUTERNAME)-$($MyInvocation.MyCommand)-$(Get-Date -Format yyyyMMdd_HHmmss).txt",

        [string]$header,

        [switch]$openFile,

        [switch]$noFile

    )

    [array]$result = @()
    $result += "================================================================================================="
    $result += "Computer : $($env:COMPUTERNAME)"
    $result += "Date : $(Get-Date -Format 'yy-MM-dd (HH:mm:ss)')"
    if ($MyInvocation.BoundParameters.ContainsKey('header')) {
    
        $result += "Description: $header"
    }
    $result += "=================================================================================================`n"
    

    # Gather info
    try {

        $result += "`n================================================================================================="
        $result += "Get-NetAdapter"
        $result += "=================================================================================================`n"
        $result += Get-NetAdapter              -ErrorAction Stop | ft -AutoSize


        $result += "`n================================================================================================="
        $result += "Get-NetIPAddress"
        $result += "=================================================================================================`n"
        $result += Get-NetIPAddress            -ErrorAction Stop | ft -AutoSize


        $result += "`n================================================================================================="
        $result += "Get-NetRoute"
        $result += "=================================================================================================`n"
        $result += Get-NetRoute                -ErrorAction Stop | ft -AutoSize


        $result += "`n================================================================================================="
        $result += "Get-DnsClientCache"
        $result += "=================================================================================================`n"
        $result += Get-DnsClientCache          -ErrorAction Stop | ft -AutoSize


        $result += "`n================================================================================================="
        $result += "Show-DnsServerCache"
        $result += "=================================================================================================`n"
        (Get-DnsClientServerAddress -Family IPv4 | Where serveraddresses ).serveraddresses | foreach {
            $result += "`n===================="
            $result += "DNS: $_"
            $result += "====================`n"
            try {
                $result += Show-DnsServerCache -ComputerName $_ -ea Stop
            }
            catch {
                $result += "Cache of $_ could not be read"
            }
        }


        $result += "`n================================================================================================="
        $result += "Get-NetTCPConnection"
        $result += "=================================================================================================`n"
        $result += Get-NetTCPConnection -ErrorAction Stop | ft -AutoSize


        $result += "`n================================================================================================="
        $result += "Get-Process"
        $result += "=================================================================================================`n"
        $result += Get-Process -ErrorAction Stop | ft -AutoSize


        $result += "`n================================================================================================="
        $result += "Get-DnsClientServerAddress"
        $result += "=================================================================================================`n"
        $result += Get-DnsClientServerAddress  -ErrorAction Stop | ft -AutoSize


        $result += "`n================================================================================================="
        $result += "Certificates"
        $result += "=================================================================================================`n"
        $result += GCI 'Cert:\LocalMachine\My' -ErrorAction Stop | ft -AutoSize
        $result += GCI 'Cert:\CurrentUser\My'  -ErrorAction Stop | ft -AutoSize

    }

    catch {

        Write-Error $error[0]
        break

    }


    if ( $noFile ) {

        $openFile = $true

        $path = Join-Path $env:TEMP (Split-Path $path -Leaf)

    }



    try {

        $result | Out-File $path -Append -ErrorAction Stop -Width 200

    }

    catch {

        Write-Error $error[0]
        break

    }



    if ($openFile) {

        notepad.exe $path

    }
    


    if ($noFile) {

        Write-Verbose "Network configuration saved to $path"

        Start-Sleep 2

        Remove-Item $path -Force -ea SilentlyContinue

    }

    else {

        Write-Host "Network configuration saved to $path" -f Yellow

    }

}

Function Out-3LNotepad {
  param
  (
    [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
    [String]
    [AllowEmptyString()] 
    $Text
  )

  begin
  {
    $sb = New-Object System.Text.StringBuilder
  }

  process
  {
    $null = $sb.AppendLine($Text)
  }
  end
  {
    $text = $sb.ToString()

    $process = Start-Process notepad -PassThru
    $null = $process.WaitForInputIdle()


    $sig = '
      [DllImport("user32.dll", EntryPoint = "FindWindowEx")]public static extern IntPtr FindWindowEx(IntPtr hwndParent, IntPtr hwndChildAfter, string lpszClass, string lpszWindow);
      [DllImport("User32.dll")]public static extern int SendMessage(IntPtr hWnd, int uMsg, int wParam, string lParam);
    '


    $type = Add-Type -MemberDefinition $sig -Name APISendMessage -PassThru
    $hwnd = $process.MainWindowHandle
    [IntPtr]$child = $type::FindWindowEx($hwnd, [IntPtr]::Zero, "Edit", $null)
    $null = $type::SendMessage($child, 0x000C, 0, $text)
  }
}

Function Find-3LStringInFile {

<#
 
.SYNOPSIS
    Find text in a file
 
.NOTES
    Author : Frits van Drie (3-Link.nl)
    Versions : 2021.09.23
 
.EXAMPLE
    FindStringInFile -pattern 'Project' -path "document.txt"
    searches document.txt in current folder for 'project' or 'Project'
 
.EXAMPLE
    FindStringInFile -pattern 'Project' -path "document.txt" -caseSensitive
    searches document.txt in current folder for 'Project'
 
.EXAMPLE
    gci "C:\Users\user\documents" -File | foreach { FindStringInFile -pattern 'project' -path $_.FullName }
    searches all users documents 'project' or 'Project'
 
#>



    [CmdletBinding()]

    param (

        [parameter(mandatory = $true)]
        [string]$pattern,

        [parameter(mandatory = $true)]
        [string]$path,

        [parameter(mandatory = $false)]
        [switch]$caseSensitive

    )

    begin {

        Write-Verbose "Start Function: $($MyInvocation.MyCommand)"

    }

    process {

        foreach ($file in $path) {

            try {

                $objfile = Get-item $path -ea Stop

                $result = $objFile | Select-String -Pattern $pattern -ea Stop -CaseSensitive:$caseSensitive

                Write-Output $result

            }

            catch {

                Write-Error "File not found: $path"

            }
        }

    }

    end {

        Write-Verbose "End Function: $($MyInvocation.MyCommand)"

    }

}