Public/Get-RemoteLogonEvent.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
function Get-RemoteLogonEvent {
    [CmdLetBinding()]
    param(
        [Parameter(ValueFromPipelineByPropertyName=$true,ValueFromPipeline=$true)]
        [Alias('IPAddress','__Server','CN')]
        [string[]]$ComputerName='localhost',
        [ValidateNotNull()]
        [System.Management.Automation.PSCredential]
        [System.Management.Automation.Credential()]$Credential = [System.Management.Automation.PSCredential]::Empty,
        [datetime]$StartTime,
        [datetime]$EndTime,
        [int64]$MaxEvents,
        [switch]$Oldest,
        [switch]$Raw
    )

    Begin {


        if ($StartTime -and $EndTime) {
            $TimeCreatedFilter = "and (System/TimeCreated[@SystemTime>='$($StartTime.ToUniversalTime().ToString("s"))' and @SystemTime<='$($EndTime.ToUniversalTime().ToString("s"))'])"
        } elseif ($StartTime) {
            $TimeCreatedFilter = "and (System/TimeCreated[@SystemTime>='$($StartTime.ToUniversalTime().ToString("s"))'])"
        } elseif ($EndTime) {
            $TimeCreatedFilter = "and (System/TimeCreated[@SystemTime<='$($EndTime.ToUniversalTime().ToString("s"))'])"
        } else {
            $TimeCreatedFilter = $null
        }

        $FilterXmlText = '<QueryList>'
        $FilterXmlText += '<Query Id="0" Path="Security">'
        $FilterXmlText += '<Select Path="Security">'
        $FilterXmlText += '*[System[Provider[@Name=''Microsoft-Windows-Security-Auditing''] and '
        $FilterXmlText += '(EventID=4624 or EventID=4625 or EventID=4634 or EventID=4778 or EventID=4779)]]'
        $FilterXmlText += ' and *[EventData[Data[@Name=''LogonType''] and (Data=''3'' or Data=''8'' or Data=''10'')]]'
        $FilterXmlText += $TimeCreatedFilter
        $FilterXmlText += '</Select>'
        $FilterXmlText += '</Query>'
        $FilterXmlText += '</QueryList>'

        [xml]$FilterXml = $FilterXmlText

        $ParameterSplat = @{}
        if ($Credential) {
            $ParameterSplat['Credential'] = $Credential
        }
        if ($MaxEvents) {
            $ParameterSplat['MaxEvents'] = $MaxEvents
        }
        if ($Oldest) {
            $ParameterSplat['Oldest'] = $true
        }

    }

    Process {
        if ($Raw) {
            Get-MyEvent -ComputerName $ComputerName -FilterXml $FilterXml @ParameterSplat
        } else {
            Get-MyEvent -ComputerName $ComputerName -FilterXml $FilterXml @ParameterSplat | ConvertFrom-EventLogRecord -EventRecordType 'RemoteLogonEvent'
        }
    }

    End {

    }
}